prx_auth 1.4.1 → 1.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 765ac2dcac47b990cfb7978891f92fe853d0e8001fc663a0099f90ef064f14a1
-  data.tar.gz: 8085236902300f65d458a6b66cd2904ff116c340b7c79a08fc17f274856693ce
+  metadata.gz: b11c5af8dd4126044aa9d468a50dee909483bc6de84b6fa8f46362e208dac776
+  data.tar.gz: 8e308914d3c6f254130bbc02f245ec9a690ea3efbd67c7e03af27d89248e1285
 SHA512:
-  metadata.gz: fa5b7a5de59a4de7b0bc974b2ac8932acbf5117c070ea3d2ab602223696a5761eda9a46421d18dfb8c5612331456a42dfeaeae3c63480081c30c90d170de7d5c
-  data.tar.gz: 66759612cee8f4cf1788d9374934f2a79678e72923fec8a188399fd5f158616ca0a3bc371be66de12e8981cece7c958b0281aaf9a1753826ae816c3e090bd17a
+  metadata.gz: 1e41ac8e49eb3bbf6e77a60dbd7a607766dceecc131a221eaefb9d1c6251507cf9b526a7d031dc0a686dd32683ef9113031db1a6de957a86a19738ec9ad5a7d5
+  data.tar.gz: 27a2c10518729f37f366ff301835618c959ea7ef5a8446ee0ed0176b6f3046e820fedc58cbce6ce790f114875f98b2c68fbbc06592e8d9685a4eb985e0305d43

data/lib/prx_auth/scope_list.rb

@@ -42,7 +42,7 @@ module PrxAuth
 
     def initialize(list)
       @string = list
-      @string.split(SCOPE_SEPARATOR).each do |value|
+      @string.split(SCOPE_SEPARATOR).uniq.each do |value|
         next if value.length < 1
 
         parts = value.split(NAMESPACE_SEPARATOR, 2)
@@ -56,21 +56,21 @@ module PrxAuth
 
     def contains?(namespace, scope=nil)
       entries = if scope.nil?
-                  scope, namespace = namespace, NO_NAMESPACE 
+                  scope, namespace = namespace, NO_NAMESPACE
                   [Entry.new(namespace, symbolize(scope), nil)]
                 else
                   scope = symbolize(scope)
                   namespace = symbolize(namespace)
                   [Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
                 end
-      
+
       entries.any? do |possible_match|
         include?(possible_match)
       end
     end
 
     def to_s
-      @string
+      entries.join(SCOPE_SEPARATOR)
     end
 
     def condense
@@ -125,7 +125,7 @@ module PrxAuth
 
     def &(other_list)
       return ScopeList.new('') if other_list.nil?
-      
+
       self - (self - other_list) + (other_list - (other_list - self))
     end
 

data/lib/prx_auth/version.rb

@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.4.1"
+  VERSION = "1.7.1"
 end

data/lib/rack/prx_auth/auth_validator.rb

@@ -0,0 +1,58 @@
+require 'json/jwt'
+
+module Rack
+  class PrxAuth
+    class AuthValidator
+
+      attr_reader :issuer, :token
+
+      def initialize(token, certificate = nil, issuer = nil)
+        @token = token
+        @certificate = certificate
+        @issuer = issuer
+      end
+
+      def valid?
+        valid_token_format? && !expired? && @certificate.valid?(token)
+      end
+
+      def claims
+        @claims ||= decode_token
+      end
+
+      def valid_token_format?
+        decode_token.present?
+      end
+
+      def decode_token
+        return {} if token.nil?
+
+        begin
+          JSON::JWT.decode(token, :skip_verification)
+        rescue JSON::JWT::InvalidFormat
+          {}
+        end
+      end
+
+      def expired?
+        (time_to_live + 30) <= 0 # 30 second clock jitter allowance
+      end
+
+      def time_to_live
+        now = Time.now.to_i
+        if claims['exp'].nil?
+          0
+        elsif claims['iat'].nil? || claims['iat'] <= claims['exp']
+          claims['exp'] - now
+        else
+          # malformed - exp is a num-seconds offset from issued-at-time
+          (claims['iat'] + claims['exp']) - now
+        end
+      end
+
+      def token_issuer_matches?
+        claims['iss'] == @issuer
+      end
+    end
+  end
+end

data/lib/rack/prx_auth/certificate.rb

@@ -11,6 +11,7 @@ module Rack
 
       def initialize(cert_uri = nil)
         @cert_location = cert_uri.nil? ? DEFAULT_CERT_LOC : URI(cert_uri)
+        @certificate = nil
       end
 
       def valid?(token)

