tripwire-server 0.1.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 29ad4de59013e7b0962b8444feb069a8b1b216831a40d46fa7dd9c3cb16371a8
-  data.tar.gz: c6ccc706e11d7954c33e3a77797bb2711748cc99fb3144a6f46c2e588d0f8136
+  metadata.gz: 45e6986f12a591fdd4523c5564f2555d09c0729783e5d12998541e65652814d4
+  data.tar.gz: b7c767d8c99846ce42dfa6820dcf787a48cb36f0367ec302f636a55b706dfd0c
 SHA512:
-  metadata.gz: 38a299b8107727875c39ebe0c0a3a97cf6d45396f484a49dbc02766cbc5bb1918308c75908959a53e1e4e04409ec545ba7d2cb795bea6ba85c5ec31a182372d7
-  data.tar.gz: 0547b124aed5e0fba0e744279b63b312f9e0abee5114195ed452fd92bff6ad8cfa05e0543bcfd7c1c7ba678b0c4e5861be3f9e20451c7f43d8a578b4a4f910a2
+  metadata.gz: 6bb732f690f751fd371ffcaccec4895f762a06685703715c92e35a1cbdd35d87dca706d6fcb5a5c8763e8bd9e26ca003e758d747dc724bdba2c21547922ce032
+  data.tar.gz: fe3def014d6b619cad9e3a07a1fc05a276b415231b30538afbf49d832bb5436f644cc9918a02aa1bea1a9a0fdae0cbc67c141d8e2d181bfd60da3d4eb0cebf7b

data/README.md

@@ -1,16 +1,18 @@
 # Tripwire Ruby Library
 
 ![Preview](https://img.shields.io/badge/status-preview-111827)
-![Ruby 2.6+](https://img.shields.io/badge/ruby-2.6%2B-CC342D?logo=ruby&logoColor=white)
+![Ruby 3.3+](https://img.shields.io/badge/ruby-3.3%2B-CC342D?logo=ruby&logoColor=white)
 ![License: MIT](https://img.shields.io/badge/license-MIT-0f766e.svg)
 
-The Tripwire Ruby library provides convenient access to the Tripwire API from applications written in Ruby. It includes a client for Sessions, Fingerprints, Teams, Team API key management, and sealed token verification.
+The Tripwire Ruby library provides convenient access to the Tripwire API from applications written in Ruby. It includes a client for Sessions, visitor fingerprints, Teams, Team API key management, sealed token verification, Gate, and Gate delivery/webhook helpers.
 
 The library also provides:
 
 - a fast configuration path using `TRIPWIRE_SECRET_KEY`
 - lazy helpers for cursor-based pagination
 - structured API errors and built-in sealed token verification
+- public, bearer-token, and secret-key auth modes for Gate flows
+- Gate delivery/webhook helpers
 
 ## Documentation
 
@@ -26,11 +28,11 @@ bundle add tripwire-server
 
 ## Requirements
 
-- Ruby 2.6+
+- Ruby 3.3+
 
 ## Usage
 
-The library needs to be configured with your account's secret key. Set `TRIPWIRE_SECRET_KEY` in your environment or pass `secret_key` directly:
+Use `TRIPWIRE_SECRET_KEY` or `secret_key:` for core detect APIs. For public or bearer-auth Gate flows, the client can also be created without a secret key:
 
 ```ruby
 require "tripwire/server"
@@ -38,7 +40,9 @@ require "tripwire/server"
 client = Tripwire::Server::Client.new(secret_key: "sk_live_...")
 
 page = client.sessions.list(verdict: "bot", limit: 25)
-session = client.sessions.get("sid_123")
+session = client.sessions.get("sid_0123456789abcdefghjkmnpqrs")
+
+puts "#{session[:decision][:automation_status]} #{session[:highlights].first&.fetch(:summary, nil)}"
 ```
 
 ### Sealed token verification
@@ -47,7 +51,7 @@ session = client.sessions.get("sid_123")
 result = Tripwire::Server.safe_verify_tripwire_token(sealed_token, "sk_live_...")
 
 if result[:ok]
-  puts "#{result[:data][:verdict]} #{result[:data][:score]}"
+  puts "#{result[:data][:decision][:verdict]} #{result[:data][:decision][:risk_score]}"
 else
   warn result[:error].message
 end
@@ -57,22 +61,22 @@ end
 
 ```ruby
 client.sessions.iter(search: "signup").each do |session|
-  puts "#{session[:id]} #{session[:latestResult][:verdict]}"
+  puts "#{session[:id]} #{session[:latest_decision][:verdict]}"
 end
 ```
 
