rack-prx_auth 0.3.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b87251008aee29e6d86aae5fbec89cbd77b08479a57bfe69a78b7ca8b765d75b
-  data.tar.gz: fb463afd9ea824de3c6bb7b0cb1115a5783c422d3c3edaf53583bd670ba72f54
+  metadata.gz: 007badaca2bcd0d872e5bb23d18ba81098707f5417444688917a54444cf3bbcf
+  data.tar.gz: 799e16711cd95cba80a48608bad0d936da2bf26bcad96b713e8180a79c69650d
 SHA512:
-  metadata.gz: d2688d966852da50ed3d9045b187790b106ddf7996f4964544c50128baeb1fa407871abcf90d094387c5e08e12fd27215145468462e65d9491e1bfb8c4ceec3b
-  data.tar.gz: b110467850548ec5f5e0b31951f782d0b303b1fa41c10f58b29cc9930894c22bb1aede5e419c7ec1d52fbd8ae022cf5385de8f2e0c454052dabcc7f667c83098
+  metadata.gz: f276c65f9164b4c7b7fbe3fce4e09e10ea6d8e2e8e264cfa7110887b0b92da8e6f07602b822abf25687fadb60f68706f96834cbdd01a0eea64ab18721846366f
+  data.tar.gz: 2d3be4be1f0e42c5cd7d31e96b31e878d81f1ca914ad677351ff53e58d161cbdded223285211ee2d9b7b733c51b3dc3c1bb47cc508498928eccd66305bb97ee0

data/lib/prx_auth.rb

@@ -0,0 +1,7 @@
+require 'prx_auth/scope_list'
+require 'prx_auth/resource_map'
+require 'rack/prx_auth/version'
+
+module PrxAuth
+  VERSION = Rack::PrxAuth::VERSION
+end

data/lib/prx_auth/resource_map.rb

@@ -0,0 +1,49 @@
+module PrxAuth
+  class ResourceMap
+    WILDCARD_KEY = '*'
+
+    def initialize(mapped_values)
+      input = mapped_values.clone
+      @wildcard = ScopeList.new(input.delete(WILDCARD_KEY)||'')
+      @map = Hash[input.map do |(key, values)|
+        [key, ScopeList.new(values)]
+      end]
+    end
+
+    def contains?(resource, namespace=nil, scope=nil)
+      resource = resource.to_s
+
+      if resource == WILDCARD_KEY
+        raise ArgumentError if namespace.nil?
+      
+        @wildcard.contains?(namespace, scope)
+      else
+        mapped_resource = @map[resource]
+        
+        if mapped_resource && !namespace.nil?
+          mapped_resource.contains?(namespace, scope) || @wildcard.contains?(namespace, scope)
+        elsif !namespace.nil?
+          @wildcard.contains?(namespace, scope)
+        else
+          !!mapped_resource
+        end
+      end
+    end
+
+    def freeze
+      @map.freeze
+      @wildcard.freeze
+      self
+    end
+
+    def resources(namespace=nil, scope=nil)
+      if namespace.nil?
+        @map.keys
+      else
+        @map.select do |name, list|
+          list.contains?(namespace, scope)
+        end.map(&:first)
+      end
+    end
+  end
+end

data/lib/prx_auth/scope_list.rb

@@ -0,0 +1,58 @@
+module PrxAuth
+  class ScopeList
+    SCOPE_SEPARATOR = ' '
+    NAMESPACE_SEPARATOR = ':'
+    NO_NAMESPACE = :_
+
+    def initialize(list)
+      @string = list
+    end
+
+    def contains?(namespace, scope=nil)
+      scope, namespace = namespace, NO_NAMESPACE if scope.nil?
+
+      if namespace == NO_NAMESPACE
+        map[namespace].include?(symbolize(scope))
+      else
+        symbolized_scope = symbolize(scope)
+        map[symbolize(namespace)].include?(symbolized_scope) || map[NO_NAMESPACE].include?(symbolized_scope)
+      end
+    end
+
+    def freeze
+      @string.freeze
+      self
+    end
+
+    private
+
+    def map
+      @parsed_map ||= empty_map.tap do |map|
+        @string.split(SCOPE_SEPARATOR).each do |value|
+          next if value.length < 1
+
+          parts = value.split(NAMESPACE_SEPARATOR, 2)
+          if parts.length == 2
+            map[symbolize(parts[0])] << symbolize(parts[1])
+          else
+            map[NO_NAMESPACE] << symbolize(parts[0])
+          end
+        end
+      end
+    end
+
+    def empty_map
+      @empty_map ||= Hash.new do |hash, key|
+        hash[key] = []
+      end
+    end
+
+    def symbolize(value)
+      case value
+      when Symbol then value
+      when String then value.downcase.gsub('-', '_').intern
+      else symbolize value.to_s
+      end
+    end
+  end
+end

