rack-cloudflare-jwt 0.0.5 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 96e4477d5accd4824246258e9705fea334849ca6727c873349b49f0fb3eac9e1
-  data.tar.gz: 714c31cc874fc247d83eff6f46ae04b2ce62ad4772c0551bc7782113eb986eba
+  metadata.gz: 240d66a2a123b06cf3625765ce2d7b4772c2a46f059fd62decc90acd4d9e68bc
+  data.tar.gz: 9bf13c926defed079e9266752c64ab3b38d004e3665252b3dd7a663db77ae66c
 SHA512:
-  metadata.gz: 67a1ca74de47a7f0082666903f0bc14dd8229216d6201e9e3983db20d677076693f1d304359f5e861c6635ae1f7e58ef316fa60a8691e535094bd3e84b4011b0
-  data.tar.gz: 13de638b271c4f015506bfdf6a10d0c2dd441dab5378d6fe6e762203a1c38f73b92c1fd2133d2ca947242acbaf0571481e1194112b9c5c49e3ae8f96b966b201
+  metadata.gz: 735971f62a1c16c83d6591baa3d60c052107ef61076850a0598c2456c386aec32c62b79927e15560f2d9f47ef17f991ff084ee6bb27284ab17195e6fcd805148
+  data.tar.gz: c3f15c032fa1715e728e6e0337ddfae61165a8bda598cc69f077b5f87f71e93d2e24b249ae79ac197361a533ac730cf8b1c0823f2f1b00e794b15b3d1180c41d

data/README.md

@@ -32,17 +32,17 @@ $ gem install rack-cloudflare-jwt
 
 ## Usage
 
-`Rack::CloudflareJwt::Auth` accepts several configuration options. All options are passed in a single Ruby Hash:
+`Rack::CloudflareJwt::Auth` accepts configuration options. All options are passed in a single Ruby `Hash<String, String>`. E.g. `{ '/admin' => 'aud-1', '/manager' => 'aud-2' }`.
 
-* `policy_aud` : required : `String` : A Application Audience (AUD) Tag.
+* `Hash` key : `String` : A path string representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified path as well (e.g. `/docs` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path doesn't matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
+
+* `Hash` value : `String` : A Application Audience (AUD) Tag.
 
-* `include_paths` : optional : Array : An Array of path strings representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified paths as well (e.g. `%w(/docs)` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path not matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
 
 ### Rails
 
 ```ruby
-require 'rack/cloudflare_jwt'
-Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, policy_aud: 'xxx.yyy.zzz', include_paths: %w[/foo]
+Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, '/my-path' => 'xxx.yyy.zzz'
 ```
 
 ## Contributing

data/lib/rack/cloudflare/jwt.rb

@@ -0,0 +1 @@
+require 'rack/cloudflare_jwt'

data/lib/rack/cloudflare_jwt.rb

@@ -2,9 +2,8 @@
 
 require 'rack/cloudflare_jwt/version'
 
-module Rack
+module Rack::CloudflareJwt
   # CloudFlare JSON Web Token
-  module CloudflareJwt
-    autoload :Auth, 'rack/cloudflare_jwt/auth'
-  end
+
+  autoload :Auth, 'rack/cloudflare_jwt/auth'
 end

data/lib/rack/cloudflare_jwt/auth.rb

@@ -5,178 +5,234 @@ require 'multi_json'
 require 'net/http'
 require 'rack/jwt'
 