-### Fingerprints
+### Visitor fingerprints
 
 ```ruby
-fingerprint = client.fingerprints.get("vis_123")
+fingerprint = client.fingerprints.get("vid_0123456789abcdefghjkmnpqrs")
 puts fingerprint[:id]
 ```
 
 ### Teams
 
 ```ruby
-team = client.teams.get("team_123")
-updated = client.teams.update("team_123", name: "New Name")
+team = client.teams.get("team_0123456789abcdefghjkmnpqrs")
+updated = client.teams.update("team_0123456789abcdefghjkmnpqrs", name: "New Name")
 
 puts updated[:name]
 ```
@@ -80,8 +84,39 @@ puts updated[:name]
 ### Team API keys
 
 ```ruby
-created = client.teams.api_keys.create("team_123", name: "Production")
-client.teams.api_keys.revoke("team_123", created[:id])
+created = client.teams.api_keys.create("team_0123456789abcdefghjkmnpqrs", name: "Production", environment: "live")
+client.teams.api_keys.revoke("team_0123456789abcdefghjkmnpqrs", created[:id])
+```
+
+### Gate APIs
+
+```ruby
+delivery_key_pair = Tripwire::Server::GateDelivery.create_delivery_key_pair
+
+services = client.gate.registry.list
+session = client.gate.sessions.create(
+  service_id: "tripwire",
+  account_name: "my-project",
+  delivery: delivery_key_pair[:delivery]
+)
+
+puts "#{services.first[:id]} #{session[:consent_url]}"
+```
+
+### Gate delivery and webhook helpers
+
+```ruby
+key_pair = Tripwire::Server::GateDelivery.create_delivery_key_pair
+response = Tripwire::Server::GateDelivery.create_gate_approved_webhook_response(
+  delivery: key_pair[:delivery],
+  outputs: {
+    "TRIPWIRE_PUBLISHABLE_KEY" => "pk_live_...",
+    "TRIPWIRE_SECRET_KEY" => "sk_live_..."
+  }
+)
+payload = Tripwire::Server::GateDelivery.decrypt_gate_delivery_envelope(key_pair[:private_key], response[:encrypted_delivery])
+
+puts payload[:outputs]["TRIPWIRE_SECRET_KEY"]
 ```
 
 ### Error handling

data/lib/tripwire/server/client.rb

@@ -10,11 +10,9 @@ module Tripwire
       DEFAULT_TIMEOUT = 30
       SDK_CLIENT_HEADER = "tripwire-server-ruby/0.1.0".freeze
 
-      attr_reader :sessions, :fingerprints, :teams, :timeout
+      attr_reader :sessions, :fingerprints, :teams, :gate, :timeout
 
       def initialize(secret_key: ENV["TRIPWIRE_SECRET_KEY"], base_url: DEFAULT_BASE_URL, timeout: DEFAULT_TIMEOUT, user_agent: nil, transport: nil)
-        raise ConfigurationError, "Missing Tripwire secret key. Pass secret_key explicitly or set TRIPWIRE_SECRET_KEY." if secret_key.nil? || secret_key.empty?
-
         @secret_key = secret_key
         @base_url = base_url
         @timeout = timeout
@@ -24,17 +22,18 @@ module Tripwire
         @sessions = SessionsResource.new(self)
         @fingerprints = FingerprintsResource.new(self)
         @teams = TeamsResource.new(self)
+        @gate = GateResource.new(self)
       end
 
