roo_on_rails 1.14.0 → 1.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 101bbe2f7ca6f86ba6dc9813c5871be5e18933f2fe75634763eec5b1cfe5adcc
-  data.tar.gz: 2efc21d30c33572d62183d2f80456c046442b9f2cce8d74d6120fe6e01e029c2
+SHA1:
+  metadata.gz: 350514c8b5824a6829103a912a01e155aa18074f
+  data.tar.gz: 827cb9bec23c0d69bab1e2df74024e63861853ce
 SHA512:
-  metadata.gz: 625ef2e2f32eadc97628075838a991e5271728b1ca282c63cd40b53da344e2bf3e7cd451cd10ec7de8a3025c1e0509eacf5ef498b9e9d7580091b4528b83306c
-  data.tar.gz: 745e97920deb29280dafe9cc4ed9a72180547823a93f4ea4debbd582a64faa58188b515112443f480087b7a566355bf3bd21c2217ab5082bf3894cc42dc1fd25
+  metadata.gz: 5954c887ece5accaeaf6b9acb328ef24978f6d5673ae2ba2ae2cb8d29f0bcc83f1b55346fb500371cba87ad3e8ebeeba2f44d6b0503c96ae7c696a594e03e768
+  data.tar.gz: 38aaf68d5cf8271b15597ba0145088f272ceb52cdbeb03602b38fb215dbf4b2220cb6d95008676bfad9062c2a4e831994b6bc1837d450fdc9366819943a701fe

data/CHANGELOG.md

@@ -1,6 +1,19 @@
 # HEAD
 
-_A description of the awesome feature or bug fix you just wrote!_
+_A description of your awesome new stuff here!_
+
+# v1.15.0
+
+Features:
+
+- Process JWTs in `Authorization` headers and populate the request env's `roo.identity` key with the claims, if present and valid. (#79)
+- RooOnRails::Logger is now compatible with ActiveSupport::Logger on Rails versions >= 4.2 (#77)
+
+# v1.14.0
+
+Bug Fix:
+
+- Routemaster Publisher was sending epoch seconds instead of milliseconds (#78)
 
 # v1.13.1 (2017-10-18)
 

data/CONTRIBUTING.md

@@ -0,0 +1,11 @@
+# Contributing
+
+PRs are welcome to this repo to add new features that will be useful across our Ruby services.
+
+If you're putting a PR together, please ensure that:
+
+- There are ample **tests** for your code (they'll be executed against all our supported versions automatically)
+- You've made changes to the **`README.md`** file explaining how to make use of the work you're adding
+- You've added a line to the **`CHANGELOG.md`** file, with a short explanation of what you've added (feel free to add this in a commit after you've created your PR so you can add the PR number)
+
+Thanks!

data/README.md

@@ -23,6 +23,7 @@
   - [Sidekiq](#sidekiq)
   - [HireFire](#hirefire)
   - [Logging](#logging)
+  - [Identity](#identity)
   - [Google OAuth authentication](#google-oauth-authentication)
   - [Datadog Integration](#datadog-integration)
   - [Routemaster Client](#routemaster-client)
@@ -216,6 +217,31 @@ logger.with(a: 1, b: 2).info('Stuff')
 See the [class documentation](lib/roo_on_rails/logger.rb) for further
 details.
 
+### Identity
+
+If your service wants to accept JWTs for identity claims, then adding the `json-jwt` gem
+to your `Gemfile` and the following railtie to your app will ensure any data presented is
+available:
+
+```ruby
+require 'roo_on_rails/railties/roo_identity'
+```
+
+Any inbound request which has a valid JWT will have the claims made available:
+
+```ruby
+class MyController
+  def index
+    customer_id = request.env['roo.identity']['cust']
+    request.env['roo.identity'].class
+    # => JSON::JWT
+  end
+end
+```
+
+Be aware that maliciously crafted JWTs will raise 401s that your other middleware can present
+and poorly configured JWT set up will raise errors that you'll be able to catch in test.
+
 ### Google OAuth authentication
 
