rack-cloudflare-jwt 0.0.6 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b02234c4f02891933a6509fafc629a63caa158f3272881a3342965f4da300511
-  data.tar.gz: 6d6746b102725c8f48818158d99fc631af3a4420ccdb2ef8cb52adbd1dc7319d
+  metadata.gz: 9cfffcc56a02828c0ab0aea34ce64dd64e7fa09b9c564cc2146f7a54f01ff189
+  data.tar.gz: 55b46d11820643dead91670a3c23aaa25d0d80526844ecdcadb38c2ec5110465
 SHA512:
-  metadata.gz: 5ea641bd7ea94915e07dfc19d82a1b173872a2b2b09eb6dcefabe2229d09d445caa4c9553f85c359615850cd03849820b09d8ca37ad72a75bc2af897bb4fcb19
-  data.tar.gz: 2936ec4b34f29bfa86b39cf4fb0360729e4a92706ffb7c7bf730f1b49c0dfc132f24f29335f42e7275c838bfd8674e819a572d6fe430682e89601f290184118d
+  metadata.gz: 637d37665fa3e39c8d65649ad3fde2bee0cd84a3bf1d3e8974e2abb49c2e3d051785f63dee1bc5ac914e601076e0cf14b6a0c04a359b675f7b3e8cd1cae7c294
+  data.tar.gz: 8879652a99cf5639b2ad6543524ea4ff28f7ce92be470a4d6594f9554751b10f6e3079262532d2b9a7948cb277a7f33d6e06171f4e147d8898f24eeec0a079e8

data/README.md

@@ -32,17 +32,20 @@ $ gem install rack-cloudflare-jwt
 
 ## Usage
 
-`Rack::CloudflareJwt::Auth` accepts several configuration options. All options are passed in a single Ruby Hash:
+`Rack::CloudflareJwt::Auth` accepts configuration options. All options are passed in a single Ruby `Hash<String, String>`. E.g. `{ '/admin' => 'aud-1', '/manager' => 'aud-2' }`.
 
-* `policy_aud` : required : `String` : A Application Audience (AUD) Tag.
+* `Hash` key : `String` : A path string representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified path as well (e.g. `/docs` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path doesn't matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
 
-* `include_paths` : optional : Array : An Array of path strings representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified paths as well (e.g. `%w(/docs)` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path not matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
+* `Hash` value : `String` : A Application Audience (AUD) Tag.
+
+Also, you should provide a Team Domain.
 
 ### Rails
 
 ```ruby
-require 'rack/cloudflare_jwt'
-Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, policy_aud: 'xxx.yyy.zzz', include_paths: %w[/foo]
+Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, 'my-team-domain.cloudflareaccess.com',
+                                                                   '/my-path-1' => 'aaa.bbb.ccc'
+                                                                   '/my-path-2' => 'xxx.yyy.zzz',
 ```
 
 ## Contributing

data/lib/rack/cloudflare/jwt.rb

@@ -0,0 +1 @@
+require 'rack/cloudflare_jwt'

data/lib/rack/cloudflare_jwt.rb

@@ -2,9 +2,8 @@
 
 require 'rack/cloudflare_jwt/version'
 
-module Rack
+module Rack::CloudflareJwt
   # CloudFlare JSON Web Token
-  module CloudflareJwt
-    autoload :Auth, 'rack/cloudflare_jwt/auth'
-  end
+
+  autoload :Auth, 'rack/cloudflare_jwt/auth'
 end

data/lib/rack/cloudflare_jwt/auth.rb

@@ -5,180 +5,230 @@ require 'multi_json'
 require 'net/http'
 require 'rack/jwt'
 
-module Rack
-  module CloudflareJwt
-    # Authentication middleware
-    #
-    # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
-    class Auth
-      # Certs path
-      CERTS_PATH = '/cdn-cgi/access/certs'
-      # Default algorithm
-      DEFAULT_ALGORITHM = 'RS256'
-      # CloudFlare JWT header.
-      HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
-
-      # Token regex.
-      #
-      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-      TOKEN_REGEX = /
-        ^(
-        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-        [a-zA-Z0-9\-\_]+    # 1 or more chars, no trailing chars
-        )$
-      /x.freeze
-
-      attr_reader :policy_aud, :include_paths
-
-      # Initializes middleware
-      def initialize(app, opts = {})
-        @app           = app
-        @policy_aud    = opts.fetch(:policy_aud, nil)
-        @include_paths = opts.fetch(:include_paths, [])
-
-        check_policy_aud!
-        check_include_paths_type!
-      end
+module Rack::CloudflareJwt
+  # Authentication middleware
+  #
+  # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
+  class Auth
+    # Custom decode token error.
+    class DecodeTokenError < StandardError; end
+
+    # Certs path
+    CERTS_PATH = '/cdn-cgi/access/certs'
+    # Default algorithm
+    DEFAULT_ALGORITHM = 'RS256'
+    # CloudFlare JWT header.
+    HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
+    # Key for get current path.
+    PATH_INFO = 'PATH_INFO'
+
+    # Token regex.
+    #
+    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+    TOKEN_REGEX = /
+      ^(
+      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-_]+    # 1 or more chars, no trailing chars
+      )$
+    /x.freeze
+
+    attr_reader :policies, :team_domain
+
+    # Initializes middleware
+    #
+    # @example Initialize middleware in Rails
+    #   config.middleware.use(
+    #     Rack::CloudflareJwt::Auth,
+    #     ENV['RACK_CLOUDFLARE_JWT_TEAM_DOMAIN'],
+    #     '/admin'   => <cloudflare-aud-1>,
+    #     '/manager' => <cloudflare-aud-2>,
+    #   )
+    #
+    # @param team_domain [String] the Team Domain (e.g. 'test.cloudflareaccess.com').
+    # @param policies [Hash<String, String>] the policies with paths and AUDs.
+    def initialize(app, team_domain, policies = {})
+      @app         = app
+      @team_domain = team_domain
+      @policies    = policies
+
+      check_policy_auds!
+      check_paths_type!
+    end
 
-      # Public: Call a middleware.
-      def call(env)
-        if !path_matches_include_paths?(env)
-          @app.call(env)
-        elsif missing_auth_header?(env)
-          return_error('Missing Authorization header')
-        elsif invalid_auth_header?(env)
-          return_error('Invalid Authorization header format')
-        else
-          verify_token(env)
-        end
+    # Public: Call a middleware.
+    def call(env)
+      if !path_matches?(env)
+        @app.call(env)
+      elsif missing_auth_header?(env)
+        return_error('Missing Authorization header')
+      elsif invalid_auth_header?(env)
+        return_error('Invalid Authorization header format')
+      else
+        verify_token(env)
       end
+    end
 
-      private
-
-      # Private: Check policy aud.
-      def check_policy_aud!
-        return unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
+    private
 
-        raise ArgumentError, 'policy_aud argument cannot be nil/empty'
-      end
+    # Private: Check policy auds.
+    def check_policy_auds!
+      raise ArgumentError, 'policies cannot be nil/empty' if policies.values.empty?
 
-      # Private: Check include_paths type.
-      def check_include_paths_type!
-        raise ArgumentError, 'include_paths argument must be an Array' unless include_paths.is_a?(Array)
+      policies.each_value do |policy_aud|
+        next unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
 
-        include_paths.each do |path|
-          raise ArgumentError, 'each include_paths Array element must be a String' unless path.is_a?(String)
-          raise ArgumentError, 'each include_paths Array element must not be empty' if path.empty?
-          raise ArgumentError, 'each include_paths Array element must start with a /' unless path.start_with?('/')
-        end
+        raise ArgumentError, 'policy AUD argument cannot be nil/empty'
       end
+    end
 
-      # Private: Verify a token.
-      def verify_token(env)
-        # extract the token from header.
-        token         = env[HEADER_NAME]
-        decoded_token = public_keys(env).find do |key|
-          dt = decode_token(token, key.public_key)
-          break dt if dt
-        end
-
-        if decoded_token
-          Rails.logger.debug 'CloudFlare JWT token is valid'
-
-          env['jwt.payload'] = decoded_token.first
-          env['jwt.header']  = decoded_token.last
-          @app.call(env)
-        else
-          return_error('Invalid token')
-        end
+    # Private: Check paths type.
+    def check_paths_type!
+      policies.each_key do |path|
+        raise ArgumentError, 'each key element must be a String' unless path.is_a?(String)
+        raise ArgumentError, 'each key element must not be empty' if path.empty?
+        raise ArgumentError, 'each key element must start with a /' unless path.start_with?('/')
       end
+    end
 
