rack-prx_auth 0.0.4 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e7cde70cde8a0092e5b9b103dca645ead406af8b
-  data.tar.gz: 36a0c5162508458ec15e9db7572d1cc1244113fd
+  metadata.gz: 65365d276d9668d2b774150b51cae69cc94e7d4a
+  data.tar.gz: 2f9218bdcfe4b22ac97f45f6040b575e0fa9c665
 SHA512:
-  metadata.gz: 805280d7e1fda15de81c390a9c73d89613cc42843452eeff25481abfec36b6882bc8e8fa58312aba0660d7cf8abecea377127fb8912a359ae74214adc5131b7d
-  data.tar.gz: 5b518e3aecb8e4c9c557c1fb7369a092e0b48f902b6e87a5e56fbd407c68e048ea627dc54572a3700d66cdc636f06b21f20451671f88e5fd1cea3604f7cc4619
+  metadata.gz: 253b726a570baa8db347649f171b89f7d955ebec32c65d860aa426a1dda1df0c1fe333d5518b28530f7a9047bc29febf82d5978d8aca71035f3463017ba63625
+  data.tar.gz: bdd2a4f396fb85aefd68677becf5fedaf16a8b46482ff8bd6735455afa0de71cb367d07a13743405ec5f8911ea83523d9b69900d55593295c10dc61b2ce8fb62

data/.gitignore

@@ -7,6 +7,7 @@
 /pkg/
 /spec/reports/
 /tmp/
+/vendor/bundle/
 *.bundle
 *.so
 *.o

data/.travis.yml

@@ -1,3 +1,8 @@
 language: ruby
 rvm:
+  - 2.0.0-p598
   - 2.1.1
+  - 2.1.2
+  - 2.1.3
+  - 2.1.4
+  - 2.1.5

data/Gemfile

@@ -2,3 +2,6 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in rack-prx_auth.gemspec
 gemspec
+
+gem 'guard', '~> 2.6.1'
+gem 'guard-minitest', '~> 2.3.2'

data/Guardfile

@@ -1,7 +1,7 @@
 guard :minitest, all_after_pass: true do
   watch(%r{^test/(.*)\/?test_(.*)\.rb})
-  watch(%r{^lib/rack/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
-  watch(%r{^lib/rack/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
   watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
   watch(%r{^test/.+_test\.rb})
   watch(%r{^test/test_helper\.rb})                            { 'test' }

data/README.md

@@ -1,6 +1,12 @@
 # Rack::PrxAuth
 
-TODO: Write a gem description
+[![Gem Version](https://badge.fury.io/rb/rack-prx_auth.svg)](http://badge.fury.io/rb/rack-prx_auth)
+[![Dependency Status](https://gemnasium.com/PRX/rack-prx_auth.svg)](https://gemnasium.com/PRX/rack-prx_auth)
+[![Build Status](https://travis-ci.org/PRX/rack-prx_auth.svg?branch=master)](https://travis-ci.org/PRX/rack-prx_auth)
+[![Code Climate](https://codeclimate.com/github/PRX/rack-prx_auth/badges/gpa.svg)](https://codeclimate.com/github/PRX/rack-prx_auth)
+[![Coverage Status](https://coveralls.io/repos/PRX/rack-prx_auth/badge.svg)](https://coveralls.io/r/PRX/rack-prx_auth)
+
+This gem adds middleware to a Rack application that decodes and verified a JSON Web Token (JWT) issued by PRX.org. If the JWT is invalid, the middleware will respond with a 401 Unauthorized. If the JWT was not issued by PRX (or the specified issuer), the request will continue through the middleware stack.
 
