soar_authentication_token 5.0.3 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 491fb012d892cd595bc740285e53eceab63a0e40
-  data.tar.gz: c75f083d8147b4cd3d85c883b1a1b135457587ff
+  metadata.gz: d480cb997dfa47de93d61ea0233f01dae96c4f6e
+  data.tar.gz: 217e4bd00d02c269e0865a93e9d852efae326aef
 SHA512:
-  metadata.gz: 25bdc621393d29988cb0f84228a611f475871997d80cd61a0b2e35c7c634d07507738acea54213139d5991ff1b6d7fc892d295f20c4f889f92a6c79e61ae5838
-  data.tar.gz: d3397fd56e4436a945ab7abd3195af33beb82708455eb703011ad89acb6e30a9683be8e923eaabe8de219c6f4e413f8c487c11f90dfe741c2b07466b5ab79a6a
+  metadata.gz: 5d0597fd7a320cc8ceda84cc6e7a059ae7ca006790620c08fe2133b49305f81d22dd1afb7e98e068be6ec4b2e435db97623d6ef98bbb39fce9a6eac5d6ad8b0d
+  data.tar.gz: c2f6de36be543cfb0f24617b77012115db406196b7be048e052048eb3b58afcef9a1628b771849e3e0c82ef88aedfbf41290d3480aff41f683cfb96be36ffba6

data/README.md

@@ -43,9 +43,10 @@ In this mode the StaticTokenValidator is configured with a list of preconfigured
 Run the rspec test tests using docker compose:
 
 ```bash
-export UID; docker-compose build --force-rm --no-cache
+export UID
+docker-compose build --force-rm --no-cache
 docker-compose down
-export UID; docker-compose run --rm soar-authentication-token
+docker-compose run --rm soar-authentication-token
 docker-compose down
 ```
 
@@ -54,6 +55,7 @@ docker-compose down
 For test purposes this repo relies on various other repos with services.  This is to test the interaction between the generator and validation clients and these services. In order to pull the latest from the referenced projects and build fresh docker images, simply the following commands:
 
 ```bash
+export UID
 git pull && git submodule foreach 'git fetch origin --tags; git checkout master; git pull'
 docker-compose down
 docker-compose build --force-rm --no-cache

data/docker-compose.yml

@@ -14,6 +14,7 @@ services:
     build: authentication-token-generator-service
     image: authentication-token-generator-service
     command: soaring start -e production
+    user: $UID:$UID
     expose:
       - "9393"
     volumes:
@@ -27,26 +28,29 @@ services:
     build: authentication-token-validator-service
     image: authentication-token-validator-service
     command: soaring start -e production
+    user: $UID:$UID
     expose:
       - "9393"
     volumes:
       - ./authentication-token-validator-service:/usr/local/src/
     environment:
-      - RACK_ENV=development
+      - RACK_ENV=production
       - ENVIRONMENT_FILE=environment_local_ecosystem.yml
     links:
       - authentication-token-store
   authentication-token-store:
     build: authentication-token-store
     image: authentication-token-store
-    command: soaring start -e development
+    command: soaring start -e production
+    user: $UID:$UID
     expose:
       - "9393"
+    volumes:
+      - ./authentication-token-store:/usr/local/src/
     environment:
-      - RACK_ENV=development
+      - RACK_ENV=production
       - ENVIRONMENT_FILE=environment_local_ecosystem.yml
     links:
       - authentication-token-redis-store
   authentication-token-redis-store:
     image: redis
-    command: redis-server --requirepass redis_password

data/lib/soar_authentication_token/providers/jwt_token_validator.rb

@@ -12,7 +12,7 @@ module SoarAuthenticationToken
       @store_provider = store_provider
     end
 
-    def validate(authentication_token:,flow_identifier: nil)
+    def validate(authentication_token:,flow_identifier:, request_information:)
       decoded_token_payload = decode(authentication_token)
       return rejection_result(reason: 'Token decode/verification failure') if decoded_token_payload.nil?
