prx_auth 1.7.1 → 1.8.0

data/test/rack/prx_auth/certificate_test.rb

@@ -1,25 +1,25 @@
-require 'test_helper'
+require "test_helper"
 
 describe Rack::PrxAuth::Certificate do
   let(:subject) { Rack::PrxAuth::Certificate.new }
   let(:certificate) { subject }
 
-  describe '#initialize' do
-    it 'allows setting the location of the certificates' do
-      cert = Rack::PrxAuth::Certificate.new('http://example.com')
-      assert cert.cert_location == URI('http://example.com')
+  describe "#initialize" do
+    it "allows setting the location of the certificates" do
+      cert = Rack::PrxAuth::Certificate.new("http://example.com")
+      assert cert.cert_location == URI("http://example.com")
     end
 
-    it 'defaults to DEFAULT_CERT_LOC' do
+    it "defaults to DEFAULT_CERT_LOC" do
       assert certificate.cert_location == Rack::PrxAuth::Certificate::DEFAULT_CERT_LOC
     end
   end
 
-  describe '#valid?' do
-    it 'validates the token with the public key' do
+  describe "#valid?" do
+    it "validates the token with the public key" do
       token, key = nil, nil
       certificate.stub(:public_key, :public_key) do
-        JSON::JWT.stub(:decode, Proc.new {|t, k| token, key = t, k }) do
+        JSON::JWT.stub(:decode, proc { |t, k| token, key = t, k }) do
           certificate.valid?(:token)
         end
       end
@@ -28,8 +28,8 @@ describe Rack::PrxAuth::Certificate do
       assert key == :public_key
     end
 
-    it 'returns false if verification fails' do
-      JSON::JWT.stub(:decode, Proc.new do |t, k|
+    it "returns false if verification fails" do
+      JSON::JWT.stub(:decode, proc do |t, k|
         raise JSON::JWT::VerificationFailed
       end) do
         certificate.stub(:public_key, :foo) do
@@ -38,7 +38,7 @@ describe Rack::PrxAuth::Certificate do
       end
     end
 
-    it 'returns true if verification passes' do
+    it "returns true if verification passes" do
       JSON::JWT.stub(:decode, {}) do
         certificate.stub(:public_key, :foo) do
           assert certificate.valid?(:token)
@@ -47,8 +47,8 @@ describe Rack::PrxAuth::Certificate do
     end
   end
 
-  describe '#certificate' do
-    it 'calls fetch if unprimed' do
+  describe "#certificate" do
+    it "calls fetch if unprimed" do
       def certificate.fetch
         :sigil
       end
@@ -57,16 +57,16 @@ describe Rack::PrxAuth::Certificate do
     end
   end
 
-  describe '#public_key' do
-    it 'pulls from the certificate' do
+  describe "#public_key" do
+    it "pulls from the certificate" do
       certificate.stub(:certificate, Struct.new(:public_key).new(:key)) do
         assert certificate.send(:public_key) == :key
       end
     end
   end
 
-  describe '#fetch' do
-    it 'pulls from `#cert_location`' do
+  describe "#fetch" do
+    it "pulls from `#cert_location`" do
       Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
         OpenSSL::X509::Certificate.stub(:new, ->(x) { x }) do
           certificate.stub(:cert_location, "a://fake.url/here") do
@@ -76,7 +76,7 @@ describe Rack::PrxAuth::Certificate do
       end
     end
 
-    it 'sets the expiration value' do
+    it "sets the expiration value" do
       Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
         OpenSSL::X509::Certificate.stub(:new, ->(_) { Struct.new(:not_after).new(Time.now + 10000) }) do
           certificate.send :certificate
@@ -86,41 +86,41 @@ describe Rack::PrxAuth::Certificate do
     end
   end
 
-  describe '#expired?' do
+  describe "#expired?" do
     let(:stub_cert) { Struct.new(:not_after).new(Time.now + 10000) }
     before(:each) do
-      certificate.instance_variable_set :'@certificate', stub_cert
+      certificate.instance_variable_set :@certificate, stub_cert
     end
 
-    it 'is false when the certificate is not expired' do
+    it "is false when the certificate is not expired" do
       assert !certificate.send(:expired?)
     end
 
-    it 'is true when the certificate is expired' do
+    it "is true when the certificate is expired" do
       stub_cert.not_after = Time.now - 500
       assert certificate.send(:expired?)
     end
   end
 
-  describe '#needs_refresh?' do
+  describe "#needs_refresh?" do
     def refresh_at=(time)
-      certificate.instance_variable_set :'@refresh_at', time
+      certificate.instance_variable_set :@refresh_at, time
     end
 
-    it 'is true if certificate is expired' do
+    it "is true if certificate is expired" do
       certificate.stub(:expired?, true) do
         assert certificate.send(:needs_refresh?)
       end
     end
 
-    it 'is true if we are past refresh value' do
+    it "is true if we are past refresh value" do
       self.refresh_at = Time.now.to_i - 1000
       certificate.stub(:expired?, false) do
         assert certificate.send(:needs_refresh?)
       end
     end
 
-    it 'is false if certificate is not expired and refresh is in the future' do
+    it "is false if certificate is not expired and refresh is in the future" do
       self.refresh_at = Time.now.to_i + 10000
       certificate.stub(:expired?, false) do
         assert !certificate.send(:needs_refresh?)

data/test/rack/prx_auth/token_data_test.rb

@@ -1,101 +1,138 @@
-require 'test_helper'
+require "test_helper"
 
 describe Rack::PrxAuth::TokenData do
-  it 'pulls user_id from sub' do
-    token = Rack::PrxAuth::TokenData.new('sub' => 123)
+  it "pulls user_id from sub" do
+    token = Rack::PrxAuth::TokenData.new("sub" => 123)
     assert token.user_id == 123
   end
 
-  it 'pulls resources from aur' do
-    token = Rack::PrxAuth::TokenData.new('aur' => {'123' => 'admin'})
-    assert token.resources.include?('123')
+  it "pulls resources from aur" do
+    token = Rack::PrxAuth::TokenData.new("aur" => {"123" => "admin"})
+    assert token.resources.include?("123")
   end
 
-  it 'unpacks compressed aur' do
-    token = Rack::PrxAuth::TokenData.new('aur' => {
-      '123' => 'member',
-      '$' => {
-        'admin' => [456, 789, 1011]
+  it "unpacks compressed aur" do
+    token = Rack::PrxAuth::TokenData.new("aur" => {
+      "123" => "member",
+      "$" => {
+        "admin" => [456, 789, 1011]
       }
     })
-    assert !token.resources.include?('$')
-    assert token.resources.include?('789')
-    assert token.resources.include?('123')
+    assert !token.resources.include?("$")
+    assert token.resources.include?("789")
+    assert token.resources.include?("123")
   end
 
-  describe '#resources' do
-    let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur) }
-    let(:aur) { {'123' => 'admin ns1:namespaced', '456' => 'member' } }
+  describe "#resources" do
+    let(:token) { Rack::PrxAuth::TokenData.new("aur" => aur) }
+    let(:aur) { {"123" => "admin ns1:namespaced", "456" => "member"} }
 
-    it 'scans for resources by namespace and scope' do
-      assert token.resources(:admin) == ['123']
+    it "scans for resources by namespace and scope" do
+      assert token.resources(:admin) == ["123"]
       assert token.resources(:namespaced) == []
-      assert token.resources(:member) == ['456']
-      assert token.resources(:ns1, :namespaced) == ['123']
-      assert token.resources(:ns1, :member) == ['456']
+      assert token.resources(:member) == ["456"]
+      assert token.resources(:ns1, :namespaced) == ["123"]
+      assert token.resources(:ns1, :member) == ["456"]
     end
   end
 
-  describe '#authorized?' do
-    let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur, 'scope' => scope) }
-    let(:scope) { 'read write purchase sell delete' }
-    let(:aur) { {'123' => 'admin ns1:namespaced', '456' => 'member' } }
+  describe "#authorized?" do
+    let(:token) { Rack::PrxAuth::TokenData.new("aur" => aur, "scope" => scope) }
+    let(:scope) { "read write purchase sell delete" }
+    let(:aur) { {"123" => "admin ns1:namespaced", "456" => "member"} }
 
-    it 'is authorized for scope in aur' do
-      assert token.authorized?(123, 'admin')
+    it "is authorized for scope in aur" do
+      assert token.authorized?(123, "admin")
     end
 
-    it 'is not authorized across aur limits' do
+    it "is not authorized across aur limits" do
       assert !token.authorized?(123, :member)
     end
 
-    it 'does not require a scope' do
+    it "does not require a scope" do
       assert token.authorized?(123)
     end
 
