tep 0.11.0

data/test/test_auth.rb

@@ -0,0 +1,223 @@
+require_relative "helper"
+
+# Tep::Auth + Tep::AuthBearerToken: end-to-end JWT bearer-token
+# auth flow. Boots a tep app that installs the auth filter, mints
+# tokens via Tep::Jwt at request time, and exercises req.identity
+# from handler bodies.
+class TestAuth < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    SECRET = "test-shared-secret-do-not-use-in-prod"
+
+    Tep::AuthBearerToken.set_secret(SECRET)
+    Tep::Auth.install!
+
+    # ---- mint endpoints (test harness uses these to get tokens) ----
+    # The payload is Tep::Json-friendly flat JSON: sub, exp, caps
+    # (comma-separated), and optionally delegate (pipe-encoded).
+
+    post '/mint_human' do
+      res.headers["Content-Type"] = "text/plain"
+      sub = Tep::Json.get_str(req.raw_body, "sub")
+      caps = Tep::Json.get_str(req.raw_body, "caps")
+      exp = Time.now.to_i + 600
+      payload = "{" +
+        Tep::Json.encode_pair_str("sub", sub) + "," +
+        Tep::Json.encode_pair_int("exp", exp) + "," +
+        Tep::Json.encode_pair_str("caps", caps) +
+      "}"
+      Tep::Jwt.encode_hs256(payload, SECRET)
+    end
+
+    post '/mint_agent' do
+      res.headers["Content-Type"] = "text/plain"
+      sub = Tep::Json.get_str(req.raw_body, "sub")
+      caps = Tep::Json.get_str(req.raw_body, "caps")
+      delegate = Tep::Json.get_str(req.raw_body, "delegate")
+      exp = Time.now.to_i + 600
+      payload = "{" +
+        Tep::Json.encode_pair_str("sub", sub) + "," +
+        Tep::Json.encode_pair_int("exp", exp) + "," +
+        Tep::Json.encode_pair_str("caps", caps) + "," +
+        Tep::Json.encode_pair_str("delegate", delegate) +
+      "}"
+      Tep::Jwt.encode_hs256(payload, SECRET)
+    end
+
+    post '/mint_expired' do
+      res.headers["Content-Type"] = "text/plain"
+      sub = Tep::Json.get_str(req.raw_body, "sub")
+      # Issued in the past, expired in the past.
+      exp = Time.now.to_i - 60
+      payload = "{" +
+        Tep::Json.encode_pair_str("sub", sub) + "," +
+        Tep::Json.encode_pair_int("exp", exp) + "," +
+        Tep::Json.encode_pair_str("caps", "read") +
+      "}"
+      Tep::Jwt.encode_hs256(payload, SECRET)
+    end
+
+    # ---- identity-introspection endpoints ----
+    # Every route below reads req.identity (populated by the
+    # auth-filter before this handler runs).
+
+    before do
+      res.headers["Content-Type"] = "text/plain"
+    end
+
+    get '/whoami' do
+      req.identity.subject
+    end
+
+    get '/is_human' do
+      req.identity.human? ? "yes" : "no"
+    end
+
+    get '/is_agent' do
+      req.identity.agent? ? "yes" : "no"
+    end
+
+    get '/may_read' do
+      req.identity.may?(:read) ? "yes" : "no"
+    end
+
+    get '/may_write' do
+      req.identity.may?(:write) ? "yes" : "no"
+    end
+
+    get '/may_post_summary' do
+      req.identity.may?(:post_summary) ? "yes" : "no"
+    end
+
+    get '/agent_id' do
+      if req.identity.acting_via == nil
+        ""
+      else
+        req.identity.acting_via.agent_id
+      end
+    end
+  RB
+
+  # ---- helper: mint a token, then call a route with it as Bearer ----
+
+  def mint_human(sub, caps)
+    body = "{" +
+      "\"sub\":\"" + sub + "\"," +
+      "\"caps\":\"" + caps + "\"}"
+    post("/mint_human", body).body
+  end
+
+  def mint_agent(sub, caps, delegate)
+    body = "{" +
+      "\"sub\":\"" + sub + "\"," +
+      "\"caps\":\"" + caps + "\"," +
+      "\"delegate\":\"" + delegate + "\"}"
+    post("/mint_agent", body).body
+  end
+
+  def mint_expired(sub)
+    body = "{\"sub\":\"" + sub + "\"}"