-module Rack
-  module CloudflareJwt
-    # Authentication middleware
-    #
-    # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
-    class Auth
-      # Certs path
-      CERTS_PATH = '/cdn-cgi/access/certs'
-      # Default algorithm
-      DEFAULT_ALGORITHM = 'RS256'
-      # CloudFlare JWT header.
-      HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
-
-      # Token regex.
-      #
-      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-      TOKEN_REGEX = /
-        ^(
-        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-        [a-zA-Z0-9\-\_]+    # 1 or more chars, no trailing chars
-        )$
-      /x.freeze
-
-      attr_reader :policy_aud, :include_paths
-
-      # Initializes middleware
-      def initialize(app, opts = {})
-        @app           = app
-        @policy_aud    = opts.fetch(:policy_aud, nil)
-        @include_paths = opts.fetch(:include_paths, [])
-
-        check_policy_aud!
-        check_include_paths_type!
-      end
+module Rack::CloudflareJwt
+  # Authentication middleware
+  #
+  # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
+  class Auth
+    # Custom decode token error.
+    class DecodeTokenError < StandardError; end
+
+    # Certs path
+    CERTS_PATH = '/cdn-cgi/access/certs'
+    # Default algorithm
+    DEFAULT_ALGORITHM = 'RS256'
+    # CloudFlare JWT header.
+    HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
+    # HTTP_HOST header.
+    HEADER_HTTP_HOST = 'HTTP_HOST'
+    # Key for get current path.
+    PATH_INFO = 'PATH_INFO'
+
+    # Token regex.
+    #
+    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+    TOKEN_REGEX = /
+      ^(
+      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-_]+    # 1 or more chars, no trailing chars
+      )$
+    /x.freeze
+
+    attr_reader :policies
+
+    # Initializes middleware
+    #
+    # @example Initialize middleware in Rails
+    #   config.middleware.use(
+    #     Rack::CloudflareJwt::Auth,
+    #     '/admin'   => <cloudflare-aud-1>,
+    #     '/manager' => <cloudflare-aud-2>,
+    #   )
+    #
+    # @param policies [Hash<String, String>] the policies with paths and AUDs.
+    def initialize(app, policies = {})
+      @app      = app
+      @policies = policies
 
-      # Public: Call a middleware.
-      def call(env)
-        if !path_matches_include_paths?(env)
-          @app.call(env)
-        elsif missing_auth_header?(env)
-          return_error('Missing Authorization header')
-        elsif invalid_auth_header?(env)
-          return_error('Invalid Authorization header format')
-        else
-          verify_token(env)
-        end
-      end
+      check_policy_auds!
+      check_paths_type!
+    end
 
-      private
+    # Public: Call a middleware.
+    def call(env)
+      if !path_matches?(env)
+        @app.call(env)
+      elsif missing_auth_header?(env)
+        return_error('Missing Authorization header')
+      elsif invalid_auth_header?(env)
+        return_error('Invalid Authorization header format')
+      else
+        verify_token(env)
+      end
+    end
 
-      # Private: Check policy aud.
-      def check_policy_aud!
-        return unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
+    private
 
-        raise ArgumentError, 'policy_aud argument cannot be nil/empty'
-      end
+    # Private: Check policy auds.
+    def check_policy_auds!
+      raise ArgumentError, 'policies cannot be nil/empty' if policies.values.empty?
 
-      # Private: Check include_paths type.
-      def check_include_paths_type!
-        raise ArgumentError, 'include_paths argument must be an Array' unless include_paths.is_a?(Array)
+      policies.each_value do |policy_aud|
+        next unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
 
-        include_paths.each do |path|
-          raise ArgumentError, 'each include_paths Array element must be a String' unless path.is_a?(String)
-          raise ArgumentError, 'each include_paths Array element must not be empty' if path.empty?
-          raise ArgumentError, 'each include_paths Array element must start with a /' unless path.start_with?('/')
-        end
+        raise ArgumentError, 'policy AUD argument cannot be nil/empty'
       end
+    end
 
-      # Private: Verify a token.
-      def verify_token(env)
-        # extract the token from header.
-        token         = env[HEADER_NAME]
-        decoded_token = public_keys(env).find do |key|
-          dt = decode_token(token, key.public_key)
-          break dt if dt
-        end
-
-        if decoded_token
-          env['jwt.payload'] = decoded_token.first
-          env['jwt.header']  = decoded_token.last
-          @app.call(env)
-        else
-          return_error('Invalid token')
-        end
+    # Private: Check paths type.
+    def check_paths_type!
+      policies.each_key do |path|
+        raise ArgumentError, 'each key element must be a String' unless path.is_a?(String)
+        raise ArgumentError, 'each key element must not be empty' if path.empty?
+        raise ArgumentError, 'each key element must start with a /' unless path.start_with?('/')
       end
+    end
 
-      # Private: Decode a token.
-      #
-      # Example:
-      #
-      #   [
-      #     {"data"=>"test"}, # payload
-      #     {"alg"=>"RS256"} # header
-      #   ]
-      #
-      # @return [Array<Hash>] the token.
-      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-      def decode_token(token, secret)
-        Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
-      rescue ::JWT::VerificationError
-        Rails.logger.info 'Invalid JWT token : Signature Verification Error'
-      rescue ::JWT::ExpiredSignature
-        Rails.logger.info 'Invalid JWT token : Expired Signature (exp)'
-      rescue ::JWT::IncorrectAlgorithm
-        Rails.logger.info 'Invalid JWT token : Incorrect Key Algorithm'
-      rescue ::JWT::ImmatureSignature
-        Rails.logger.info 'Invalid JWT token : Immature Signature (nbf)'
-      rescue ::JWT::InvalidIssuerError
-        Rails.logger.info 'Invalid JWT token : Invalid Issuer (iss)'
-      rescue ::JWT::InvalidIatError
-        Rails.logger.info 'Invalid JWT token : Invalid Issued At (iat)'
-      rescue ::JWT::InvalidAudError
-        Rails.logger.info 'Invalid JWT token : Invalid Audience (aud)'
-      rescue ::JWT::InvalidSubError
-        Rails.logger.info 'Invalid JWT token : Invalid Subject (sub)'
-      rescue ::JWT::InvalidJtiError
-        Rails.logger.info 'Invalid JWT token : Invalid JWT ID (jti)'
-      rescue ::JWT::DecodeError
-        Rails.logger.info 'Invalid JWT token : Decode Error'
+    # Private: Verify a token.
+    def verify_token(env)
+      # extract the token from header.
+      token         = env[HEADER_NAME]
+      policy_aud    = policies.find { |path, _aud| env[PATH_INFO].start_with?(path) }&.last
+      decoded_token = public_keys(env).find do |key|
+        break decode_token(token, key.public_key, policy_aud)
+      rescue DecodeTokenError => e
+        logger.info e.message
+        nil
       end
 
-      # Private: Check if current path is in the include_paths.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def path_matches_include_paths?(env)
-        include_paths.empty? || include_paths.any? { |ex| env['PATH_INFO'].start_with?(ex) }
-      end
+      if decoded_token
+        logger.debug 'CloudFlare JWT token is valid'
 
-      # Private: Check if auth header is invalid.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def invalid_auth_header?(env)
-        env[HEADER_NAME] !~ TOKEN_REGEX
+        env['jwt.payload'] = decoded_token.first
+        env['jwt.header']  = decoded_token.last
+        @app.call(env)
+      else
+        return_error('Invalid token')
       end
+    end
 
-      # Private: Check if no auth header.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def missing_auth_header?(env)
-        env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
-      end
+    # Private: Decode a token.
+    #
+    # @param token [String] the token.
+    # @param secret [String] the public key.
+    # @param policy_aud [String] the CloudFlare AUD.
+    #
+    # @example
+    #
+    #   [
+    #     {"data"=>"test"}, # payload
+    #     {"alg"=>"RS256"} # header
+    #   ]
+    #
+    # @return [Array<Hash>] the token or `nil` at error.
+    # @raise [DecodeTokenError] if the token is invalid.
+    #
+    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+    def decode_token(token, secret, policy_aud)
+      Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
+    rescue ::JWT::VerificationError
+      raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
+    rescue ::JWT::ExpiredSignature
+      raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
+    rescue ::JWT::IncorrectAlgorithm
+      raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
+    rescue ::JWT::ImmatureSignature
+      raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
+    rescue ::JWT::InvalidIssuerError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
+    rescue ::JWT::InvalidIatError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
+    rescue ::JWT::InvalidAudError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
+    rescue ::JWT::InvalidSubError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
+    rescue ::JWT::InvalidJtiError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
+    rescue ::JWT::DecodeError
+      raise DecodeTokenError, 'Invalid JWT token : Decode Error'
+    end
+
+    # Private: Check if current path is in the policies.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def path_matches?(env)
+      policies.empty? || policies.keys.any? { |ex| env[PATH_INFO].start_with?(ex) }
+    end
 
