rapid-rack 0.0.1

data/spec/lib/rapid_rack/engine_spec.rb

@@ -0,0 +1,92 @@
+module RapidRack
+  RSpec.describe Engine, type: :feature do
+    let(:opts) { YAML.load_file('spec/dummy/config/rapidconnect.yml') }
+    let(:issuer) { opts['issuer'] }
+    let(:audience) { opts['audience'] }
+    let(:url) { opts['url'] }
+    let(:secret) { opts['secret'] }
+    let(:receiver_class) { 'TestReceiver' }
+    let(:handler) { nil }
+    let(:app) { Rails.application }
+
+    # Unfortunately the neatest way to get access to a routed application in
+    # the engine.
+    let(:engine_app) { RapidRack::Engine.routes.routes.routes[0].app }
+
+    subject { last_response }
+
+    before do
+      error_handler = handler.try(:constantize).try(:new) || engine_app
+      engine_app.instance_variable_set(:@error_handler, error_handler)
+      engine_app.instance_variable_set(:@receiver, receiver_class.constantize)
+    end
+
+    it_behaves_like 'an authenticator'
+
+    context 'full integration' do
+      let(:receiver_class) do
+        build_class do
+          include DefaultReceiver
+          include RedisRegistry
+
+          def map_attributes(attrs)
+            {
+              targeted_id: attrs['edupersontargetedid'],
+              email: attrs['mail'],
+              name: attrs['displayname']
+            }
+          end
+
+          def subject(attrs)
+            identifier = attrs.slice(:targeted_id)
+            TestSubject.find_or_initialize_by(identifier).tap do |subject|
+              subject.update_attributes!(attrs)
+            end
+          end
+        end
+      end
+
+      let(:attrs) do
+        {
+          cn: 'Test User', displayname: 'Test User X', surname: 'User',
+          givenname: 'Test', mail: 'testuser@example.com', o: 'Test Org',
+          edupersonscopedaffiliation: 'member@example.com',
+          edupersonprincipalname: 'testuser@example.com',
+          edupersontargetedid: "#{issuer}!#{audience}!abcd"
+        }
+      end
+
+      let(:valid_claims) do
+        {
+          aud: audience, iss: issuer, iat: Time.now, typ: 'authnresponse',
+          nbf: 1.minute.ago, exp: 2.minutes.from_now,
+          jti: 'accept', :'https://aaf.edu.au/attributes' => attrs
+        }
+      end
+
+      let(:receiver) { receiver_class.constantize.new }
+      let(:assertion) { JSON::JWT.new(claims).sign(secret).to_s }
+      let(:claims) { valid_claims }
+      let(:session) { {} }
+
+      def run
+        post '/auth/jwt', assertion: assertion
+      end
+
+      it 'creates the subject' do
+        expect { run }.to change(TestSubject, :count).by(1)
+      end
+
+      it 'redirects to /' do
+        run
+        expect(last_response).to be_redirect
+        expect(last_response['Location']).to eq('/')
+      end
+
+      it 'sets the session' do
+        run
+        expect(last_request.session[:subject_id]).to eq(TestSubject.last.id)
+      end
+    end
+  end
+end

data/spec/lib/rapid_rack/redis_registry_spec.rb

@@ -0,0 +1,27 @@
+require 'fakeredis'
+require 'redis'
+
+module RapidRack
+  RSpec.describe RedisRegistry do
+    let(:overrides) { Module.new }
+
+    subject do
+      klass = Class.new
+      klass.send(:extend, described_class)
+      klass.send(:extend, overrides)
+    end
+
+    context '#register_jti' do
+      let(:value) { 'abcd' }
+
+      it 'returns true for a new jti' do
+        expect(subject.register_jti(value)).to be_truthy
+      end
+
+      it 'returns false for a previously seen jti' do
+        subject.register_jti(value)
+        expect(subject.register_jti(value)).to be_falsey
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,45 @@
+require 'simplecov'
+
+ENV['RAILS_ENV'] ||= 'test'
+require File.expand_path('../dummy/config/environment.rb',  __FILE__)
+
+require 'rspec/rails'
+require 'capybara/rspec'
+require 'fakeredis'
+
+require 'rapid_rack'
+
+Dir['./spec/support/*.rb'].each { |f| require f }
+
+RSpec.configure do |config|
+  config.before(:suite) do
+    load Rails.root.join('db/schema.rb')
+  end
+
+  config.before { Redis::Connection::Memory.reset_all_databases }
+
+  config.around do |example|
+    ActiveRecord::Base.transaction do
+      example.run
+      fail ActiveRecord::Rollback
+    end
+  end
+
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+  config.disable_monkey_patching!
+
+  config.order = :random
+  Kernel.srand config.seed
+
+  config.include Rack::Test::Methods
+  config.include TemporaryTestClass
+end

