rack-prx_auth 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 53764ad6c8d28d070c297e861583800e8695f730
4
+ data.tar.gz: 25df2b4ac3cdfa4ed82336b4f21e2d1bd81611c3
5
+ SHA512:
6
+ metadata.gz: c948e9875aeb2d5f26467a8b6305fc25b6b7f33aa2579df68a1d7ae2b528ca6e8957d3fde85f892b1600335548c7e89120b3d3df85e8e50ffb18bc410bc1671e
7
+ data.tar.gz: 4ff2517a84b28cfd8eeac03ba05ffc2d06ed26874b77c6f6f6cc29c67cd59c683fdf671b3078967c7df0b5fd8762dae0fa3f1b7bd7ad2ea22b5a42be9b5a3e24
data/.gitignore ADDED
@@ -0,0 +1,14 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /Gemfile.lock
4
+ /_yardoc/
5
+ /coverage/
6
+ /doc/
7
+ /pkg/
8
+ /spec/reports/
9
+ /tmp/
10
+ *.bundle
11
+ *.so
12
+ *.o
13
+ *.a
14
+ mkmf.log
data/.travis.yml ADDED
@@ -0,0 +1,3 @@
1
+ language: ruby
2
+ rvm:
3
+ - 2.1.1
data/Gemfile ADDED
@@ -0,0 +1,4 @@
1
+ source 'https://rubygems.org'
2
+
3
+ # Specify your gem's dependencies in rack-prx_auth.gemspec
4
+ gemspec
data/Guardfile ADDED
@@ -0,0 +1,8 @@
1
+ guard :minitest, all_after_pass: true do
2
+ watch(%r{^test/(.*)\/?test_(.*)\.rb})
3
+ watch(%r{^lib/rack/(.*/)?([^/]+)\.rb}) { |m| "test/#{m[1]}test_#{m[2]}.rb" }
4
+ watch(%r{^lib/rack/(.+)\.rb}) { |m| "test/#{m[1]}_test.rb" }
5
+ watch(%r{^lib/(.+)\.rb}) { |m| "test/#{m[1]}_test.rb" }
6
+ watch(%r{^test/.+_test\.rb})
7
+ watch(%r{^test/test_helper\.rb}) { 'test' }
8
+ end
data/LICENSE ADDED
@@ -0,0 +1,22 @@
1
+ Copyright (c) 2014 PRX, Eve Asher
2
+
3
+ MIT License
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining
6
+ a copy of this software and associated documentation files (the
7
+ "Software"), to deal in the Software without restriction, including
8
+ without limitation the rights to use, copy, modify, merge, publish,
9
+ distribute, sublicense, and/or sell copies of the Software, and to
10
+ permit persons to whom the Software is furnished to do so, subject to
11
+ the following conditions:
12
+
13
+ The above copyright notice and this permission notice shall be
14
+ included in all copies or substantial portions of the Software.
15
+
16
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
17
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
18
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
19
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
20
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
21
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
22
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.md ADDED
@@ -0,0 +1,31 @@
1
+ # Rack::PrxAuth
2
+
3
+ TODO: Write a gem description
4
+
5
+ ## Installation
6
+
7
+ Add this line to your application's Gemfile:
8
+
9
+ ```ruby
10
+ gem 'rack-prx_auth'
11
+ ```
12
+
13
+ And then execute:
14
+
15
+ $ bundle
16
+
17
+ Or install it yourself as:
18
+
19
+ $ gem install rack-prx_auth
20
+
21
+ ## Usage
22
+
23
+ TODO: Write usage instructions here
24
+
25
+ ## Contributing
26
+
27
+ 1. Fork it ( https://github.com/PRX/rack-prx_auth/fork )
28
+ 2. Create your feature branch (`git checkout -b my-new-feature`)
29
+ 3. Commit your changes (`git commit -am 'Add some feature'`)
30
+ 4. Push to the branch (`git push origin my-new-feature`)
31
+ 5. Create a new Pull Request
data/Rakefile ADDED
@@ -0,0 +1,9 @@
1
+ require 'bundler/gem_tasks'
2
+ require 'rake'
3
+ require 'rake/testtask'
4
+
5
+ Rake::TestTask.new do |t|
6