 ## Installation
 
@@ -18,9 +24,38 @@ Or install it yourself as:
 
     $ gem install rack-prx_auth
 
+In a non-Rails app, add the following to the application's config.ru file:
+
+```ruby
+use Rack::PrxAuth, cert_location: [CERT LOCATION], issuer: [ISSUER]
+```
+The `cert_location` and `issuer` parameters are optional. See below.
+
 ## Usage
 
-TODO: Write usage instructions here
+### The Request
+
+Rack-prx_auth looks for a token in the request's HTTP_AUTHORIZATION header. It expects that the header's content will take the form of 'Bearer <your token>'. If no HTTP_AUTHORIZATION header is present, rack-prx_auth passes the request to the next middleware.
+
+We have another application that's in charge of making the token. It's called id.prx.org. Its job is to show a form for a user to enter credentials, validate those credentials, and then generate a JWT using PRX's private key. See http://openid.net/specs/openid-connect-implicit-1_0.html to find out what information is encoded in a JWT. Basically it's a hash containing, among other things, the user's ID, the issuer of the token, and when the token expires.
+
+### Configuration
+
+Rack-prx_auth takes two optional parameters, `issuer` and `cert_location`. See Installation for how to specify them.
+
+By default, rack-prx_auth will assume that you want to make sure the JWT was issued by PRX. After decoding the JWT, rack-prx_auth checks the `issuer` field to make sure it's id.prx.org. If you want it to check for a different issuer, pass `issuer: <your issuer>` as a parameter.
+
+Since the JWT was created using PRX's private key, rack-prx_auth needs to fetch PRX's public key to decode it. It does this by accessing the `cert_location` (default is https://id.prx.org/api/v1/certs), generating an OpenSSL::X509::Certificate based on its contents, and determining the public key from the certificate object. Should you wish to get your public key from a different certificate, you may specify a different endpoint by passing `cert_location: <your cert location>` as a parameter. Keep in mind that unless the certificate matches the private key used to make the JWT, rack-prx_auth will return 401.
+
+### The Response
+
+If the token isn't valid, meaning it's expired or it wasn't created using our private key, rack-prx_auth will return 401 Unauthorized.
+
+If there's nothing in the HTTP_AUTHORIZATION heading, there's something but JSON::JWT can't decode it, or the issuer field doesn't specify the correct issuer, rack-prx_auth just punts to the next piece of middleware.
+
+If all goes well, rack-prx_auth takes the decoded JWT and makes a TokenData object. Then it adds this object to the `env` with the key 'prx.auth'.
+
+If you are using rack-prx_auth in a Rails app, you'll have a few handy controller methods available to you. Calling `prx_auth_token` within a controller returns the TokenData object, and `prx_authenticated?` tells you whether a TokenData object is available. Also, if you call `user_id` on the TokenData object, you get the user's ID so you can ask id.prx.org for information about them.
 
 ## Contributing
 

data/Rakefile

@@ -3,7 +3,8 @@ require 'rake'
 require 'rake/testtask'
 
 Rake::TestTask.new do |t|
-  t.pattern = 'test/*test.rb'
+  t.libs << 'test'
+  t.pattern = 'test/**/*test.rb'
 end
 
 task default: :test

data/lib/rack/prx_auth/certificate.rb

@@ -0,0 +1,55 @@
+require 'json/jwt'
+require 'net/http'
+
+module Rack
+  class PrxAuth
+    class Certificate
+      EXPIRES_IN = 43200
+      DEFAULT_CERT_LOC = URI('https://id.prx.org/api/v1/certs')
+
+      attr_reader :cert_location
+
+      def initialize(cert_uri = nil)
+        @cert_location = cert_uri.nil? ? DEFAULT_CERT_LOC : URI(cert_uri)
+      end
+
+      def valid?(token)
+        begin
+          JSON::JWT.decode(token, public_key)
+        rescue JSON::JWT::VerificationFailed
+          false
+        else
+          true
+        end
+      end
+
+      private
+
+      def public_key
+        certificate.public_key
+      end
+
+      def certificate
+        if @certificate.nil? || needs_refresh?
+          @certificate = fetch
+        end
+        @certificate
+      end
+
+      def fetch
+        certs = JSON.parse(Net::HTTP.get(cert_location))
+        cert_string = certs['certificates'].values[0]
+        @refresh_at = Time.now.to_i + EXPIRES_IN
+        OpenSSL::X509::Certificate.new(cert_string)
+      end
+
+      def needs_refresh?
+        expired? || @refresh_at <= Time.now.to_i
+      end
+
+      def expired?
+        @certificate.not_after < Time.now
+      end
+    end
+  end
+end