data/lib/rack/prx_auth.rb

@@ -2,6 +2,7 @@ require 'json/jwt'
 require 'rack/prx_auth/version'
 require 'rack/prx_auth/certificate'
 require 'rack/prx_auth/token_data'
+require 'prx_auth'
 
 module Rack
   class PrxAuth

data/lib/rack/prx_auth/token_data.rb

@@ -1,17 +1,15 @@
+require 'prx_auth/resource_map'
+
 module Rack
   class PrxAuth
     class TokenData
-      WILDCARD_RESOURCE_NAME = '*'
-
-      attr_reader :attributes, :authorized_resources, :scopes
+      attr_reader :scopes
 
       def initialize(attrs = {})
         @attributes = attrs
-        if attrs['aur']
-          @authorized_resources = unpack_aur(attrs['aur']).freeze
-        else
-          @authorized_resources = {}.freeze
-        end
+
+        @authorized_resources = ::PrxAuth::ResourceMap.new(unpack_aur(attrs['aur'])).freeze
+        
         if attrs['scope']
           @scopes = attrs['scope'].split(' ').freeze
         else
@@ -19,35 +17,27 @@ module Rack
         end
       end
 
+      def resources(namespace=nil, scope=nil)
+        @authorized_resources.resources(namespace, scope)
+      end
+
       def user_id
         @attributes['sub']
       end
 
-      def authorized?(resource, scope=nil)
-        if resource == WILDCARD_RESOURCE_NAME
-          globally_authorized?(scope)
-        elsif scope.nil?
-          authorized_for_resource?(resource, scope)
-        else
-          authorized_for_resource?(resource, scope) || globally_authorized?(scope)
-        end
+      def authorized?(resource, namespace=nil, scope=nil)
+        @authorized_resources.contains?(resource, namespace, scope)
       end
 
-      def globally_authorized?(scope)
-        raise ArgumentError if scope.nil?
-
-        authorized_for_resource?(WILDCARD_RESOURCE_NAME, scope)
+      def globally_authorized?(namespace, scope=nil)
+        authorized?(::PrxAuth::ResourceMap::WILDCARD_KEY, namespace, scope)
       end
       
       private
 
-      def authorized_for_resource?(resource, scope=nil)
-        if auth = authorized_resources[resource.to_s]
-          scope.nil? || (scopes + auth.split(' ')).include?(scope.to_s)
-        end
-      end
-
       def unpack_aur(aur)
+        return {} if aur.nil?
+
         aur.clone.tap do |result|
           unless result['$'].nil?
             result.delete('$').each do |role, resources|
@@ -56,9 +46,6 @@ module Rack
               end
             end
           end
-          if result[WILDCARD_RESOURCE_NAME].nil? && result['0']
-            result[WILDCARD_RESOURCE_NAME] = result.delete('0')
-          end
         end
       end
     end

data/lib/rack/prx_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class PrxAuth
-    VERSION = "0.3.0"
+    VERSION = "1.0.0"
   end
 end