data/lib/rack/prx_auth/token_data.rb

@@ -32,7 +32,11 @@ module Rack
       def globally_authorized?(namespace, scope=nil)
         authorized?(::PrxAuth::ResourceMap::WILDCARD_KEY, namespace, scope)
       end
-      
+
+      def authorized_account_ids(scope)
+        resources(::PrxAuth::Rails.configuration.namespace, scope).map(&:to_i)
+      end
+
       private
 
       def unpack_aur(aur)

data/lib/rack/prx_auth.rb

@@ -1,6 +1,7 @@
 require 'json/jwt'
 require 'rack/prx_auth/certificate'
 require 'rack/prx_auth/token_data'
+require 'rack/prx_auth/auth_validator'
 require 'prx_auth'
 
 module Rack
@@ -20,16 +21,21 @@ module Rack
       @issuer = options[:issuer] || DEFAULT_ISS
     end
 
+    def build_auth_validator(token)
+      AuthValidator.new(token, @certificate, @issuer)
+    end
+
     def call(env)
       return @app.call(env) unless env['HTTP_AUTHORIZATION']
 
       token = env['HTTP_AUTHORIZATION'].split[1]
-      claims = decode_token(token)
 
-      return @app.call(env) unless should_validate_token?(claims)
+      auth_validator = build_auth_validator(token)
 
-      if valid?(claims, token)
-        env['prx.auth'] = TokenData.new(claims)
+      return @app.call(env) unless should_validate_token?(auth_validator)
+
+      if auth_validator.valid?
+        env['prx.auth'] = TokenData.new(auth_validator.claims)
         @app.call(env)
       else
         INVALID_TOKEN
@@ -38,31 +44,8 @@ module Rack
 
     private
 
-    def valid?(claims, token)
-      !expired?(claims) && @certificate.valid?(token)
-    end
-
-    def decode_token(token)
-      return {} if token.nil?
-
-      begin
-        JSON::JWT.decode(token, :skip_verification)
-      rescue JSON::JWT::InvalidFormat
-        {}
-      end
-    end
-
-    def expired?(claims)
-      now = Time.now.to_i - 30 # 30 second clock jitter allowance
-      if claims['iat'] <= claims['exp']
-        now > claims['exp']
-      else
-        now > (claims['iat'] + claims['exp'])
-      end
-    end
-
-    def should_validate_token?(claims)
-      claims['iss'] == @issuer
+    def should_validate_token?(auth_validator)
+      auth_validator.token_issuer_matches?
     end
   end
 end

data/prx_auth.gemspec

@@ -21,12 +21,12 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.3'
 
   spec.add_development_dependency 'bundler', '~> 2.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '~> 12.3.3'
   spec.add_development_dependency 'coveralls', '~> 0'
   spec.add_development_dependency 'guard'
   spec.add_development_dependency 'guard-minitest'
 
   spec.add_dependency 'rack', '>= 1.5.2'
   spec.add_dependency 'json', '>= 1.8.1'
-  spec.add_dependency 'json-jwt', '~> 1.9.4'
+  spec.add_dependency 'json-jwt', '~> 1.12.0'
 end

data/test/prx_auth/scope_list_test.rb

@@ -12,7 +12,7 @@ describe PrxAuth::ScopeList do
   it 'looks up successfully for a given scope' do
     assert list.contains?('write')
   end
-  
+
   it 'scans for symbols' do
     assert list.contains?(:read)
   end
@@ -27,7 +27,7 @@ describe PrxAuth::ScopeList do
 
   describe 'with namespace' do
     let (:scopes) { 'ns1:hello ns2:goodbye aloha 1:23' }
-    
+
     it 'works for namespaced lookups' do
       assert list.contains?(:ns1, :hello)
     end
@@ -76,6 +76,11 @@ describe PrxAuth::ScopeList do
       assert sl.to_s == 'The-Beginning the-end'
     end
 
+    it 'dedups and condenses' do
+      sl = new_list('one ns1:two ns2:two one three three') - new_list('ns1:two three')
+      assert_equal sl.length, 2
+      assert_equal sl.to_s, 'one ns2:two'
+    end
   end
 
   describe '#+' do
@@ -86,6 +91,12 @@ describe PrxAuth::ScopeList do
       assert sl.contains?(:two)
     end
 
