rack-cloudflare-jwt 0.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 52042fd199a754f3e17a8af8f7c2d8199027bf8756dd28c0f198e70cea25588b
+  data.tar.gz: 37b5ee08766e991637676b22e722ec73d2936a7aeeb872bf9f7b6bad6a270064
+SHA512:
+  metadata.gz: 4595f288d91508cd7f6744aae41599e4b0396a4d555077cf6dc9315c18ab4e1124e456643701346d275f4d7859a4ecf6d9c38b18a4511f0a83b15fd0badf8e3e
+  data.tar.gz: 1411676c2c0df41fffbae2ba8288e09c6061c6011a7162363524b6f3e0b0cdbaef8502c54810b5cc38d71864c7d73ec9bb4c2a468ebc1595b4c306ec9a87d6c4

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Shuttlerock
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+# Rack::CloudflareJwt
+
+[![CircleCI](https://circleci.com/gh/Shuttlerock/rack-cloudflare-jwt.svg?style=svg)](https://circleci.com/gh/Shuttlerock/rack-cloudflare-jwt)
+
+## About
+
+This gem provides CloudFlare JSON Web Token (JWT) based authentication.
+
+## Requirements
+
+- Ruby 2.6.0 or greater
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'rack-cloudflare-jwt'
+```
+
+And then execute:
+
+```
+$ bundle install
+```
+
+Or install it directly with:
+
+```
+$ gem install rack-cloudflare-jwt
+```
+
+## Usage
+
+`Rack::CloudflareJwt::Auth` accepts several configuration options. All options are passed in a single Ruby Hash:
+
+* `policy_aud` : required : `String` : A Application Audience (AUD) Tag.
+
+* `include_paths` : optional : Array : An Array of path strings representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified paths as well (e.g. `%w(/docs)` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path not matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
+
+### Rails
+
+```ruby
+require 'rack/cloudflare_jwt'
+Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, policy_aud: 'xxx.yyy.zzz', include_paths: %w[/foo]
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/Shuttlerock/rack-cloudflare-jwt/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/lib/rack/cloudflare_jwt/auth.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'multi_json'
+require 'net/http'
+require 'rack/jwt'
+
+module Rack
+  module CloudflareJwt
+    # Authentication middleware
+    #
+    # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
+    class Auth
+      # Certs path
+      CERTS_PATH = '/cdn-cgi/access/certs'
+      # Default algorithm
+      DEFAULT_ALGORITHM = 'RS256'
+      # CloudFlare JWT header.
+      HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
+
+      # Token regex.
+      #
+      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+      TOKEN_REGEX = /
+        ^(
+        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+        [a-zA-Z0-9\-\_]+    # 1 or more chars, no trailing chars
+        )$
+      /x.freeze
+
+      attr_reader :policy_aud, :include_paths
+
+      # Initializes middleware
+      def initialize(app, opts = {})
+        @app           = app
+        @policy_aud    = opts.fetch(:policy_aud, nil)
+        @include_paths = opts.fetch(:include_paths, [])
+
+        check_policy_aud!
+        check_include_paths_type!
+      end
+
+      # Public: Call a middleware.
+      def call(env)
+        if !path_matches_include_paths?(env)
+          @app.call(env)
+        elsif missing_auth_header?(env)
+          return_error('Missing Authorization header')
+        elsif invalid_auth_header?(env)
+          return_error('Invalid Authorization header format')
+        else
+          verify_token(env)
+        end
+      end
+
+      private
+
+      # Private: Check policy aud.
+      def check_policy_aud!
+        return unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
+
+        raise ArgumentError, 'policy_aud argument cannot be nil/empty'
+      end
+
+      # Private: Check include_paths type.
+      def check_include_paths_type!
+        raise ArgumentError, 'include_paths argument must be an Array' unless include_paths.is_a?(Array)
+
+        include_paths.each do |path|
+          raise ArgumentError, 'each include_paths Array element must be a String' unless path.is_a?(String)
+          raise ArgumentError, 'each include_paths Array element must not be empty' if path.empty?
+          raise ArgumentError, 'each include_paths Array element must start with a /' unless path.start_with?('/')
+        end
+      end
+
+      # Private: Verify a token.
+      def verify_token(env)
+        # extract the token from header.
+        token         = env[HEADER_NAME]
+        decoded_token = public_keys(env).find do |key|
+          dt = decode_token(token, key.public_key)
+          break dt if dt
+        end
+
+        if decoded_token
+          env['jwt.payload'] = decoded_token.first
