rack-prx_auth 0.0.6 → 0.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 65365d276d9668d2b774150b51cae69cc94e7d4a
-  data.tar.gz: 2f9218bdcfe4b22ac97f45f6040b575e0fa9c665
+  metadata.gz: ac85eaa2032bbae554c23530f43c4e3d26c8545b
+  data.tar.gz: ab19c84a7ea04d795ffe526ee289692aa0a84f1d
 SHA512:
-  metadata.gz: 253b726a570baa8db347649f171b89f7d955ebec32c65d860aa426a1dda1df0c1fe333d5518b28530f7a9047bc29febf82d5978d8aca71035f3463017ba63625
-  data.tar.gz: bdd2a4f396fb85aefd68677becf5fedaf16a8b46482ff8bd6735455afa0de71cb367d07a13743405ec5f8911ea83523d9b69900d55593295c10dc61b2ce8fb62
+  metadata.gz: 0f6f1b767c855b51231059c5a702d46abbd5dd9411317c1372dda4f96bf3c4ebf210aa04e94abcb7871695ba7a7a6b7984da9301489d04b0e11c3158aa7e43a2
+  data.tar.gz: 65c6902e5c051f0e73092aa279bcec88c64e378f699eba8fdb36ddfe36c605382455170d3ecb51af54612e997eff72d965e502afe5bf0f10cf77ff8d1ce50d7f

data/CHANGELOG.md

@@ -0,0 +1,20 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased][unreleased]
+
+## [0.0.7] - 2014-07-10
+### Added
+- This Changelog
+- TokenData#authorized? method
+
+## [0.0.6] - 2015-04-22
+### Removed
+- Railtie
+### Fixed
+- Endless loop while fetching afer certificate cache expires
+
+[unreleased]: https://github.com/PRX/rack-prx_auth/compare/v0.0.7...HEAD
+[0.0.7]: https://github.com/PRX/rack-prx_auth/compare/v0.0.6...v0.0.7
+[0.0.6]: https://github.com/PRX/rack-prx_auth/compare/v0.0.5...v0.0.6

data/lib/rack/prx_auth/token_data.rb

@@ -1,15 +1,45 @@
 module Rack
   class PrxAuth
     class TokenData
+      attr_reader :attributes, :authorized_resources, :scopes
+
       def initialize(attrs = {})
         @attributes = attrs
+        if attrs['aur']
+          @authorized_resources = unpack_aur(attrs['aur']).freeze
+        else
+          @authorized_resources = {}.freeze
+        end
+        if attrs['scope']
+          @scopes = attrs['scope'].split(' ').freeze
+        else
+          @scopes = [].freeze
+        end
       end
 
-      attr_reader :attributes
-
       def user_id
         @attributes['sub']
       end
+
+      def authorized?(resource, scope=nil)
+        if auth = authorized_resources[resource.to_s]
+          scope.nil? || (scopes + auth.split(' ')).include?(scope.to_s)
+        end
+      end
+
+      private
+
+      def unpack_aur(aur)
+        aur.clone.tap do |result|
+          unless result['$'].nil?
+            result.delete('$').each do |role, resources|
+              resources.each do |res|
+                result[res.to_s] = role
+              end
+            end
+          end
+        end
+      end
     end
   end
 end

data/lib/rack/prx_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class PrxAuth
-    VERSION = "0.0.6"
+    VERSION = "0.0.7"
   end
 end

data/test/rack/prx_auth/token_data_test.rb

@@ -0,0 +1,52 @@
+require 'test_helper'
+
+describe Rack::PrxAuth::TokenData do
+  it 'pulls user_id from sub' do
+    token = Rack::PrxAuth::TokenData.new('sub' => 123)
+    token.user_id.must_equal 123
+  end
+
+  it 'pulls authorized_resources from aur' do
+    token = Rack::PrxAuth::TokenData.new('aur' => {'123' => 'admin'})
+    token.authorized_resources['123'].must_equal 'admin'
+  end
+
+  it 'unpacks compressed aur into authorized_resources' do
+    token = Rack::PrxAuth::TokenData.new('aur' => {
+      '123' => 'member',
+      '$' => {
+        'admin' => [456, 789, 1011]
+      }
+    })
+    token.authorized_resources['$'].must_be_nil
+    token.authorized_resources['789'].must_equal 'admin'
+    token.authorized_resources['123'].must_equal 'member'
+  end
+
+  describe '#authorized?' do
+    let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur, 'scope' => scope) }
+    let(:scope) { 'read write purchase sell delete' }
+    let(:aur) { {'123' => 'admin', '456' => 'member' } }
+
+    it 'is authorized for scope in aur' do
+      assert token.authorized?(123, 'admin')
+    end
+
+    it 'is authorized for scope in scopes' do
+      assert token.authorized?(456, :delete)
+    end
+
+    it 'is not authorized across aur limits' do
+      assert !token.authorized?(123, :member)
+    end
+
+    it 'does not require a scope' do
+      assert token.authorized?(123)
+    end
+
+    it 'is unauthorized if it hasnt seen the resource' do
+      assert !token.authorized?(789)
+    end
+
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-prx_auth
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.0.7
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-22 00:00:00.000000000 Z
+date: 2015-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -123,6 +123,7 @@ extra_rdoc_files: []
 files:
 - .gitignore
 - .travis.yml
+- CHANGELOG.md
 - Gemfile
 - Guardfile
 - LICENSE
@@ -134,6 +135,7 @@ files:
 - lib/rack/prx_auth/version.rb
 - rack-prx_auth.gemspec
 - test/rack/prx_auth/certificate_test.rb
+- test/rack/prx_auth/token_data_test.rb
 - test/rack/prx_auth_test.rb
 - test/test_helper.rb
 homepage: https://github.com/PRX/rack-prx_auth
@@ -163,5 +165,6 @@ summary: Rack middleware that verifies and decodes a JWT token and attaches the
   claims to env.
 test_files:
 - test/rack/prx_auth/certificate_test.rb
+- test/rack/prx_auth/token_data_test.rb
 - test/rack/prx_auth_test.rb
 - test/test_helper.rb