prx_auth 1.7.1 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b11c5af8dd4126044aa9d468a50dee909483bc6de84b6fa8f46362e208dac776
-  data.tar.gz: 8e308914d3c6f254130bbc02f245ec9a690ea3efbd67c7e03af27d89248e1285
+  metadata.gz: 80b52f104115aa7226438db0566660e430cec97a304798bf2098467d69a73547
+  data.tar.gz: a40db03c0c4a4f529231a8d7f63c80a8c6c50b5f7010c6cc84d6d63f399e5752
 SHA512:
-  metadata.gz: 1e41ac8e49eb3bbf6e77a60dbd7a607766dceecc131a221eaefb9d1c6251507cf9b526a7d031dc0a686dd32683ef9113031db1a6de957a86a19738ec9ad5a7d5
-  data.tar.gz: 27a2c10518729f37f366ff301835618c959ea7ef5a8446ee0ed0176b6f3046e820fedc58cbce6ce790f114875f98b2c68fbbc06592e8d9685a4eb985e0305d43
+  metadata.gz: cb2093473b3f817c9e0b7edf4eacd9427d3efa30d3338c344956a64c004876b788e1342615f72d20f2fcfd7e3ff79a1247180da65c9691c30a960dbafd7b0e2d
+  data.tar.gz: ed0ee1c6557b1a5420e9f6e195067de9b5440175c59cb8d6708f668464e86018c89d162d146b8e92fddf5c81594aedc86011d4c48a670796a9b989a62af81026

data/.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# 2023-04-12 Auto-fix all Ruby files with standardrb
+09e6ab7a47e225887bd0bdea221f2e54ed3cb101

data/.github/workflows/check-project-std.yml

@@ -0,0 +1,21 @@
+name: Check project standards
+
+on:
+  push
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      RAILS_ENV: test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Install Ruby and gems
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.0'
+          bundler-cache: true
+      - name: Lint Ruby files
+        run: bundle exec standardrb

data/Gemfile

@@ -1,4 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in rack-prx_auth.gemspec
 gemspec

data/Guardfile

@@ -1,8 +1,8 @@
 guard :minitest, all_after_pass: true do
-  watch(%r{^test/(.*)\/?test_(.*)\.rb})
-  watch(%r{^lib/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
-  watch(%r{^lib/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
-  watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^test/(.*)/?test_(.*)\.rb})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb}) { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/(.+)\.rb}) { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.+)\.rb}) { |m| "test/#{m[1]}_test.rb" }
   watch(%r{^test/.+_test\.rb})
-  watch(%r{^test/test_helper\.rb})                            { 'test' }
+  watch(%r{^test/test_helper\.rb}) { "test" }
 end

data/Rakefile

@@ -1,10 +1,10 @@
-require 'bundler/gem_tasks'
-require 'rake'
-require 'rake/testtask'
+require "bundler/gem_tasks"
+require "rake"
+require "rake/testtask"
 
 Rake::TestTask.new do |t|
-  t.libs << 'test'
-  t.pattern = 'test/**/*test.rb'
+  t.libs << "test"
+  t.pattern = "test/**/*test.rb"
 end
 
 task default: :test

data/lib/prx_auth/resource_map.rb

@@ -1,32 +1,30 @@
 module PrxAuth
   class ResourceMap < Hash
-    WILDCARD_KEY = '*'
+    WILDCARD_KEY = "*"
 
     def initialize(mapped_values)
       super() do |hash, key|
         if key == WILDCARD_KEY
           @wildcard
-        else
-          nil
         end
       end
       input = mapped_values.clone
-      @wildcard = ScopeList.new(input.delete(WILDCARD_KEY)||'')
+      @wildcard = ScopeList.new(input.delete(WILDCARD_KEY) || "")
       input.each do |(key, values)|
         self[key.to_s] = ScopeList.new(values)
       end
     end
 
-    def contains?(resource, namespace=nil, scope=nil)
+    def contains?(resource, namespace = nil, scope = nil)
       resource = resource.to_s
 
       if resource == WILDCARD_KEY
         raise ArgumentError if namespace.nil?
-      
+
         @wildcard.contains?(namespace, scope)
       else
         mapped_resource = self[resource]
-        
+
         if mapped_resource && !namespace.nil?
           mapped_resource.contains?(namespace, scope) || @wildcard.contains?(namespace, scope)
         elsif !namespace.nil?
@@ -45,37 +43,50 @@ module PrxAuth
       super(key.to_s, value)
     end
 