+          env['jwt.header']  = decoded_token.last
+          @app.call(env)
+        else
+          return_error('Invalid token')
+        end
+      end
+
+      # Private: Decode a token.
+      #
+      # Example:
+      #
+      #   [
+      #     {"data"=>"test"}, # payload
+      #     {"alg"=>"RS256"} # header
+      #   ]
+      #
+      # @return [Array<Hash>] the token.
+      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+      def decode_token(token, secret)
+        Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
+      rescue ::JWT::VerificationError
+        Rails.logger.info 'Invalid JWT token : Signature Verification Error'
+      rescue ::JWT::ExpiredSignature
+        Rails.logger.info 'Invalid JWT token : Expired Signature (exp)'
+      rescue ::JWT::IncorrectAlgorithm
+        Rails.logger.info 'Invalid JWT token : Incorrect Key Algorithm'
+      rescue ::JWT::ImmatureSignature
+        Rails.logger.info 'Invalid JWT token : Immature Signature (nbf)'
+      rescue ::JWT::InvalidIssuerError
+        Rails.logger.info 'Invalid JWT token : Invalid Issuer (iss)'
+      rescue ::JWT::InvalidIatError
+        Rails.logger.info 'Invalid JWT token : Invalid Issued At (iat)'
+      rescue ::JWT::InvalidAudError
+        Rails.logger.info 'Invalid JWT token : Invalid Audience (aud)'
+      rescue ::JWT::InvalidSubError
+        Rails.logger.info 'Invalid JWT token : Invalid Subject (sub)'
+      rescue ::JWT::InvalidJtiError
+        Rails.logger.info 'Invalid JWT token : Invalid JWT ID (jti)'
+      rescue ::JWT::DecodeError
+        Rails.logger.info 'Invalid JWT token : Decode Error'
+      end
+
+      # Private: Check if current path is in the include_paths.
+      #
+      # @return [Boolean] true if it is, false otherwise.
+      def path_matches_include_paths?(env)
+        include_paths.empty? || include_paths.any? { |ex| env['PATH_INFO'].start_with?(ex) }
+      end
+
+      # Private: Check if auth header is invalid.
+      #
+      # @return [Boolean] true if it is, false otherwise.
+      def invalid_auth_header?(env)
+        env[HEADER_NAME] !~ TOKEN_REGEX
+      end
+
+      # Private: Check if no auth header.
+      #
+      # @return [Boolean] true if it is, false otherwise.
+      def missing_auth_header?(env)
+        env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
+      end
+
+      # Private: Return an error.
+      def return_error(message)
+        body    = { error: message }.to_json
+        headers = { 'Content-Type' => 'application/json' }
+
+        [403, headers, [body]]
+      end
+
+      # Private: Get public keys.
+      #
+      # @return [Array<OpenSSL::PKey::RSA>] the public keys.
+      def public_keys(env)
+        host = env['HTTP_HOST']
+        keys = Rails.cache.fetch([self.class.name, '#secrets', host]) { fetch_public_keys(host) }
+        keys.map do |jwk_data|
+          ::JWT::JWK.import(jwk_data).keypair
+        end
+      end
+
+      # Private: Fetch public keys.
+      #
+      # @param host [String] The host.
+      #
+      # @return [Array<Hash>] the public keys.
+      def fetch_public_keys(host)
+        json = Net::HTTP.get(host, CERTS_PATH)
+        json.present? ? MultiJson.load(json, symbolize_keys: true).fetch(:keys) : []
+      rescue StandardError
+        []
+      end
+    end
+  end
+end

data/lib/rack/cloudflare_jwt/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Rack
+  module CloudflareJwt
+    VERSION = '0.0.4'
+  end
+end

data/lib/rack/cloudflare_jwt.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'rack/cloudflare_jwt/version'
+
+module Rack
+  # CloudFlare JSON Web Token
+  module CloudflareJwt
+    autoload :Auth, 'rack/cloudflare_jwt/auth'
+  end
+end

metadata

@@ -0,0 +1,190 @@
+--- !ruby/object:Gem::Specification
+name: rack-cloudflare-jwt
+version: !ruby/object:Gem::Version
+  version: 0.0.4
+platform: ruby
+authors:
+- Aleksei Vokhmin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-01-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.16.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.16.2
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.0.0
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+description: Rack middleware that provides authentication based on CloudFlare JSON
+  Web Tokens.
+email:
+- avokhmin@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/rack/cloudflare_jwt.rb
+- lib/rack/cloudflare_jwt/auth.rb
+- lib/rack/cloudflare_jwt/version.rb
+homepage: https://github.com/Shuttlerock/rack-cloudflare-jwt
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Rack middleware that provides authentication based on CloudFlare JSON Web
+  Tokens.
+test_files: []