+ t.pattern = 'test/*test.rb'
7
+ end
8
+
9
+ task default: :test
@@ -0,0 +1,58 @@
1
+ require 'json/jwt'
2
+ require 'rack/prx_auth/version'
3
+ require 'rack/prx_auth/public_key'
4
+ require 'rack/prx_auth/token_data'
5
+ require 'rack/prx_auth/railtie' if defined?(Rails)
6
+
7
+ module Rack
8
+ class PrxAuth
9
+ attr_reader :public_key
10
+
11
+ def initialize(app)
12
+ @app = app
13
+ @public_key = PublicKey.new
14
+ end
15
+
16
+ def call(env)
17
+ token = (env['HTTP_AUTHORIZATION'] || 'no token').split[1]
18
+ claims = decode_token(token)
19
+
20
+ if claims['iss'] == 'auth.prx.org'
21
+ if verified?(token) && !token_expired?(claims) && !cert_expired?(@public_key.certificate)
22
+ env['prx.auth'] = TokenData.new(claims)
23
+ @app.call(env)
24
+ else
25
+ [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
26
+ end
27
+ else
28
+ @app.call(env)
29
+ end
30
+ end
31
+
32
+ def decode_token(token)
33
+ begin
34
+ JSON::JWT.decode(token, :skip_verification)
35
+ rescue JSON::JWT::InvalidFormat
36
+ {}
37
+ end
38
+ end
39
+
40
+ def verified?(token)
41
+ begin
42
+ JSON::JWT.decode(token, @public_key.key)
43
+ rescue JSON::JWT::VerificationFailed
44
+ false
45
+ else
46
+ true
47
+ end
48
+ end
49
+
50
+ def cert_expired?(certificate)
51
+ certificate.not_after < Time.now
52
+ end
53
+
54
+ def token_expired?(claims)
55
+ Time.now.to_i > (claims['iat'] + claims['exp'])
56
+ end
57
+ end
58
+ end
@@ -0,0 +1,11 @@
1
+ class Rack::PrxAuth
2
+ module ControllerMethods
3
+ def prx_auth_token
4
+ request.env['prx.auth']
5
+ end
6
+
7
+ def prx_authenticated?
8
+ !!prx_auth_token
9
+ end
10
+ end
11
+ end
@@ -0,0 +1,37 @@
1
+ module Rack
2
+ class PrxAuth
3
+ class PublicKey
4
+ EXPIRES_IN = 43200
5
+ AUTH_URI = URI('https://auth.prx.org/api/v1/certs')
6
+
7
+ attr_reader :certificate
8
+
9
+ def initialize
10
+ @created_at = Time.now
11
+ get_key
12
+ end
13
+
14
+ def refresh_key
15
+ if Time.now > @created_at + EXPIRES_IN
16
+ get_key
17
+ end
18
+ end
19
+
20
+ def get_key
21
+ @certificate = get_certificate
22
+ @key = @certificate.public_key
23
+ end
24
+
25
+ def get_certificate
26
+ certs = JSON.parse(Net::HTTP.get(AUTH_URI))
27
+ cert_string = certs['certificates'].values[0]
28
+ OpenSSL::X509::Certificate.new(cert_string)
29
+ end
30
+
31
+ def key
32
+ refresh_key
33
+ @key
34
+ end
35
+ end
36
+ end
37
+ end
@@ -0,0 +1,15 @@
1
+ require 'rails/railtie'
2
+ require 'rack/prx_auth/controller_methods'
3
+ require 'rack/prx_auth'
4
+
5
+ class Rack::PrxAuth
6
+ class Railtie < Rails::Railtie
7
+ config.to_prepare do
8
+ ApplicationController.send(:include, Rack::PrxAuth::ControllerMethods)
9
+ end
10
+
11
+ initializer 'rack-prx_auth.insert_middleware' do |app|
12
+ app.config.middleware.insert_before ActionDispatch::ParamsParser, 'Rack::PrxAuth'
13
+ end
14
+ end
15
+ end
@@ -0,0 +1,11 @@
1
+ module Rack
2
+ class PrxAuth
3
+ class TokenData
4
+ def initialize(attrs = {})
5
+ @attributes = attrs
6
+ end
7
+
8
+ attr_reader :attributes
9
+ end
10
+ end
11
+ end
@@ -0,0 +1,5 @@
1
+ module Rack
2
+ class PrxAuth
3
+ VERSION = "0.0.1"
4
+ end
5
+ end
@@ -0,0 +1,29 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'rack/prx_auth/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "rack-prx_auth"
8
+ spec.version = Rack::PrxAuth::VERSION
9
+ spec.authors = ["Eve Asher"]
10