+    def except!(*keys)
+      keys.each { |key| delete(key.to_s) }
+      self
+    end
+
+    def except(*keys)
+      dup.except!(*keys)
+    end
+
+    def empty?
+      @wildcard.empty? && (super || values.all?(&:empty?))
+    end
+
     def condense
       condensed_wildcard = @wildcard.condense
-      condensed_map = Hash[map do |resource, list|
+      condensed_map = map do |resource, list|
         [resource, (list - condensed_wildcard).condense]
-      end]
+      end.to_h
       ResourceMap.new(condensed_map.merge(WILDCARD_KEY => condensed_wildcard))
     end
 
-    def +(other_map)
+    def +(other)
       result = {}
-      (resources + other_map.resources + [WILDCARD_KEY]).uniq.each do |resource|
+      (resources + other.resources + [WILDCARD_KEY]).uniq.each do |resource|
         list_a = list_for_resource(resource)
-        list_b = other_map.list_for_resource(resource)
+        list_b = other.list_for_resource(resource)
         result[resource] = if list_a.nil?
-                             list_b
-                           elsif list_b.nil?
-                             list_a
-                           else
-                             list_a + list_b
-                           end
+          list_b
+        elsif list_b.nil?
+          list_a
+        else
+          list_a + list_b
+        end
       end
 
       ResourceMap.new(result).condense
     end
 
-    def -(other_map)
+    def -(other)
       result = {}
-      other_wildcard = other_map.list_for_resource(WILDCARD_KEY) || PrxAuth::ScopeList.new('')
+      other_wildcard = other.list_for_resource(WILDCARD_KEY) || PrxAuth::ScopeList.new("")
 
       resources.each do |resource|
-        result[resource] = list_for_resource(resource) - (other_wildcard + other_map.list_for_resource(resource))
+        result[resource] = list_for_resource(resource) - (other_wildcard + other.list_for_resource(resource))
       end
 
       if @wildcard.length
@@ -85,21 +96,21 @@ module PrxAuth
       ResourceMap.new(result)
     end
 
-    def &(other_map)
+    def &(other)
       result = {}
-      other_wildcard = other_map.list_for_resource(WILDCARD_KEY)
-      
-      (resources + other_map.resources).uniq.each do |res|
+      other_wildcard = other.list_for_resource(WILDCARD_KEY)
+
+      (resources + other.resources).uniq.each do |res|
         left = list_for_resource(res)
-        right = other_map.list_for_resource(res)
+        right = other.list_for_resource(res)
 
         result[res] = if left.nil?
-                        right & @wildcard
-                      elsif right.nil?
-                        left & other_wildcard
-                      else
-                        (left + @wildcard) & (right + other_wildcard)
-                      end
+          right & @wildcard
+        elsif right.nil?
+          left & other_wildcard
+        else
+          (left + @wildcard) & (right + other_wildcard)
+        end
       end
 
       if @wildcard.length > 0
@@ -109,11 +120,11 @@ module PrxAuth
       ResourceMap.new(result).condense
     end
 
-    def as_json(opts={})
-      super(opts).merge(@wildcard.length > 0 ? {WILDCARD_KEY => @wildcard}.as_json(opts) : {})
+    def as_json(opts = {})
+      super(opts).merge((@wildcard.length > 0) ? {WILDCARD_KEY => @wildcard}.as_json(opts) : {})
     end
 
-    def resources(namespace=nil, scope=nil)
+    def resources(namespace = nil, scope = nil)
       if namespace.nil?
         keys
       else

data/lib/prx_auth/scope_list.rb

@@ -1,14 +1,14 @@
 module PrxAuth
   class ScopeList < Array
-    SCOPE_SEPARATOR = ' '
-    NAMESPACE_SEPARATOR = ':'
+    SCOPE_SEPARATOR = " "
+    NAMESPACE_SEPARATOR = ":"
     NO_NAMESPACE = :_
 
     Entry = Struct.new(:namespace, :scope, :string)
 
     class Entry
-      def ==(other_entry)
-        namespace == other_entry.namespace && scope == other_entry.scope
+      def ==(other)
+        namespace == other.namespace && scope == other.scope
       end
 
       def to_s
@@ -21,21 +21,21 @@ module PrxAuth
 
       def unnamespaced
         if namespaced?
-          Entry.new(NO_NAMESPACE, scope, string.split(':').last)
+          Entry.new(NO_NAMESPACE, scope, string.split(":").last)
         else
           self
         end
       end
 
       def inspect
-        "#<ScopeList::Entry \"#{to_s}\">"
+        "#<ScopeList::Entry \"#{self}\">"
       end
     end
 
     def self.new(list)
       case list
       when PrxAuth::ScopeList then list
-      when Array then super(list.join(' '))
+      when Array then super(list.join(" "))
       else super(list)
       end
     end
@@ -54,15 +54,15 @@ module PrxAuth
       end
     end
 
-    def contains?(namespace, scope=nil)
+    def contains?(namespace, scope = nil)
       entries = if scope.nil?
-                  scope, namespace = namespace, NO_NAMESPACE
-                  [Entry.new(namespace, symbolize(scope), nil)]
-                else
-                  scope = symbolize(scope)
-                  namespace = symbolize(namespace)
-                  [Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
-                end
+        scope, namespace = namespace, NO_NAMESPACE
+        [Entry.new(namespace, symbolize(scope), nil)]
+      else
+        scope = symbolize(scope)
+        namespace = symbolize(namespace)
+        [Entry.new(namespace, scope, nil), Entry.new(NO_NAMESPACE, scope, nil)]
+      end
 
       entries.any? do |possible_match|
         include?(possible_match)
@@ -92,18 +92,18 @@ module PrxAuth
       end
     end
 
-    def as_json(opts=())
+    def as_json(opts = ()) # standard:disable Lint/EmptyExpression
       to_s.as_json(opts)
     end
 
-    def -(other_scope_list)
-      return self if other_scope_list.nil?
+    def -(other)
+      return self if other.nil?
 
       tripped = false
       result = []
 
       each do |entry|
-        if other_scope_list.include?(entry) || other_scope_list.include?(entry.unnamespaced)
+        if other.include?(entry) || other.include?(entry.unnamespaced)
           tripped = true
         else
           result << entry
@@ -117,16 +117,16 @@ module PrxAuth
       end
     end
 
-    def +(other_list)
-      return self if other_list.nil?
+    def +(other)
+      return self if other.nil?
 
-      ScopeList.new([to_s, other_list.to_s].join(SCOPE_SEPARATOR)).condense
+      ScopeList.new([to_s, other.to_s].join(SCOPE_SEPARATOR)).condense
     end
 
-    def &(other_list)
-      return ScopeList.new('') if other_list.nil?
+    def &(other)
+      return ScopeList.new("") if other.nil?
 
-      self - (self - other_list) + (other_list - (other_list - self))
+      self - (self - other) + (other - (other - self))
     end
 
     def ==(other)
@@ -138,7 +138,7 @@ module PrxAuth
     def symbolize(value)
       case value
       when Symbol then value
-      when String then value.downcase.gsub('-', '_').intern
+      when String then value.downcase.tr("-", "_").intern
       else symbolize value.to_s
       end
     end

data/lib/prx_auth/version.rb

@@ -1,3 +1,3 @@
 module PrxAuth
-  VERSION = "1.7.1"
+  VERSION = "1.8.0"
 end

data/lib/prx_auth.rb

@@ -1,3 +1,3 @@
-require 'prx_auth/resource_map'
-require 'prx_auth/scope_list'
-require 'prx_auth/version'
+require "prx_auth/resource_map"
+require "prx_auth/scope_list"
+require "prx_auth/version"

data/lib/rack/prx_auth/auth_validator.rb

@@ -1,9 +1,8 @@
-require 'json/jwt'
+require "json/jwt"
 
 module Rack
   class PrxAuth
     class AuthValidator
-
       attr_reader :issuer, :token
 
       def initialize(token, certificate = nil, issuer = nil)
@@ -40,18 +39,18 @@ module Rack
 
