soar_authentication_token 0.0.4 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0f96b19d4ab690a6bfdd43d38c9c16795dbef257
-  data.tar.gz: a91497c50df87f8adaaa76c6929e33a8f3afd9fe
+  metadata.gz: cba64c87af18ce0cacb4333430c2056b2a8dbf4d
+  data.tar.gz: 2b78253b2ce7ed01e483075950e81400c8d7435b
 SHA512:
-  metadata.gz: 0230c1bbd09ba5887a6be2908824dc5d441f28da8e9128c4da1240f967a5d2588df2f42d3b94cb984abb9375a507ab5f312f36f5e6b624d9938c595084cd1db3
-  data.tar.gz: e8dc6ceb4f1d612f40bc62b64c912a7b5085e77fe49edbeea3a40b29c0cbd209bb3b82da67d7805d50ef9d97bbaab8c7ff61bcfb04a53cbe866b731edafa677c
+  metadata.gz: 98fabb13ee0409d95199d7eceb98a1eed2af9c0f0b4a506e6e883ed9f762d488bdef6a5e786cac824f78a1437af3f32cd4b587e10a7ca1819e3a2d896a3512e5
+  data.tar.gz: ec3ec0e4f402d2effabe925dfbefe3e7b7413eb0462cd8e6b3765386828d40d690f95a21965241f6fd14c0e9f2d7b4bbb9bc8134d9eac7874358057cad1de56b

data/README.md

@@ -25,7 +25,17 @@ Or install it yourself as:
 
 Run the rspec test tests using docker compose:
 
-    $ docker-compose run soar-authentication-token /bin/bash -c 'sleep 10; bundle exec rspec -cfd spec'
+    $ docker-compose build
+    $ docker-compose run --rm soar-authentication-token
+
+Properly clean up containers afterwards:
+
+    $ docker-compose down
+
+Locally run a subset:
+
+    $ bundle exec rspec -cfd spec/rack_middleware_spec.rb
+
 
 ## Usage
 

data/docker-compose.yml

@@ -1,6 +1,7 @@
 version: '2.0'
 services:
   soar-authentication-token:
+    command: /bin/bash -c 'sleep 10; bundle exec rspec -cfd spec'
     build: .
     image: soar-authentication-token
     volumes:

data/lib/soar_authentication_token/rack_middleware.rb

@@ -1,97 +1,29 @@
-require 'browser'
-require 'cgi'
-require 'net/http'
-require 'nokogiri'
-require 'rack/request'
-require 'uri'
+require 'rack'
 
 module SoarAuthenticationToken
-
   class RackMiddleware
-
-    def initialize(app, config)
+    def initialize(app, configuration)
       @app = app
-      @config = config
+      @configuration = configuration
     end
 
     def call(env)
       request = Rack::Request.new env
-      if @config[:browsers_only] and !is_browser?(request)
+      session, params = request.session, request.params
+      valid, authenticated_identifier = validate_and_resolve_token(request.env['HTTP_AUTHORIZATION'],params['flow_identifier'])
+      if valid
+        session['user'] = authenticated_identifier
         @app.call env
       else
-        session, params = request.session, request.params
-        if session['user']
-          @app.call env
-        elsif params['logoutRequest']
-          callback(:on_logout, env, st_from_logoutrequest(params['logoutRequest']))
-          [200, {}, ['']]
-        elsif user = signon(request)
-          session['user'] = user
-          callback(:on_login, env, request['ticket'])
-          @app.call env
-        else
-          service = get_service request
-          [302, {'Location' => signon_url(service)}, ['']]
-        end
+        [401, {"Content-Type" => "text/html"}, ["401 - Not authenticated"]]
       end
     end
 
     private
 
-    def callback(on_what, env, service_ticket)
-      @config[on_what].call(env, service_ticket) if(@config[on_what])
-    end
-
-    def st_from_logoutrequest(logout_request)
-      document = Nokogiri::XML::Document.parse(logout_request)
-      document.xpath('/samlp:LogoutRequest/samlp:SessionIndex').text
+    def validate_and_resolve_token(authentication_token,flow_identifier)
+      token_validator = SoarAuthenticationToken::TokenValidator.new(@configuration)
+      token_validator.validate(authentication_token: authentication_token,flow_identifier: flow_identifier)
     end
-
-
-    def is_browser?(request)
-      ua = request.user_agent
-      Browser.new(ua: ua).id != :other
-    end
-
-    def signon(request)
-      ticket = request.params['ticket']
-      service = get_service(request)
-      if ticket and service
-        redeem_service_ticket(ticket, service)
-      end
-    end
-
-    def get_service(request)
-      url = request.url
-      url.gsub!(/\&ticket=ST-\w+/, '')
-      url.gsub!(/\?ticket=ST-\w+/, '?')
-      url.chomp('?')
-    end
-
-    def redeem_service_ticket(ticket, service)
-      uri = URI.parse validation_url(ticket, service)
-      req = Net::HTTP::Get.new(uri.to_s)
-      verify_mode = @config[:ignore_certificate] ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
-      Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == 'https'), :verify_mode => verify_mode) do |http|
-        response = http.request(req)
-        if response.code.to_i == 200
-          response_xml = Nokogiri::XML::Document.parse(response.body)
-          user_element = response_xml.xpath('/cas:serviceResponse/cas:authenticationSuccess/cas:user')
-          unless user_element.empty?
-            user_element.inner_text
-          end
-        end
-      end
-    end
-
-    def signon_url(service = '')
-      "#{@config[:prefix]}/login?service=#{CGI.escape service}"
-    end
-
-    def validation_url(ticket, service)
-      "#{@config[:prefix]}/serviceValidate?ticket=#{ticket}&service=#{CGI.escape service}"
-    end
-
   end
-
 end