       meta = compile_meta_from_payload(decoded_token_payload)

data/lib/soar_authentication_token/providers/remote_token_validator.rb

@@ -12,11 +12,11 @@ module SoarAuthenticationToken
       #ignore the store provider since this validator does not use a store
     end
 
-    def validate(authentication_token:,flow_identifier: nil)
+    def validate(authentication_token:, request_information:, flow_identifier:)
       attempt = 0
       begin
         Timeout::timeout(@configuration['timeout']) do
-          response = send_request(authentication_token,flow_identifier)
+          response = send_request(authentication_token,request_information,flow_identifier)
           validate_and_extract_information_from_response(response)
         end
       rescue Timeout::Error
@@ -33,13 +33,14 @@ module SoarAuthenticationToken
       @configuration['attempts'] ||= 2
     end
 
-    def send_request(authentication_token,flow_identifier)
+    def send_request(authentication_token,request_information,flow_identifier)
       uri = URI.parse(@configuration['validator-url'])
       uri.query = URI.encode_www_form( {'flow_identifier' => flow_identifier} )
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = true if uri.is_a?(URI::HTTPS)
       request = Net::HTTP::Post.new(uri.request_uri)
-      request.body = { 'authentication_token' => authentication_token }.to_json
+      request.body = { 'authentication_token' => authentication_token,
+                       'request_information' => request_information }.to_json
       http.request(request)
     end
 

data/lib/soar_authentication_token/rack_middleware.rb

@@ -1,16 +1,19 @@
 require 'rack'
+require 'json'
 
 module SoarAuthenticationToken
   class RackMiddleware
-    def initialize(app, configuration, auditing = nil)
+    def initialize(app, configuration, service_identifier, auditing = nil)
       @app = app
       @configuration = configuration
+      @service_identifier = service_identifier
       @auditing = auditing
     end
 
     def call(env)
-      session, params, token, flow_id = get_request_information(env)
-      token_valid, token_meta, message = validate_and_resolve_token(token,flow_id)
+      session, params, token, flow_id, request_information, = get_request_information(env)
+      token_valid, token_meta, message = validate_and_resolve_token(token, request_information, flow_id)
+      $stderr.puts token_valid, token_meta, message
       if token_valid
         session['user'] = token_meta['authenticated_identifier']
         session['auth_token_meta'] = token_meta
@@ -27,12 +30,20 @@ module SoarAuthenticationToken
       [ request.session,
         request.params,
         request.env['HTTP_AUTHORIZATION'],
-        request.params['flow_identifier'] ]
+        request.params['flow_identifier'],
+        { 'source_address'    => request.env['REMOTE_ADDR'],
+          'user_agent'        => request.env['HTTP_USER_AGENT'],
+          'service'           => @service_identifier,
+          'resource'          => request.env['REQUEST_PATH']
+        }
+      ]
     end
 
-    def validate_and_resolve_token(authentication_token,flow_identifier)
+    def validate_and_resolve_token(authentication_token, request_information, flow_identifier)
       token_validator = SoarAuthenticationToken::TokenValidator.new(@configuration)
-      token_validator.validate(authentication_token: authentication_token,flow_identifier: flow_identifier)
+      token_validator.validate(authentication_token: authentication_token,
+                               request_information: request_information,
+                               flow_identifier: flow_identifier)
     end
 
     def audit_token_rejection(message, flow_id)
@@ -40,7 +51,15 @@ module SoarAuthenticationToken
     end
 
     def rejection
-      [401, { 'Content-Type' => 'application/json'}, ["401 - Not authenticated"]]
+      [ 401,
+        { 'Content-Type' => 'application/json'},
+        {
+          'status' => 'fail',
+          'data' => {
+            'notifications' => ['Not authenticated']
+          }
+        }
+      ]
     end
   end
 end

data/lib/soar_authentication_token/token_validator.rb

@@ -10,8 +10,9 @@ module SoarAuthenticationToken
       @provider.inject_store_provider(store_provider)
     end
 
-    def validate(authentication_token:,flow_identifier: nil)
+    def validate(authentication_token:, request_information: {}, flow_identifier: nil)
       @provider.validate(authentication_token: authentication_token,
+                         request_information:  request_information,
                          flow_identifier:      flow_identifier)
     end
 

data/lib/soar_authentication_token/version.rb

@@ -1,3 +1,3 @@
 module SoarAuthenticationToken
-  VERSION = '5.0.3'
+  VERSION = '6.0.0'
 end

data/spec/jwt_token_validator_spec.rb

@@ -4,7 +4,7 @@ require 'yaml'
 describe SoarAuthenticationToken::JwtTokenValidator do
   subject { SoarAuthenticationToken::JwtTokenValidator }
   before :all do
-    @test_store = AuthTokenStoreProvider::StubClient.new
+    @test_store = AuthTokenStoreProvider::LocalStubClient.new
     keypair_generator = SoarAuthenticationToken::KeypairGenerator.new
     @valid_private_key,   @valid_public_key   = keypair_generator.generate
     @invalid_private_key, @invalid_public_key = keypair_generator.generate
@@ -63,6 +63,10 @@ describe SoarAuthenticationToken::JwtTokenValidator do
     @remote_generator = SoarAuthenticationToken::TokenGenerator.new(@remote_generator_configuration)
   end
 
+  before :each do
+    @test_store.clear_store
+  end
+
   it 'has a version number' do
     expect(SoarAuthenticationToken::VERSION).not_to be nil
   end
@@ -122,8 +126,9 @@ describe SoarAuthenticationToken::JwtTokenValidator do
       context 'given unknown token (not in store)' do
         let!(:token_validation_result) {
           token, token_generator_meta = @local_valid_generator.generate(authenticated_identifier: @test_identifier)
-          @test_store.instance_variable_set("@store", []) #clear store
-          iut.validate(authentication_token: token)
+          @test_store.clear_store
+          token_validation_result = iut.validate(authentication_token: token)
+          token_validation_result
         }
         let!(:token_validity) { token_validation_result[0] }
         let!(:token_meta)     { token_validation_result[1] }
@@ -202,7 +207,7 @@ describe SoarAuthenticationToken::JwtTokenValidator do
           expect(iut).to receive(:attempt_decode_using_a_key).once.ordered.with(token, @multiple_key_configuration['keys']['KEYPAIR_20160108T190001']).and_return(nil)
           expect(iut).to receive(:attempt_decode_using_a_key).once.ordered.with(token, @multiple_key_configuration['keys']['KEYPAIR_20160107T230001']).and_return(nil)
 
-          iut.validate(authentication_token: token)
+          iut.validate(authentication_token: token, flow_identifier: nil, request_information: nil)
         end
 
         it 'attempts to use all the public keys' do
@@ -211,7 +216,7 @@ describe SoarAuthenticationToken::JwtTokenValidator do
 
           expect(iut).to receive(:attempt_decode_using_a_key).exactly(3).times
 
-          iut.validate(authentication_token: token)
+          iut.validate(authentication_token: token, flow_identifier: nil, request_information: nil)
         end
       end
 
@@ -229,7 +234,7 @@ describe SoarAuthenticationToken::JwtTokenValidator do
         it 'responds indicating the token is valid' do
           iut = SoarAuthenticationToken::JwtTokenValidator.new(@multiple_key_configuration)
           iut.inject_store_provider(@test_store)
-          token_validity, token_meta, message = iut.validate(authentication_token: token)
+          token_validity, token_meta, message = iut.validate(authentication_token: token, flow_identifier: nil, request_information: nil)
 
           expect(token_validity).to eq true
         end
@@ -245,7 +250,7 @@ describe SoarAuthenticationToken::JwtTokenValidator do
           iut.inject_store_provider(@test_store)
 
           expect(iut).to receive(:attempt_decode_using_a_key).once.with(token, @multiple_key_configuration['keys']['KEYPAIR_20160108T200001']).and_return([token_meta])
-          iut.validate(authentication_token: token)
+          iut.validate(authentication_token: token, flow_identifier: nil, request_information: nil)
         end
       end
 
@@ -283,7 +288,7 @@ describe SoarAuthenticationToken::JwtTokenValidator do
           expect(iut).to receive(:attempt_decode_using_a_key).once.with(token, @multiple_key_configuration['keys']['KEYPAIR_20160108T200001']).and_return(nil)
           expect(iut).to receive(:attempt_decode_using_a_key).once.with(token, @multiple_key_configuration['keys']['KEYPAIR_20160108T190001']).and_return([token_meta])
           expect(iut).not_to receive(:attempt_decode_using_a_key).with(token, @multiple_key_configuration['keys']['KEYPAIR_20160107T230001'])
-          iut.validate(authentication_token: token)
+          iut.validate(authentication_token: token, flow_identifier: nil, request_information: nil)
         end
       end
     end

data/spec/rack_middleware_spec.rb

@@ -32,19 +32,23 @@ describe SoarAuthenticationToken::RackMiddleware do
   end
 
   def get_store
-    AuthTokenStoreProvider::Client.new({ 'service_url' => 'http://authentication-token-store:9393/'})
+    AuthTokenStoreProvider::Client.new({ 'service_url' => 'http://authentication-token-store:9393/',
+                                         'auth_token' => 'test_ecosystem_token_for_auth_token_generator_service'})
