rails-vault-jwt 0.1.0 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 410f4ef7c6b7f8ce74ffed0d7d99c5ebe753151b9db6b5db1d218b7ecbbd8c18
4
- data.tar.gz: cfc364e819fe4af7c31b905c4bb0b69b197ffe623655e4c6bf7778bdc0811cfe
3
+ metadata.gz: 56e13dd8dfadee363e4789e1bf500b72ed53702b9144c673cd941cd88810e366
4
+ data.tar.gz: f56952d5e1190fc34554de88b42404ee0f68d67e61490c599f28be6482c92326
5
5
  SHA512:
6
- metadata.gz: b55438c67edc9375487e8546254ab3b48da37a183d84a1374123976944b21f94a72904032e88957257bd43f8a8b7ef36996d588acc469010719d3caea1b921cc
7
- data.tar.gz: 256f556c85fd42c8640d157063d338c25d886b34a61f7c69e4fb365f51ce9b846e78cd68ff117b948e6c3fcc69398614983eb1eb8d0fc87f0f75b747ef266be5
6
+ metadata.gz: 27a96436485358397827ff3e0930836ed8a036e6566fa41a81636a711fde677a20678cfa1bcdc5b910229e69cbe6229fc137bae80cd2937d48becd68ece66dda
7
+ data.tar.gz: cb107da1c5ee885cb09ab6d9ee7f25acb02962c6a73fe064df6cc917e28cece33034942581fec5be5c555c662b7b5665009e305302edb23eb81e9ec5128d7ef3
data/CHANGELOG.md CHANGED
@@ -6,6 +6,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
6
6
 
7
7
  ## [Unreleased]
8
8
 
9
+ ## [0.2.1] - 2021-02-07
10
+ ### Fixed
11
+ - Calls token to get a new token if needed when calling bearer_token
12
+
13
+ ## [0.2.0] - 2021-02-06
14
+ ### Added
15
+ - Add #bearer_token method to use token to acquire a JWT
16
+
17
+ ### Changed
18
+ - Prefix env vars with `VAULT_`
19
+
20
+ ## [0.1.3] - 2021-01-18
21
+ ### Added
22
+ - Added `valid_issuers` config item to allow restricting key lookups to specific issuers
23
+
24
+ ## [0.1.2] - 2021-01-18
25
+ ### Fixed
26
+ - Fixed issuer key url
27
+
28
+ ## [0.1.1] - 2021-01-18
29
+ ### Added
30
+ - Very basic logging around some errors
31
+
9
32
  ## [0.1.0] - 2021-01-17
10
33
  ### Added
11
34
  - Initial commit
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- rails-vault-jwt (0.1.0)
4
+ rails-vault-jwt (0.2.1)
5
5
  activesupport (~> 6.1)
6
6
  jwt (~> 2.2)
7
7
  vault (~> 0.15)
@@ -9,36 +9,36 @@ PATH
9
9
  GEM
10
10
  remote: https://rubygems.org/
11
11
  specs:
12
- actionpack (6.1.0)
13
- actionview (= 6.1.0)
14
- activesupport (= 6.1.0)
12
+ actionpack (6.1.1)
13
+ actionview (= 6.1.1)
14
+ activesupport (= 6.1.1)
15
15
  rack (~> 2.0, >= 2.0.9)
16
16
  rack-test (>= 0.6.3)
17
17
  rails-dom-testing (~> 2.0)
18
18
  rails-html-sanitizer (~> 1.0, >= 1.2.0)
19
- actionview (6.1.0)
20
- activesupport (= 6.1.0)
19
+ actionview (6.1.1)
20
+ activesupport (= 6.1.1)
21
21
  builder (~> 3.1)
22
22
  erubi (~> 1.4)
23
23
  rails-dom-testing (~> 2.0)
24
24
  rails-html-sanitizer (~> 1.1, >= 1.2.0)
25
- activesupport (6.1.0)
25
+ activesupport (6.1.1)
26
26
  concurrent-ruby (~> 1.0, >= 1.0.2)
27
27
  i18n (>= 1.6, < 2)
28
28
  minitest (>= 5.1)
29
29
  tzinfo (~> 2.0)
30
30
  zeitwerk (~> 2.3)
31
- ast (2.4.1)
31
+ ast (2.4.2)
32
32
  aws-eventstream (1.1.0)
33
33
  aws-sigv4 (1.2.2)
34
34
  aws-eventstream (~> 1, >= 1.0.2)
35
35
  builder (3.2.4)
36
- concurrent-ruby (1.1.7)
36
+ concurrent-ruby (1.1.8)
37
37
  crass (1.0.6)
38
38
  diff-lcs (1.4.4)
39
- docile (1.3.4)
39
+ docile (1.3.5)
40
40
  erubi (1.10.0)
41
- i18n (1.8.7)
41
+ i18n (1.8.8)
42
42
  concurrent-ruby (~> 1.0)
43
43
  jwt (2.2.2)
44
44
  loofah (2.9.0)
@@ -74,28 +74,28 @@ GEM
74
74
  rspec-expectations (3.10.1)
75
75
  diff-lcs (>= 1.2.0, < 2.0)
76
76
  rspec-support (~> 3.10.0)
77
- rspec-mocks (3.10.1)
77
+ rspec-mocks (3.10.2)
78
78
  diff-lcs (>= 1.2.0, < 2.0)
79
79
  rspec-support (~> 3.10.0)
80
- rspec-support (3.10.1)
81
- rubocop (1.7.0)
80
+ rspec-support (3.10.2)
81
+ rubocop (1.9.1)
82
82
  parallel (~> 1.10)
83
- parser (>= 2.7.1.5)
83
+ parser (>= 3.0.0.0)
84
84
  rainbow (>= 2.2.2, < 4.0)
85
85
  regexp_parser (>= 1.8, < 3.0)
86
86
  rexml
87
87
  rubocop-ast (>= 1.2.0, < 2.0)
88
88
  ruby-progressbar (~> 1.7)
89
- unicode-display_width (>= 1.4.0, < 2.0)
90
- rubocop-ast (1.4.0)
89
+ unicode-display_width (>= 1.4.0, < 3.0)
90
+ rubocop-ast (1.4.1)
91
91
  parser (>= 2.7.1.5)
92
92
  rubocop-rake (0.5.1)
93
93
  rubocop
94
- rubocop-rspec (2.1.0)
94
+ rubocop-rspec (2.2.0)
95
95
  rubocop (~> 1.0)
96
96
  rubocop-ast (>= 1.1.0)
97
97
  ruby-progressbar (1.11.0)
98
- simplecov (0.21.0)
98
+ simplecov (0.21.2)
99
99
  docile (~> 1.1)
100
100
  simplecov-html (~> 0.11)
101
101
  simplecov_json_formatter (~> 0.1)
@@ -103,7 +103,7 @@ GEM
103
103
  simplecov_json_formatter (0.1.2)
104
104
  tzinfo (2.0.4)
105
105
  concurrent-ruby (~> 1.0)
106
- unicode-display_width (1.7.0)
106
+ unicode-display_width (2.0.0)
107
107
  vault (0.15.0)
108
108
  aws-sigv4
109
109
  zeitwerk (2.4.2)
@@ -13,7 +13,11 @@ module Rails
13
13
  module JWT
14
14
  class Error < StandardError; end
15
15
 
16
+ class InvalidIssuer < StandardError; end
17
+
16
18
  class << self
19
+ extend Forwardable
20
+
17
21
  def configure
18
22
  @config = Config.new
19
23
  yield(@config) if block_given?
@@ -23,6 +27,8 @@ module Rails
23
27
  def config
24
28
  @config || configure
25
29
  end
30
+
31
+ def_delegators :config, :token, :bearer_token
26
32
  end
27
33
  end
28
34
  end
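Review bot: `InvalidIssuer` subclasses `StandardError` directly, while the module already defines `Error < StandardError` two lines above as its base error, so callers that `rescue Rails::Vault::JWT::Error` will not catch an issuer rejection. Declare it as `class InvalidIssuer < Error; end` and add `# Raised when a token's issuer is not in Config#valid_issuers.` above it; the gem's own `raise InvalidIssuer` and the Decoder's `rescue StandardError` are unaffected by the change. `def_delegators :config, :token, :bearer_token` also deserves a line noting that it forwards to the configured token provider, since `config` builds one lazily via `configure`.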
@@ -20,7 +20,8 @@ module Rails
20
20
  render json: { errors: ['Not Authenticated'] }, status: :unauthorized
21
21
  nil
22
22
  end
23
- rescue ::JWT::VerificationError, ::JWT::DecodeError
23
+ rescue ::JWT::VerificationError, ::JWT::DecodeError => e
24
+ JWT.config.logger.debug { "Error while verifying token: #{e}" }
24
25
  render json: { errors: ['Not Authenticated'] }, status: :unauthorized
25
26
  end
26
27
 
@@ -28,10 +29,16 @@ module Rails
28
29
 
29
30
  def http_token
30
31
  @http_token ||= (request.headers['Authorization'].split.last if request.headers['Authorization'].present?)
32
+ JWT.config.logger.debug { "@http_token => #{@http_token}" }
33
+
34
+ @http_token
31
35
  end
32
36
 
33
37
  def auth_token
34
38
  @auth_token ||= JWT::Decoder.decode(http_token)
39
+ JWT.config.logger.debug { "@auth_token => #{@auth_token}" }
40
+
41
+ @auth_token
35
42
  end
36
43
 
37
44
  def token_valid?
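Review bot: The two debug lines added to `http_token` and `auth_token` write the raw bearer JWT and its decoded claims into the application log, so every log sink (stdout, a log aggregator, a crash report) becomes a store of replayable credentials plus whatever PII the claims carry. Log only that a token was present, e.g. `JWT.config.logger.debug { "@http_token present: #{!@http_token.nil?}" }`, and in `auth_token` at most the claim names (`@auth_token&.keys`, presumably a Hash — confirm against `Decoder.decode`) rather than the values. The `rescue` at the top of the hunk is fine to log since `e` carries the library's message rather than the token, but its enclosing method begins outside the hunk, as does `token_valid?` at the end.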
@@ -7,9 +7,14 @@ module Rails
7
7
  module JWT
8
8
  class Config
9
9
  extend Forwardable
10
- attr_accessor :cache
10
+ attr_accessor :cache, :logger, :valid_issuers
11
11
  attr_reader :token_provider
12
12
 
13
+ def initialize
14
+ @logger = defined?(Rails) && defined?(Rails.logger) ? Rails.logger : Logger.new($stdout)
15
+ @valid_issuers = []
16
+ end
17
+
13
18
  def token_provider=(value)
14
19
  @token_provider = if value.is_a? Class
15
20
  value.new
@@ -18,7 +23,7 @@ module Rails
18
23
  end
19
24
  end
20
25
 
21
- def_delegators :@token_provider, :token
26
+ def_delegators :@token_provider, :token, :bearer_token
22
27
  end
23
28
  end
24
29
  end
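Review bot: `valid_issuers` defaults to `[]`, and (per the key-provider hunk further down) an empty list disables the issuer check entirely rather than denying everything, yet nothing at the declaration says so; a reader would reasonably assume an empty allowlist allows nothing. Add above the accessor: `# valid_issuers: issuers whose JWKS may be fetched. Empty (the default) disables the check, so set this in production.` and `# logger: defaults to Rails.logger when available, else a stdout Logger.` The `Logger.new($stdout)` fallback needs `require 'logger'` somewhere; the file's requires are outside the hunk, so verify it is present. The `defined?(Rails)` guard is always true here because this file itself opens `module Rails`, so `defined?(Rails.logger)` alone expresses the intent.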
@@ -19,7 +19,8 @@ module Rails
19
19
  jwks: key_provider.keys(issuer(token))
20
20
  }
21
21
  )[0])
22
- rescue StandardError
22
+ rescue StandardError => e
23
+ JWT.config.logger.error "Error while decoding token: #{e}"
23
24
  nil
24
25
  end
25
26
 
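Review bot: The new `logger.error` line fires for every token that fails to decode, and those tokens come from unauthenticated clients, so anyone can fill the error log (and any paging rule on it) by sending junk `Authorization` headers; the controller hunk logs the same class of failure at `debug`. Use `JWT.config.logger.warn` or `debug` here, and note in a comment that `InvalidIssuer` from the key provider now lands in this `rescue StandardError` too and is deliberately collapsed to `nil`. The enclosing `decode` method starts outside the hunk.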
@@ -12,6 +12,8 @@ module Rails
12
12
  end
13
13
 
14
14
  def keys(issuer)
15
+ raise InvalidIssuer if JWT.config.valid_issuers.any? && !(JWT.config.valid_issuers.include? issuer)
16
+
15
17
  if @cache.respond_to?(:fetch)
16
18
  @cache.fetch("keys/#{issuer}", expires_in: 5.minutes) do
17
19
  fetch_keys issuer
@@ -22,7 +24,7 @@ module Rails
22
24
  end
23
25
 
24
26
  def fetch_keys(issuer)
25
- raw = Net::HTTP.get URI.parse(issuer)
27
+ raw = Net::HTTP.get URI.parse("#{issuer}/.well-known/keys")
26
28
  JSON.parse raw, symbolize_names: true
27
29
  end
28
30
  end
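Review bot: The new issuer check in `keys` is skipped whenever `valid_issuers` is empty, which is the default, so out of the box `fetch_keys` still builds `"#{issuer}/.well-known/keys"` from whatever issuer the caller passes — and the Decoder hunk above shows that value is taken from the token (`issuer(token)`) before any signature verification. An attacker who controls `iss` can therefore point key retrieval at any URL reachable from the app (SSRF) and, if the response is a JWKS they control, have their own signature accepted. Consider failing closed, even though it changes the default: `raise InvalidIssuer, 'valid_issuers is not configured' if JWT.config.valid_issuers.empty?` followed by `raise InvalidIssuer, "issuer not allowed: #{issuer}" unless JWT.config.valid_issuers.include?(issuer)`, or at minimum reject non-https issuers in `fetch_keys` (`raise InvalidIssuer unless URI.parse(issuer).is_a?(URI::HTTPS)`) and give the `Net::HTTP.get` call a timeout. Since the Decoder rescues `StandardError`, these raises surface as a logged `nil` rather than a 500.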
@@ -9,12 +9,18 @@ module Rails
9
9
  class BaseProvider
10
10
  attr_reader :expire_time
11
11
 
12
- def initialize(*_args)
12
+ def initialize(*_args, bearer_role_name: nil, **_kwargs)
13
13
  @expire_time = DateTime.now
14
+ @bearer_role_name = bearer_role_name || ENV.fetch('VAULT_BEARER_ROLE', '')
14
15
  end
15
16
 
16
17
  def auth; end
17
18
 
19
+ def bearer_token
20
+ token
21
+ client.logical.read("identity/oidc/token/#{@bearer_role_name}")&.data[:token]
22
+ end
23
+
18
24
  def token
19
25
  unless token_valid?
20
26
  auth_data = auth
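Review bot: `bearer_token` is reachable with `@bearer_role_name` equal to `''` because the `ENV.fetch('VAULT_BEARER_ROLE', '')` default never fails, so a missing role yields a read of `identity/oidc/token/` instead of a clear configuration error; the AppRole provider in the next hunk uses `ENV.fetch('VAULT_ROLE_ID')` without a default, which is the better precedent. Add `raise Error, 'bearer_role_name is not configured' if @bearer_role_name.empty?` at the top of `bearer_token` (`Error` being the gem's base error). Also, `&.` guards only the `.data` call, so when `read` returns nil the trailing `[:token]` is still sent to nil; prefer `client.logical.read(...)&.data&.dig(:token)` (assuming `data` is a Hash, as the vault gem's Secret appears to return — confirm). The bare `token` call exists for its side effect of refreshing the Vault token; a comment saying so would stop the next reader from deleting it. `client` and the rest of `token` are defined outside the hunk.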
@@ -8,8 +8,8 @@ module Rails
8
8
  def initialize(*args, mount_name: 'approle', role_id: nil, secret_id: nil, token_ttl: '5m')
9
9
  super
10
10
  @mount_name = mount_name
11
- @role_id = role_id || ENV.fetch('ROLE_ID')
12
- @secret_id = secret_id || ENV.fetch('SECRET_ID')
11
+ @role_id = role_id || ENV.fetch('VAULT_ROLE_ID')
12
+ @secret_id = secret_id || ENV.fetch('VAULT_SECRET_ID')
13
13
  @token_ttl = token_ttl
14
14
  end
15
15
 
@@ -3,7 +3,7 @@
3
3
  module Rails
4
4
  module Vault
5
5
  module JWT
6
- VERSION = '0.1.0'
6
+ VERSION = '0.2.1'
7
7
  end
8
8
  end
9
9
  end
@@ -22,8 +22,8 @@ Gem::Specification.new do |spec|
22
22
  spec.metadata['allowed_push_host'] = 'https://rubygems.org'
23
23
 
24
24
  spec.metadata['homepage_uri'] = spec.homepage
25
- spec.metadata['source_code_uri'] = 'https://github.com/datanuggets/rails-vault-jwt'
26
- spec.metadata['changelog_uri'] = 'https://github.com/datanuggets/rails-vault-jwt/blob/main/CHANGELOG.md'
25
+ spec.metadata['source_code_uri'] = 'https://github.com/twitch-data-nuggets/rails-vault-jwt'
26
+ spec.metadata['changelog_uri'] = 'https://github.com/twitch-data-nuggets/rails-vault-jwt/blob/main/CHANGELOG.md'
27
27
  else
28
28
  raise 'RubyGems 2.0 or newer is required to protect against ' \
29
29
  'public gem pushes.'
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-vault-jwt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nick King
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-01-18 00:00:00.000000000 Z
11
+ date: 2021-02-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -148,8 +148,8 @@ licenses:
148
148
  metadata:
149
149
  allowed_push_host: https://rubygems.org
150
150
  homepage_uri: https://github.com/datanuggets/rails-vault-jwt
151
- source_code_uri: https://github.com/datanuggets/rails-vault-jwt
152
- changelog_uri: https://github.com/datanuggets/rails-vault-jwt/blob/main/CHANGELOG.md
151
+ source_code_uri: https://github.com/twitch-data-nuggets/rails-vault-jwt
152
+ changelog_uri: https://github.com/twitch-data-nuggets/rails-vault-jwt/blob/main/CHANGELOG.md
153
153
  post_install_message:
154
154
  rdoc_options: []
155
155
  require_paths: