prx_auth 1.2.0 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6b1ad46cadbbeddae8e3bebd398582339573c0cd93a16e1ec32d81640c57132
-  data.tar.gz: e16653c6a43a3398d770dee31c1cc414a5a1eedb38434e8568c9d7fad3f74e78
+  metadata.gz: 0ac722c142dfc949c887f3bd913c19e9a743c6dc9503badaa967fc180b200344
+  data.tar.gz: bbac43c4ad1611c136da5a66f544eea639262fa2cb01e6eb1853610ee630b0ca
 SHA512:
-  metadata.gz: ef892e741fce211dd772a141dd0b80741b395cc8a926651322c79e9bcb91e141c556164c5b46a2f617a5297bc26ab04c0e6f1b954c6d7440ecd42d78831d1025
-  data.tar.gz: 50f52aa960307c3f2117cef31586c946338b032183c5d0f85d1098af448e0fe4e27b97365a782970b95738eec4e6be90f05f35dde1597841f70e0ede9a2a4aa4
+  metadata.gz: 7941fafb990e4d7aa8cb070963aba181b91d3d108fd4a4d6017618b15532d83876db3dc69a3fb962d5193adb61f82cad5874b7b65590880b99a6eb68117e0e6d
+  data.tar.gz: b3d1a127bbe650df453b3158d81df5fd56dfcad9c9862ceaba502ca25dd45ad9c6a6764f65a481cd6a54989aa22b5cf10774a003efc97d949c782cdddc767660

data/lib/prx_auth/resource_map.rb

@@ -37,6 +37,14 @@ module PrxAuth
       end
     end
 
+    def [](key)
+      super(key.to_s)
+    end
+
+    def []=(key, value)
+      super(key.to_s, value)
+    end
+
     def condense
       condensed_wildcard = @wildcard.condense
       condensed_map = Hash[map do |resource, list|

data/lib/prx_auth/scope_list.rb

@@ -4,19 +4,15 @@ module PrxAuth
     NAMESPACE_SEPARATOR = ':'
     NO_NAMESPACE = :_
 
-    Entry = Struct.new(:namespace, :scope)
+    Entry = Struct.new(:namespace, :scope, :string)
 
     class Entry
-      def equal?(other_entry)
+      def ==(other_entry)
         namespace == other_entry.namespace && scope == other_entry.scope
       end
 
       def to_s
-        if namespaced?
-          "#{namespace}:#{scope}"
-        else
-          scope.to_s
-        end
+        string
       end
 
       def namespaced?
@@ -25,11 +21,15 @@ module PrxAuth
 
       def unnamespaced
         if namespaced?
-          Entry.new(NO_NAMESPACE, scope)
+          Entry.new(NO_NAMESPACE, scope, string.split(':').last)
         else
           self
         end
       end
+
+      def inspect
+        "#<ScopeList::Entry \"#{to_s}\">"
+      end
     end
 
     def self.new(list)
@@ -47,9 +47,9 @@ module PrxAuth
 
         parts = value.split(NAMESPACE_SEPARATOR, 2)
         if parts.length == 2
-          push Entry.new(symbolize(parts[0]), symbolize(parts[1]))
+          push Entry.new(symbolize(parts[0]), symbolize(parts[1]), value)
         else
-          push Entry.new(NO_NAMESPACE, symbolize(parts[0]))
+          push Entry.new(NO_NAMESPACE, symbolize(parts[0]), value)
         end
       end
     end
@@ -57,11 +57,11 @@ module PrxAuth
     def contains?(namespace, scope=nil)
       entries = if scope.nil?
                   scope, namespace = namespace, NO_NAMESPACE 
-                  [Entry.new(namespace, symbolize(scope))]
+                  [Entry.new(namespace, symbolize(scope), nil)]
                 else
                   scope = symbolize(scope)
                   namespace = symbolize(namespace)
-                  [Entry.new(namespace, scope), Entry.new(NO_NAMESPACE, scope)]
+                  [Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
                 end
       
       entries.any? do |possible_match|
@@ -126,7 +126,11 @@ module PrxAuth
     def &(other_list)
       return ScopeList.new('') if other_list.nil?
       
-      self - (self - other_list)
+      self - (self - other_list) + (other_list - (other_list - self))
+    end
+
+    def ==(other)
+      condense.sort_by(&:to_s) == other.condense.sort_by(&:to_s)
     end
 
     private

data/lib/prx_auth/version.rb

@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.2.0"
+  VERSION = "1.5.0"
 end

data/lib/rack/prx_auth.rb

@@ -53,7 +53,12 @@ module Rack
     end
 
     def expired?(claims)
-      Time.now.to_i > (claims['iat'] + claims['exp'])
+      now = Time.now.to_i - 30 # 30 second clock jitter allowance
+      if claims['iat'] <= claims['exp']
+        now > claims['exp']
+      else
+        now > (claims['iat'] + claims['exp'])
+      end
     end
 
     def should_validate_token?(claims)