data/lib/rack/prx_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class PrxAuth
-    VERSION = "0.0.4"
+    VERSION = "0.0.6"
   end
 end

data/lib/rack/prx_auth.rb

@@ -1,34 +1,47 @@
 require 'json/jwt'
 require 'rack/prx_auth/version'
-require 'rack/prx_auth/public_key'
+require 'rack/prx_auth/certificate'
 require 'rack/prx_auth/token_data'
-require 'rack/prx_auth/railtie' if defined?(Rails)
 
 module Rack
   class PrxAuth
-    attr_reader :public_key
+    INVALID_TOKEN = [
+      401, {'Content-Type' => 'application/json'},
+      [{status: 401, error: 'Invalid JSON Web Token'}.to_json]
+    ]
+
+    DEFAULT_ISS = 'id.prx.org'
+
+    attr_reader :issuer
 
     def initialize(app, options = {})
       @app = app
-      @public_key = PublicKey.new(options[:cert_location])
+      @certificate = Certificate.new(options[:cert_location])
+      @issuer = options[:issuer] || DEFAULT_ISS
     end
 
     def call(env)
-      token = (env['HTTP_AUTHORIZATION'] || 'no token').split[1]
+      return @app.call(env) unless env['HTTP_AUTHORIZATION']
+
+      token = env['HTTP_AUTHORIZATION'].split[1]
       claims = decode_token(token)
 
-      if claims['iss'] == 'auth.prx.org'
-        if verified?(token) && !token_expired?(claims) && !cert_expired?(@public_key.certificate)
-          env['prx.auth'] = TokenData.new(claims)
-          @app.call(env)
-        else
-          [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
-        end
-      else
+      return @app.call(env) unless should_validate_token?(claims)
+
+      if valid?(claims, token)
+        env['prx.auth'] = TokenData.new(claims)
         @app.call(env)
+      else
+        INVALID_TOKEN
       end
     end
 
+    private
+
+    def valid?(claims, token)
+      !expired?(claims) && @certificate.valid?(token)
+    end
+
     def decode_token(token)
       begin
         JSON::JWT.decode(token, :skip_verification)
@@ -37,22 +50,12 @@ module Rack
       end
     end
 
-    def verified?(token)
-      begin
-        JSON::JWT.decode(token, @public_key.key)
-      rescue JSON::JWT::VerificationFailed
-        false
-      else
-        true
-      end
-    end
-
-    def cert_expired?(certificate)
-      certificate.not_after < Time.now
+    def expired?(claims)
+      Time.now.to_i > (claims['iat'] + claims['exp'])
     end
 
-    def token_expired?(claims)
-      Time.now.to_i > (claims['iat'] + claims['exp'])
+    def should_validate_token?(claims)
+      claims['iss'] == @issuer
     end
   end
 end

data/rack-prx_auth.gemspec

@@ -6,23 +6,21 @@ require 'rack/prx_auth/version'
 Gem::Specification.new do |spec|
   spec.name          = "rack-prx_auth"
   spec.version       = Rack::PrxAuth::VERSION
-  spec.authors       = ["Eve Asher"]
-  spec.email         = ["eve@prx.org"]
+  spec.authors       = ["Eve Asher", "Chris Rhoden"]
+  spec.email         = ["eve@prx.org", "carhoden@gmail.com"]
   spec.summary       = %q{Rack middleware that verifies and decodes a JWT token and attaches the token's claims to env.}
   spec.description   = %q{Specific to PRX. Will ignore tokens that were not issued by PRX.}
-  spec.homepage      = ""
+  spec.homepage      = "https://github.com/PRX/rack-prx_auth"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.test_files    = spec.files.grep(%r{^test/})
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency 'bundler', '~> 1.7'
+  spec.add_development_dependency 'bundler', '~> 1.3'
   spec.add_development_dependency 'rake', '~> 10.0'
-  spec.add_development_dependency 'guard', '~> 2.6', '>= 2.6.1'
-  spec.add_development_dependency 'guard-minitest', '~> 2.3', '>= 2.3.2'
-  spec.add_development_dependency 'minitest-stub_any_instance'
+  spec.add_development_dependency 'coveralls', '~> 0'
 