+ spec.email = ["eve@prx.org"]
11
+ spec.summary = %q{Rack middleware that verifies and decodes a JWT token and attaches the token's claims to env.}
12
+ spec.description = %q{Specific to PRX. Will ignore tokens that were not issued by PRX.}
13
+ spec.homepage = ""
14
+ spec.license = "MIT"
15
+
16
+ spec.files = `git ls-files -z`.split("\x0")
17
+ spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
18
+ spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
19
+ spec.require_paths = ["lib"]
20
+
21
+ spec.add_development_dependency 'bundler', '~> 1.7'
22
+ spec.add_development_dependency 'rake', '~> 10.0'
23
+ spec.add_development_dependency 'guard', '~> 2.6', '>= 2.6.1'
24
+ spec.add_development_dependency 'guard-minitest', '~> 2.3', '>= 2.3.2'
25
+
26
+ spec.add_dependency 'rack', '~> 1.5', '>= 1.5.2'
27
+ spec.add_dependency 'json', '~> 1.8', '>= 1.8.1'
28
+ spec.add_dependency 'json-jwt', '~> 0.7', '>= 0.7.0'
29
+ end
@@ -0,0 +1,44 @@
1
+ require 'minitest/autorun'
2
+ require 'minitest/spec'
3
+ require 'minitest/pride'
4
+ require 'rack/prx_auth'
5
+ require 'rack/prx_auth/controller_methods'
6
+ require 'rack/prx_auth/token_data'
7
+
8
+ class FakeController
9
+ include Rack::PrxAuth::ControllerMethods
10
+ attr_accessor :request
11
+
12
+ Request = Struct.new('Request', :env)
13
+
14
+ def initialize(env)
15
+ self.request = Request.new(env)
16
+ end
17
+ end
18
+
19
+ describe Rack::PrxAuth::ControllerMethods do
20
+ let(:claims) { {'sub'=>nil, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'auth.prx.org'} }
21
+ let(:token_data) { Rack::PrxAuth::TokenData.new(claims) }
22
+ let(:env) { {'prx.auth' => token_data } }
23
+ let(:empty_env) { Hash.new }
24
+
25
+ describe '#prx_auth_token' do
26
+ it 'returns the token data object' do
27
+ FakeController.new(env).prx_auth_token.must_equal token_data
28
+ end
29
+
30
+ it 'returns nil if there is no prx.auth field' do
31
+ FakeController.new(empty_env).prx_auth_token.must_be_nil
32
+ end
33
+ end
34
+
35
+ describe '#prx_authenticated?' do
36
+ it 'returns false if there is no token data' do
37
+ FakeController.new(empty_env).prx_authenticated?.must_equal false
38
+ end
39
+
40
+ it 'must be true if there is token data' do
41
+ FakeController.new(env).prx_authenticated?.must_equal true
42
+ end
43
+ end
44
+ end
@@ -0,0 +1,107 @@
1
+ require 'minitest/autorun'
2
+ require 'minitest/spec'
3
+ require 'minitest/pride'
4
+ require 'rack/prx_auth'
5
+
6
+ describe Rack::PrxAuth do
7
+ let(:app) { Proc.new {|env| env } }
8
+ let(:prxauth) { Rack::PrxAuth.new(app) }
9
+ let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
10
+ let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
11
+ let(:claims) { {'sub'=>nil, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'auth.prx.org'} }
12
+
13
+ describe '#call' do
14
+ it 'does nothing if there is no authorization header' do
15
+ env = {}
16
+
17
+ prxauth.call(env).must_equal env
18
+ end
19
+
20
+ it 'does nothing if the token is from another issuer' do
21
+ claims['iss'] = 'auth.elsewhere.org'
22
+
23
+ JSON::JWT.stub(:decode, claims) do
24
+ prxauth.call(env).must_equal env
25
+ end
26
+ end
27
+
28
+ it 'does nothing if token is invalid' do
29
+ prxauth.call(env).must_equal env
30
+ end
31
+
32
+ it 'returns 401 if verification fails' do
33