-      # Private: Decode a token.
-      #
-      # Example:
-      #
-      #   [
-      #     {"data"=>"test"}, # payload
-      #     {"alg"=>"RS256"} # header
-      #   ]
-      #
-      # @return [Array<Hash>] the token.
-      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-      def decode_token(token, secret)
-        Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
-      rescue ::JWT::VerificationError
-        Rails.logger.info 'Invalid JWT token : Signature Verification Error'
-      rescue ::JWT::ExpiredSignature
-        Rails.logger.info 'Invalid JWT token : Expired Signature (exp)'
-      rescue ::JWT::IncorrectAlgorithm
-        Rails.logger.info 'Invalid JWT token : Incorrect Key Algorithm'
-      rescue ::JWT::ImmatureSignature
-        Rails.logger.info 'Invalid JWT token : Immature Signature (nbf)'
-      rescue ::JWT::InvalidIssuerError
-        Rails.logger.info 'Invalid JWT token : Invalid Issuer (iss)'
-      rescue ::JWT::InvalidIatError
-        Rails.logger.info 'Invalid JWT token : Invalid Issued At (iat)'
-      rescue ::JWT::InvalidAudError
-        Rails.logger.info 'Invalid JWT token : Invalid Audience (aud)'
-      rescue ::JWT::InvalidSubError
-        Rails.logger.info 'Invalid JWT token : Invalid Subject (sub)'
-      rescue ::JWT::InvalidJtiError
-        Rails.logger.info 'Invalid JWT token : Invalid JWT ID (jti)'
-      rescue ::JWT::DecodeError
-        Rails.logger.info 'Invalid JWT token : Decode Error'
+    # Private: Verify a token.
+    def verify_token(env)
+      # extract the token from header.
+      token         = env[HEADER_NAME]
+      policy_aud    = policies.find { |path, _aud| env[PATH_INFO].start_with?(path) }&.last
+      decoded_token = public_keys.find do |key|
+        break decode_token(token, key.public_key, policy_aud)
+      rescue DecodeTokenError => e
+        logger.info e.message
+        nil
       end
 
-      # Private: Check if current path is in the include_paths.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def path_matches_include_paths?(env)
-        include_paths.empty? || include_paths.any? { |ex| env['PATH_INFO'].start_with?(ex) }
-      end
+      if decoded_token
+        logger.debug 'CloudFlare JWT token is valid'
 
-      # Private: Check if auth header is invalid.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def invalid_auth_header?(env)
-        env[HEADER_NAME] !~ TOKEN_REGEX
+        env['jwt.payload'] = decoded_token.first
+        env['jwt.header']  = decoded_token.last
+        @app.call(env)
+      else
+        return_error('Invalid token')
       end
+    end
 
-      # Private: Check if no auth header.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def missing_auth_header?(env)
-        env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
-      end
+    # Private: Decode a token.
+    #
+    # @param token [String] the token.
+    # @param secret [String] the public key.
+    # @param policy_aud [String] the CloudFlare AUD.
+    #
+    # @example
+    #
+    #   [
+    #     {"data"=>"test"}, # payload
+    #     {"alg"=>"RS256"} # header
+    #   ]
+    #
+    # @return [Array<Hash>] the token or `nil` at error.
+    # @raise [DecodeTokenError] if the token is invalid.
+    #
+    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+    def decode_token(token, secret, policy_aud)
+      Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
+    rescue ::JWT::VerificationError
+      raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
+    rescue ::JWT::ExpiredSignature
+      raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
+    rescue ::JWT::IncorrectAlgorithm
+      raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
+    rescue ::JWT::ImmatureSignature
+      raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
+    rescue ::JWT::InvalidIssuerError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
+    rescue ::JWT::InvalidIatError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
+    rescue ::JWT::InvalidAudError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
+    rescue ::JWT::InvalidSubError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
+    rescue ::JWT::InvalidJtiError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
+    rescue ::JWT::DecodeError
+      raise DecodeTokenError, 'Invalid JWT token : Decode Error'
+    end
 
