rack-prx_auth 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 53764ad6c8d28d070c297e861583800e8695f730
+  data.tar.gz: 25df2b4ac3cdfa4ed82336b4f21e2d1bd81611c3
+SHA512:
+  metadata.gz: c948e9875aeb2d5f26467a8b6305fc25b6b7f33aa2579df68a1d7ae2b528ca6e8957d3fde85f892b1600335548c7e89120b3d3df85e8e50ffb18bc410bc1671e
+  data.tar.gz: 4ff2517a84b28cfd8eeac03ba05ffc2d06ed26874b77c6f6f6cc29c67cd59c683fdf671b3078967c7df0b5fd8762dae0fa3f1b7bd7ad2ea22b5a42be9b5a3e24

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.1.1

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in rack-prx_auth.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,8 @@
+guard :minitest, all_after_pass: true do
+  watch(%r{^test/(.*)\/?test_(.*)\.rb})
+  watch(%r{^lib/rack/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/rack/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^test/.+_test\.rb})
+  watch(%r{^test/test_helper\.rb})                            { 'test' }
+end

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2014 PRX, Eve Asher
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,31 @@
+# Rack::PrxAuth
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rack-prx_auth'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rack-prx_auth
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it ( https://github.com/PRX/rack-prx_auth/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+require 'rake'
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.pattern = 'test/*test.rb'
+end
+
+task default: :test

data/lib/rack/prx_auth.rb

@@ -0,0 +1,58 @@
+require 'json/jwt'
+require 'rack/prx_auth/version'
+require 'rack/prx_auth/public_key'
+require 'rack/prx_auth/token_data'
+require 'rack/prx_auth/railtie' if defined?(Rails)
+
+module Rack
+  class PrxAuth
+    attr_reader :public_key
+
+    def initialize(app)
+      @app = app
+      @public_key = PublicKey.new
+    end
+
+    def call(env)
+      token = (env['HTTP_AUTHORIZATION'] || 'no token').split[1]
+      claims = decode_token(token)
+
+      if claims['iss'] == 'auth.prx.org'
+        if verified?(token) && !token_expired?(claims) && !cert_expired?(@public_key.certificate)
+          env['prx.auth'] = TokenData.new(claims)
+          @app.call(env)
+        else
+          [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
+        end
+      else
+        @app.call(env)
+      end
+    end
+
+    def decode_token(token)
+      begin
+        JSON::JWT.decode(token, :skip_verification)
+      rescue JSON::JWT::InvalidFormat
+        {}
+      end
+    end
+
+    def verified?(token)
+      begin
+        JSON::JWT.decode(token, @public_key.key)
+      rescue JSON::JWT::VerificationFailed
+        false
+      else
+        true
+      end
+    end
+
+    def cert_expired?(certificate)
+      certificate.not_after < Time.now
+    end
+
+    def token_expired?(claims)
+      Time.now.to_i > (claims['iat'] + claims['exp'])
+    end
+  end
+end

data/lib/rack/prx_auth/controller_methods.rb

@@ -0,0 +1,11 @@
+class Rack::PrxAuth
+  module ControllerMethods
+    def prx_auth_token
+      request.env['prx.auth']
+    end
+
+    def prx_authenticated?
+      !!prx_auth_token
+    end
+  end
+end

data/lib/rack/prx_auth/public_key.rb

@@ -0,0 +1,37 @@
+module Rack
+  class PrxAuth
+    class PublicKey
+      EXPIRES_IN = 43200
+      AUTH_URI = URI('https://auth.prx.org/api/v1/certs')
+
+      attr_reader :certificate
+
+      def initialize
+        @created_at = Time.now
+        get_key
+      end
+
+      def refresh_key
+        if Time.now > @created_at + EXPIRES_IN
+          get_key
+        end
+      end
+
+      def get_key
+        @certificate = get_certificate
+        @key = @certificate.public_key
+      end
+
+      def get_certificate
+        certs = JSON.parse(Net::HTTP.get(AUTH_URI))
+        cert_string = certs['certificates'].values[0]
+        OpenSSL::X509::Certificate.new(cert_string)
+      end
+
+      def key
+        refresh_key
+        @key
+      end
+    end
+  end
+end

data/lib/rack/prx_auth/railtie.rb

@@ -0,0 +1,15 @@
+require 'rails/railtie'
+require 'rack/prx_auth/controller_methods'
+require 'rack/prx_auth'
+
+class Rack::PrxAuth
+  class Railtie < Rails::Railtie
+    config.to_prepare do
+      ApplicationController.send(:include, Rack::PrxAuth::ControllerMethods)
+    end
+
+    initializer 'rack-prx_auth.insert_middleware' do |app|
+      app.config.middleware.insert_before ActionDispatch::ParamsParser, 'Rack::PrxAuth'
+    end
+  end
+end

data/lib/rack/prx_auth/token_data.rb

@@ -0,0 +1,11 @@
+module Rack
+  class PrxAuth
+    class TokenData
+      def initialize(attrs = {})
+        @attributes = attrs
+      end
+
+      attr_reader :attributes
+    end
+  end
+end

data/lib/rack/prx_auth/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class PrxAuth
+    VERSION = "0.0.1"
+  end
+end

data/rack-prx_auth.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rack/prx_auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "rack-prx_auth"
+  spec.version       = Rack::PrxAuth::VERSION
+  spec.authors       = ["Eve Asher"]
+  spec.email         = ["eve@prx.org"]
+  spec.summary       = %q{Rack middleware that verifies and decodes a JWT token and attaches the token's claims to env.}
+  spec.description   = %q{Specific to PRX. Will ignore tokens that were not issued by PRX.}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency 'bundler', '~> 1.7'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'guard', '~> 2.6', '>= 2.6.1'
+  spec.add_development_dependency 'guard-minitest', '~> 2.3', '>= 2.3.2'
+
+  spec.add_dependency 'rack', '~> 1.5', '>= 1.5.2'
+  spec.add_dependency 'json', '~> 1.8', '>= 1.8.1'
+  spec.add_dependency 'json-jwt', '~> 0.7', '>= 0.7.0'
+end

data/test/controller_methods_test.rb

@@ -0,0 +1,44 @@
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'minitest/pride'
+require 'rack/prx_auth'
+require 'rack/prx_auth/controller_methods'
+require 'rack/prx_auth/token_data'
+
+class FakeController
+  include Rack::PrxAuth::ControllerMethods
+  attr_accessor :request
+
+  Request = Struct.new('Request', :env)
+
+  def initialize(env)
+    self.request = Request.new(env)
+  end
+end
+
+describe Rack::PrxAuth::ControllerMethods do
+  let(:claims) { {'sub'=>nil, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'auth.prx.org'} }
+  let(:token_data) { Rack::PrxAuth::TokenData.new(claims) }
+  let(:env) { {'prx.auth' => token_data } }
+  let(:empty_env) { Hash.new }
+
+  describe '#prx_auth_token' do
+    it 'returns the token data object' do
+      FakeController.new(env).prx_auth_token.must_equal token_data
+    end
+
+    it 'returns nil if there is no prx.auth field' do
+      FakeController.new(empty_env).prx_auth_token.must_be_nil
+    end
+  end
+
+  describe '#prx_authenticated?' do
+    it 'returns false if there is no token data' do
+      FakeController.new(empty_env).prx_authenticated?.must_equal false
+    end
+
+    it 'must be true if there is token data' do
+      FakeController.new(env).prx_authenticated?.must_equal true
+    end
+  end
+end

data/test/rack-prx_auth_test.rb

@@ -0,0 +1,107 @@
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'minitest/pride'
+require 'rack/prx_auth'
+
+describe Rack::PrxAuth do
+  let(:app) { Proc.new {|env| env } }
+  let(:prxauth) { Rack::PrxAuth.new(app) }
+  let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
+  let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
+  let(:claims) { {'sub'=>nil, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'auth.prx.org'} }
+
+  describe '#call' do
+    it 'does nothing if there is no authorization header' do
+      env = {}
+
+      prxauth.call(env).must_equal env
+    end
+
+    it 'does nothing if the token is from another issuer' do
+      claims['iss'] = 'auth.elsewhere.org'
+
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.call(env).must_equal env
+      end
+    end
+
+    it 'does nothing if token is invalid' do
+      prxauth.call(env).must_equal env
+    end
+
+    it 'returns 401 if verification fails' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:verified?, false) do
+          prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
+        end
+      end
+    end
+
+    it 'returns 401 if access token has expired' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:token_expired?, true) do
+          prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
+        end
+      end
+    end
+
+    it 'returns 401 if certificate has expired' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:cert_expired?, true) do
+          prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
+        end
+      end
+    end
+
+    it 'attaches claims to request params if verification passes' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.call(env)['prx.auth'].must_be_instance_of Rack::PrxAuth::TokenData
+        prxauth.call(env)['prx.auth'].attributes.must_equal claims
+      end
+    end
+  end
+
+  describe '#token_expired?' do
+    it 'returns true if token is expired' do
+      claims['iat'] = Time.now.to_i - 4000
+
+      prxauth.token_expired?(claims).must_equal true
+    end
+
+    it 'returns false if it is valid' do
+      prxauth.token_expired?(claims).must_equal false
+    end
+  end
+
+  describe '#cert_expired?' do
+    let(:cert) { prxauth.public_key.certificate }
+
+    it 'returns true if cert is expired' do
+      cert.stub(:not_after, Time.now - 100000) do
+        prxauth.cert_expired?(cert).must_equal true
+      end
+    end
+
+    it 'returns false if it is valid' do
+      cert.stub(:not_after, Time.now + 100000) do
+        prxauth.cert_expired?(cert).must_equal false
+      end
+    end
+  end
+
+  describe '#verified?' do
+    it 'returns false if error is raised' do
+      raise_error = Proc.new { raise JSON::JWT::VerificationFailed }
+
+      JSON::JWT.stub(:decode, raise_error) do
+        prxauth.verified?(fake_token).must_equal false
+      end
+    end
+
+    it 'returns true if no error is raised' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.verified?(fake_token).must_equal true
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,191 @@
+--- !ruby/object:Gem::Specification
+name: rack-prx_auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Eve Asher
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-10-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.6.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.6.1
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.3.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.3.2
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.2
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.1
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+description: Specific to PRX. Will ignore tokens that were not issued by PRX.
+email:
+- eve@prx.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/rack/prx_auth.rb
+- lib/rack/prx_auth/controller_methods.rb
+- lib/rack/prx_auth/public_key.rb
+- lib/rack/prx_auth/railtie.rb
+- lib/rack/prx_auth/token_data.rb
+- lib/rack/prx_auth/version.rb
+- rack-prx_auth.gemspec
+- test/controller_methods_test.rb
+- test/rack-prx_auth_test.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Rack middleware that verifies and decodes a JWT token and attaches the token's
+  claims to env.
+test_files:
+- test/controller_methods_test.rb
+- test/rack-prx_auth_test.rb