data/spec/support/authenticator_examples.rb

@@ -0,0 +1,216 @@
+shared_examples 'an authenticator' do
+  let(:handler) { nil }
+  let(:receiver) do
+    build_class do
+      def receive(_, _)
+        [200, {}, ['Permitted']]
+      end
+
+      def logout(_)
+        [200, {}, ['Logged Out!']]
+      end
+
+      def register_jti(*)
+        true
+      end
+    end
+  end
+
+  context 'get /nonexistent' do
+    before { get '/auth/nonexistent' }
+    it { is_expected.to be_not_found }
+  end
+
+  context 'get /login' do
+    before { get '/auth/login' }
+
+    it 'redirects to the url' do
+      expect(last_response).to be_redirect
+      expect(last_response['Location']).to eq(url)
+    end
+  end
+
+  context 'post /login' do
+    before { post '/auth/login' }
+    it { is_expected.to be_method_not_allowed }
+  end
+
+  context 'get /logout' do
+    before { get '/auth/logout' }
+    it 'responds using the receiver' do
+      expect(last_response).to be_successful
+      expect(last_response.body).to have_content('Logged Out!')
+    end
+  end
+
+  context 'post /logout' do
+    before { post '/auth/logout' }
+    it { is_expected.to be_method_not_allowed }
+  end
+
+  context 'get /jwt' do
+    before { get '/auth/jwt' }
+    it { is_expected.to be_method_not_allowed }
+  end
+
+  context 'post /jwt' do
+    before { post '/auth/jwt', assertion: assertion }
+
+    let(:attrs) do
+      {
+        cn: 'Test User', displayname: 'Test User X', surname: 'User',
+        givenname: 'Test', mail: 'testuser@example.com', o: 'Test Org',
+        edupersonscopedaffiliation: 'member@example.com',
+        edupersonprincipalname: 'testuser@example.com',
+        edupersontargetedid: "#{issuer}!#{audience}!abcd"
+      }
+    end
+
+    let(:valid_claims) do
+      {
+        aud: audience, iss: issuer, iat: Time.now, typ: 'authnresponse',
+        nbf: 1.minute.ago, exp: 2.minutes.from_now,
+        jti: 'accept', :'https://aaf.edu.au/attributes' => attrs
+      }
+    end
+
+    let(:assertion) { JSON::JWT.new(claims).sign(secret).to_s }
+
+    context 'with an invalid assertion' do
+      let(:assertion) { 'x.y.z' }
+      it { is_expected.to be_bad_request }
+    end
+
+    context 'with a valid assertion' do
+      let(:claims) { valid_claims }
+
+      it 'responds using the receiver' do
+        expect(last_response).to be_successful
+        expect(last_response.body).to have_content('Permitted')
+      end
+    end
+
+    shared_examples 'an invalid claims set' do |field|
+      it { is_expected.to be_bad_request }
+
+      context 'with an error handler' do
+        let(:handler) do
+          build_class do
+            def handle(_env, exception)
+              [403, {}, ["Surprise!\n", exception.message]]
+            end
+          end
+        end
+
+        it 'uses the error handler to respond' do
+          expect(subject).to be_forbidden
+          expect(subject.body).to have_content('Surprise!')
+        end
+
+        it 'complains about the invalid field' do
+          val = claims[field]
+          expected = if val.nil?
+                       "nil #{field}"
+                     else
+                       "bad #{field}: #{val}"
+                     end
+
+          expect(subject.body).to have_content(expected)
+        end
+      end
+    end
+
+    context 'with a nil audience' do
+      let(:claims) { valid_claims.merge(aud: nil) }
+      it_behaves_like 'an invalid claims set', :aud
+    end
+
+    context 'with an invalid audience' do
+      let(:claims) { valid_claims.merge(aud: 'invalid') }
+      it_behaves_like 'an invalid claims set', :aud
+    end
+
+    context 'with a nil issuer' do
+      let(:claims) { valid_claims.merge(iss: nil) }
+      it_behaves_like 'an invalid claims set', :iss
+    end
+
+    context 'with an invalid issuer' do
+      let(:claims) { valid_claims.merge(iss: 'invalid') }
+      it_behaves_like 'an invalid claims set', :iss
+    end
+
+    context 'with a nil type' do
+      let(:claims) { valid_claims.merge(typ: nil) }
+      it_behaves_like 'an invalid claims set', :typ
+    end
+
+    context 'with an invalid type' do
+      let(:claims) { valid_claims.merge(typ: 'blarghn') }
+      it_behaves_like 'an invalid claims set', :typ
+    end
+
+    context 'with a nil jti' do
+      let(:claims) { valid_claims.merge(jti: nil) }
+      it_behaves_like 'an invalid claims set', :jti
+    end
+
+    context 'with a replayed jti' do
+      let(:receiver) do
+        build_class do
+          def register_jti(*)
+            false
+          end
+        end
+      end
+
+      let(:claims) { valid_claims.merge(jti: 'blarghn') }
+      it_behaves_like 'an invalid claims set', :jti
+    end
+
+    context 'with a nil nbf' do
+      let(:claims) { valid_claims.merge(nbf: nil) }
+      it_behaves_like 'an invalid claims set', :nbf
+    end
+
+    context 'with an invalid nbf' do
+      let(:claims) { valid_claims.merge(nbf: 2.minutes.from_now) }
+      it_behaves_like 'an invalid claims set', :nbf
+    end
+
+    context 'with a non-numeric nbf' do
+      let(:claims) { valid_claims.merge(nbf: 'a') }
+      it_behaves_like 'an invalid claims set', :nbf
+    end
+
+    context 'with a nil exp' do
+      let(:claims) { valid_claims.merge(exp: nil) }
+      it_behaves_like 'an invalid claims set', :exp
+    end
+
+    context 'with an invalid exp' do
+      let(:claims) { valid_claims.merge(exp: 1.minute.ago) }
+      it_behaves_like 'an invalid claims set', :exp
+    end
+
+    context 'with a non-numeric exp' do
+      let(:claims) { valid_claims.merge(exp: 'a') }
+      it_behaves_like 'an invalid claims set', :exp
+    end
+
+    context 'with a nil iat' do
+      let(:claims) { valid_claims.merge(iat: nil) }
+      it_behaves_like 'an invalid claims set', :iat
+    end
+
+    context 'with an invalid iat' do
+      let(:claims) { valid_claims.merge(iat: 10.minutes.ago) }
+      it_behaves_like 'an invalid claims set', :iat
+    end
+
+    context 'with a non-numeric iat' do
+      let(:claims) { valid_claims.merge(iat: 'a') }
+      it_behaves_like 'an invalid claims set', :iat
+    end
+  end
+end