   spec.add_dependency 'rack', '~> 1.5', '>= 1.5.2'
   spec.add_dependency 'json', '~> 1.8', '>= 1.8.1'

data/test/rack/prx_auth/certificate_test.rb

@@ -0,0 +1,130 @@
+require 'test_helper'
+
+describe Rack::PrxAuth::Certificate do
+  let(:subject) { Rack::PrxAuth::Certificate.new }
+  let(:certificate) { subject }
+
+  describe '#initialize' do
+    it 'allows setting the location of the certificates' do
+      cert = Rack::PrxAuth::Certificate.new('http://example.com')
+      cert.cert_location.must_equal URI('http://example.com')
+    end
+
+    it 'defaults to DEFAULT_CERT_LOC' do
+      certificate.cert_location.must_equal Rack::PrxAuth::Certificate::DEFAULT_CERT_LOC
+    end
+  end
+
+  describe '#valid?' do
+    it 'validates the token with the public key' do
+      token, key = nil, nil
+      certificate.stub(:public_key, :public_key) do
+        JSON::JWT.stub(:decode, Proc.new {|t, k| token, key = t, k }) do
+          certificate.valid?(:token)
+        end
+      end
+
+      token.must_equal :token
+      key.must_equal :public_key
+    end
+
+    it 'returns false if verification fails' do
+      JSON::JWT.stub(:decode, Proc.new do |t, k|
+        raise JSON::JWT::VerificationFailed
+      end) do
+        certificate.stub(:public_key, :foo) do
+          certificate.wont_be :valid?, :token
+        end
+      end
+    end
+
+    it 'returns true if verification passes' do
+      JSON::JWT.stub(:decode, {}) do
+        certificate.stub(:public_key, :foo) do
+          certificate.must_be :valid?, :token
+        end
+      end
+    end
+  end
+
+  describe '#certificate' do
+    it 'calls fetch if unprimed' do
+      def certificate.fetch
+        :sigil
+      end
+
+      certificate.send(:certificate).must_equal :sigil
+    end
+  end
+
+  describe '#public_key' do
+    it 'pulls from the certificate' do
+      certificate.stub(:certificate, Struct.new(:public_key).new(:key)) do
+        certificate.send(:public_key).must_equal :key
+      end
+    end
+  end
+
+  describe '#fetch' do
+    it 'pulls from `#cert_location`' do
+      Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
+        OpenSSL::X509::Certificate.stub(:new, ->(x) { x }) do
+          certificate.stub(:cert_location, "a://fake.url/here") do
+            certificate.send(:fetch).must_equal "a://fake.url/here"
+          end
+        end
+      end
+    end
+
+    it 'sets the expiration value' do
+      Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
+        OpenSSL::X509::Certificate.stub(:new, ->(_) { Struct.new(:not_after).new(Time.now + 10000) }) do
+          certificate.send :certificate
+          certificate.wont_be :needs_refresh?
+        end
+      end
+    end
+  end
+
+  describe '#expired?' do
+    let(:stub_cert) { Struct.new(:not_after).new(Time.now + 10000) }
+    before(:each) do
+      certificate.instance_variable_set :'@certificate', stub_cert
+    end
+
+    it 'is false when the certificate is not expired' do
+      certificate.wont_be :expired?
+    end
+
+    it 'is true when the certificate is expired' do
+      stub_cert.not_after = Time.now - 500
+      certificate.must_be :expired?
+    end
+  end
+
+  describe '#needs_refresh?' do
+    def refresh_at=(time)
+      certificate.instance_variable_set :'@refresh_at', time
+    end
+
+    it 'is true if certificate is expired' do
+      certificate.stub(:expired?, true) do
+        certificate.must_be :needs_refresh?
+      end
+    end
+
+    it 'is true if we are past refresh value' do
+      self.refresh_at = Time.now.to_i - 1000
+      certificate.stub(:expired?, false) do
+        certificate.must_be :needs_refresh?
+      end
+    end
+
+    it 'is false if certificate is not expired and refresh is in the future' do
+      self.refresh_at = Time.now.to_i + 10000
+      certificate.stub(:expired?, false) do
+        certificate.wont_be :needs_refresh?
+      end
+    end
+  end
+end