-      # Private: Return an error.
-      def return_error(message)
-        body    = { error: message }.to_json
-        headers = { 'Content-Type' => 'application/json' }
+    # Private: Check if auth header is invalid.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def invalid_auth_header?(env)
+      env[HEADER_NAME] !~ TOKEN_REGEX
+    end
 
-        [403, headers, [body]]
+    # Private: Check if no auth header.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def missing_auth_header?(env)
+      env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
+    end
+
+    # Private: Return an error.
+    def return_error(message)
+      body    = { error: message }.to_json
+      headers = { 'Content-Type' => 'application/json' }
+
+      [403, headers, [body]]
+    end
+
+    # Private: Get public keys.
+    #
+    # @return [Array<OpenSSL::PKey::RSA>] the public keys.
+    def public_keys(env)
+      host = env[HEADER_HTTP_HOST]
+      fetch_public_keys_cached(host).map do |jwk_data|
+        ::JWT::JWK.import(jwk_data).keypair
       end
+    end
+
+    # Private: Fetch public keys.
+    #
+    # @param host [String] The host.
+    #
+    # @return [Array<Hash>] the public keys.
+    def fetch_public_keys(host)
+      json = Net::HTTP.get(host, CERTS_PATH)
+      json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
+    rescue StandardError
+      []
+    end
 
-      # Private: Get public keys.
-      #
-      # @return [Array<OpenSSL::PKey::RSA>] the public keys.
-      def public_keys(env)
-        host = env['HTTP_HOST']
-        keys = Rails.cache.fetch([self.class.name, '#secrets', host]) { fetch_public_keys(host) }
-        keys.map do |jwk_data|
-          ::JWT::JWK.import(jwk_data).keypair
-        end
+    # Private: Get cached public keys.
+    #
+    # Store a keys in the cache only 10 minutes.
+    #
+    # @param host [String] The host.
+    #
+    # @return [Array<Hash>] the public keys.
+    def fetch_public_keys_cached(host)
+      key = [self.class.name, '#secrets', host].join('_')
+
+      if defined? Rails
+        Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys(host) }
+      elsif defined? Padrino
+        keys = Padrino.cache[key]
+        keys || Padrino.cache.store(key, fetch_public_keys(host), expires: 600)
+      else
+        fetch_public_keys(host)
       end
+    end
 
-      # Private: Fetch public keys.
-      #
-      # @param host [String] The host.
-      #
-      # @return [Array<Hash>] the public keys.
-      def fetch_public_keys(host)
-        json = Net::HTTP.get(host, CERTS_PATH)
-        json.present? ? MultiJson.load(json, symbolize_keys: true).fetch(:keys) : []
-      rescue StandardError
-        []
+    # Private: Get a logger.
+    #
+    # @return [ActiveSupport::Logger] the logger.
+    def logger
+      if defined? Rails
+        Rails.logger
+      elsif defined? Padrino
+        Padrino.logger
       end
     end
   end

data/lib/rack/cloudflare_jwt/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-module Rack
+module Rack # rubocop:disable Style/ClassAndModuleChildren
   module CloudflareJwt
-    VERSION = '0.0.5'
+    VERSION = '0.1.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare-jwt
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.1.0
 platform: ruby
 authors:
 - Aleksei Vokhmin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-28 00:00:00.000000000 Z
+date: 2021-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.16.0
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -160,6 +188,7 @@ extra_rdoc_files: []
 files:
 - LICENSE
 - README.md
+- lib/rack/cloudflare/jwt.rb
 - lib/rack/cloudflare_jwt.rb
 - lib/rack/cloudflare_jwt/auth.rb
 - lib/rack/cloudflare_jwt/version.rb