 When `GOOGLE_AUTH_ENABLED` is set to true we inject a `Omniauth` Rack middleware

data/lib/roo_on_rails/logger.rb

@@ -1,6 +1,12 @@
-require 'logger'
 require 'delegate'
 require 'roo_on_rails/logfmt'
+require 'rails/version'
+
+if Rails::VERSION::MAJOR < 4
+  require 'logger'
+else
+  require 'active_support/logger'
+end
 
 module RooOnRails
   # A compatible replacement for the standard Logger to provide context, similar
@@ -30,7 +36,7 @@ module RooOnRails
   class Logger < SimpleDelegator
     def initialize(io = STDOUT)
       @show_timestamp = io.tty?
-      logger = ::Logger.new(io).tap do |l|
+      logger = _default_logger_class.new(io).tap do |l|
         l.formatter = method(:_formatter)
       end
       super(logger)
@@ -100,5 +106,13 @@ module RooOnRails
       thread_key = @_context_stack_key ||= "roo_on_rails:logging_context:#{object_id}".freeze
       Thread.current[thread_key] ||= [{}]
     end
+
+    def _default_logger_class
+      if Rails::VERSION::MAJOR < 4
+        ::Logger
+      else
+        ActiveSupport::Logger
+      end
+    end
   end
 end

data/lib/roo_on_rails/rack/populate_env_from_jwt.rb

@@ -0,0 +1,101 @@
+require 'json/jwt'
+require 'faraday'
+require 'faraday_middleware'
+
+module RooOnRails
+  module Rack
+    class PopulateEnvFromJWT
+      UnacceptableKeyError = Class.new(RuntimeError)
+      # Hardcoded URLs for valid keys per environment. These will change very infrequently.
+      VALID_JWK_URL_PREFIXES = YAML.load(
+        File.read(File.expand_path('../valid_identity_service_prefixes.yml', __FILE__))
+      ).freeze
+
+      def initialize(app, logger:, skip_sig_verify: true)
+        @app = app
+        @keys = {}
+        @logger = logger
+
+        if skip_sig_verify && development?
+          @logger.warn "JWTs signature verifification has been switched off in development."
+          @verify_sigs = false
+        else
+          @verify_sigs = true
+        end
+      end
+
+      def call(env)
+        env['roo.identity'] = decode_authorization_header(env['HTTP_AUTHORIZATION'])
+        @app.call(env)
+
+      # Other exceptions will bubble up, allowing the higher middleware to return a 500, which is
+      # intentional.
+      rescue UnacceptableKeyError, JSON::JWT::Exception => e
+        # Identifying user is clearly attempting to hack or has been given a totally incorrect
+        # token, log this and flag as Forbidden, without executing the rest of the middleware stack.
+        ::NewRelic::Agent.notice_error(e) if defined?(NewRelic)
+        [401, {}, []]
+      end
+
+      private
+
+      def development?
+        if ENV['RACK_ENV'].nil?
+          @logger.warn "Your RACK_ENV isn't set. You probably want it set to 'development' in dev."
+        end
+
+        ENV['RACK_ENV'] == 'development'
+      end
+
+      # @raise [UnacceptableKeyError,Faraday::Error,OpenSSL::OpenSSLError] From `#public_key`
+      # @raise [JSON::JWT::Exception] Bubble ups from `JSON::JWT.decode`
+      # @return [JSON::JWT] The list of claims this header makes by way of a JWS token. Will be an
+      #   empty hash for invalid or absent tokens.
+      def decode_authorization_header(header_value)
+        return JSON::JWT.new unless (header_value || '').starts_with?('Bearer ')
+        jws_token = header_value[7..-1]
+
+        JSON::JWT.decode(jws_token, :skip_verification).tap do |jwt|
+          jwt.verify!(public_key(jwt.header[:jku])) if @verify_sigs
+        end
+      end
+
+      def acceptable_key?(key_url)
+        return false if key_url.nil?
+        @key_prefixes ||= VALID_JWK_URL_PREFIXES[ENV['RACK_ENV']]
+        @key_prefixes.any? { |acceptable| key_url.starts_with?(acceptable) }
+      end
+
+      # @raise [UnacceptableKeyError] When the key URL is not from a trusted location
+      # @raise [Faraday::Error] When the JWK at the given URL is not retrievable for some reason.
+      #   See: https://github.com/lostisland/faraday/blob/master/lib/faraday/error.rb
+      # @return [JSON::JWK] The JWK for the specified URL
+      def public_key(key_url)
+        unless acceptable_key?(key_url)
+          raise UnacceptableKeyError, "#{key_url} is not a valid Deliveroo Key URL"
+        end
+
+        # NB. don't use ||= memoization, or this middleware can be attacked by
+        # being asked to decode large numbers of non-existant key-ids, each of
+        # which would fill the @keys hash with a tuple.
+        return @keys[key_url] if @keys.key?(key_url)
+
+        @logger.info "Downloading identity public key from #{key_url}"
+        json = http_request.get(key_url).body
+        @keys[key_url] = JSON::JWK.new(json)
+      rescue Faraday::ParsingError
+        raise JSON::JWT::InvalidFormat, 'Downloaded JWK is not a valid JSON file'
+      end
+
+      def http_request
+        Faraday.new do |conf|
+          conf.response :json
+          conf.response :raise_error
+          conf.request :json
+
+          conf.adapter Faraday.default_adapter
+        end
+      end
+    end
+  end
+end