   end
 
   before :all do
     @local_valid_generator,   @valid_private_key,   @valid_public_key   = create_valid_token_generator
     @local_invalid_generator, @imvalid_private_key, @invalid_public_key = create_invalid_token_generator
+    @failure_response_json = { 'status' => 'fail', 'data' => {
+                                 'notifications' => ['Not authenticated']
+                               }
+                              }
   end
 
   before :each do
     @test_app = lambda do |env|
       request = Rack::Request.new env
       session = request.session
-      $stderr.puts "In the controller"
       test_app_response_data = {
         'message' => "tested with authenticated user #{session['user']}",
         'user' => session['user'],
@@ -56,7 +60,7 @@ describe SoarAuthenticationToken::RackMiddleware do
       'provider' => 'SoarAuthenticationToken::RemoteTokenValidator',
       'validator-url' => 'http://authentication-token-validator-service:9393/validate'
     }
-    @iut = SoarAuthenticationToken::RackMiddleware.new(@test_app, @iut_configuration)
+    @iut = SoarAuthenticationToken::RackMiddleware.new(@test_app, @iut_configuration, "test-service", nil)
   end
 
   it 'has a version number' do
@@ -78,7 +82,7 @@ describe SoarAuthenticationToken::RackMiddleware do
       it "return with 401" do
         opts = { }
         code, env, body = @iut.call Rack::MockRequest.env_for('http://service', opts)
-        expect([code, env, body]).to eq([401, {"Content-Type" => "application/json"}, ["401 - Not authenticated"]])
+        expect([code, env, body]).to eq([401, {"Content-Type" => "application/json"}, @failure_response_json])
       end
     end
 
@@ -86,7 +90,7 @@ describe SoarAuthenticationToken::RackMiddleware do
       it "return with 401" do
         opts = { 'HTTP_AUTHORIZATION' => @local_invalid_generator.generate(authenticated_identifier: 'a@b.com') }
         code, env, body = @iut.call Rack::MockRequest.env_for('http://service', opts)
-        expect([code, env, body]).to eq([401, {"Content-Type" => "application/json"}, ["401 - Not authenticated"]])
+        expect([code, env, body]).to eq([401, {"Content-Type" => "application/json"}, @failure_response_json])
       end
     end
 

data/spec/remote_token_validator_spec.rb

@@ -38,7 +38,7 @@ describe SoarAuthenticationToken::RemoteTokenValidator do
     context 'given valid token' do
       let!(:token_validation_result) {
         token, token_generator_meta = @remote_generator.generate(authenticated_identifier: @test_identifier)
-        iut.validate(authentication_token: token)
+        iut.validate(authentication_token: token, request_information: nil, flow_identifier: nil)
       }
       let!(:token_validity) { token_validation_result[0] }
       let!(:token_meta)     { token_validation_result[1] }
@@ -56,7 +56,7 @@ describe SoarAuthenticationToken::RemoteTokenValidator do
     context 'given invalid (generalized) token' do
       let!(:token_validation_result) {
         token, token_generator_meta = @local_invalid_generator.generate(authenticated_identifier: @test_identifier)
-        iut.validate(authentication_token: token)
+        iut.validate(authentication_token: token, request_information: nil, flow_identifier: nil)
       }
       let!(:token_validity) { token_validation_result[0] }
       let!(:token_meta)     { token_validation_result[1] }
@@ -88,13 +88,13 @@ describe SoarAuthenticationToken::RemoteTokenValidator do
       }
       it 'raise error after attempt that timeout has occured' do
         expect{
-          iut.validate(authentication_token: valid_token)
+          iut.validate(authentication_token: valid_token, request_information: nil, flow_identifier: nil)
         }.to raise_error Timeout::Error
       end
       it 'by default attempts 2 times with 3 second timeout' do
         start_time = Time.now
         expect{
-          iut.validate(authentication_token: valid_token)
+          iut.validate(authentication_token: valid_token, request_information: nil, flow_identifier: nil)
         }.to raise_error Timeout::Error
         expect(Time.now - start_time).to be_within(1).of 6
       end

data/spec/spec_helper.rb

@@ -16,3 +16,70 @@ require 'auth_token_store_provider'
 def one_year_in_seconds
   31536000
 end
+
+
+module AuthTokenStoreProvider
+  class LocalStubClient
+    def store
+      @@store ||= []
+    end
+
+    def clear_store
+      @@store = []
+    end
+
+    def initialize(configuration = {})
+      if configuration['stub-data'] != {} || configuration['stub-data'] != nil
+        @@store = configuration['stub-data']
+      end
+    end
+
+    def store_failure(state = true)
+      @@store_failure = state
+    end
+
+    def store_failure?
