rapid-rack 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: af245c337b3548052eb181b90d9e817a0c7f993d
-  data.tar.gz: 4d8dabe27aeadf4221dedcfa547c8e3cfc16a11d
+  metadata.gz: 8a7a45733ec5f445a2b7cca550518cfcf6758508
+  data.tar.gz: 71743e8d43c0f32a356f502dbea161231aae1f73
 SHA512:
-  metadata.gz: fca522118573223624ea3ba0d22d7ea8634ea87a4e293134cef252a8fda9d928da05b97fe03111b0047d3dd63fbbec9ff1e9fb97bda040e3041bfb1e00df53ea
-  data.tar.gz: ff9bebca1bf46e73e8ffbfb45b3b58bc244b1c5e984506f52356183741b5351e97152ed6c5fea008b054dde63176e00d866ab342bbdb58e3c2f8739f68ffefbf
+  metadata.gz: 44f99dc995ba155323f9f8afb067d2df829c845ddaf4a7dcb5180065b4400e63bb24ff359f7d72bb977b5fc5684290675fb12f36838bcb143f7e6b4a929dee0a
+  data.tar.gz: 7578c349a4e9a6f49a782d2e3003f56bedf5c4c4496000386714ec17a00339f31c44531dce1e9667eaf9494d67083854e3a349c6c0619ecdb5e6ad875536fd02

data/README.md

@@ -95,7 +95,9 @@ end
 
 ### Integrating with a Rack application
 
-Map the `RapidRack::Authenticator` app to a path in your application:
+Map the `RapidRack::Authenticator` app to a path in your application. The
+strongly suggested default of `/auth` will result in a callback URL ending in
+`/auth/jwt`, which is given to Rapid Connect during registration:
 
 ```ruby
 Rack::Builder.new do
@@ -152,7 +154,9 @@ module MyApplication
 end
 ```
 
-Mount the `RapidRack::Engine` engine in your Rails app. In `config/routes.rb`:
+Mount the `RapidRack::Engine` engine in your Rails app.  The strongly suggested
+default of `/auth` will result in a callback URL ending in `/auth/jwt`, which is
+given to Rapid Connect during registration. In `config/routes.rb`:
 
 ```ruby
 Rails.application.routes.draw do
@@ -177,6 +181,60 @@ class WelcomeController < ApplicationController
 end
 ```
 
+### Using with Capybara-style tests
+
+Configure `rapid_rack` to run in test mode. In a Rails application this can be
+set in `config/environments/test.rb`:
+
+```ruby
+Rails.application.configure do
+  # ...
+
+  config.rapid_rack.test_mode = true
+end
+```
+
+Set the JWT in your test code. In this example factory\_girl has a `jwt` factory
+registered which creates a valid JWT.
+
+```ruby
+RSpec.feature 'First visit', type: :feature do
+  given(:user_attrs) { attributes_for(:user) }
+
+  background do
+    attrs = create(:aaf_attributes, displayname: user_attrs[:name],
+                                    mail: user_attrs[:email])
+    RapidRack::TestAuthenticator.jwt = create(:jwt, aaf_attributes: attrs)
+  end
+
+  # ...
+end
+```
+
+Once this is in place, your example will be presented with a plain page with a
+'Login' button when it is required to log in. The button will submit the form
+to the `/auth/jwt` endpoint, which works as normal and will invoke your
+receiver.
+
+```ruby
+RSpec.feature 'First visit', type: :feature do
+  # ... code from above ...
+
+  scenario 'initial login' do
+    visit '/'
+    click_button 'Sign in via AAF'
+
+    # At this point, your Capybara test is sitting in the TestAuthenticator page
+    # which has a 'Login' button and no other content.
+    expect(current_path).to eq('/auth/login')
+    click_button 'Login'
+
+    expect(current_path).to match(%r{/users/\d+})
+    expect(page).to have_content("Logged in as: #{user_attrs[:name]}")
+  end
+end
+```
+
 ## Contributing
 
 Refer to [GitHub Flow](https://guides.github.com/introduction/flow/) for

data/lib/rapid_rack.rb

@@ -2,7 +2,9 @@ module RapidRack
 end
 
 require 'rapid_rack/version'
+require 'rapid_rack/with_claims'
 require 'rapid_rack/authenticator'
+require 'rapid_rack/test_authenticator'
 require 'rapid_rack/default_receiver'
 require 'rapid_rack/redis_registry'
 require 'rapid_rack/engine' if defined?(Rails)

data/lib/rapid_rack/authenticator.rb

@@ -3,6 +3,11 @@ require 'rack/utils'
 
 module RapidRack
   class Authenticator
+    attr_reader :issuer, :audience, :secret, :error_handler
+    private :issuer, :audience, :secret, :error_handler
+
+    include WithClaims
+
     def initialize(opts)
       @url = opts[:url]
       @receiver = opts[:receiver].try(:constantize)
@@ -32,9 +37,6 @@ module RapidRack
 
     private
 
-    InvalidClaim = Class.new(StandardError)
-    private_constant :InvalidClaim
-
     DISPATCH = {
       '/login' => :initiate,
       '/jwt' => :callback,
@@ -63,49 +65,6 @@ module RapidRack
       receiver.logout(env)
     end
 