data/spec/support/temporary_test_class.rb

@@ -0,0 +1,8 @@
+module TemporaryTestClass
+  def build_class(&bl)
+    klass = Class.new(&bl)
+    name = "TestClass#{SecureRandom.hex}"
+    RapidRack.const_set(name, klass)
+    "RapidRack::#{name}"
+  end
+end

metadata

@@ -0,0 +1,296 @@
+--- !ruby/object:Gem::Specification
+name: rapid-rack
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Shaun Mangelsdorf
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.1.7
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.1.7
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: fakeredis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: guard-bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- s.mangelsdorf@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".simplecov"
+- Gemfile
+- Guardfile
+- LICENSE
+- README.md
+- Rakefile
+- config/routes.rb
+- lib/rapid-rack.rb
+- lib/rapid_rack.rb
+- lib/rapid_rack/authenticator.rb
+- lib/rapid_rack/default_receiver.rb
+- lib/rapid_rack/engine.rb
+- lib/rapid_rack/redis_registry.rb
+- lib/rapid_rack/version.rb
+- rapid-rack.gemspec
+- spec/dummy/app/models/test_subject.rb
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
+- spec/dummy/config/database.yml
+- spec/dummy/config/environment.rb
+- spec/dummy/config/rapidconnect.yml
+- spec/dummy/config/routes.rb
+- spec/dummy/config/secrets.yml
+- spec/dummy/db/schema.rb
+- spec/dummy/lib/test_error_handler.rb
+- spec/dummy/lib/test_receiver.rb
+- spec/lib/rapid_rack/authenticator_spec.rb
+- spec/lib/rapid_rack/default_receiver_spec.rb
+- spec/lib/rapid_rack/engine_spec.rb
+- spec/lib/rapid_rack/redis_registry_spec.rb
+- spec/spec_helper.rb
+- spec/support/authenticator_examples.rb
+- spec/support/temporary_test_class.rb
+homepage: https://github.com/ausaccessfed/rapid-rack
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Rack middleware for AAF Rapid Connect authentication.
+test_files:
+- spec/dummy/app/models/test_subject.rb
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
+- spec/dummy/config/database.yml
+- spec/dummy/config/environment.rb
+- spec/dummy/config/rapidconnect.yml
+- spec/dummy/config/routes.rb
+- spec/dummy/config/secrets.yml
+- spec/dummy/db/schema.rb
+- spec/dummy/lib/test_error_handler.rb
+- spec/dummy/lib/test_receiver.rb
+- spec/lib/rapid_rack/authenticator_spec.rb
+- spec/lib/rapid_rack/default_receiver_spec.rb
+- spec/lib/rapid_rack/engine_spec.rb
+- spec/lib/rapid_rack/redis_registry_spec.rb
+- spec/spec_helper.rb
+- spec/support/authenticator_examples.rb
+- spec/support/temporary_test_class.rb