data/test/rack/prx_auth_test.rb

@@ -0,0 +1,79 @@
+require 'test_helper'
+
+describe Rack::PrxAuth do
+  let(:app) { Proc.new {|env| env } }
+  let(:prxauth) { Rack::PrxAuth.new(app) }
+  let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
+  let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
+  let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
+
+  describe '#call' do
+    it 'does nothing if there is no authorization header' do
+      env = {}
+
+      prxauth.call(env.clone).must_equal env
+    end
+
+    it 'does nothing if the token is from another issuer' do
+      claims['iss'] = 'auth.elsewhere.org'
+
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.call(env.clone).must_equal env
+      end
+    end
+
+    it 'does nothing if token is invalid' do
+      prxauth.call(env.clone).must_equal env
+    end
+
+    it 'returns 401 if verification fails' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:valid?, false) do
+          prxauth.call(env).must_equal Rack::PrxAuth::INVALID_TOKEN
+        end
+      end
+    end
+
+    it 'returns 401 if access token has expired' do
+      JSON::JWT.stub(:decode, claims) do
+        prxauth.stub(:expired?, true) do
+          prxauth.call(env).must_equal Rack::PrxAuth::INVALID_TOKEN
+        end
+      end
+    end
+
+    it 'attaches claims to request params if verification passes' do
+      prxauth.stub(:decode_token, claims) do
+        prxauth.stub(:valid?, true) do
+          prxauth.call(env)['prx.auth'].tap do |token|
+            token.must_be_instance_of Rack::PrxAuth::TokenData
+            token.attributes.must_equal claims
+            token.user_id.must_equal claims['sub']
+          end
+        end
+      end
+    end
+  end
+
+  describe '#token_expired?' do
+    it 'returns true if token is expired' do
+      claims['iat'] = Time.now.to_i - 4000
+
+      prxauth.send(:expired?, claims).must_equal true
+    end
+
+    it 'returns false if it is valid' do
+      prxauth.send(:expired?, claims).must_equal false
+    end
+  end
+
+  describe 'initialize' do
+    it 'takes a certificate location as an option' do
+      loc = nil
+      Rack::PrxAuth::Certificate.stub(:new, Proc.new{|l| loc = l}) do
+        Rack::PrxAuth.new(app, cert_location: :location)
+        loc.must_equal :location
+      end
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,9 @@
+require 'coveralls'
+Coveralls.wear!
+
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+require 'rack/prx_auth'
+
+require 'minitest/autorun'
+require 'minitest/spec'
+require 'minitest/pride'

metadata

@@ -1,181 +1,142 @@
 --- !ruby/object:Gem::Specification
 name: rack-prx_auth
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.6
 platform: ruby
 authors:
 - Eve Asher
+- Chris Rhoden
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-20 00:00:00.000000000 Z
+date: 2015-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
-  name: guard
+  name: coveralls
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.6'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.6.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.6'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.6.1
-- !ruby/object:Gem::Dependency
-  name: guard-minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.3.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.3'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.3.2
-- !ruby/object:Gem::Dependency
-  name: minitest-stub_any_instance
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.5'
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.5'
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.2
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.8'
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.8'
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 1.8.1
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.7'
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.7'
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: 0.7.0
 description: Specific to PRX. Will ignore tokens that were not issued by PRX.
 email:
 - eve@prx.org
+- carhoden@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".travis.yml"
+- .gitignore
+- .travis.yml
 - Gemfile
 - Guardfile
 - LICENSE
 - README.md
 - Rakefile
 - lib/rack/prx_auth.rb
-- lib/rack/prx_auth/controller_methods.rb
-- lib/rack/prx_auth/public_key.rb
-- lib/rack/prx_auth/railtie.rb
+- lib/rack/prx_auth/certificate.rb
 - lib/rack/prx_auth/token_data.rb
 - lib/rack/prx_auth/version.rb
 - rack-prx_auth.gemspec
-- test/controller_methods_test.rb
-- test/rack-prx_auth_test.rb
-homepage: ''
+- test/rack/prx_auth/certificate_test.rb
+- test/rack/prx_auth_test.rb
+- test/test_helper.rb
+homepage: https://github.com/PRX/rack-prx_auth
 licenses:
 - MIT
 metadata: {}
@@ -185,21 +146,22 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Rack middleware that verifies and decodes a JWT token and attaches the token's
   claims to env.
 test_files:
-- test/controller_methods_test.rb
-- test/rack-prx_auth_test.rb
+- test/rack/prx_auth/certificate_test.rb
+- test/rack/prx_auth_test.rb
+- test/test_helper.rb

