rack-cloudflare-jwt 0.0.9 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b2687d696920c000108afefaef5a1ca3362a1abee3a02d70394dbf58d3853c4
-  data.tar.gz: b70a5704eb4617eda9e0c7da2e16931dd259b7106394f74f8f62dc2d01771ad6
+  metadata.gz: 240d66a2a123b06cf3625765ce2d7b4772c2a46f059fd62decc90acd4d9e68bc
+  data.tar.gz: 9bf13c926defed079e9266752c64ab3b38d004e3665252b3dd7a663db77ae66c
 SHA512:
-  metadata.gz: b0d36f13a6ad4d5dbff4b389026f45c14a1952540058d616d859d60e4016dcb35a2c3899b42a93cd15204e233b267f9687c3664df4199f71e980b48fc85b1ce9
-  data.tar.gz: f0e6d960ae41120b05d71888d92bc134202186b539126753c0d51d60b34a6a6d964383b809fea8cf63353b4cf499b2556350201c3f14d1ee7fcfc0369853b477
+  metadata.gz: 735971f62a1c16c83d6591baa3d60c052107ef61076850a0598c2456c386aec32c62b79927e15560f2d9f47ef17f991ff084ee6bb27284ab17195e6fcd805148
+  data.tar.gz: c3f15c032fa1715e728e6e0337ddfae61165a8bda598cc69f077b5f87f71e93d2e24b249ae79ac197361a533ac730cf8b1c0823f2f1b00e794b15b3d1180c41d

data/README.md

@@ -32,17 +32,17 @@ $ gem install rack-cloudflare-jwt
 
 ## Usage
 
-`Rack::CloudflareJwt::Auth` accepts several configuration options. All options are passed in a single Ruby Hash:
+`Rack::CloudflareJwt::Auth` accepts configuration options. All options are passed in a single Ruby `Hash<String, String>`. E.g. `{ '/admin' => 'aud-1', '/manager' => 'aud-2' }`.
 
-* `policy_aud` : required : `String` : A Application Audience (AUD) Tag.
+* `Hash` key : `String` : A path string representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified path as well (e.g. `/docs` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path doesn't matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
+
+* `Hash` value : `String` : A Application Audience (AUD) Tag.
 
-* `include_paths` : optional : Array : An Array of path strings representing paths that should be checked for the presence of a valid JWT token. Includes sub-paths as of specified paths as well (e.g. `%w(/docs)` includes `/docs/some/thing.html` also). Each path should start with a `/`. If a path not matches the current request path this entire middleware is skipped and no authentication or verification of tokens takes place.
 
 ### Rails
 
 ```ruby
-require 'rack/cloudflare_jwt'
-Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, policy_aud: 'xxx.yyy.zzz', include_paths: %w[/foo]
+Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, '/my-path' => 'xxx.yyy.zzz'
 ```
 
 ## Contributing

data/lib/rack/cloudflare/jwt.rb

@@ -0,0 +1 @@
+require 'rack/cloudflare_jwt'

data/lib/rack/cloudflare_jwt.rb

@@ -2,9 +2,8 @@
 
 require 'rack/cloudflare_jwt/version'
 
-module Rack
+module Rack::CloudflareJwt
   # CloudFlare JSON Web Token
-  module CloudflareJwt
-    autoload :Auth, 'rack/cloudflare_jwt/auth'
-  end
+
+  autoload :Auth, 'rack/cloudflare_jwt/auth'
 end

data/lib/rack/cloudflare_jwt/auth.rb

@@ -5,219 +5,234 @@ require 'multi_json'
 require 'net/http'
 require 'rack/jwt'
 