+      @@store_failure ||= false
+      @@store_failure
+    end
+
+    def add(token_identifier:, authenticated_identifier:, token_issue_time:, token_expiry_time:, flow_identifier: nil)
+      raise RuntimeError, 'Failure accessing store' if store_failure?
+      store << { token_identifier: token_identifier,
+                  authenticated_identifier: authenticated_identifier,
+                  token_issue_time: token_issue_time,
+                  token_expiry_time: token_expiry_time }
+    end
+
+    def remove(token_identifier:, flow_identifier: nil)
+      raise RuntimeError, 'Failure accessing store' if store_failure?
+      store.delete_if { |x| x[:token_identifier] == token_identifier }
+      true
+    end
+
+    def token_exist?(token_identifier:, authenticated_identifier:, token_issue_time:, token_expiry_time:, flow_identifier: nil)
+      raise RuntimeError, 'Failure accessing store' if store_failure?
+
+      store.each { |x|
+        if ((x[:token_identifier] == token_identifier) and
+            (x[:authenticated_identifier] == authenticated_identifier) and
+            (x[:token_issue_time] == token_issue_time) and
+            (x[:token_expiry_time] == token_expiry_time))
+          return true
+        end
+      }
+      false
+    end
+
+    def remove_tokens_for(authenticated_identifier:, flow_identifier: nil)
+      raise RuntimeError, 'Failure accessing store' if store_failure?
+      store.delete_if { |x| x[:authenticated_identifier] == authenticated_identifier }
+      true
+    end
+
+    def list_tokens_for(authenticated_identifier:, flow_identifier: nil)
+      raise RuntimeError, 'Failure accessing store' if store_failure?
+      store.select { |x| x[:authenticated_identifier] == authenticated_identifier}
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: soar_authentication_token
 version: !ruby/object:Gem::Version
-  version: 5.0.3
+  version: 6.0.0
 platform: ruby
 authors:
 - Barney de Villiers
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-27 00:00:00.000000000 Z
+date: 2017-04-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: soar_xt
@@ -221,7 +221,6 @@ files:
 - bin/keypair-generator
 - bin/rotate-configs
 - bin/setup
-- docker-compose-isolated.yml
 - docker-compose.yml
 - lib/soar_authentication_token.rb
 - lib/soar_authentication_token/config_rotator.rb

data/docker-compose-isolated.yml

@@ -1,49 +0,0 @@
-version: '2.0'
-services:
-  soar-authentication-token:
-    command: /bin/bash -c 'sleep 5; bundle exec rspec -cfd spec'
-    build: .
-    image: soar-authentication-token
-    volumes:
-      - .:/usr/local/src/
-    links:
-      - authentication-token-generator-service
-      - authentication-token-validator-service
-  authentication-token-generator-service:
-    build: authentication-token-generator-service
-    image: authentication-token-generator-service
-    expose:
-      - "9393"
-    volumes:
-      - ./authentication-token-generator-service:/usr/local/src/
-    environment:
-      - RACK_ENV=development
-      - ENVIRONMENT_FILE=environment_local_ecosystem.yml
-    links:
-      - authentication-token-store
-  authentication-token-validator-service:
-    build: authentication-token-validator-service
-    image: authentication-token-validator-service
-    expose:
-      - "9393"
-    volumes:
-      - ./authentication-token-validator-service:/usr/local/src/
-    environment:
-      - RACK_ENV=development
-      - ENVIRONMENT_FILE=environment_local_ecosystem.yml
-    links:
-      - authentication-token-store
-  authentication-token-store:
-    build: authentication-token-store
-    image: authentication-token-store
-    command: soaring start
-    expose:
-      - "9393"
-    environment:
-      - RACK_ENV=development
-      - ENVIRONMENT_FILE=environment_local_ecosystem.yml
-    links:
-      - authentication-token-redis-store
-  authentication-token-redis-store:
-    image: redis
-    command: redis-server --requirepass redis_password