+    post("/mint_expired", body).body
+  end
+
+  def authed(path, token)
+    get(path, "Authorization" => "Bearer " + token)
+  end
+
+  # ---- anonymous (no Authorization header) ----
+
+  def test_anonymous_subject
+    assert_equal "user:", get("/whoami").body
+  end
+
+  def test_anonymous_has_no_caps
+    assert_equal "no", get("/may_read").body
+  end
+
+  # ---- valid human token ----
+
+  def test_human_subject_via_bearer
+    token = mint_human("user:42", "read,write")
+    assert_equal "user:user:42", authed("/whoami", token).body
+  end
+
+  def test_human_marked_human
+    token = mint_human("user:42", "read")
+    assert_equal "yes", authed("/is_human", token).body
+  end
+
+  def test_human_not_agent
+    token = mint_human("user:42", "read")
+    assert_equal "no", authed("/is_agent", token).body
+  end
+
+  def test_human_granted_caps
+    token = mint_human("user:42", "read,write")
+    assert_equal "yes", authed("/may_read", token).body
+    assert_equal "yes", authed("/may_write", token).body
+  end
+
+  def test_human_lacks_ungranted_cap
+    token = mint_human("user:42", "read")
+    assert_equal "no", authed("/may_write", token).body
+  end
+
+  # ---- valid agent token ----
+
+  def test_agent_subject_format
+    token = mint_agent(
+      "user:42", "read",
+      "summarizer-bot|1000|9999999999|token")
+    assert_equal "agent:summarizer-bot/user:42",
+      authed("/whoami", token).body
+  end
+
+  def test_agent_marked_agent
+    token = mint_agent(
+      "user:42", "read",
+      "summarizer-bot|1000|9999999999|token")
+    assert_equal "yes", authed("/is_agent", token).body
+  end
+
+  def test_agent_id_exposed
+    token = mint_agent(
+      "user:42", "read",
+      "summarizer-bot|1000|9999999999|token")
+    assert_equal "summarizer-bot", authed("/agent_id", token).body
+  end
+
+  def test_agent_caps_subset_of_principal
+    # Principal would have :read + :write; this token grants :read only.
+    # Auth doesn't enforce subset -- issuer does -- but tests that
+    # whatever the token carries flows through.
+    token = mint_agent(
+      "user:42", "read",
+      "summarizer-bot|1000|9999999999|token")
+    assert_equal "yes", authed("/may_read", token).body
+    assert_equal "no",  authed("/may_write", token).body
+  end
+
+  # ---- token rejections ----
+
+  def test_expired_token_falls_back_to_anonymous
+    token = mint_expired("user:42")
+    assert_equal "user:", authed("/whoami", token).body
+  end
+
+  def test_bad_signature_falls_back_to_anonymous
+    token = mint_human("user:42", "read")
+    tampered = token + "x"
+    assert_equal "user:", authed("/whoami", tampered).body
+  end
+
+  def test_malformed_bearer_header_falls_back_to_anonymous
+    # No "Bearer " prefix.
+    res = get("/whoami", "Authorization" => "Basic abcdef")
+    assert_equal "user:", res.body
+  end
+
+  def test_missing_authorization_falls_back_to_anonymous
+    assert_equal "user:", get("/whoami").body
+  end
+end

data/test/test_auth_oauth2.rb

@@ -0,0 +1,208 @@
+require_relative "helper"
+
+# Tep::AuthOAuth2: OAuth2-style authorization-code issuance. tep
+# acts as the authorization server -- registers bot clients, issues
+# short-lived codes after consent, exchanges codes for JWTs. The
+# downstream identity surface is the same as direct bearer-token
+# auth: the resulting JWT carries `delegate` and BearerToken parses
+# it into a delegated Tep::Identity.
+class TestAuthOAuth2 < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    SECRET = "test-oauth2-shared-secret"
+    Tep::AuthBearerToken.set_secret(SECRET)
+    Tep::Auth.install!
+
+    # Register one bot client at boot.