-      # Private: Return an error.
-      def return_error(message)
-        body    = { error: message }.to_json
-        headers = { 'Content-Type' => 'application/json' }
+    # Private: Check if current path is in the policies.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def path_matches?(env)
+      policies.empty? || policies.keys.any? { |ex| env[PATH_INFO].start_with?(ex) }
+    end
+
+    # Private: Check if auth header is invalid.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def invalid_auth_header?(env)
+      env[HEADER_NAME] !~ TOKEN_REGEX
+    end
+
+    # Private: Check if no auth header.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def missing_auth_header?(env)
+      env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
+    end
+
+    # Private: Return an error.
+    def return_error(message)
+      body    = { error: message }.to_json
+      headers = { 'Content-Type' => 'application/json' }
+
+      [403, headers, [body]]
+    end
 
-        [403, headers, [body]]
+    # Private: Get public keys.
+    #
+    # @return [Array<OpenSSL::PKey::RSA>] the public keys.
+    def public_keys
+      fetch_public_keys_cached.map do |jwk_data|
+        ::JWT::JWK.import(jwk_data).keypair
       end
+    end
+
+    # Private: Fetch public keys.
+    #
+    # @return [Array<Hash>] the public keys.
+    def fetch_public_keys
+      json = Net::HTTP.get(team_domain, CERTS_PATH)
+      json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
+    rescue StandardError
+      []
+    end
 
-      # Private: Get public keys.
-      #
-      # @return [Array<OpenSSL::PKey::RSA>] the public keys.
-      def public_keys(env)
-        host = env['HTTP_HOST']
-        keys = Rails.cache.fetch([self.class.name, '#secrets', host]) { fetch_public_keys(host) }
-        keys.map do |jwk_data|
-          ::JWT::JWK.import(jwk_data).keypair
-        end
+    # Private: Get cached public keys.
+    #
+    # Store a keys in the cache only 10 minutes.
+    #
+    # @return [Array<Hash>] the public keys.
+    def fetch_public_keys_cached
+      key = [self.class.name, '#secrets'].join('_')
+
+      if defined? Rails
+        Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys }
+      elsif defined? Padrino
+        keys = Padrino.cache[key]
+        keys || Padrino.cache.store(key, fetch_public_keys, expires: 600)
+      else
+        fetch_public_keys
       end
+    end
 
-      # Private: Fetch public keys.
-      #
-      # @param host [String] The host.
-      #
-      # @return [Array<Hash>] the public keys.
-      def fetch_public_keys(host)
-        json = Net::HTTP.get(host, CERTS_PATH)
-        json.present? ? MultiJson.load(json, symbolize_keys: true).fetch(:keys) : []
-      rescue StandardError
-        []
+    # Private: Get a logger.
+    #
+    # @return [ActiveSupport::Logger] the logger.
+    def logger
+      if defined? Rails
+        Rails.logger
+      elsif defined? Padrino
+        Padrino.logger
       end
     end
   end

data/lib/rack/cloudflare_jwt/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-module Rack
+module Rack # rubocop:disable Style/ClassAndModuleChildren
   module CloudflareJwt
-    VERSION = '0.0.6'
+    VERSION = '0.2.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare-jwt
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.2.0
 platform: ruby
 authors:
 - Aleksei Vokhmin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-28 00:00:00.000000000 Z
+date: 2021-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.16.0
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.8.0
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -160,6 +188,7 @@ extra_rdoc_files: []
 files:
 - LICENSE
 - README.md
+- lib/rack/cloudflare/jwt.rb
 - lib/rack/cloudflare_jwt.rb
 - lib/rack/cloudflare_jwt/auth.rb
 - lib/rack/cloudflare_jwt/version.rb
@@ -182,7 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Rack middleware that provides authentication based on CloudFlare JSON Web