-module Rack
-  module CloudflareJwt
-    # Authentication middleware
-    #
-    # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
-    class Auth
-      # Custom decode token error.
-      class DecodeTokenError < StandardError; end
-
-      # Certs path
-      CERTS_PATH = '/cdn-cgi/access/certs'
-      # Default algorithm
-      DEFAULT_ALGORITHM = 'RS256'
-      # CloudFlare JWT header.
-      HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
-      # HTTP_HOST header.
-      HEADER_HTTP_HOST = 'HTTP_HOST'
-
-      # Token regex.
-      #
-      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-      TOKEN_REGEX = /
-        ^(
-        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-        [a-zA-Z0-9\-\_]+    # 1 or more chars, no trailing chars
-        )$
-      /x.freeze
-
-      attr_reader :policy_aud, :include_paths
-
-      # Initializes middleware
-      def initialize(app, opts = {})
-        @app           = app
-        @policy_aud    = opts.fetch(:policy_aud, nil)
-        @include_paths = opts.fetch(:include_paths, [])
-
-        check_policy_aud!
-        check_include_paths_type!
-      end
+module Rack::CloudflareJwt
+  # Authentication middleware
+  #
+  # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
+  class Auth
+    # Custom decode token error.
+    class DecodeTokenError < StandardError; end
+
+    # Certs path
+    CERTS_PATH = '/cdn-cgi/access/certs'
+    # Default algorithm
+    DEFAULT_ALGORITHM = 'RS256'
+    # CloudFlare JWT header.
+    HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
+    # HTTP_HOST header.
+    HEADER_HTTP_HOST = 'HTTP_HOST'
+    # Key for get current path.
+    PATH_INFO = 'PATH_INFO'
+
+    # Token regex.
+    #
+    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+    TOKEN_REGEX = /
+      ^(
+      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-_]+    # 1 or more chars, no trailing chars
+      )$
+    /x.freeze
+
+    attr_reader :policies
+
+    # Initializes middleware
+    #
+    # @example Initialize middleware in Rails
+    #   config.middleware.use(
+    #     Rack::CloudflareJwt::Auth,
+    #     '/admin'   => <cloudflare-aud-1>,
+    #     '/manager' => <cloudflare-aud-2>,
+    #   )
+    #
+    # @param policies [Hash<String, String>] the policies with paths and AUDs.
+    def initialize(app, policies = {})
+      @app      = app
+      @policies = policies
 
-      # Public: Call a middleware.
-      def call(env)
-        if !path_matches_include_paths?(env)
-          @app.call(env)
-        elsif missing_auth_header?(env)
-          return_error('Missing Authorization header')
-        elsif invalid_auth_header?(env)
-          return_error('Invalid Authorization header format')
-        else
-          verify_token(env)
-        end
-      end
+      check_policy_auds!
+      check_paths_type!
+    end
 
-      private
+    # Public: Call a middleware.
+    def call(env)
+      if !path_matches?(env)
+        @app.call(env)
+      elsif missing_auth_header?(env)
+        return_error('Missing Authorization header')
+      elsif invalid_auth_header?(env)
+        return_error('Invalid Authorization header format')
+      else
+        verify_token(env)
+      end
+    end
 
-      # Private: Check policy aud.
-      def check_policy_aud!
-        return unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
+    private
 
-        raise ArgumentError, 'policy_aud argument cannot be nil/empty'
-      end
+    # Private: Check policy auds.
+    def check_policy_auds!
+      raise ArgumentError, 'policies cannot be nil/empty' if policies.values.empty?
 
-      # Private: Check include_paths type.
-      def check_include_paths_type!
-        raise ArgumentError, 'include_paths argument must be an Array' unless include_paths.is_a?(Array)
+      policies.each_value do |policy_aud|
+        next unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
 
-        include_paths.each do |path|
-          raise ArgumentError, 'each include_paths Array element must be a String' unless path.is_a?(String)
-          raise ArgumentError, 'each include_paths Array element must not be empty' if path.empty?
-          raise ArgumentError, 'each include_paths Array element must start with a /' unless path.start_with?('/')
-        end
+        raise ArgumentError, 'policy AUD argument cannot be nil/empty'
       end
+    end
 
-      # Private: Verify a token.
-      def verify_token(env)
-        # extract the token from header.
-        token         = env[HEADER_NAME]
-        decoded_token = public_keys(env).find do |key|
-          break decode_token(token, key.public_key)
-        rescue DecodeTokenError => e
-          logger.info e.message
-          nil
-        end
-
-        if decoded_token
-          logger.debug 'CloudFlare JWT token is valid'
-
-          env['jwt.payload'] = decoded_token.first
-          env['jwt.header']  = decoded_token.last
-          @app.call(env)
-        else
-          return_error('Invalid token')
-        end
+    # Private: Check paths type.
+    def check_paths_type!
+      policies.each_key do |path|
+        raise ArgumentError, 'each key element must be a String' unless path.is_a?(String)
+        raise ArgumentError, 'each key element must not be empty' if path.empty?
+        raise ArgumentError, 'each key element must start with a /' unless path.start_with?('/')
       end
+    end
 
-      # Private: Decode a token.
-      #
-      # Example:
-      #
-      #   [
-      #     {"data"=>"test"}, # payload
-      #     {"alg"=>"RS256"} # header
-      #   ]
-      #
-      # @return [Array<Hash>] the token or `nil` at error.
-      # @raise [DecodeTokenError] if the token is invalid.
-      #
-      # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-      def decode_token(token, secret)
-        Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
-      rescue ::JWT::VerificationError
-        raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
-      rescue ::JWT::ExpiredSignature
-        raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
-      rescue ::JWT::IncorrectAlgorithm
-        raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
-      rescue ::JWT::ImmatureSignature
-        raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
-      rescue ::JWT::InvalidIssuerError
-        raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
-      rescue ::JWT::InvalidIatError
-        raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
-      rescue ::JWT::InvalidAudError
-        raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
-      rescue ::JWT::InvalidSubError
-        raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
-      rescue ::JWT::InvalidJtiError
-        raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
-      rescue ::JWT::DecodeError
-        raise DecodeTokenError, 'Invalid JWT token : Decode Error'
+    # Private: Verify a token.
+    def verify_token(env)
+      # extract the token from header.
+      token         = env[HEADER_NAME]
+      policy_aud    = policies.find { |path, _aud| env[PATH_INFO].start_with?(path) }&.last
+      decoded_token = public_keys(env).find do |key|
+        break decode_token(token, key.public_key, policy_aud)
+      rescue DecodeTokenError => e
+        logger.info e.message
+        nil
       end
 
-      # Private: Check if current path is in the include_paths.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def path_matches_include_paths?(env)
-        include_paths.empty? || include_paths.any? { |ex| env['PATH_INFO'].start_with?(ex) }
-      end
+      if decoded_token
+        logger.debug 'CloudFlare JWT token is valid'
 
-      # Private: Check if auth header is invalid.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def invalid_auth_header?(env)
-        env[HEADER_NAME] !~ TOKEN_REGEX
+        env['jwt.payload'] = decoded_token.first
+        env['jwt.header']  = decoded_token.last
+        @app.call(env)
+      else
+        return_error('Invalid token')
       end
+    end
 
-      # Private: Check if no auth header.
-      #
-      # @return [Boolean] true if it is, false otherwise.
-      def missing_auth_header?(env)
-        env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
-      end
+    # Private: Decode a token.
+    #
+    # @param token [String] the token.
+    # @param secret [String] the public key.
+    # @param policy_aud [String] the CloudFlare AUD.
+    #
+    # @example
+    #
+    #   [
+    #     {"data"=>"test"}, # payload
+    #     {"alg"=>"RS256"} # header
+    #   ]
+    #
+    # @return [Array<Hash>] the token or `nil` at error.
+    # @raise [DecodeTokenError] if the token is invalid.
+    #
+    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+    def decode_token(token, secret, policy_aud)
+      Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
+    rescue ::JWT::VerificationError
+      raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
+    rescue ::JWT::ExpiredSignature
+      raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
+    rescue ::JWT::IncorrectAlgorithm
+      raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
+    rescue ::JWT::ImmatureSignature
+      raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
+    rescue ::JWT::InvalidIssuerError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
+    rescue ::JWT::InvalidIatError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
+    rescue ::JWT::InvalidAudError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
+    rescue ::JWT::InvalidSubError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
+    rescue ::JWT::InvalidJtiError
+      raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
+    rescue ::JWT::DecodeError
+      raise DecodeTokenError, 'Invalid JWT token : Decode Error'
+    end
+
+    # Private: Check if current path is in the policies.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def path_matches?(env)
+      policies.empty? || policies.keys.any? { |ex| env[PATH_INFO].start_with?(ex) }
+    end
 
-      # Private: Return an error.
-      def return_error(message)
-        body    = { error: message }.to_json
-        headers = { 'Content-Type' => 'application/json' }
+    # Private: Check if auth header is invalid.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def invalid_auth_header?(env)
+      env[HEADER_NAME] !~ TOKEN_REGEX
+    end
 
-        [403, headers, [body]]
-      end
+    # Private: Check if no auth header.
+    #
+    # @return [Boolean] true if it is, false otherwise.
+    def missing_auth_header?(env)
+      env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
+    end
 
-      # Private: Get public keys.
-      #
-      # @return [Array<OpenSSL::PKey::RSA>] the public keys.
-      def public_keys(env)
-        host = env[HEADER_HTTP_HOST]
-        fetch_public_keys_cached(host).map do |jwk_data|
-          ::JWT::JWK.import(jwk_data).keypair
-        end
-      end
+    # Private: Return an error.
+    def return_error(message)
+      body    = { error: message }.to_json
+      headers = { 'Content-Type' => 'application/json' }
 
-      # Private: Fetch public keys.
-      #
-      # @param host [String] The host.
-      #
-      # @return [Array<Hash>] the public keys.
-      def fetch_public_keys(host)
-        json = Net::HTTP.get(host, CERTS_PATH)
-        json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
-      rescue StandardError
-        []
+      [403, headers, [body]]
+    end
+
+    # Private: Get public keys.
+    #
+    # @return [Array<OpenSSL::PKey::RSA>] the public keys.
+    def public_keys(env)
+      host = env[HEADER_HTTP_HOST]
+      fetch_public_keys_cached(host).map do |jwk_data|
+        ::JWT::JWK.import(jwk_data).keypair
       end
+    end
+
+    # Private: Fetch public keys.
+    #
+    # @param host [String] The host.
+    #
+    # @return [Array<Hash>] the public keys.
+    def fetch_public_keys(host)
+      json = Net::HTTP.get(host, CERTS_PATH)
+      json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
+    rescue StandardError
+      []
+    end
 
-      # Private: Get cached public keys.
-      #
-      # Store a keys in the cache only 10 minutes.
-      #
-      # @param host [String] The host.
-      #
-      # @return [Array<Hash>] the public keys.
-      def fetch_public_keys_cached(host)
-        key = [self.class.name, '#secrets', host].join('_')
-
-        if defined? Rails
-          Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys(host) }
-        elsif defined? Padrino
-          keys = Padrino.cache[key]
-          keys || Padrino.cache.store(key, fetch_public_keys(host), expires: 600)
-        else
-          fetch_public_keys(host)
-        end
+    # Private: Get cached public keys.
+    #
+    # Store a keys in the cache only 10 minutes.
+    #
+    # @param host [String] The host.
+    #
+    # @return [Array<Hash>] the public keys.
+    def fetch_public_keys_cached(host)
+      key = [self.class.name, '#secrets', host].join('_')
+
+      if defined? Rails
+        Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys(host) }
+      elsif defined? Padrino
+        keys = Padrino.cache[key]
+        keys || Padrino.cache.store(key, fetch_public_keys(host), expires: 600)
+      else
+        fetch_public_keys(host)
       end
+    end
 
-      # Private: Get a logger.
-      #
-      # @return [ActiveSupport::Logger] the logger.
-      def logger
-        if defined? Rails
-          Rails.logger
-        elsif defined? Padrino
-          Padrino.logger
-        end
+    # Private: Get a logger.
+    #
+    # @return [ActiveSupport::Logger] the logger.
+    def logger
+      if defined? Rails
+        Rails.logger
+      elsif defined? Padrino
+        Padrino.logger
       end
     end
   end

data/lib/rack/cloudflare_jwt/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-module Rack
+module Rack # rubocop:disable Style/ClassAndModuleChildren
   module CloudflareJwt
-    VERSION = '0.0.9'
+    VERSION = '0.1.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare-jwt
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.1.0
 platform: ruby
 authors:
 - Aleksei Vokhmin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-17 00:00:00.000000000 Z
+date: 2021-03-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -174,6 +188,7 @@ extra_rdoc_files: []
 files:
 - LICENSE
 - README.md
+- lib/rack/cloudflare/jwt.rb
 - lib/rack/cloudflare_jwt.rb
 - lib/rack/cloudflare_jwt/auth.rb
 - lib/rack/cloudflare_jwt/version.rb
@@ -196,8 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Rack middleware that provides authentication based on CloudFlare JSON Web