+ JSON::JWT.stub(:decode, claims) do
34
+ prxauth.stub(:verified?, false) do
35
+ prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
36
+ end
37
+ end
38
+ end
39
+
40
+ it 'returns 401 if access token has expired' do
41
+ JSON::JWT.stub(:decode, claims) do
42
+ prxauth.stub(:token_expired?, true) do
43
+ prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
44
+ end
45
+ end
46
+ end
47
+
48
+ it 'returns 401 if certificate has expired' do
49
+ JSON::JWT.stub(:decode, claims) do
50
+ prxauth.stub(:cert_expired?, true) do
51
+ prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
52
+ end
53
+ end
54
+ end
55
+
56
+ it 'attaches claims to request params if verification passes' do
57
+ JSON::JWT.stub(:decode, claims) do
58
+ prxauth.call(env)['prx.auth'].must_be_instance_of Rack::PrxAuth::TokenData
59
+ prxauth.call(env)['prx.auth'].attributes.must_equal claims
60
+ end
61
+ end
62
+ end
63
+
64
+ describe '#token_expired?' do
65
+ it 'returns true if token is expired' do
66
+ claims['iat'] = Time.now.to_i - 4000
67
+
68
+ prxauth.token_expired?(claims).must_equal true
69
+ end
70
+
71
+ it 'returns false if it is valid' do
72
+ prxauth.token_expired?(claims).must_equal false
73
+ end
74
+ end
75
+
76
+ describe '#cert_expired?' do
77
+ let(:cert) { prxauth.public_key.certificate }
78
+
79
+ it 'returns true if cert is expired' do
80
+ cert.stub(:not_after, Time.now - 100000) do
81
+ prxauth.cert_expired?(cert).must_equal true
82
+ end
83
+ end
84
+
85
+ it 'returns false if it is valid' do
86
+ cert.stub(:not_after, Time.now + 100000) do
87
+ prxauth.cert_expired?(cert).must_equal false
88
+ end
89
+ end
90
+ end
91
+
92
+ describe '#verified?' do
93
+ it 'returns false if error is raised' do
94
+ raise_error = Proc.new { raise JSON::JWT::VerificationFailed }
95
+
96
+ JSON::JWT.stub(:decode, raise_error) do
97
+ prxauth.verified?(fake_token).must_equal false
98
+ end
99
+ end
100
+
101
+ it 'returns true if no error is raised' do
102
+ JSON::JWT.stub(:decode, claims) do
103
+ prxauth.verified?(fake_token).must_equal true
104
+ end
105
+ end
106
+ end
107
+ end
metadata ADDED
@@ -0,0 +1,191 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: rack-prx_auth
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.0.1
5
+ platform: ruby
6
+ authors:
7
+ - Eve Asher
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2014-10-01 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: bundler
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '1.7'
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '1.7'
27
+ - !ruby/object:Gem::Dependency
28
+ name: rake
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '10.0'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '10.0'
41
+ - !ruby/object:Gem::Dependency
42
+ name: guard
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '2.6'
48
+ - - ">="
49
+ - !ruby/object:Gem::Version
50
+ version: 2.6.1
51
+ type: :development
52
+ prerelease: false
53
+ version_requirements: !ruby/object:Gem::Requirement
54
+ requirements:
55
+ - - "~>"
56
+ - !ruby/object:Gem::Version
57
+ version: '2.6'
58
+ - - ">="
59
+ - !ruby/object:Gem::Version
60
+ version: 2.6.1
61
+ - !ruby/object:Gem::Dependency
62
+ name: guard-minitest
63
+ requirement: !ruby/object:Gem::Requirement
64
+ requirements:
65
+ - - "~>"
66
+ - !ruby/object:Gem::Version
67