data/lib/rack/prx_auth/controller_methods.rb

@@ -1,11 +0,0 @@
-class Rack::PrxAuth
-  module ControllerMethods
-    def prx_auth_token
-      request.env['prx.auth']
-    end
-
-    def prx_authenticated?
-      !!prx_auth_token
-    end
-  end
-end

data/lib/rack/prx_auth/public_key.rb

@@ -1,37 +0,0 @@
-module Rack
-  class PrxAuth
-    class PublicKey
-      EXPIRES_IN = 43200
-
-      attr_reader :certificate, :cert_location
-
-      def initialize(cert_location = nil)
-        @created_at = Time.now
-        @cert_location = URI(cert_location || 'https://auth.prx.org/api/v1/certs')
-        get_key
-      end
-
-      def refresh_key
-        if Time.now > @created_at + EXPIRES_IN
-          get_key
-        end
-      end
-
-      def get_key
-        @certificate = get_certificate
-        @key = @certificate.public_key
-      end
-
-      def get_certificate
-        certs = JSON.parse(Net::HTTP.get(@cert_location))
-        cert_string = certs['certificates'].values[0]
-        OpenSSL::X509::Certificate.new(cert_string)
-      end
-
-      def key
-        refresh_key
-        @key
-      end
-    end
-  end
-end

data/lib/rack/prx_auth/railtie.rb

@@ -1,15 +0,0 @@
-require 'rails/railtie'
-require 'rack/prx_auth/controller_methods'
-require 'rack/prx_auth'
-
-class Rack::PrxAuth
-  class Railtie < Rails::Railtie
-    config.to_prepare do
-      ApplicationController.send(:include, Rack::PrxAuth::ControllerMethods)
-    end
-
-    initializer 'rack-prx_auth.insert_middleware' do |app|
-      app.config.middleware.insert_before ActionDispatch::ParamsParser, 'Rack::PrxAuth'
-    end
-  end
-end

data/test/controller_methods_test.rb

@@ -1,44 +0,0 @@
-require 'minitest/autorun'
-require 'minitest/spec'
-require 'minitest/pride'
-require 'rack/prx_auth'
-require 'rack/prx_auth/controller_methods'
-require 'rack/prx_auth/token_data'
-
-class FakeController
-  include Rack::PrxAuth::ControllerMethods
-  attr_accessor :request
-
-  Request = Struct.new('Request', :env)
-
-  def initialize(env)
-    self.request = Request.new(env)
-  end
-end
-
-describe Rack::PrxAuth::ControllerMethods do
-  let(:claims) { {'sub'=>nil, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'auth.prx.org'} }
-  let(:token_data) { Rack::PrxAuth::TokenData.new(claims) }
-  let(:env) { {'prx.auth' => token_data } }
-  let(:empty_env) { Hash.new }
-
-  describe '#prx_auth_token' do
-    it 'returns the token data object' do
-      FakeController.new(env).prx_auth_token.must_equal token_data
-    end
-
-    it 'returns nil if there is no prx.auth field' do
-      FakeController.new(empty_env).prx_auth_token.must_be_nil
-    end
-  end
-
-  describe '#prx_authenticated?' do
-    it 'returns false if there is no token data' do
-      FakeController.new(empty_env).prx_authenticated?.must_equal false
-    end
-
-    it 'must be true if there is token data' do
-      FakeController.new(env).prx_authenticated?.must_equal true
-    end
-  end
-end

