rapid-rack 0.0.1

data/config/routes.rb

@@ -0,0 +1,6 @@
+RapidRack::Engine.routes.draw do
+  opts = Rails.application.config.rapid_rack
+  authenticator = opts.authenticator.constantize.new(opts)
+
+  mount authenticator => ''
+end

data/lib/rapid-rack.rb

@@ -0,0 +1 @@
+require 'rapid_rack'

data/lib/rapid_rack.rb

@@ -0,0 +1,8 @@
+module RapidRack
+end
+
+require 'rapid_rack/version'
+require 'rapid_rack/authenticator'
+require 'rapid_rack/default_receiver'
+require 'rapid_rack/redis_registry'
+require 'rapid_rack/engine' if defined?(Rails)

data/lib/rapid_rack/authenticator.rb

@@ -0,0 +1,121 @@
+require 'json/jwt'
+require 'rack/utils'
+
+module RapidRack
+  class Authenticator
+    def initialize(opts)
+      @url = opts[:url]
+      @receiver = opts[:receiver].try(:constantize)
+      fail('A receiver must be configured for rapid_rack') if @receiver.nil?
+      @secret = opts[:secret]
+      @issuer = opts[:issuer]
+      @audience = opts[:audience]
+      @error_handler = opts[:error_handler].try(:constantize).try(:new) || self
+    end
+
+    def call(env)
+      sym = DISPATCH[env['PATH_INFO']]
+      return send(sym, env) if sym
+
+      [404, {}, ["Not found: #{env['PATH_INFO']}"]]
+    end
+
+    def handle(_env, _exception)
+      [
+        400, { 'Content-Type' => 'text/plain' }, [
+          'Sorry, your attempt to log in to this service was not successful. ',
+          'Please contact the service owner for assistance, and include the ',
+          'link you used to access this service.'
+        ]
+      ]
+    end
+
+    private
+
+    InvalidClaim = Class.new(StandardError)
+    private_constant :InvalidClaim
+
+    DISPATCH = {
+      '/login' => :initiate,
+      '/jwt' => :callback,
+      '/logout' => :terminate
+    }
+    private_constant :DISPATCH
+
+    def initiate(env)
+      return method_not_allowed unless method?(env, 'GET')
+
+      [302, { 'Location' => @url }, []]
+    end
+
+    def callback(env)
+      return method_not_allowed unless method?(env, 'POST')
+      params = Rack::Utils.parse_query(env['rack.input'].read)
+
+      with_claims(env, params['assertion']) do |claims|
+        receiver.receive(env, claims)
+      end
+    end
+
+    def terminate(env)
+      return method_not_allowed unless method?(env, 'GET')
+
+      receiver.logout(env)
+    end
+
+    def with_claims(env, assertion)
+      claims = JSON::JWT.decode(assertion, @secret)
+      validate_claims(claims)
+      yield claims
+    rescue JSON::JWT::Exception => e
+      @error_handler.handle(env, e)
+    rescue InvalidClaim => e
+      @error_handler.handle(env, e)
+    end
+
+    def validate_claims(claims)
+      reject_claim_if(claims, 'aud') { |v| v != @audience }
+      reject_claim_if(claims, 'iss') { |v| v != @issuer }
+      reject_claim_if(claims, 'typ') { |v| v != 'authnresponse' }
+      reject_claim_if(claims, 'jti', &method(:replayed?))
+      reject_claim_if(claims, 'nbf', &:zero?)
+      reject_claim_if(claims, 'nbf', &method(:future?))
+      reject_claim_if(claims, 'exp', &method(:expired?))
+      reject_claim_if(claims, 'iat', &method(:skewed?))
+    end
+
+    def replayed?(jti)
+      !receiver.register_jti(jti)
+    end
+
+    def skewed?(iat)
+      (iat - Time.now.to_i).abs > 60
+    end
+
+    def expired?(exp)
+      Time.at(exp) < Time.now
+    end
+
+    def future?(nbf)
+      Time.at(nbf) > Time.now
+    end
+
+    def reject_claim_if(claims, key)
+      val = claims[key]
+      fail(InvalidClaim, "nil #{key}") unless val
+      fail(InvalidClaim, "bad #{key}: #{val}") if yield(val)
+    end
+
+    def method?(env, method)
+      env['REQUEST_METHOD'] == method
+    end
+
+    def method_not_allowed
+      [405, {}, ['Method not allowed']]
+    end
+
+    def receiver
+      @receiver.new
+    end
+  end
+end

data/lib/rapid_rack/default_receiver.rb

@@ -0,0 +1,30 @@
+module RapidRack
+  module DefaultReceiver
+    def receive(env, claims)
+      attrs = map_attributes(claims['https://aaf.edu.au/attributes'])
+      store_id(env, subject(attrs).id)
+      finish(env)
+    end
+
+    def map_attributes(attrs)
+      attrs
+    end
+
+    def store_id(env, id)
+      env['rack.session']['subject_id'] = id
+    end
+
+    def finish(_env)
+      redirect_to('/')
+    end
+
+    def redirect_to(url)
+      [302, { 'Location' => url }, []]
+    end
+
+    def logout(env)
+      env['rack.session'].clear
+      redirect_to('/')
+    end
+  end
+end