data/test/prx_auth/resource_map_test.rb

@@ -0,0 +1,98 @@
+require 'test_helper'
+
+describe PrxAuth::ResourceMap do
+  let(:map) { PrxAuth::ResourceMap.new(input) }
+  let(:input) { {'123' => 'admin one two three ns1:namespaced', '456' => 'member four five six' } }
+
+  describe '#authorized?' do
+    it 'contains scopes in list' do
+      assert map.contains?(123, :admin)
+    end
+
+    it 'does not include across aur limits' do
+      assert !map.contains?(123, :member)
+    end
+
+    it 'does not require a scope' do
+      assert map.contains?(123)
+    end
+
+    it 'does not match if it hasnt seen the resource' do
+      assert !map.contains?(789)
+    end
+
+    it 'works with namespaced scopes' do
+      assert map.contains?(123, :ns1, :namespaced)
+    end
+
+    describe 'with wildcard resource' do
+      let(:input) do
+        {
+          '*' => 'peek',
+          '123' => 'admin one two three',
+          '456' => 'member four five six'
+        }
+      end
+
+      it 'applies wildcard lists to queries with no matching value' do
+        assert map.contains?(789, :peek)
+      end
+
+      it 'does not scan unscoped for wildcard resources' do
+        assert !map.contains?(789)
+      end
+
+      it 'allows querying by wildcard resource directly' do
+        assert map.contains?('*', :peek)
+        assert !map.contains?('*', :admin)
+      end
+
+      it 'treats wildcard lists as additive to other explicit ones' do
+        assert map.contains?(123, :peek)
+      end
+
+      it 'refuses to run against wildcard with no scope' do
+        assert_raises ArgumentError do
+          map.contains?('*')
+        end
+      end
+    end
+  end
+
+  describe '#resources' do
+    let (:input) do
+      {
+        '*' => 'read wildcard',
+        '123' => 'read write buy',
+        '456' => 'read ns1:buy'
+      }
+    end
+
+    let (:resources) { map.resources }
+
+    it 'returns resource ids' do
+      assert resources.include?('123')
+      assert resources.include?('456')
+    end
+
+    it 'excludes wildcard values' do
+      assert !resources.include?('*')
+    end
+
+    it 'filters for scope' do
+      resources = map.resources(:write)
+      assert resources.include?('123')
+      assert !resources.include?('456')
+      assert !resources.include?('*')
+    end
+
+    it 'works with namespaces' do
+      resources = map.resources(:ns1, :buy)
+      assert resources.include?('123')
+      assert resources.include?('456')
+
+      resources = map.resources(:buy)
+      assert !resources.include?('456')
+    end
+  end
+end

data/test/prx_auth/scope_list_test.rb

@@ -0,0 +1,44 @@
+require 'test_helper'
+
+describe PrxAuth::ScopeList do
+  let (:scopes) { 'read write sell  top-up' }
+  let (:list) { PrxAuth::ScopeList.new(scopes) }
+
+  it 'looks up successfully for a given scope' do
+    assert list.contains?('write')
+  end
+  
+  it 'scans for symbols' do
+    assert list.contains?(:read)
+  end
+
+  it 'handles hyphen to underscore conversions' do
+    assert list.contains?(:top_up)
+  end
+
+  it 'fails for contents not in the list' do
+    assert !list.contains?(:buy)
+  end
+
+  describe 'with namespace' do
+    let (:scopes) { 'ns1:hello ns2:goodbye aloha 1:23' }
+    
+    it 'works for namespaced lookups' do
+      assert list.contains?(:ns1, :hello)
+    end
+
+    it 'fails when the wrong namespace is passed' do
+      assert !list.contains?(:ns1, :goodbye)
+    end
+
+    it 'looks up global scopes when namespaced fails' do
+      assert list.contains?(:ns1, :aloha)
+      assert list.contains?(:ns3, :aloha)
+    end
+
+    it 'works with non-symbol namespaces' do
+      assert list.contains?(1, 23)
+    end
+  end
+
+end

data/test/rack/prx_auth/certificate_test.rb

@@ -7,11 +7,11 @@ describe Rack::PrxAuth::Certificate do
   describe '#initialize' do
     it 'allows setting the location of the certificates' do
       cert = Rack::PrxAuth::Certificate.new('http://example.com')
-      cert.cert_location.must_equal URI('http://example.com')
+      assert cert.cert_location == URI('http://example.com')
     end
 
     it 'defaults to DEFAULT_CERT_LOC' do
-      certificate.cert_location.must_equal Rack::PrxAuth::Certificate::DEFAULT_CERT_LOC
+      assert certificate.cert_location == Rack::PrxAuth::Certificate::DEFAULT_CERT_LOC
     end
   end
 