data/lib/roo_on_rails/rack/valid_identity_service_prefixes.yml

@@ -0,0 +1,6 @@
+production:
+  - https://deliveroo.co.uk/identity-keys/
+  - https://identity.deliveroo.net/identity/keys/
+staging:
+  - https://test.deliveroo.co.uk/identity-keys/
+  - https://identity-staging.deliveroo.net/identity-keys/

data/lib/roo_on_rails/railties/roo_identity.rb

@@ -0,0 +1,24 @@
+require 'roo_on_rails/config'
+
+module RooOnRails
+  module Railties
+    class RooIdentity < Rails::Railtie
+      initializer 'roo_on_rails.roo_identity.middleware' do |app|
+        Rails.logger.with initializer: 'roo_on_rails.roo_identity' do |log|
+          log.debug 'loading'
+          _add_middleware(app, log)
+        end
+      end
+
+      private
+
+      def _add_middleware(app, log)
+        require 'roo_on_rails/rack/populate_env_from_jwt'
+
+        app.config.middleware.use RooOnRails::Rack::PopulateEnvFromJWT, logger: log
+      rescue LoadError
+        log.error 'the json-jwt gem is not in the bundle so Roo Identity will not be available'
+      end
+    end
+  end
+end

data/lib/roo_on_rails/version.rb

@@ -1,3 +1,3 @@
 module RooOnRails
-  VERSION = '1.14.0'.freeze
+  VERSION = '1.15.0'.freeze
 end

data/roo_on_rails.gemspec

@@ -37,6 +37,9 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'faraday_middleware'
   spec.add_runtime_dependency 'routemaster-client'
 
+  # Optional gems you may add to your project
+  spec.add_development_dependency 'json-jwt', '~> 1.8'
+
   spec.add_development_dependency 'bundler', '~> 1.13'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec', '~> 3.0'
@@ -46,4 +49,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'simplecov'
   spec.add_development_dependency 'codecov'
   spec.add_development_dependency 'rack-test'
+  spec.add_development_dependency 'rspec-its'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roo_on_rails
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 1.15.0
 platform: ruby
 authors:
 - Julien Letessier
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-11-02 00:00:00.000000000 Z
+date: 2017-11-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dotenv-rails
@@ -226,6 +226,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: json-jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -352,6 +366,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Scaffolding for building services
 email:
 - julien.letessier@gmail.com
@@ -371,6 +399,7 @@ files:
 - ".travis.yml"
 - Appraisals
 - CHANGELOG.md
+- CONTRIBUTING.md
 - Gemfile
 - Guardfile
 - LICENSE.txt
@@ -424,7 +453,9 @@ files:
 - lib/roo_on_rails/logfmt.rb
 - lib/roo_on_rails/logger.rb
 - lib/roo_on_rails/papertrail_client.rb
+- lib/roo_on_rails/rack/populate_env_from_jwt.rb
 - lib/roo_on_rails/rack/safe_timeouts.rb
+- lib/roo_on_rails/rack/valid_identity_service_prefixes.yml
 - lib/roo_on_rails/railties/database.rb
 - lib/roo_on_rails/railties/env.rb
 - lib/roo_on_rails/railties/google_oauth.rb
@@ -432,6 +463,7 @@ files:
 - lib/roo_on_rails/railties/logging.rb
 - lib/roo_on_rails/railties/new_relic.rb
 - lib/roo_on_rails/railties/rake_tasks.rb
+- lib/roo_on_rails/railties/roo_identity.rb
 - lib/roo_on_rails/railties/routemaster.rb
 - lib/roo_on_rails/railties/sidekiq.rb
 - lib/roo_on_rails/routemaster/lifecycle_events.rb
@@ -470,7 +502,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.0
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Scaffolding for building services