-    def with_claims(env, assertion)
-      claims = JSON::JWT.decode(assertion, @secret)
-      validate_claims(claims)
-      yield claims
-    rescue JSON::JWT::Exception => e
-      @error_handler.handle(env, e)
-    rescue InvalidClaim => e
-      @error_handler.handle(env, e)
-    end
-
-    def validate_claims(claims)
-      reject_claim_if(claims, 'aud') { |v| v != @audience }
-      reject_claim_if(claims, 'iss') { |v| v != @issuer }
-      reject_claim_if(claims, 'typ') { |v| v != 'authnresponse' }
-      reject_claim_if(claims, 'jti', &method(:replayed?))
-      reject_claim_if(claims, 'nbf', &:zero?)
-      reject_claim_if(claims, 'nbf', &method(:future?))
-      reject_claim_if(claims, 'exp', &method(:expired?))
-      reject_claim_if(claims, 'iat', &method(:skewed?))
-    end
-
-    def replayed?(jti)
-      !receiver.register_jti(jti)
-    end
-
-    def skewed?(iat)
-      (iat - Time.now.to_i).abs > 60
-    end
-
-    def expired?(exp)
-      Time.at(exp) < Time.now
-    end
-
-    def future?(nbf)
-      Time.at(nbf) > Time.now
-    end
-
-    def reject_claim_if(claims, key)
-      val = claims[key]
-      fail(InvalidClaim, "nil #{key}") unless val
-      fail(InvalidClaim, "bad #{key}: #{val}") if yield(val)
-    end
-
     def method?(env, method)
       env['REQUEST_METHOD'] == method
     end

data/lib/rapid_rack/engine.rb

@@ -27,6 +27,7 @@ module RapidRack
 
     def authenticator
       return 'RapidRack::MockAuthenticator' if configuration[:development_mode]
+      return 'RapidRack::TestAuthenticator' if configuration[:test_mode]
       'RapidRack::Authenticator'
     end
   end

data/lib/rapid_rack/test_authenticator.rb

@@ -0,0 +1,27 @@
+module RapidRack
+  class TestAuthenticator < Authenticator
+    class <<self
+      attr_accessor :jwt
+    end
+
+    def call(env)
+      return login if env['PATH_INFO'] == '/login'
+      super
+    end
+
+    private
+
+    def login
+      jwt = TestAuthenticator.jwt || fail('No login JWT was set')
+      out = [] << <<-EOF
+        <html><body>
+          <form action="/auth/jwt" method="post">
+            <input type="hidden" name="assertion" value="#{jwt}"/>
+            <button type="submit">Login</button>
+          </form>
+        </body></html>
+      EOF
+      [200, {}, out]
+    end
+  end
+end

data/lib/rapid_rack/version.rb

@@ -1,3 +1,3 @@
 module RapidRack
-  VERSION = '0.1.0'
+  VERSION = '0.2.0'
 end

data/lib/rapid_rack/with_claims.rb

@@ -0,0 +1,63 @@
+module RapidRack
+  module WithClaims
+    def with_claims(env, assertion)
+      claims = JSON::JWT.decode(assertion, secret)
+      validate_claims(claims)
+      yield claims
+    rescue JSON::JWT::Exception => e
+      error_handler.handle(env, e)
+    rescue InvalidClaim => e
+      error_handler.handle(env, e)
+    end
+
+    private
+
+    InvalidClaim = Class.new(StandardError)
+    private_constant :InvalidClaim
+
+    def validate_claims(claims)
+      validate_aud(claims)
+      validate_iss(claims)
+      validate_typ(claims)
+      validate_jti(claims)
+      validate_nbf(claims)
+      validate_exp(claims)
+      validate_iat(claims)
+    end
+
+    def validate_jti(claims)
+      reject_claim_if(claims, 'jti') { |jti| !receiver.register_jti(jti) }
+    end
+
+    def validate_iat(claims)
+      reject_claim_if(claims, 'iat') { |iat| (iat - Time.now.to_i).abs > 60 }
+    end
+
+    def validate_exp(claims)
+      reject_claim_if(claims, 'exp') { |exp| Time.at(exp) < Time.now }
+    end
+
+    def validate_nbf(claims)
+      reject_claim_if(claims, 'nbf', &:zero?)
+      reject_claim_if(claims, 'nbf') { |nbf| Time.at(nbf) > Time.now }
+    end
+
+    def validate_typ(claims)
+      reject_claim_if(claims, 'typ') { |v| v != 'authnresponse' }
+    end
+
+    def validate_iss(claims)
+      reject_claim_if(claims, 'iss') { |v| v != issuer }
+    end
+
+    def validate_aud(claims)
+      reject_claim_if(claims, 'aud') { |v| v != audience }
+    end
+
+    def reject_claim_if(claims, key)
+      val = claims[key]
+      fail(InvalidClaim, "nil #{key}") unless val
+      fail(InvalidClaim, "bad #{key}: #{val}") if yield(val)
+    end
+  end
+end