@@ -24,8 +24,8 @@ describe Rack::PrxAuth::Certificate do
         end
       end
 
-      token.must_equal :token
-      key.must_equal :public_key
+      assert token == :token
+      assert key == :public_key
     end
 
     it 'returns false if verification fails' do
@@ -33,7 +33,7 @@ describe Rack::PrxAuth::Certificate do
         raise JSON::JWT::VerificationFailed
       end) do
         certificate.stub(:public_key, :foo) do
-          certificate.wont_be :valid?, :token
+          assert !certificate.valid?(:token)
         end
       end
     end
@@ -41,7 +41,7 @@ describe Rack::PrxAuth::Certificate do
     it 'returns true if verification passes' do
       JSON::JWT.stub(:decode, {}) do
         certificate.stub(:public_key, :foo) do
-          certificate.must_be :valid?, :token
+          assert certificate.valid?(:token)
         end
       end
     end
@@ -53,14 +53,14 @@ describe Rack::PrxAuth::Certificate do
         :sigil
       end
 
-      certificate.send(:certificate).must_equal :sigil
+      assert certificate.send(:certificate) == :sigil
     end
   end
 
   describe '#public_key' do
     it 'pulls from the certificate' do
       certificate.stub(:certificate, Struct.new(:public_key).new(:key)) do
-        certificate.send(:public_key).must_equal :key
+        assert certificate.send(:public_key) == :key
       end
     end
   end
@@ -70,7 +70,7 @@ describe Rack::PrxAuth::Certificate do
       Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
         OpenSSL::X509::Certificate.stub(:new, ->(x) { x }) do
           certificate.stub(:cert_location, "a://fake.url/here") do
-            certificate.send(:fetch).must_equal "a://fake.url/here"
+            assert certificate.send(:fetch) == "a://fake.url/here"
           end
         end
       end
@@ -80,7 +80,7 @@ describe Rack::PrxAuth::Certificate do
       Net::HTTP.stub(:get, ->(x) { "{\"certificates\":{\"asdf\":\"#{x}\"}}" }) do
         OpenSSL::X509::Certificate.stub(:new, ->(_) { Struct.new(:not_after).new(Time.now + 10000) }) do
           certificate.send :certificate
-          certificate.wont_be :needs_refresh?
+          assert !certificate.send(:needs_refresh?)
         end
       end
     end
@@ -93,12 +93,12 @@ describe Rack::PrxAuth::Certificate do
     end
 
     it 'is false when the certificate is not expired' do
-      certificate.wont_be :expired?
+      assert !certificate.send(:expired?)
     end
 
     it 'is true when the certificate is expired' do
       stub_cert.not_after = Time.now - 500
-      certificate.must_be :expired?
+      assert certificate.send(:expired?)
     end
   end
 
@@ -109,21 +109,21 @@ describe Rack::PrxAuth::Certificate do
 
     it 'is true if certificate is expired' do
       certificate.stub(:expired?, true) do
-        certificate.must_be :needs_refresh?
+        assert certificate.send(:needs_refresh?)
       end
     end
 
     it 'is true if we are past refresh value' do
       self.refresh_at = Time.now.to_i - 1000
       certificate.stub(:expired?, false) do
-        certificate.must_be :needs_refresh?
+        assert certificate.send(:needs_refresh?)
       end
     end
 
     it 'is false if certificate is not expired and refresh is in the future' do
       self.refresh_at = Time.now.to_i + 10000
       certificate.stub(:expired?, false) do
-        certificate.wont_be :needs_refresh?
+        assert !certificate.send(:needs_refresh?)
       end
     end
   end

data/test/rack/prx_auth/token_data_test.rb

@@ -6,36 +6,45 @@ describe Rack::PrxAuth::TokenData do
     assert token.user_id == 123
   end
 