-      def request_json(method, path, query: {}, body: nil, expect_content: true)
+      def request_json(method, path, query: {}, body: nil, expect_content: true, auth: { kind: :secret })
         url = build_url(path, query)
         headers = {
-          "Authorization" => "Bearer #{@secret_key}",
           "Accept" => "application/json",
           "X-Tripwire-Client" => SDK_CLIENT_HEADER
         }
         headers["User-Agent"] = @user_agent if @user_agent
         headers["Content-Type"] = "application/json" if body
+        apply_auth_headers(headers, auth)
 
         status, response_headers, response_body =
           if @transport
@@ -54,9 +53,9 @@ module Tripwire
               status: status,
               code: error[:code] || "request.failed",
               message: error[:message] || response_body.to_s,
-              request_id: request_id || error[:requestId],
-              field_errors: details[:fieldErrors] || [],
-              docs_url: error[:docsUrl],
+              request_id: request_id || error[:request_id],
+              field_errors: details[:fields] || [],
+              docs_url: error[:docs_url],
               body: payload
             )
           end
@@ -125,6 +124,24 @@ module Tripwire
         end
       end
       private :deep_symbolize
+
+      def apply_auth_headers(headers, auth)
+        kind = (auth[:kind] || :secret).to_sym
+        case kind
+        when :none
+          headers
+        when :bearer
+          token = auth[:token]
+          raise ConfigurationError, "Missing bearer token for this Tripwire request." if token.nil? || token.empty?
+
+          headers["Authorization"] = "Bearer #{token}"
+        else
+          raise ConfigurationError, "Missing Tripwire secret key. Pass secret_key explicitly or set TRIPWIRE_SECRET_KEY." if @secret_key.nil? || @secret_key.empty?
+
+          headers["Authorization"] = "Bearer #{@secret_key}"
+        end
+      end
+      private :apply_auth_headers
     end
 
     class BaseResource
@@ -138,8 +155,8 @@ module Tripwire
         ListResult.new(
           items: payload[:data],
           limit: payload.fetch(:pagination).fetch(:limit),
-          has_more: payload.fetch(:pagination).fetch(:hasMore),
-          next_cursor: payload.fetch(:pagination)[:nextCursor]
+          has_more: payload.fetch(:pagination).fetch(:has_more),
+          next_cursor: payload.fetch(:pagination)[:next_cursor]
         )
       end
     end
@@ -203,12 +220,12 @@ module Tripwire
     end
 
     class ApiKeysResource < BaseResource
-      def create(team_id, name: nil, is_test: nil, allowed_origins: nil, rate_limit: nil)
+      def create(team_id, name: nil, environment: nil, allowed_origins: nil, rate_limit: nil)
         payload = @client.request_json("POST", "/v1/teams/#{CGI.escape(team_id)}/api-keys", body: compact({
           name: name,
-          isTest: is_test,
-          allowedOrigins: allowed_origins,
-          rateLimit: rate_limit
+          environment: environment,
+          allowed_origins: allowed_origins,
+          rate_limit: rate_limit
         }))
         payload[:data]
       end
@@ -222,8 +239,7 @@ module Tripwire
       end
 
       def revoke(team_id, key_id)
-        @client.request_json("DELETE", "/v1/teams/#{CGI.escape(team_id)}/api-keys/#{CGI.escape(key_id)}", expect_content: false)
-        nil
+        @client.request_json("DELETE", "/v1/teams/#{CGI.escape(team_id)}/api-keys/#{CGI.escape(key_id)}")[:data]
       end
 