data/spec/lib/rapid_rack/engine_spec.rb

@@ -88,5 +88,29 @@ module RapidRack
         expect(last_request.session[:subject_id]).to eq(TestSubject.last.id)
       end
     end
+
+    context '#authenticator' do
+      before do
+        expect_any_instance_of(RapidRack::Engine)
+          .to receive(:configuration).at_least(:once).and_return(configuration)
+      end
+
+      subject { RapidRack::Engine.authenticator }
+
+      context 'in development mode' do
+        let(:configuration) { { development_mode: true } }
+        it { is_expected.to eq('RapidRack::MockAuthenticator') }
+      end
+
+      context 'in test mode' do
+        let(:configuration) { { test_mode: true } }
+        it { is_expected.to eq('RapidRack::TestAuthenticator') }
+      end
+
+      context 'with no mode' do
+        let(:configuration) { {} }
+        it { is_expected.to eq('RapidRack::Authenticator') }
+      end
+    end
   end
 end

data/spec/lib/rapid_rack/test_authenticator_spec.rb

@@ -0,0 +1,68 @@
+require 'rack/lobster'
+
+module RapidRack
+  RSpec.describe TestAuthenticator, type: :feature do
+    def build_app(prefix)
+      opts = { receiver: receiver, secret: secret,
+               issuer: issuer, audience: audience }
+      Rack::Builder.new do
+        use Rack::Lint
+        map(prefix) { run TestAuthenticator.new(opts) }
+        run Rack::Lobster.new
+      end
+    end
+
+    let(:prefix) { '/auth' }
+    let(:issuer) { 'https://rapid.example.com' }
+    let(:audience) { 'https://service.example.com' }
+    let(:secret) { '1234abcd' }
+    let(:app) { build_app(prefix) }
+    let(:receiver) do
+      build_class {}
+    end
+
+    subject { last_response }
+
+    context 'get /login' do
+      def run
+        get '/auth/login'
+      end
+
+      context 'with a JWT' do
+        around do |example|
+          begin
+            TestAuthenticator.jwt = 'the jwt'
+            example.run
+          ensure
+            TestAuthenticator.jwt = nil
+          end
+        end
+
+        before { run }
+        it { is_expected.to be_successful }
+
+        context 'login form' do
+          subject { Capybara.string(last_response.body) }
+
+          it { is_expected.to have_xpath("//form[@action='/auth/jwt']") }
+          it { is_expected.to have_xpath("//form/input[@value='the jwt']") }
+        end
+      end
+
+      context 'with no JWT' do
+        before { TestAuthenticator.jwt = nil }
+
+        it 'raises an error' do
+          expect { run }.to raise_error('No login JWT was set')
+        end
+      end
+    end
+
+    context 'post /jwt' do
+      it 'passes through to the parent' do
+        post '/auth/jwt', assertion: 'x.y.z'
+        expect(subject).to be_bad_request
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rapid-rack
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Shaun Mangelsdorf
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-04 00:00:00.000000000 Z
+date: 2014-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json-jwt
@@ -244,7 +244,9 @@ files:
 - lib/rapid_rack/default_receiver.rb
 - lib/rapid_rack/engine.rb
 - lib/rapid_rack/redis_registry.rb
+- lib/rapid_rack/test_authenticator.rb
 - lib/rapid_rack/version.rb
+- lib/rapid_rack/with_claims.rb
 - rapid-rack.gemspec
 - spec/dummy/app/models/test_subject.rb
 - spec/dummy/config.ru
@@ -262,6 +264,7 @@ files:
 - spec/lib/rapid_rack/default_receiver_spec.rb
 - spec/lib/rapid_rack/engine_spec.rb
 - spec/lib/rapid_rack/redis_registry_spec.rb
+- spec/lib/rapid_rack/test_authenticator_spec.rb
 - spec/spec_helper.rb
 - spec/support/authenticator_examples.rb
 - spec/support/temporary_test_class.rb
@@ -306,6 +309,7 @@ test_files:
 - spec/lib/rapid_rack/default_receiver_spec.rb
 - spec/lib/rapid_rack/engine_spec.rb
 - spec/lib/rapid_rack/redis_registry_spec.rb
+- spec/lib/rapid_rack/test_authenticator_spec.rb
 - spec/spec_helper.rb
 - spec/support/authenticator_examples.rb
 - spec/support/temporary_test_class.rb