data/test/rack-prx_auth_test.rb

@@ -1,129 +0,0 @@
-require 'minitest/autorun'
-require 'minitest/spec'
-require 'minitest/pride'
-require 'minitest/stub_any_instance'
-require 'rack/prx_auth'
-
-describe Rack::PrxAuth do
-  let(:app) { Proc.new {|env| env } }
-  let(:prxauth) { Rack::PrxAuth.new(app) }
-  let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
-  let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
-  let(:claims) { {'sub'=>3, 'exp'=>3600, 'iat'=>Time.now.to_i, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'auth.prx.org'} }
-
-  describe '#call' do
-    it 'does nothing if there is no authorization header' do
-      env = {}
-
-      prxauth.call(env).must_equal env
-    end
-
-    it 'does nothing if the token is from another issuer' do
-      claims['iss'] = 'auth.elsewhere.org'
-
-      JSON::JWT.stub(:decode, claims) do
-        prxauth.call(env).must_equal env
-      end
-    end
-
-    it 'does nothing if token is invalid' do
-      prxauth.call(env).must_equal env
-    end
-
-    it 'returns 401 if verification fails' do
-      JSON::JWT.stub(:decode, claims) do
-        prxauth.stub(:verified?, false) do
-          prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
-        end
-      end
-    end
-
-    it 'returns 401 if access token has expired' do
-      JSON::JWT.stub(:decode, claims) do
-        prxauth.stub(:token_expired?, true) do
-          prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
-        end
-      end
-    end
-
-    it 'returns 401 if certificate has expired' do
-      JSON::JWT.stub(:decode, claims) do
-        prxauth.stub(:cert_expired?, true) do
-          prxauth.call(env).must_equal [401, {'Content-Type' => 'application/json'}, [{status: 401, error: 'Invalid JSON Web Token'}.to_json]]
-        end
-      end
-    end
-
-    it 'attaches claims to request params if verification passes' do
-      JSON::JWT.stub(:decode, claims) do
-        prxauth.call(env)['prx.auth'].must_be_instance_of Rack::PrxAuth::TokenData
-        prxauth.call(env)['prx.auth'].attributes.must_equal claims
-        prxauth.call(env)['prx.auth'].user_id.must_equal claims['sub']
-      end
-    end
-  end
-
-  describe '#token_expired?' do
-    it 'returns true if token is expired' do
-      claims['iat'] = Time.now.to_i - 4000
-
-      prxauth.token_expired?(claims).must_equal true
-    end
-
-    it 'returns false if it is valid' do
-      prxauth.token_expired?(claims).must_equal false
-    end
-  end
-
-  describe '#cert_expired?' do
-    let(:cert) { prxauth.public_key.certificate }
-
-    it 'returns true if cert is expired' do
-      cert.stub(:not_after, Time.now - 100000) do
-        prxauth.cert_expired?(cert).must_equal true
-      end
-    end
-
-    it 'returns false if it is valid' do
-      cert.stub(:not_after, Time.now + 100000) do
-        prxauth.cert_expired?(cert).must_equal false
-      end
-    end
-  end
-
-  describe '#verified?' do
-    it 'returns false if error is raised' do
-      raise_error = Proc.new { raise JSON::JWT::VerificationFailed }
-
-      JSON::JWT.stub(:decode, raise_error) do
-        prxauth.verified?(fake_token).must_equal false
-      end
-    end
-
-    it 'returns true if no error is raised' do
-      JSON::JWT.stub(:decode, claims) do
-        prxauth.verified?(fake_token).must_equal true
-      end
-    end
-  end
-
-  describe 'initialize' do
-    it 'takes a certificate location as an option' do
-      Rack::PrxAuth::PublicKey.stub_any_instance(:get_key, nil) do
-        prxauth = Rack::PrxAuth.new(app, cert_location: 'http://www.prx-auth.org/api/v1/certs')
-        key = prxauth.public_key
-        key.cert_location.host.must_equal 'www.prx-auth.org'
-        key.cert_location.path.must_equal '/api/v1/certs'
-      end
-    end
-
-    it 'uses auth.prx.org if no uri is given' do
-      Rack::PrxAuth::PublicKey.stub_any_instance(:get_key, nil) do
-        prxauth = Rack::PrxAuth.new(app)
-        key = prxauth.public_key
-        key.cert_location.host.must_equal 'auth.prx.org'
-        key.cert_location.path.must_equal '/api/v1/certs'
-      end
-    end
-  end
-end