data/prx_auth.gemspec

@@ -21,12 +21,12 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.3'
 
   spec.add_development_dependency 'bundler', '~> 2.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '~> 12.3.3'
   spec.add_development_dependency 'coveralls', '~> 0'
   spec.add_development_dependency 'guard'
   spec.add_development_dependency 'guard-minitest'
 
   spec.add_dependency 'rack', '>= 1.5.2'
   spec.add_dependency 'json', '>= 1.8.1'
-  spec.add_dependency 'json-jwt', '~> 1.9.4'
+  spec.add_dependency 'json-jwt', '~> 1.11.0'
 end

data/test/prx_auth/resource_map_test.rb

@@ -169,4 +169,17 @@ describe PrxAuth::ResourceMap do
       assert map.as_json.has_key?('*')
     end
   end
+
+  describe '#[]' do
+    it 'automatically stringifies' do
+      refute_nil map[123]
+    end
+  end
+
+  describe '#[]=' do
+    it 'automatically stringifies' do
+      map[789] = PrxAuth::ScopeList.new("")
+      refute_nil map["789"]
+    end
+  end
 end

data/test/prx_auth/scope_list_test.rb

@@ -70,6 +70,12 @@ describe PrxAuth::ScopeList do
       sl = new_list('one two') - nil
       assert sl.contains?(:one) && sl.contains?(:two)
     end
+
+    it 'maintains dashes and capitalization in the result' do
+      sl = new_list('The-Beginning the-middle the-end') - new_list('the-Middle')
+      assert sl.to_s == 'The-Beginning the-end'
+    end
+
   end
 
   describe '#+' do
@@ -98,5 +104,26 @@ describe PrxAuth::ScopeList do
       sl = new_list('one') & nil
       assert !sl.contains?(:one)
     end
+
+    it 'works when either side has non-namespaced values correctly' do
+      sl = PrxAuth::ScopeList.new('foo:bar') & PrxAuth::ScopeList.new('bar')
+      assert sl.contains?(:foo, :bar)
+      refute sl.contains?(:bar)
+
+      sl = PrxAuth::ScopeList.new('bar') & PrxAuth::ScopeList.new('foo:bar')
+      assert sl.contains?(:foo, :bar)
+      refute sl.contains?(:bar)
+    end
+  end
+
+  describe '==' do
+
+    it 'is equal when they are functionally equal' do
+      assert_equal PrxAuth::ScopeList.new("foo ns:foo bar ns2:baz"), PrxAuth::ScopeList.new("ns2:baz bar foo")
+    end
+
+    it 'is not equal when they are not functionally equal' do
+      refute_equal PrxAuth::ScopeList.new("foo bar"), PrxAuth::ScopeList.new("foo:bar bar:foo")
+    end
   end
 end

data/test/rack/prx_auth_test.rb

@@ -5,7 +5,9 @@ describe Rack::PrxAuth do
   let(:prxauth) { Rack::PrxAuth.new(app) }
   let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
   let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
-  let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+  let(:iat) { Time.now.to_i }
+  let(:exp) { 3600 }
+  let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
 
   describe '#call' do
     it 'does nothing if there is no authorization header' do
@@ -59,15 +61,49 @@ describe Rack::PrxAuth do
     end
   end
 
-  describe '#token_expired?' do
-    it 'returns true if token is expired' do
-      claims['iat'] = Time.now.to_i - 4000
+  describe '#expired?' do
 
-      assert prxauth.send(:expired?, claims) == true
+    def expired?(claims)
+      prxauth.send(:expired?, claims)
     end
 
-    it 'returns false if it is valid' do
-      assert prxauth.send(:expired?, claims) == false
+    describe 'with a malformed exp' do
+      let(:iat) { Time.now.to_i }
+      let(:exp) { 3600 }
+
+      it 'is expired if iat + exp are in the past' do
+        claims['iat'] -= 3631
+
+        assert expired?(claims)
+      end
+
+      it 'is not expired if iat + exp are in the future' do
+        claims['iat'] = Time.now.to_i - 3599
+
+        refute expired?(claims)
+      end
+
+      it 'allows a 30s clock jitter' do
+        claims['iat'] = Time.now.to_i - 3629
+
+        refute expired?(claims)
+      end
+    end
+
+    describe 'with a corrected exp' do
+      let(:iat) { Time.now.to_i - 3600 }
+      let(:exp) { Time.now.to_i + 1 }
+
+      it 'is not expired if exp is in the future' do
+        refute expired?(claims)
+      end
+
+      it 'is expired if exp is in the past (with 30s jitter grace)' do
+        claims['exp'] = Time.now.to_i - 31
+        assert expired?(claims)
+        claims['exp'] = Time.now.to_i - 29
+        refute expired?(claims)
+      end
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-05 00:00:00.000000000 Z
+date: 2020-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -115,14 +115,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.4
+        version: 1.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.4
+        version: 1.11.0
 description: Specific to PRX. Will ignore tokens that were not issued by PRX.
 email:
 - eve@prx.org