+    Tep::AuthOAuth2.register_client(
+      "summarizer-bot",
+      "Summarizer Bot",
+      "https://bot.example/oauth/callback",
+      [:read, :post_summary])
+
+    before do
+      res.headers["Content-Type"] = "text/plain"
+    end
+
+    # ---- consent endpoint: caller passes the principal + granted
+    # caps; app's real implementation would render a consent UI +
+    # only reach here on user-approve. The test stub skips the UI.
+
+    post '/consent' do
+      principal_id = Tep::Json.get_str(req.raw_body, "principal_id")
+      client_id    = Tep::Json.get_str(req.raw_body, "client_id")
+      caps_str     = Tep::Json.get_str(req.raw_body, "caps")
+      Tep::AuthOAuth2.issue_code(principal_id, client_id, caps_str, 0)
+    end
+
+    # ---- token-exchange endpoint: bot redeems code for JWT.
+
+    post '/token' do
+      code      = Tep::Json.get_str(req.raw_body, "code")
+      client_id = Tep::Json.get_str(req.raw_body, "client_id")
+      Tep::AuthOAuth2.exchange_code(code, client_id, 0)
+    end
+
+    # ---- client lookup (sanity check the registry).
+
+    get '/client/:id' do
+      c = Tep::AuthOAuth2.find_client(params[:id])
+      if c == nil
+        "missing"
+      else
+        c.name + "|" + c.redirect_uri
+      end
+    end
+
+    # ---- identity-introspection endpoints (mirrors test_auth).
+
+    get '/whoami' do
+      req.identity.subject
+    end
+
+    get '/is_agent' do
+      req.identity.agent? ? "yes" : "no"
+    end
+
+    get '/agent_id' do
+      if req.identity.acting_via == nil
+        ""
+      else
+        req.identity.acting_via.agent_id
+      end
+    end
+
+    get '/origin' do
+      if req.identity.acting_via == nil
+        ""
+      else
+        req.identity.acting_via.origin.to_s
+      end
+    end
+
+    get '/may_read' do
+      req.identity.may?(:read) ? "yes" : "no"
+    end
+
+    get '/may_post_summary' do
+      req.identity.may?(:post_summary) ? "yes" : "no"
+    end
+
+    get '/may_write' do
+      req.identity.may?(:write) ? "yes" : "no"
+    end
+  RB
+
+  # ---- helpers ----
+
+  def consent_body(principal_id, client_id, caps)
+    "{" +
+      "\"principal_id\":\"" + principal_id + "\"," +
+      "\"client_id\":\"" + client_id + "\"," +
+      "\"caps\":\"" + caps + "\"}"
+  end
+
+  def token_body(code, client_id)
+    "{\"code\":\"" + code + "\",\"client_id\":\"" + client_id + "\"}"
+  end
+
+  def consent(principal_id, client_id, caps)
+    post("/consent", consent_body(principal_id, client_id, caps)).body
+  end
+
+  def exchange(code, client_id)
+    post("/token", token_body(code, client_id)).body
+  end
+
+  def authed(path, token)
+    get(path, "Authorization" => "Bearer " + token)
+  end
+
+  # ---- client registry ----
+
+  def test_registered_client_lookup
+    assert_equal "Summarizer Bot|https://bot.example/oauth/callback",
+      get("/client/summarizer-bot").body
+  end
+
+  def test_unregistered_client_lookup
+    assert_equal "missing", get("/client/never-registered").body
+  end
+
+  # ---- happy path: issue + exchange ----
+
+  def test_issue_code_returns_nonempty
+    code = consent("user:42", "summarizer-bot", "read")
+    refute_equal "", code
+    # base64url, 24 random bytes -> ~32 chars
+    assert code.length >= 28, "code too short: #{code.inspect}"
+  end
+
+  def test_exchange_code_returns_jwt
+    code = consent("user:42", "summarizer-bot", "read,post_summary")
+    token = exchange(code, "summarizer-bot")
+    refute_equal "", token
+    # JWT shape: three dot-separated segments.