-  it 'pulls authorized_resources from aur' do
+  it 'pulls resources from aur' do
     token = Rack::PrxAuth::TokenData.new('aur' => {'123' => 'admin'})
-    assert token.authorized_resources['123'] == 'admin'
+    assert token.resources.include?('123')
   end
 
-  it 'unpacks compressed aur into authorized_resources' do
+  it 'unpacks compressed aur' do
     token = Rack::PrxAuth::TokenData.new('aur' => {
       '123' => 'member',
       '$' => {
         'admin' => [456, 789, 1011]
       }
     })
-    assert token.authorized_resources['$'].nil?
-    assert token.authorized_resources['789'] == 'admin'
-    assert token.authorized_resources['123'] == 'member'
+    assert !token.resources.include?('$')
+    assert token.resources.include?('789')
+    assert token.resources.include?('123')
+  end
+
+  describe '#resources' do
+    let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur) }
+    let(:aur) { {'123' => 'admin ns1:namespaced', '456' => 'member' } }
+
+    it 'scans for resources by namespace and scope' do
+      assert token.resources(:admin) == ['123']
+      assert token.resources(:namespaced) == []
+      assert token.resources(:member) == ['456']
+      assert token.resources(:ns1, :namespaced) == ['123']
+      assert token.resources(:ns1, :member) == ['456']
+    end
   end
 
   describe '#authorized?' do
     let(:token) { Rack::PrxAuth::TokenData.new('aur' => aur, 'scope' => scope) }
     let(:scope) { 'read write purchase sell delete' }
-    let(:aur) { {'123' => 'admin', '456' => 'member' } }
+    let(:aur) { {'123' => 'admin ns1:namespaced', '456' => 'member' } }
 
     it 'is authorized for scope in aur' do
       assert token.authorized?(123, 'admin')
     end
 
-    it 'is authorized for scope in scopes' do
-      assert token.authorized?(456, :delete)
-    end
-
     it 'is not authorized across aur limits' do
       assert !token.authorized?(123, :member)
     end
@@ -48,6 +57,12 @@ describe Rack::PrxAuth::TokenData do
       assert !token.authorized?(789)
     end
 
+    it 'works for namespaced scopes' do
+      assert token.authorized?(123, :ns1, :namespaced)
+      assert !token.authorized?(123, :namespaced)
+      assert token.authorized?(123, :ns1, :admin)
+    end
+
     describe 'with wildcard role' do
       let(:aur) { {'*' => 'peek', '123' => 'admin', '456' => 'member' } }
 
@@ -82,25 +97,5 @@ describe Rack::PrxAuth::TokenData do
         end
       end
     end
-
-    describe 'wildcard fallback handling' do
-
-      describe 'with no primary wildcard present' do
-        let(:aur) { {'0' => 'peek', '123' => 'admin', '456' => 'member' } }
-
-        it 'applies fallback as a wildcard' do
-          assert token.authorized?(789, :peek)
-        end
-      end
-
-      describe 'with primary wildcard present' do
-        let(:aur) { {'*' => 'cook', '0' => 'peek', '123' => 'admin', '456' => 'member' } }
-
-        it 'does not apply the fallback as a wildcard' do
-          assert token.authorized?(789, :cook)
-          assert !token.authorized?(789, :peek)
-        end
-      end
-    end
   end
 end

data/test/rack/prx_auth_test.rb

@@ -11,30 +11,30 @@ describe Rack::PrxAuth do
     it 'does nothing if there is no authorization header' do
       env = {}
 
-      prxauth.call(env.clone).must_equal env
+      assert prxauth.call(env.clone) == env
     end
 
     it 'does nothing if the token is from another issuer' do
       claims['iss'] = 'auth.elsewhere.org'
 