data/lib/soar_authentication_token/version.rb

@@ -1,3 +1,3 @@
 module SoarAuthenticationToken
-  VERSION = '0.0.4'
+  VERSION = '0.1.0'
 end

data/soar_authentication_token.gemspec

@@ -21,9 +21,11 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'soar_xt', '~> 0.0.3'
   spec.add_dependency 'jwt', '~> 1.5', '>= 1.5.6'
+  spec.add_dependency "rack", '~> 1.6', '>= 1.6.4'
 
   spec.add_development_dependency 'pry', '~> 0'
-  spec.add_development_dependency "bundler", "~> 1.3"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 2.13"
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 2.13'
+  spec.add_development_dependency "capybara", '~> 2.1', '>= 2.1.0'
 end

data/spec/rack_middleware_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+require 'rack'
+require 'rack/test'
+
+describe SoarAuthenticationToken::RackMiddleware do
+  include Rack::Test::Methods
+
+  def create_token_generator
+    keypair_generator = SoarAuthenticationToken::KeypairGenerator.new
+    private_key, public_key = keypair_generator.generate
+    configuration = {
+      'mode' => 'local',
+      'private_key' => private_key,
+      'public_key' => public_key
+    }
+    [ SoarAuthenticationToken::TokenGenerator.new(configuration), private_key, public_key ]
+  end
+
+  before :all do
+    @local_valid_generator,   @valid_private_key,   @valid_public_key   = create_token_generator
+    @local_invalid_generator, @imvalid_private_key, @invalid_public_key = create_token_generator
+  end
+
+  before :each do
+    @test_app = lambda do |env|
+      request = Rack::Request.new env
+      session = request.session
+      [200, {"Content-Type"=>"text/html"}, ["tested with authenticated user #{session['user']}"] ]
+    end
+    @iut_configuration = { 'mode' => 'local', 'public_key' => @valid_public_key}
+    @iut = SoarAuthenticationToken::RackMiddleware.new(@test_app, @iut_configuration)
+  end
+
+  it 'has a version number' do
+    expect(SoarAuthenticationToken::VERSION).not_to be nil
+  end
+
+  context "when initialized" do
+    it 'remembers the app provided' do
+      expect(@iut.instance_variable_get("@app")).to eq(@test_app)
+    end
+
+    it 'remembers the configuration provided' do
+      expect(@iut.instance_variable_get("@configuration")).to eq(@iut_configuration)
+    end
+  end
+
+  context "when called with an environment" do
+    it "should return 401 if the request contains no authentication token" do
+      opts = { }
+      code, env, body = @iut.call Rack::MockRequest.env_for('http://service', opts)
+      expect([code, env, body]).to eq([401, {"Content-Type" => "text/html"}, ["401 - Not authenticated"]])
+    end
+
+    it "should return 401 if the request contains an invalid authentication token" do
+      opts = { 'HTTP_AUTHORIZATION' => @local_invalid_generator.generate(authenticated_identifier: 'a@b.com') }
+      code, env, body = @iut.call Rack::MockRequest.env_for('http://service', opts)
+      expect([code, env, body]).to eq([401, {"Content-Type" => "text/html"}, ["401 - Not authenticated"]])
+    end
+
+    it "should pass requests that are authenticated through to the application" do
+      opts = { 'HTTP_AUTHORIZATION' => @local_valid_generator.generate(authenticated_identifier: 'a@b.com') }
+      code, env, body = @iut.call Rack::MockRequest.env_for('http://service', opts)
+      expect([code, env, body]).to eq([200, {"Content-Type"=>"text/html"}, ["tested with authenticated user a@b.com"] ])
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: soar_authentication_token
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.1.0
 platform: ruby
 authors:
 - Barney de Villiers
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-01 00:00:00.000000000 Z
+date: 2016-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: soar_xt
@@ -44,6 +44,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.6
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.4
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -100,6 +120,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.13'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
 description: Interface to the authentication token service
 email:
 - barney.de.villiers@hetzner.co.za
@@ -137,6 +177,7 @@ files:
 - sanity/sanity_benchmark.rb
 - soar_authentication_token.gemspec
 - spec/keypair_generator_spec.rb
+- spec/rack_middleware_spec.rb
 - spec/spec_helper.rb
 - spec/token_generator_spec.rb
 - spec/token_validator_spec.rb
@@ -166,6 +207,7 @@ specification_version: 4
 summary: Client library for Hetzner's authentication token service
 test_files:
 - spec/keypair_generator_spec.rb
+- spec/rack_middleware_spec.rb
 - spec/spec_helper.rb
 - spec/token_generator_spec.rb
 - spec/token_validator_spec.rb