+    it 'dedups and condenses' do
+      sl = new_list('one ns1:one two') + new_list('two three') + new_list('two')
+      assert_equal sl.length, 3
+      assert_equal sl.to_s, 'one two three'
+    end
+
     it 'accepts nil' do
       sl = new_list('one two') + nil
       assert sl.contains?(:one) && sl.contains?(:two)
@@ -126,4 +137,4 @@ describe PrxAuth::ScopeList do
       refute_equal PrxAuth::ScopeList.new("foo bar"), PrxAuth::ScopeList.new("foo:bar bar:foo")
     end
   end
-end
+end

data/test/rack/prx_auth/auth_validator_test.rb

@@ -0,0 +1,141 @@
+require 'test_helper'
+
+describe Rack::PrxAuth::AuthValidator do
+  let(:app) { Proc.new {|env| env } }
+  let(:auth_validator) { Rack::PrxAuth::AuthValidator.new(token, certificate, 'id.local.test') }
+
+  let(:token) { 'some.token.foo' }
+
+  let(:iat) { Time.now.to_i }
+  let(:exp) { 3600 }
+  let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+  let(:certificate) { Rack::PrxAuth::Certificate.new }
+
+  describe '#token_issuer_matches' do
+    it 'false if the token is from another issuer' do
+      auth_validator.stub(:claims, claims) do
+        refute auth_validator.token_issuer_matches?
+      end
+    end
+
+    it 'is false if the issuer in the validator does not match' do
+      auth_validator.stub(:issuer, 'id.foo.com') do
+        refute auth_validator.token_issuer_matches?
+      end
+    end
+  end
+
+  describe '#valid?' do
+    it 'is false if token is invalid' do
+      auth_validator.stub(:claims, claims) do
+        refute auth_validator.valid?
+      end
+    end
+
+    it 'is false if the token is nil' do
+      certificate.stub(:valid?, true) do
+        auth_validator.stub(:token, nil) do
+          refute auth_validator.valid?
+        end
+      end
+    end
+  end
+
+  describe '#expired?' do
+
+    def expired?(claims)
+      auth_validator.stub(:claims, claims) do
+        auth_validator.expired?
+      end
+    end
+
+    describe 'with a malformed exp' do
+      let(:iat) { Time.now.to_i }
+      let(:exp) { 3600 }
+
+      it 'is expired if iat + exp are in the past' do
+        claims['iat'] -= 3631
+
+        assert expired?(claims)
+      end
+
+      it 'is not expired if iat + exp are in the future' do
+        claims['iat'] = Time.now.to_i - 3599
+
+        refute expired?(claims)
+      end
+
+      it 'allows a 30s clock jitter' do
+        claims['iat'] = Time.now.to_i - 3629
+
+        refute expired?(claims)
+      end
+    end
+
+    describe 'with a corrected exp' do
+      let(:iat) { Time.now.to_i - 3600 }
+      let(:exp) { Time.now.to_i + 1 }
+
+      it 'is not expired if exp is in the future' do
+        refute expired?(claims)
+      end
+
+      it 'is expired if exp is in the past (with 30s jitter grace)' do
+        claims['exp'] = Time.now.to_i - 31
+        assert expired?(claims)
+        claims['exp'] = Time.now.to_i - 29
+        refute expired?(claims)
+      end
+    end
+  end
+
+  describe '#time_to_live' do
+    def time_to_live(claims)
+      auth_validator.stub(:claims, claims) do
+        auth_validator.time_to_live
+      end
+    end
+
+    it 'returns the ttl without any clock jitter correction' do
+      claims['exp'] = Time.now.to_i + 999
+      assert_equal time_to_live(claims), 999
+    end
+
+    it 'handles missing exp' do
+      claims['exp'] = nil
+      assert_equal time_to_live(claims), 0
+    end
+
+    it 'handles missing iat' do
+      claims['iat'] = nil
+      claims['exp'] = Time.now.to_i + 999
+      assert_equal time_to_live(claims), 999
+    end
+
+    it 'handles malformed exp' do
+      claims['iat'] = Time.now.to_i
+      claims['exp'] = 999
+      assert_equal time_to_live(claims), 999
+    end
+  end
+
+  describe '#decode_token' do
+    it 'should return an empty result for a nil token' do
+        auth_validator.stub(:token, nil) do
+          assert auth_validator.decode_token == {}
+        end
+    end
+
+    it 'should return an empty result for an empty token' do
+        auth_validator.stub(:token, '') do
+          assert auth_validator.decode_token == {}
+        end
+    end
+
+    it 'should return an empty result for a malformed token' do
+        auth_validator.stub(:token, token) do
+          assert auth_validator.decode_token == {}
+        end
+    end
+  end
+end

data/test/rack/prx_auth_test.rb

@@ -34,24 +34,34 @@ describe Rack::PrxAuth do
     end
 
     it 'returns 401 if verification fails' do
+      auth_validator = prxauth.build_auth_validator('sometoken')
+
       JSON::JWT.stub(:decode, claims) do
-        prxauth.stub(:valid?, false) do
-          assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
+        prxauth.stub(:build_auth_validator, auth_validator) do
+          auth_validator.stub(:valid?, false) do
+            assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
+          end
         end
       end
     end
 