-    it 'is unauthorized if it hasnt seen the resource' do
+    it "is unauthorized if it hasnt seen the resource" do
       assert !token.authorized?(789)
     end
 
-    it 'works for namespaced scopes' do
+    it "works for namespaced scopes" do
       assert token.authorized?(123, :ns1, :namespaced)
       assert !token.authorized?(123, :namespaced)
       assert token.authorized?(123, :ns1, :admin)
     end
 
-    describe 'with wildcard role' do
-      let(:aur) { {'*' => 'peek', '123' => 'admin', '456' => 'member' } }
+    describe "with wildcard role" do
+      let(:aur) { {"*" => "peek", "123" => "admin", "456" => "member"} }
 
-      it 'applies wildcard tokens to queries with no matching aur' do
+      it "applies wildcard tokens to queries with no matching aur" do
         assert token.authorized?(789, :peek)
       end
 
-      it 'does not authorize unscoped for wildcard resources' do
+      it "does not authorize unscoped for wildcard resources" do
         assert !token.authorized?(789)
       end
 
-      it 'allows querying by wildcard resource directly' do
-        assert token.authorized?('*', :peek)
-        assert !token.authorized?('*', :admin)
+      it "allows querying by wildcard resource directly" do
+        assert token.authorized?("*", :peek)
+        assert !token.authorized?("*", :admin)
       end
 
-      it 'has a shorthand `gobally_authorized?` to query wildcard' do
+      it "has a shorthand `gobally_authorized?` to query wildcard" do
         assert token.globally_authorized?(:peek)
         assert !token.globally_authorized?(:admin)
       end
 
-      it 'treats global authorizations as additive to other explicit ones' do
+      it "treats global authorizations as additive to other explicit ones" do
         assert token.authorized?(123, :peek)
       end
 
-      it 'refuses to run `globally_authorized?` with no scope' do
+      it "refuses to run `globally_authorized?` with no scope" do
         assert_raises ArgumentError do
           token.globally_authorized?
         end
         assert_raises ArgumentError do
-          token.authorized?('*')
+          token.authorized?("*")
         end
       end
     end
+
+    describe "#except" do
+      let(:token) { Rack::PrxAuth::TokenData.new("aur" => aur) }
+      let(:aur) { {"123" => "admin ns1:namespaced", "456" => "member"} }
+
+      it "removes resources from the aur" do
+        token2 = token.except(123)
+
+        assert token.authorized?(123, "admin")
+        assert token.authorized?(456, "member")
+
+        refute token2.authorized?(123, "admin")
+        assert token2.authorized?(456, "member")
+
+        # the ! version modifies the token
+        token2.except!(456)
+        refute token2.authorized?(456, "member")
+      end
+    end
+
+    describe "#empty_resources?" do
+      it "checks if the user has access to any resources" do
+        token = Rack::PrxAuth::TokenData.new("aur" => {"123" => "anything"})
+        refute token.empty_resources?
+        assert token.except("123").empty_resources?
+      end
+
+      it "checks for empty scopes" do
+        token = Rack::PrxAuth::TokenData.new("aur" => {"123" => ""})
+        assert token.empty_resources?
+      end
+
+      it "is not empty with wildcard auth" do
+        token = Rack::PrxAuth::TokenData.new("aur" => {"*" => "anything"})
+        refute token.empty_resources?
+      end
+    end
   end
 end

data/test/rack/prx_auth_test.rb

@@ -1,40 +1,40 @@
-require 'test_helper'
+require "test_helper"
 
 describe Rack::PrxAuth do
-  let(:app) { Proc.new {|env| env } }
+  let(:app) { proc { |env| env } }
   let(:prxauth) { Rack::PrxAuth.new(app) }
-  let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
-  let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
+  let(:fake_token) { "afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign" }
+  let(:env) { {"HTTP_AUTHORIZATION" => "Bearer " + fake_token} }
   let(:iat) { Time.now.to_i }
   let(:exp) { 3600 }
-  let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+  let(:claims) { {"sub" => 3, "exp" => exp, "iat" => iat, "token_type" => "bearer", "scope" => nil, "iss" => "id.prx.org"} }
 
-  describe '#call' do
-    it 'does nothing if there is no authorization header' do
+  describe "#call" do
+    it "does nothing if there is no authorization header" do
       env = {}
 
       assert prxauth.call(env.clone) == env
     end
 
-    it 'does nothing if the token is from another issuer' do
-      claims['iss'] = 'auth.elsewhere.org'
+    it "does nothing if the token is from another issuer" do
+      claims["iss"] = "auth.elsewhere.org"
 
       JSON::JWT.stub(:decode, claims) do
         assert prxauth.call(env.clone) == env
       end
     end
 
-    it 'does nothing if token is invalid' do
+    it "does nothing if token is invalid" do
       assert prxauth.call(env.clone) == env
     end
 
-    it 'does nothing if the token is nil' do
-      env = { "HTTP_AUTHORIZATION" => "Bearer "}
+    it "does nothing if the token is nil" do
+      env = {"HTTP_AUTHORIZATION" => "Bearer "}
       assert prxauth.call(env) == env
     end
 
-    it 'returns 401 if verification fails' do
-      auth_validator = prxauth.build_auth_validator('sometoken')
+    it "returns 401 if verification fails" do
+      auth_validator = prxauth.build_auth_validator("sometoken")
 
       JSON::JWT.stub(:decode, claims) do
         prxauth.stub(:build_auth_validator, auth_validator) do
@@ -45,8 +45,8 @@ describe Rack::PrxAuth do
       end
     end
 
-    it 'returns 401 if access token has expired' do
-      auth_validator = prxauth.build_auth_validator('sometoken')
+    it "returns 401 if access token has expired" do
+      auth_validator = prxauth.build_auth_validator("sometoken")
 
       JSON::JWT.stub(:decode, claims) do
         prxauth.stub(:build_auth_validator, auth_validator) do
@@ -57,24 +57,24 @@ describe Rack::PrxAuth do
       end
     end
 
-    it 'attaches claims to request params if verification passes' do
-      auth_validator = prxauth.build_auth_validator('sometoken')
+    it "attaches claims to request params if verification passes" do
+      auth_validator = prxauth.build_auth_validator("sometoken")
 
       JSON::JWT.stub(:decode, claims) do
         prxauth.stub(:build_auth_validator, auth_validator) do
-          prxauth.call(env)['prx.auth'].tap do |token|
+          prxauth.call(env)["prx.auth"].tap do |token|
             assert token.instance_of? Rack::PrxAuth::TokenData
-            assert token.user_id == claims['sub']
+            assert token.user_id == claims["sub"]
           end
         end
       end
     end
   end
 
-  describe 'initialize' do
-    it 'takes a certificate location as an option' do
+  describe "initialize" do
+    it "takes a certificate location as an option" do
       loc = nil
-      Rack::PrxAuth::Certificate.stub(:new, Proc.new{|l| loc = l}) do
+      Rack::PrxAuth::Certificate.stub(:new, proc { |l| loc = l }) do
         Rack::PrxAuth.new(app, cert_location: :location)
         assert loc == :location
       end

data/test/test_helper.rb

@@ -1,10 +1,12 @@
-require 'coveralls'
+require "coveralls"
 Coveralls.wear!
 
-$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
-require 'prx_auth'
-require 'rack/prx_auth'
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+require "prx_auth"
+require "rack/prx_auth"
+require "pry"
+require "pry-byebug"
 
-require 'minitest/autorun'
-require 'minitest/spec'
-require 'minitest/pride'
+require "minitest/autorun"
+require "minitest/spec"
+require "minitest/pride"

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth
 version: !ruby/object:Gem::Version
-  version: 1.7.1
+  version: 1.8.0
 platform: ruby
 authors:
 - Eve Asher
 - Chris Rhoden
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-05 00:00:00.000000000 Z
+date: 2023-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -81,6 +81,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: standard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -113,14 +155,14 @@ dependencies:
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.12.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.12.0
 description: Specific to PRX. Will ignore tokens that were not issued by PRX.
@@ -131,6 +173,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".git-blame-ignore-revs"
+- ".github/workflows/check-project-std.yml"
 - ".gitignore"
 - ".travis.yml"
 - CHANGELOG.md
@@ -159,7 +203,7 @@ homepage: https://github.com/PRX/prx_auth
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -174,16 +218,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: Utilites for parsing PRX JWTs and Rack middleware that verifies and attaches
   the token's claims to env.
-test_files:
-- test/prx_auth/resource_map_test.rb
-- test/prx_auth/scope_list_test.rb
-- test/rack/prx_auth/auth_validator_test.rb
-- test/rack/prx_auth/certificate_test.rb
-- test/rack/prx_auth/token_data_test.rb
-- test/rack/prx_auth_test.rb
-- test/test_helper.rb
+test_files: []