rack-prx_auth 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e57bda2725fe363d27b499e084653515fba6fdd2dd90af5ea42edce47fa2918
-  data.tar.gz: 594cf56ce3d05aa865400dc092a166c4ef1cefb27018c1012116430018045373
+  metadata.gz: b87251008aee29e6d86aae5fbec89cbd77b08479a57bfe69a78b7ca8b765d75b
+  data.tar.gz: fb463afd9ea824de3c6bb7b0cb1115a5783c422d3c3edaf53583bd670ba72f54
 SHA512:
-  metadata.gz: 62c7e985124f8809cd0b8afcece43a0107d5f8027740b319dad1a95c7760ea4ff3913c4e0b337beab1dbb5506a45e5ba6d9fbe41ca871b3cdcf3841a9f777a18
-  data.tar.gz: 3d5f9d6a398fec46149e1413ad89d8990a9bc16b335f2aed1b3918f4e5ffdaa1545b9ecab89392a795dad48d267d0d464c2393be3a9f0639ac42c5f62a49640c
+  metadata.gz: d2688d966852da50ed3d9045b187790b106ddf7996f4964544c50128baeb1fa407871abcf90d094387c5e08e12fd27215145468462e65d9491e1bfb8c4ceec3b
+  data.tar.gz: b110467850548ec5f5e0b31951f782d0b303b1fa41c10f58b29cc9930894c22bb1aede5e419c7ec1d52fbd8ae022cf5385de8f2e0c454052dabcc7f667c83098

data/.gitignore

@@ -13,3 +13,4 @@
 *.o
 *.a
 mkmf.log
+.ruby-version

data/Gemfile

@@ -2,6 +2,3 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in rack-prx_auth.gemspec
 gemspec
-
-gem 'guard'
-gem 'guard-minitest'

data/lib/rack/prx_auth/token_data.rb

@@ -1,6 +1,8 @@
 module Rack
   class PrxAuth
     class TokenData
+      WILDCARD_RESOURCE_NAME = '*'
+
       attr_reader :attributes, :authorized_resources, :scopes
 
       def initialize(attrs = {})
@@ -22,13 +24,29 @@ module Rack
       end
 
       def authorized?(resource, scope=nil)
-        if auth = authorized_resources[resource.to_s]
-          scope.nil? || (scopes + auth.split(' ')).include?(scope.to_s)
+        if resource == WILDCARD_RESOURCE_NAME
+          globally_authorized?(scope)
+        elsif scope.nil?
+          authorized_for_resource?(resource, scope)
+        else
+          authorized_for_resource?(resource, scope) || globally_authorized?(scope)
         end
       end
 
+      def globally_authorized?(scope)
+        raise ArgumentError if scope.nil?
+
+        authorized_for_resource?(WILDCARD_RESOURCE_NAME, scope)
+      end
+      
       private
 
+      def authorized_for_resource?(resource, scope=nil)
+        if auth = authorized_resources[resource.to_s]
+          scope.nil? || (scopes + auth.split(' ')).include?(scope.to_s)
+        end
+      end
+
       def unpack_aur(aur)
         aur.clone.tap do |result|
           unless result['$'].nil?
@@ -38,6 +56,9 @@ module Rack
               end
             end
           end
+          if result[WILDCARD_RESOURCE_NAME].nil? && result['0']
+            result[WILDCARD_RESOURCE_NAME] = result.delete('0')
+          end
         end
       end
     end

data/lib/rack/prx_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class PrxAuth
-    VERSION = "0.2.1"
+    VERSION = "0.3.0"
   end
 end

data/rack-prx_auth.gemspec

@@ -23,6 +23,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 2.0'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'coveralls', '~> 0'
+  spec.add_development_dependency 'guard'
+  spec.add_development_dependency 'guard-minitest'
 
   spec.add_dependency 'rack', '>= 1.5.2'
   spec.add_dependency 'json', '>= 1.8.1'

data/test/rack/prx_auth/token_data_test.rb

@@ -3,12 +3,12 @@ require 'test_helper'
 describe Rack::PrxAuth::TokenData do
   it 'pulls user_id from sub' do
     token = Rack::PrxAuth::TokenData.new('sub' => 123)
-    token.user_id.must_equal 123
+    assert token.user_id == 123
   end
 
   it 'pulls authorized_resources from aur' do
     token = Rack::PrxAuth::TokenData.new('aur' => {'123' => 'admin'})
-    token.authorized_resources['123'].must_equal 'admin'
+    assert token.authorized_resources['123'] == 'admin'
   end
 
   it 'unpacks compressed aur into authorized_resources' do
@@ -18,9 +18,9 @@ describe Rack::PrxAuth::TokenData do
         'admin' => [456, 789, 1011]
       }
     })
-    token.authorized_resources['$'].must_be_nil
-    token.authorized_resources['789'].must_equal 'admin'
-    token.authorized_resources['123'].must_equal 'member'
+    assert token.authorized_resources['$'].nil?
+    assert token.authorized_resources['789'] == 'admin'
+    assert token.authorized_resources['123'] == 'member'
   end
 
   describe '#authorized?' do
@@ -48,5 +48,59 @@ describe Rack::PrxAuth::TokenData do
       assert !token.authorized?(789)
     end
 
+    describe 'with wildcard role' do
+      let(:aur) { {'*' => 'peek', '123' => 'admin', '456' => 'member' } }
+
+      it 'applies wildcard tokens to queries with no matching aur' do
+        assert token.authorized?(789, :peek)
+      end
+
+      it 'does not authorize unscoped for wildcard resources' do
+        assert !token.authorized?(789)
+      end
+
+      it 'allows querying by wildcard resource directly' do
+        assert token.authorized?('*', :peek)
+        assert !token.authorized?('*', :admin)
+      end
+
+      it 'has a shorthand `gobally_authorized?` to query wildcard' do
+        assert token.globally_authorized?(:peek)
+        assert !token.globally_authorized?(:admin)
+      end
+
+      it 'treats global authorizations as additive to other explicit ones' do
+        assert token.authorized?(123, :peek)
+      end
+
+      it 'refuses to run `globally_authorized?` with no scope' do
+        assert_raises ArgumentError do
+          token.globally_authorized?
+        end
+        assert_raises ArgumentError do
+          token.authorized?('*')
+        end
+      end
+    end
+
+    describe 'wildcard fallback handling' do
+
+      describe 'with no primary wildcard present' do
+        let(:aur) { {'0' => 'peek', '123' => 'admin', '456' => 'member' } }
+
+        it 'applies fallback as a wildcard' do
+          assert token.authorized?(789, :peek)
+        end
+      end
+
+      describe 'with primary wildcard present' do
+        let(:aur) { {'*' => 'cook', '0' => 'peek', '123' => 'admin', '456' => 'member' } }
+
+        it 'does not apply the fallback as a wildcard' do
+          assert token.authorized?(789, :cook)
+          assert !token.authorized?(789, :peek)
+        end
+      end
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-prx_auth
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-01 00:00:00.000000000 Z
+date: 2020-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -53,6 +53,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -139,8 +167,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: Rack middleware that verifies and decodes a JWT token and attaches the token's