+    assert_equal 2, token.count("."), "token: #{token.inspect}"
+  end
+
+  def test_exchanged_jwt_authenticates_as_agent
+    code = consent("user:42", "summarizer-bot", "read,post_summary")
+    token = exchange(code, "summarizer-bot")
+    assert_equal "agent:summarizer-bot/user:42",
+      authed("/whoami", token).body
+  end
+
+  def test_exchanged_jwt_marked_agent
+    code = consent("user:42", "summarizer-bot", "read")
+    token = exchange(code, "summarizer-bot")
+    assert_equal "yes", authed("/is_agent", token).body
+  end
+
+  def test_exchanged_jwt_carries_agent_id
+    code = consent("user:42", "summarizer-bot", "read")
+    token = exchange(code, "summarizer-bot")
+    assert_equal "summarizer-bot", authed("/agent_id", token).body
+  end
+
+  def test_exchanged_jwt_origin_is_oauth_grant
+    code = consent("user:42", "summarizer-bot", "read")
+    token = exchange(code, "summarizer-bot")
+    assert_equal "oauth_grant", authed("/origin", token).body
+  end
+
+  def test_exchanged_jwt_caps_granted
+    code = consent("user:42", "summarizer-bot", "read,post_summary")
+    token = exchange(code, "summarizer-bot")
+    assert_equal "yes", authed("/may_read", token).body
+    assert_equal "yes", authed("/may_post_summary", token).body
+  end
+
+  def test_exchanged_jwt_caps_not_in_grant_are_rejected
+    # User granted only :read. The JWT should NOT carry :write.
+    code = consent("user:42", "summarizer-bot", "read")
+    token = exchange(code, "summarizer-bot")
+    assert_equal "no", authed("/may_write", token).body
+  end
+
+  # ---- rejections ----
+
+  def test_exchange_unknown_code_returns_empty
+    assert_equal "", exchange("never-issued-code", "summarizer-bot")
+  end
+
+  def test_exchange_wrong_client_id_returns_empty
+    code = consent("user:42", "summarizer-bot", "read")
+    # Try to redeem against a different client_id.
+    assert_equal "", exchange(code, "different-bot")
+  end
+
+  def test_exchange_is_single_use
+    code = consent("user:42", "summarizer-bot", "read")
+    # First exchange succeeds.
+    refute_equal "", exchange(code, "summarizer-bot")
+    # Second exchange of the same code fails.
+    assert_equal "", exchange(code, "summarizer-bot")
+  end
+end

data/test/test_auth_session_cookie.rb

@@ -0,0 +1,198 @@
+require_relative "helper"
+
+# Tep::AuthSessionCookie: signed-session-cookie auth provider.
+# Round-trip an Identity via the tep.session cookie + verify it's
+# read back through req.identity on the next request.
+class TestAuthSessionCookie < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    Tep.session_secret = "test-session-secret-do-not-use-in-prod"
+    Tep::Auth.install!
+
+    # ---- write paths: the test harness calls these to seed a
+    # session cookie. POST body is irrelevant; the route hardcodes
+    # the identity it sets so the test can predict the readback.
+
+    before do
+      res.headers["Content-Type"] = "text/plain"
+    end
+
+    post '/login_human' do
+      caps = [:read, :write]
+      ident = Tep::Identity.new("user:42", nil, caps)
+      Tep::AuthSessionCookie.set(req, ident, 0)
+      "ok"
+    end
+
+    post '/login_human_with_exp' do
+      # Expiry 600s in the future -- valid for the immediate readback.
+      caps = [:read]
+      ident = Tep::Identity.new("user:42", nil, caps)
+      Tep::AuthSessionCookie.set(req, ident, Time.now.to_i + 600)
+      "ok"
+    end
+
+    post '/login_human_expired' do
+      # Expiry 60s in the PAST -- readback rejects.
+      caps = [:read]
+      ident = Tep::Identity.new("user:42", nil, caps)
+      Tep::AuthSessionCookie.set(req, ident, Time.now.to_i - 60)
+      "ok"
+    end
+
+    post '/login_agent' do
+      caps = [:read]
+      delegation = Tep::AgentDelegation.new(
+        "summarizer-bot", 1000, 9999999999, :token)
+      ident = Tep::Identity.new("user:42", delegation, caps)
+      Tep::AuthSessionCookie.set(req, ident, 0)
+      "ok"
+    end
+
+    post '/logout' do
+      Tep::AuthSessionCookie.clear(req)
+      "ok"
+    end
+
+    # ---- read paths ----
+
+    get '/whoami' do
+      req.identity.subject
+    end
+
+    get '/is_human' do
+      req.identity.human? ? "yes" : "no"
+    end
+
+    get '/is_agent' do
+      req.identity.agent? ? "yes" : "no"
+    end
+
+    get '/may_read' do
+      req.identity.may?(:read) ? "yes" : "no"
+    end
+
+    get '/may_write' do
+      req.identity.may?(:write) ? "yes" : "no"
+    end
+
+    get '/agent_id' do
+      if req.identity.acting_via == nil
+        ""
+      else
+        req.identity.acting_via.agent_id
+      end
+    end
+  RB
+
+  # Pull the tep.session cookie out of a Set-Cookie header and
+  # return the "tep.session=..." string suitable for a Cookie:
+  # request header.