       JSON::JWT.stub(:decode, claims) do
-        prxauth.call(env.clone).must_equal env
+        assert prxauth.call(env.clone) == env
       end
     end
 
     it 'does nothing if token is invalid' do
-      prxauth.call(env.clone).must_equal env
+      assert prxauth.call(env.clone) == env
     end
 
     it 'does nothing if the token is nil' do
-      env = {"HTTP_AUTHORIZATION"=>"Bearer "}
-      prxauth.call(env).must_equal env
+      env = { "HTTP_AUTHORIZATION" => "Bearer "}
+      assert prxauth.call(env) == env
     end
 
     it 'returns 401 if verification fails' do
       JSON::JWT.stub(:decode, claims) do
         prxauth.stub(:valid?, false) do
-          prxauth.call(env).must_equal Rack::PrxAuth::INVALID_TOKEN
+          assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
         end
       end
     end
@@ -42,7 +42,7 @@ describe Rack::PrxAuth do
     it 'returns 401 if access token has expired' do
       JSON::JWT.stub(:decode, claims) do
         prxauth.stub(:expired?, true) do
-          prxauth.call(env).must_equal Rack::PrxAuth::INVALID_TOKEN
+          assert prxauth.call(env) == Rack::PrxAuth::INVALID_TOKEN
         end
       end
     end
@@ -51,9 +51,8 @@ describe Rack::PrxAuth do
       prxauth.stub(:decode_token, claims) do
         prxauth.stub(:valid?, true) do
           prxauth.call(env)['prx.auth'].tap do |token|
-            token.must_be_instance_of Rack::PrxAuth::TokenData
-            token.attributes.must_equal claims
-            token.user_id.must_equal claims['sub']
+            assert token.instance_of? Rack::PrxAuth::TokenData
+            assert token.user_id == claims['sub']
           end
         end
       end
@@ -64,11 +63,11 @@ describe Rack::PrxAuth do
     it 'returns true if token is expired' do
       claims['iat'] = Time.now.to_i - 4000
 
-      prxauth.send(:expired?, claims).must_equal true
+      assert prxauth.send(:expired?, claims) == true
     end
 
     it 'returns false if it is valid' do
-      prxauth.send(:expired?, claims).must_equal false
+      assert prxauth.send(:expired?, claims) == false
     end
   end
 
@@ -77,22 +76,22 @@ describe Rack::PrxAuth do
       loc = nil
       Rack::PrxAuth::Certificate.stub(:new, Proc.new{|l| loc = l}) do
         Rack::PrxAuth.new(app, cert_location: :location)
-        loc.must_equal :location
+        assert loc == :location
       end
     end
   end
 
   describe '#decode_token' do
     it 'should return an empty result for a nil token' do
-      prxauth.send(:decode_token, nil).must_equal({})
+      assert prxauth.send(:decode_token, nil) == {}
     end
 
     it 'should return an empty result for an empty token' do
-      prxauth.send(:decode_token, {}).must_equal({})
+      assert prxauth.send(:decode_token, {}) == {}
     end
 
     it 'should return an empty result for a malformed token' do
-      prxauth.send(:decode_token, 'asdfsadfsad').must_equal({})
+      assert prxauth.send(:decode_token, 'asdfsadfsad') == {}
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-prx_auth
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Eve Asher
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-30 00:00:00.000000000 Z
+date: 2020-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -139,11 +139,16 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- lib/prx_auth.rb
+- lib/prx_auth/resource_map.rb
+- lib/prx_auth/scope_list.rb
 - lib/rack/prx_auth.rb
 - lib/rack/prx_auth/certificate.rb
 - lib/rack/prx_auth/token_data.rb
 - lib/rack/prx_auth/version.rb
 - rack-prx_auth.gemspec
+- test/prx_auth/resource_map_test.rb
+- test/prx_auth/scope_list_test.rb
 - test/rack/prx_auth/certificate_test.rb
 - test/rack/prx_auth/token_data_test.rb
 - test/rack/prx_auth_test.rb
@@ -173,6 +178,8 @@ specification_version: 4
 summary: Rack middleware that verifies and decodes a JWT token and attaches the token's
   claims to env.
 test_files:
+- test/prx_auth/resource_map_test.rb
+- test/prx_auth/scope_list_test.rb
 - test/rack/prx_auth/certificate_test.rb
 - test/rack/prx_auth/token_data_test.rb
 - test/rack/prx_auth_test.rb