     it 'returns 401 if access token has expired' do
+      auth_validator = prxauth.build_auth_validator('sometoken')
+
       JSON::JWT.stub(:decode, claims) do
-        prxauth.stub(:expired?, true) do
-          assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
+        prxauth.stub(:build_auth_validator, auth_validator) do
+          auth_validator.stub(:expired?, true) do
+            assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
+          end
         end
       end
     end
 
     it 'attaches claims to request params if verification passes' do
-      prxauth.stub(:decode_token, claims) do
-        prxauth.stub(:valid?, true) do
+      auth_validator = prxauth.build_auth_validator('sometoken')
+
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:build_auth_validator, auth_validator) do
           prxauth.call(env)['prx.auth'].tap do |token|
             assert token.instance_of? Rack::PrxAuth::TokenData
             assert token.user_id == claims['sub']
@@ -61,52 +71,6 @@ describe Rack::PrxAuth do
     end
   end
 
-  describe '#expired?' do
-
-    def expired?(claims)
-      prxauth.send(:expired?, claims)
-    end
-
-    describe 'with a malformed exp' do
-      let(:iat) { Time.now.to_i }
-      let(:exp) { 3600 }
-
-      it 'is expired if iat + exp are in the past' do
-        claims['iat'] -= 3631
-
-        assert expired?(claims)
-      end
-
-      it 'is not expired if iat + exp are in the future' do
-        claims['iat'] = Time.now.to_i - 3599
-
-        refute expired?(claims)
-      end
-
-      it 'allows a 30s clock jitter' do
-        claims['iat'] = Time.now.to_i - 3629
-
-        refute expired?(claims)
-      end
-    end
-
-    describe 'with a corrected exp' do
-      let(:iat) { Time.now.to_i - 3600 }
-      let(:exp) { Time.now.to_i + 1 }
-
-      it 'is not expired if exp is in the future' do
-        refute expired?(claims)
-      end
-
-      it 'is expired if exp is in the past (with 30s jitter grace)' do
-        claims['exp'] = Time.now.to_i - 31
-        assert expired?(claims)
-        claims['exp'] = Time.now.to_i - 29
-        refute expired?(claims)
-      end
-    end
-  end
-
   describe 'initialize' do
     it 'takes a certificate location as an option' do
       loc = nil
@@ -116,18 +80,4 @@ describe Rack::PrxAuth do
       end
     end
   end
-
-  describe '#decode_token' do
-    it 'should return an empty result for a nil token' do
-      assert prxauth.send(:decode_token, nil) == {}
-    end
-
-    it 'should return an empty result for an empty token' do
-      assert prxauth.send(:decode_token, {}) == {}
-    end
-
-    it 'should return an empty result for a malformed token' do
-      assert prxauth.send(:decode_token, 'asdfsadfsad') == {}
-    end
-  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.7.1
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-21 00:00:00.000000000 Z
+date: 2022-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -31,14 +31,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
@@ -115,14 +115,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.4
+        version: 1.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.9.4
+        version: 1.12.0
 description: Specific to PRX. Will ignore tokens that were not issued by PRX.
 email:
 - eve@prx.org
@@ -144,11 +144,13 @@ files:
 - lib/prx_auth/scope_list.rb
 - lib/prx_auth/version.rb
 - lib/rack/prx_auth.rb
+- lib/rack/prx_auth/auth_validator.rb
 - lib/rack/prx_auth/certificate.rb
 - lib/rack/prx_auth/token_data.rb
 - prx_auth.gemspec
 - test/prx_auth/resource_map_test.rb
 - test/prx_auth/scope_list_test.rb
+- test/rack/prx_auth/auth_validator_test.rb
 - test/rack/prx_auth/certificate_test.rb
 - test/rack/prx_auth/token_data_test.rb
 - test/rack/prx_auth_test.rb
@@ -172,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Utilites for parsing PRX JWTs and Rack middleware that verifies and attaches
@@ -180,6 +182,7 @@ summary: Utilites for parsing PRX JWTs and Rack middleware that verifies and att
 test_files:
 - test/prx_auth/resource_map_test.rb
 - test/prx_auth/scope_list_test.rb
+- test/rack/prx_auth/auth_validator_test.rb
 - test/rack/prx_auth/certificate_test.rb
 - test/rack/prx_auth/token_data_test.rb
 - test/rack/prx_auth_test.rb