+  def session_cookie_from(res)
+    raw = res["set-cookie"]
+    return nil if raw.nil? || raw.empty?
+    pair = raw.split(";").first
+    pair.strip
+  end
+
+  # POST to a login route, then GET `path` with the resulting
+  # session cookie. Returns the GET response.
+  def with_session_from(login_path, path)
+    login_res = post(login_path)
+    cookie = session_cookie_from(login_res)
+    assert cookie, "expected tep.session cookie in #{login_path} response, got: #{login_res['set-cookie'].inspect}"
+    get(path, "Cookie" => cookie)
+  end
+
+  # ---- anonymous (no session cookie at all) ----
+
+  def test_anonymous_when_no_cookie
+    assert_equal "user:", get("/whoami").body
+  end
+
+  def test_anonymous_has_no_caps
+    assert_equal "no", get("/may_read").body
+  end
+
+  # ---- human identity round-trips through the session ----
+
+  def test_human_subject_round_trips
+    res = with_session_from("/login_human", "/whoami")
+    assert_equal "user:user:42", res.body
+  end
+
+  def test_human_marked_human
+    res = with_session_from("/login_human", "/is_human")
+    assert_equal "yes", res.body
+  end
+
+  def test_human_caps_round_trip
+    res = with_session_from("/login_human", "/may_read")
+    assert_equal "yes", res.body
+    res = with_session_from("/login_human", "/may_write")
+    assert_equal "yes", res.body
+  end
+
+  # ---- agent identity round-trips ----
+
+  def test_agent_subject_round_trips
+    res = with_session_from("/login_agent", "/whoami")
+    assert_equal "agent:summarizer-bot/user:42", res.body
+  end
+
+  def test_agent_marked_agent
+    res = with_session_from("/login_agent", "/is_agent")
+    assert_equal "yes", res.body
+  end
+
+  def test_agent_id_round_trips
+    res = with_session_from("/login_agent", "/agent_id")
+    assert_equal "summarizer-bot", res.body
+  end
+
+  # ---- expiry ----
+
+  def test_valid_exp_still_works
+    res = with_session_from("/login_human_with_exp", "/whoami")
+    assert_equal "user:user:42", res.body
+  end
+
+  def test_expired_identity_falls_back_to_anonymous
+    res = with_session_from("/login_human_expired", "/whoami")
+    assert_equal "user:", res.body
+  end
+
+  # ---- logout ----
+
+  def test_logout_clears_identity
+    # Step 1: log in
+    login_res = post("/login_human")
+    logged_in_cookie = session_cookie_from(login_res)
+
+    # Step 2: verify identity is set
+    res = get("/whoami", "Cookie" => logged_in_cookie)
+    assert_equal "user:user:42", res.body
+
+    # Step 3: logout (server clears the identity_* keys; the response
+    # re-signs the cleared cookie and returns it).
+    logout_res = post("/logout", "", "Cookie" => logged_in_cookie)
+    logged_out_cookie = session_cookie_from(logout_res)
+
+    # Step 4: subsequent request with the post-logout cookie sees
+    # anonymous.
+    res = get("/whoami", "Cookie" => logged_out_cookie)
+    assert_equal "user:", res.body
+  end
+
+  # ---- tampering ----
+
+  def test_tampered_cookie_falls_back_to_anonymous
+    login_res = post("/login_human")
+    cookie = session_cookie_from(login_res)
+    # Mangle the signature half (everything after the last dot).
+    tampered = cookie.sub(/\.[^.]+\z/, ".aaaaaaaa")
+    res = get("/whoami", "Cookie" => tampered)
+    assert_equal "user:", res.body
+  end
+end