data/lib/rapid_rack/engine.rb

@@ -0,0 +1,33 @@
+require 'yaml'
+
+module RapidRack
+  class Engine < ::Rails::Engine
+    isolate_namespace RapidRack
+
+    configure do
+      config.rapid_rack = OpenStruct.new
+    end
+
+    initializer 'rapid_rack.build_rack_application' do
+      config.rapid_rack = OpenStruct.new(configuration)
+      config.rapid_rack.authenticator = authenticator
+    end
+
+    def configuration
+      return @configuration if @configuration
+
+      file = Rails.root.join('config/rapidconnect.yml')
+      fail("Missing configuration: #{file}") unless File.exist?(file)
+
+      opts_from_file = YAML.load_file(file).symbolize_keys
+      opts_from_app = config.rapid_rack.to_h
+
+      @configuration = opts_from_file.merge(opts_from_app)
+    end
+
+    def authenticator
+      return 'RapidRack::MockAuthenticator' if configuration[:development_mode]
+      'RapidRack::Authenticator'
+    end
+  end
+end

data/lib/rapid_rack/redis_registry.rb

@@ -0,0 +1,12 @@
+module RapidRack
+  module RedisRegistry
+    def register_jti(jti)
+      key = "rapid_rack:jti:#{jti}"
+      redis.setnx(key, 1) && redis.expire(key, 60)
+    end
+
+    def redis
+      Redis.new
+    end
+  end
+end

data/lib/rapid_rack/version.rb

@@ -0,0 +1,3 @@
+module RapidRack
+  VERSION = '0.0.1'
+end

data/rapid-rack.gemspec

@@ -0,0 +1,36 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rapid_rack/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'rapid-rack'
+  spec.version       = RapidRack::VERSION
+  spec.authors       = ['Shaun Mangelsdorf']
+  spec.email         = ['s.mangelsdorf@gmail.com']
+  spec.summary       = 'Rack middleware for AAF Rapid Connect authentication.'
+  spec.homepage      = 'https://github.com/ausaccessfed/rapid-rack'
+  spec.license       = 'Apache-2.0'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(/^bin\//) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(/^(test|spec|features)\//)
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'json-jwt'
+
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec-rails'
+  spec.add_development_dependency 'capybara'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'rails', '~> 4.1.7'
+  spec.add_development_dependency 'sqlite3'
+  spec.add_development_dependency 'fakeredis'
+  spec.add_development_dependency 'redis'
+
+  spec.add_development_dependency 'guard'
+  spec.add_development_dependency 'guard-rspec'
+  spec.add_development_dependency 'guard-rubocop'
+  spec.add_development_dependency 'guard-bundler'
+end

data/spec/dummy/app/models/test_subject.rb

@@ -0,0 +1,2 @@
+class TestSubject < ActiveRecord::Base
+end

data/spec/dummy/config.ru

@@ -0,0 +1,2 @@
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails.application

data/spec/dummy/config/application.rb

@@ -0,0 +1,24 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'active_record/railtie'
+require 'action_controller/railtie'
+require 'action_view/railtie'
+
+Bundler.require(*Rails.groups)
+require 'rapid_rack'
+
+require_relative '../lib/test_receiver'
+require_relative '../lib/test_error_handler'
+
+module Dummy
+  class Application < Rails::Application
+    config.cache_classes = true
+    config.eager_load = false
+
+    config.consider_all_requests_local = true
+    config.action_dispatch.show_exceptions = false
+
+    config.rapid_rack.receiver = 'TestReceiver'
+    config.rapid_rack.error_handler = 'TestErrorHandler'
+  end
+end

data/spec/dummy/config/boot.rb

@@ -0,0 +1,4 @@
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+$LOAD_PATH.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/config/database.yml

@@ -0,0 +1,5 @@
+test:
+  adapter: sqlite3
+  pool: 1
+  timeout: 5000
+  database: ':memory:'

data/spec/dummy/config/environment.rb

@@ -0,0 +1,2 @@
+require File.expand_path('../application', __FILE__)
+Rails.application.initialize!