       def time_to_live
         now = Time.now.to_i
-        if claims['exp'].nil?
+        if claims["exp"].nil?
           0
-        elsif claims['iat'].nil? || claims['iat'] <= claims['exp']
-          claims['exp'] - now
+        elsif claims["iat"].nil? || claims["iat"] <= claims["exp"]
+          claims["exp"] - now
         else
           # malformed - exp is a num-seconds offset from issued-at-time
-          (claims['iat'] + claims['exp']) - now
+          (claims["iat"] + claims["exp"]) - now
         end
       end
 
       def token_issuer_matches?
-        claims['iss'] == @issuer
+        claims["iss"] == @issuer
       end
     end
   end

data/lib/rack/prx_auth/certificate.rb

@@ -1,11 +1,11 @@
-require 'json/jwt'
-require 'net/http'
+require "json/jwt"
+require "net/http"
 
 module Rack
   class PrxAuth
     class Certificate
       EXPIRES_IN = 43200
-      DEFAULT_CERT_LOC = URI('https://id.prx.org/api/v1/certs')
+      DEFAULT_CERT_LOC = URI("https://id.prx.org/api/v1/certs")
 
       attr_reader :cert_location
 
@@ -15,13 +15,11 @@ module Rack
       end
 
       def valid?(token)
-        begin
-          JSON::JWT.decode(token, public_key)
-        rescue JSON::JWT::VerificationFailed
-          false
-        else
-          true
-        end
+        JSON::JWT.decode(token, public_key)
+      rescue JSON::JWT::VerificationFailed
+        false
+      else
+        true
       end
 
       private
@@ -39,7 +37,7 @@ module Rack
 
       def fetch
         certs = JSON.parse(Net::HTTP.get(cert_location))
-        cert_string = certs['certificates'].values[0]
+        cert_string = certs["certificates"].values[0]
         @refresh_at = Time.now.to_i + EXPIRES_IN
         OpenSSL::X509::Certificate.new(cert_string)
       end

data/lib/rack/prx_auth/token_data.rb

@@ -1,4 +1,4 @@
-require 'prx_auth/resource_map'
+require "prx_auth/resource_map"
 
 module Rack
   class PrxAuth
@@ -8,28 +8,28 @@ module Rack
       def initialize(attrs = {})
         @attributes = attrs
 
-        @authorized_resources = ::PrxAuth::ResourceMap.new(unpack_aur(attrs['aur'])).freeze
-        
-        if attrs['scope']
-          @scopes = attrs['scope'].split(' ').freeze
+        @authorized_resources = ::PrxAuth::ResourceMap.new(unpack_aur(attrs["aur"])).freeze
+
+        @scopes = if attrs["scope"]
+          attrs["scope"].split(" ").freeze
         else
-          @scopes = [].freeze
+          [].freeze
         end
       end
 
-      def resources(namespace=nil, scope=nil)
+      def resources(namespace = nil, scope = nil)
         @authorized_resources.resources(namespace, scope)
       end
 
       def user_id
-        @attributes['sub']
+        @attributes["sub"]
       end
 
-      def authorized?(resource, namespace=nil, scope=nil)
+      def authorized?(resource, namespace = nil, scope = nil)
         @authorized_resources.contains?(resource, namespace, scope)
       end
 
-      def globally_authorized?(namespace, scope=nil)
+      def globally_authorized?(namespace, scope = nil)
         authorized?(::PrxAuth::ResourceMap::WILDCARD_KEY, namespace, scope)
       end
 
@@ -37,14 +37,27 @@ module Rack
         resources(::PrxAuth::Rails.configuration.namespace, scope).map(&:to_i)
       end
 
+      def except!(*resources)
+        @authorized_resources = @authorized_resources.except(*resources)
+        self
+      end
+
+      def except(*resources)
+        dup.except!(*resources)
+      end
+
+      def empty_resources?
+        @authorized_resources.empty?
+      end
+
       private
 
       def unpack_aur(aur)
         return {} if aur.nil?
 
         aur.clone.tap do |result|
-          unless result['$'].nil?
-            result.delete('$').each do |role, resources|
+          unless result["$"].nil?
+            result.delete("$").each do |role, resources|
               resources.each do |res|
                 result[res.to_s] = role
               end

data/lib/rack/prx_auth.rb

@@ -1,17 +1,17 @@
-require 'json/jwt'
-require 'rack/prx_auth/certificate'
-require 'rack/prx_auth/token_data'
-require 'rack/prx_auth/auth_validator'
-require 'prx_auth'
+require "json/jwt"
+require "rack/prx_auth/certificate"
+require "rack/prx_auth/token_data"
+require "rack/prx_auth/auth_validator"
+require "prx_auth"
 
 module Rack
   class PrxAuth
     INVALID_TOKEN = [
-      401, {'Content-Type' => 'application/json'},
-      [{status: 401, error: 'Invalid JSON Web Token'}.to_json]
+      401, {"Content-Type" => "application/json"},
+      [{status: 401, error: "Invalid JSON Web Token"}.to_json]
     ]
 
-    DEFAULT_ISS = 'id.prx.org'
+    DEFAULT_ISS = "id.prx.org"
 
     attr_reader :issuer
 
@@ -26,16 +26,16 @@ module Rack
     end
 
     def call(env)
-      return @app.call(env) unless env['HTTP_AUTHORIZATION']
+      return @app.call(env) unless env["HTTP_AUTHORIZATION"]
 
-      token = env['HTTP_AUTHORIZATION'].split[1]
+      token = env["HTTP_AUTHORIZATION"].split[1]
 
       auth_validator = build_auth_validator(token)
 
       return @app.call(env) unless should_validate_token?(auth_validator)
 
       if auth_validator.valid?
-        env['prx.auth'] = TokenData.new(auth_validator.claims)
+        env["prx.auth"] = TokenData.new(auth_validator.claims)
         @app.call(env)
       else
         INVALID_TOKEN

data/prx_auth.gemspec

@@ -1,32 +1,33 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'prx_auth/version'
+require "prx_auth/version"
 
 Gem::Specification.new do |spec|
-  spec.name          = "prx_auth"
-  spec.version       = PrxAuth::VERSION
-  spec.authors       = ["Eve Asher", "Chris Rhoden"]
-  spec.email         = ["eve@prx.org", "carhoden@gmail.com"]
-  spec.summary       = %q{Utilites for parsing PRX JWTs and Rack middleware that verifies and attaches the token's claims to env.}
-  spec.description   = %q{Specific to PRX. Will ignore tokens that were not issued by PRX.}
-  spec.homepage      = "https://github.com/PRX/prx_auth"
-  spec.license       = "MIT"
+  spec.name = "prx_auth"
+  spec.version = PrxAuth::VERSION
+  spec.authors = ["Eve Asher", "Chris Rhoden"]
+  spec.email = ["eve@prx.org", "carhoden@gmail.com"]
+  spec.summary = "Utilites for parsing PRX JWTs and Rack middleware that verifies and attaches the token's claims to env."
+  spec.description = "Specific to PRX. Will ignore tokens that were not issued by PRX."
+  spec.homepage = "https://github.com/PRX/prx_auth"
+  spec.license = "MIT"
 
-  spec.files         = `git ls-files -z`.split("\x0")
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^test/})
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = '>= 2.3'
+  spec.required_ruby_version = ">= 2.3"
 
-  spec.add_development_dependency 'bundler', '~> 2.0'
-  spec.add_development_dependency 'rake', '~> 12.3.3'
-  spec.add_development_dependency 'coveralls', '~> 0'
-  spec.add_development_dependency 'guard'
-  spec.add_development_dependency 'guard-minitest'
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 12.3.3"
+  spec.add_development_dependency "coveralls", "~> 0"
+  spec.add_development_dependency "guard"
+  spec.add_development_dependency "guard-minitest"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "pry-byebug"
+  spec.add_development_dependency "standard"
 
-  spec.add_dependency 'rack', '>= 1.5.2'
-  spec.add_dependency 'json', '>= 1.8.1'
-  spec.add_dependency 'json-jwt', '~> 1.12.0'
+  spec.add_dependency "rack", ">= 1.5.2"
+  spec.add_dependency "json", ">= 1.8.1"
+  spec.add_dependency "json-jwt", ">= 1.12.0"
 end