+ version: '2.3'
68
+ - - ">="
69
+ - !ruby/object:Gem::Version
70
+ version: 2.3.2
71
+ type: :development
72
+ prerelease: false
73
+ version_requirements: !ruby/object:Gem::Requirement
74
+ requirements:
75
+ - - "~>"
76
+ - !ruby/object:Gem::Version
77
+ version: '2.3'
78
+ - - ">="
79
+ - !ruby/object:Gem::Version
80
+ version: 2.3.2
81
+ - !ruby/object:Gem::Dependency
82
+ name: rack
83
+ requirement: !ruby/object:Gem::Requirement
84
+ requirements:
85
+ - - "~>"
86
+ - !ruby/object:Gem::Version
87
+ version: '1.5'
88
+ - - ">="
89
+ - !ruby/object:Gem::Version
90
+ version: 1.5.2
91
+ type: :runtime
92
+ prerelease: false
93
+ version_requirements: !ruby/object:Gem::Requirement
94
+ requirements:
95
+ - - "~>"
96
+ - !ruby/object:Gem::Version
97
+ version: '1.5'
98
+ - - ">="
99
+ - !ruby/object:Gem::Version
100
+ version: 1.5.2
101
+ - !ruby/object:Gem::Dependency
102
+ name: json
103
+ requirement: !ruby/object:Gem::Requirement
104
+ requirements:
105
+ - - "~>"
106
+ - !ruby/object:Gem::Version
107
+ version: '1.8'
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: 1.8.1
111
+ type: :runtime
112
+ prerelease: false
113
+ version_requirements: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - "~>"
116
+ - !ruby/object:Gem::Version
117
+ version: '1.8'
118
+ - - ">="
119
+ - !ruby/object:Gem::Version
120
+ version: 1.8.1
121
+ - !ruby/object:Gem::Dependency
122
+ name: json-jwt
123
+ requirement: !ruby/object:Gem::Requirement
124
+ requirements:
125
+ - - "~>"
126
+ - !ruby/object:Gem::Version
127
+ version: '0.7'
128
+ - - ">="
129
+ - !ruby/object:Gem::Version
130
+ version: 0.7.0
131
+ type: :runtime
132
+ prerelease: false
133
+ version_requirements: !ruby/object:Gem::Requirement
134
+ requirements:
135
+ - - "~>"
136
+ - !ruby/object:Gem::Version
137
+ version: '0.7'
138
+ - - ">="
139
+ - !ruby/object:Gem::Version
140
+ version: 0.7.0
141
+ description: Specific to PRX. Will ignore tokens that were not issued by PRX.
142
+ email:
143
+ - eve@prx.org
144
+ executables: []
145
+ extensions: []
146
+ extra_rdoc_files: []
147
+ files:
148
+ - ".gitignore"
149
+ - ".travis.yml"
150
+ - Gemfile
151
+ - Guardfile
152
+ - LICENSE
153
+ - README.md
154
+ - Rakefile
155
+ - lib/rack/prx_auth.rb
156
+ - lib/rack/prx_auth/controller_methods.rb
157
+ - lib/rack/prx_auth/public_key.rb
158
+ - lib/rack/prx_auth/railtie.rb
159
+ - lib/rack/prx_auth/token_data.rb
160
+ - lib/rack/prx_auth/version.rb
161
+ - rack-prx_auth.gemspec
162
+ - test/controller_methods_test.rb
163
+ - test/rack-prx_auth_test.rb
164
+ homepage: ''
165
+ licenses:
166
+ - MIT
167
+ metadata: {}
168
+ post_install_message:
169
+ rdoc_options: []
170
+ require_paths:
171
+ - lib
172
+ required_ruby_version: !ruby/object:Gem::Requirement
173
+ requirements:
174
+ - - ">="
175
+ - !ruby/object:Gem::Version
176
+ version: '0'
177
+ required_rubygems_version: !ruby/object:Gem::Requirement
178
+ requirements:
179
+ - - ">="
180
+ - !ruby/object:Gem::Version
181
+ version: '0'
182
+ requirements: []
183
+ rubyforge_project:
184
+ rubygems_version: 2.2.2
185
+ signing_key:
186
+ specification_version: 4
187
+ summary: Rack middleware that verifies and decodes a JWT token and attaches the token's
188
+ claims to env.
189
+ test_files:
190
+ - test/controller_methods_test.rb
191
+ - test/rack-prx_auth_test.rb