data/spec/dummy/config/rapidconnect.yml

@@ -0,0 +1,5 @@
+---
+url: 'https://rapid.example.com/jwt/authnrequest/research/0vs2aoAbd5bH6HRK'
+secret: '5>O+`=2x%`\=.""f,6KDxV2p|MEE*P<]'
+issuer: 'https://rapid.example.com'
+audience: 'https://service.example.com'

data/spec/dummy/config/routes.rb

@@ -0,0 +1,3 @@
+Rails.application.routes.draw do
+  mount RapidRack::Engine => '/auth'
+end

data/spec/dummy/config/secrets.yml

@@ -0,0 +1,2 @@
+test:
+  secret_key_base: 890f88caa9641d1845e85a49fd9aedbd30cf507f223dcb1cb6ccc53ba23731d

data/spec/dummy/db/schema.rb

@@ -0,0 +1,7 @@
+ActiveRecord::Schema.define(version: 0) do
+  create_table(:test_subjects, force: true) do |t|
+    t.string :targeted_id, null: false
+    t.string :name, null: false
+    t.string :email, null: false
+  end
+end

data/spec/dummy/lib/test_error_handler.rb

@@ -0,0 +1,5 @@
+class TestErrorHandler
+  def handle(_env, _error)
+    [400, {}, ['Error!']]
+  end
+end

data/spec/dummy/lib/test_receiver.rb

@@ -0,0 +1,13 @@
+class TestReceiver
+  def receive(_env, _claims)
+    [200, {}, ['Permitted']]
+  end
+
+  def logout(_env)
+    [200, {}, ['Logged Out!']]
+  end
+
+  def register_jti(jti)
+    jti == 'accept'
+  end
+end

data/spec/lib/rapid_rack/authenticator_spec.rb

@@ -0,0 +1,26 @@
+require 'rack/lobster'
+
+module RapidRack
+  RSpec.describe Authenticator, type: :feature do
+    def build_app(prefix)
+      opts = { url: url, receiver: receiver, secret: secret,
+               issuer: issuer, audience: audience, error_handler: handler }
+      Rack::Builder.new do
+        use Rack::Lint
+        map(prefix) { run Authenticator.new(opts) }
+        run Rack::Lobster.new
+      end
+    end
+
+    let(:prefix) { '/auth' }
+    let(:issuer) { 'https://rapid.example.com' }
+    let(:audience) { 'https://service.example.com' }
+    let(:url) { 'https://rapid.example.com/jwt/authnrequest/research/abcd1234' }
+    let(:secret) { '1234abcd' }
+    let(:app) { build_app(prefix) }
+
+    subject { last_response }
+
+    it_behaves_like 'an authenticator'
+  end
+end

data/spec/lib/rapid_rack/default_receiver_spec.rb

@@ -0,0 +1,115 @@
+module RapidRack
+  RSpec.describe DefaultReceiver do
+    let(:creator) { double }
+    let(:overrides) { Module.new }
+
+    subject do
+      Class.new.tap do |klass|
+        class <<klass
+          attr_accessor :creator
+          delegate :subject, to: :creator
+        end
+        klass.send(:extend, described_class)
+        klass.send(:extend, overrides)
+        klass.creator = creator
+      end
+    end
+
+    let(:env) { { 'rack.session' => session } }
+    let(:session) { {} }
+    let(:claims) { { 'https://aaf.edu.au/attributes' => attrs } }
+    let(:attrs) do
+      {}
+    end
+
+    let(:authenticated_subject) { double(id: 1) }
+
+    context '#receive' do
+      before do
+        allow(creator).to receive(:subject).with(anything)
+          .and_return(authenticated_subject)
+      end
+
+      def run
+        subject.receive(env, claims)
+      end
+
+      it 'passes the attributes through to the subject method' do
+        expect(creator).to receive(:subject).with(attrs)
+          .and_return(authenticated_subject)
+
+        run
+      end
+
+      it 'sets the session key' do
+        expect { run }.to change { session['subject_id'] }.from(nil).to(1)
+      end
+
+      it 'redirects to a default location' do
+        expect(run).to eq([302, { 'Location' => '/' }, []])
+      end
+
+      context 'with an overridden `map_attributes` method' do
+        let(:overrides) do
+          Module.new do
+            def map_attributes(_)
+              { 'remapped' => true }
+            end
+          end
+        end
+
+        it 'passes the mapped attributes through to the subject method' do
+          expect(creator).to receive(:subject).with('remapped' => true)
+            .and_return(authenticated_subject)
+
+          run
+        end
+      end
+
+      context 'with an overridden `store_id` method' do
+        let(:overrides) do
+          Module.new do
+            def store_id(env, id)
+              env['rack.session']['blarghn'] = id
+            end
+          end
+        end
+
+        it 'sets the configured session key' do
+          expect { run }.to change { session['blarghn'] }.from(nil).to(1)
+        end
+      end
+
+      context 'with an overridden `finish` method' do
+        let(:overrides) do
+          Module.new do
+            def finish(env)
+              header = { 'Location' => "/#{env['rack.session']['subject_id']}" }
+              [204, header, []]
+            end
+          end
+        end
+
+        it 'responds using the overridden method' do
+          expect(run).to eq([204, { 'Location' => '/1' }, []])
+        end
+      end
+    end
+
+    context '#logout' do
+      let(:session) { { 'something' => 'x' } }
+
+      def run
+        subject.logout(env)
+      end
+
+      it 'clears the session' do
+        expect { run }.to change { session }.to({})
+      end
+
+      it 'redirects to a default location' do
+        expect(run).to eq([302, { 'Location' => '/' }, []])
+      end
+    end
+  end
+end