       def rotate(team_id, key_id)
@@ -261,5 +277,144 @@ module Tripwire
         }.reject { |_key, value| value.nil? })[:data]
       end
     end
+
+    class GateResource < BaseResource
+      attr_reader :registry, :services, :sessions, :login_sessions, :agent_tokens
+
+      def initialize(client)
+        super(client)
+        @registry = GateRegistryResource.new(client)
+        @services = GateServicesResource.new(client)
+        @sessions = GateSessionsResource.new(client)
+        @login_sessions = GateLoginSessionsResource.new(client)
+        @agent_tokens = GateAgentTokensResource.new(client)
+      end
+    end
+
+    class GateRegistryResource < BaseResource
+      def list
+        @client.request_json("GET", "/v1/gate/registry", auth: { kind: :none })[:data]
+      end
+
+      def get(service_id)
+        @client.request_json("GET", "/v1/gate/registry/#{CGI.escape(service_id)}", auth: { kind: :none })[:data]
+      end
+    end
+
+    class GateServicesResource < BaseResource
+      def list
+        @client.request_json("GET", "/v1/gate/services")[:data]
+      end
+
+      def get(service_id)
+        @client.request_json("GET", "/v1/gate/services/#{CGI.escape(service_id)}")[:data]
+      end
+
+      def create(id:, name:, description:, website:, webhook_url:, discoverable: nil, dashboard_login_url: nil, webhook_secret: nil, env_vars: nil, docs_url: nil, sdks: nil, branding: nil, consent: nil)
+        @client.request_json("POST", "/v1/gate/services", body: compact({
+          id: id,
+          discoverable: discoverable,
+          name: name,
+          description: description,
+          website: website,
+          dashboard_login_url: dashboard_login_url,
+          webhook_url: webhook_url,
+          webhook_secret: webhook_secret,
+          env_vars: env_vars,
+          docs_url: docs_url,
+          sdks: sdks,
+          branding: branding,
+          consent: consent
+        }))[:data]
+      end
+
+      def update(service_id, discoverable: nil, name: nil, description: nil, website: nil, dashboard_login_url: nil, webhook_url: nil, webhook_secret: nil, env_vars: nil, docs_url: nil, sdks: nil, branding: nil, consent: nil)
+        @client.request_json("PATCH", "/v1/gate/services/#{CGI.escape(service_id)}", body: compact({
+          discoverable: discoverable,
+          name: name,
+          description: description,
+          website: website,
+          dashboard_login_url: dashboard_login_url,
+          webhook_url: webhook_url,
+          webhook_secret: webhook_secret,
+          env_vars: env_vars,
+          docs_url: docs_url,
+          sdks: sdks,
+          branding: branding,
+          consent: consent
+        }))[:data]
+      end
+
+      def disable(service_id)
+        @client.request_json("DELETE", "/v1/gate/services/#{CGI.escape(service_id)}")[:data]
+      end
+
+      private
+
+      def compact(hash)
+        hash.reject { |_key, value| value.nil? }
+      end
+    end
+
+    class GateSessionsResource < BaseResource
+      def create(service_id:, account_name:, delivery:, metadata: nil)
+        body = {
+          service_id: service_id,
+          account_name: account_name,
+          delivery: delivery
+        }
+        body[:metadata] = metadata unless metadata.nil?
+
+        @client.request_json("POST", "/v1/gate/sessions", body: body, auth: { kind: :none })[:data]
+      end
+
+      def poll(gate_session_id, poll_token:)
+        @client.request_json(
+          "GET",
+          "/v1/gate/sessions/#{CGI.escape(gate_session_id)}",
+          auth: { kind: :bearer, token: poll_token }
+        )[:data]
+      end
+
+      def acknowledge(gate_session_id, poll_token:, ack_token:)
+        @client.request_json(
+          "POST",
+          "/v1/gate/sessions/#{CGI.escape(gate_session_id)}/ack",
+          body: { ack_token: ack_token },
+          auth: { kind: :bearer, token: poll_token }
+        )[:data]
+      end
+    end
+
+    class GateLoginSessionsResource < BaseResource
+      def create(service_id:, agent_token:)
+        @client.request_json(
+          "POST",
+          "/v1/gate/login-sessions",
+          body: { service_id: service_id },
+          auth: { kind: :bearer, token: agent_token }
+        )[:data]
+      end
+
+      def consume(code:)
+        @client.request_json("POST", "/v1/gate/login-sessions/consume", body: { code: code })[:data]
+      end
+    end
+
+    class GateAgentTokensResource < BaseResource
+      def verify(agent_token:)
+        @client.request_json("POST", "/v1/gate/agent-tokens/verify", body: { agent_token: agent_token })[:data]
+      end
+
+      def revoke(agent_token:)
+        @client.request_json(
+          "POST",
+          "/v1/gate/agent-tokens/revoke",
+          body: { agent_token: agent_token },
+          expect_content: false
+        )
+        nil
+      end
+    end
   end
 end

data/lib/tripwire/server/crypto_support.rb

@@ -0,0 +1,49 @@
+require "openssl"
+require "rubygems"
+
+module Tripwire
+  module Server
+    module CryptoSupport
+      MIN_SUPPORTED_RUBY_VERSION = Gem::Version.new("3.3.0")
+      UNSUPPORTED_RUNTIME_MESSAGE = "Tripwire Ruby cryptography helpers require Ruby 3.3+ with modern OpenSSL support.".freeze
+
+      module_function
+
+      def supported_runtime?
+        return @supported_runtime unless @supported_runtime.nil?
+
+        @supported_runtime = Gem::Version.new(RUBY_VERSION) >= MIN_SUPPORTED_RUBY_VERSION &&
+          OpenSSL::PKey.respond_to?(:generate_key) &&
+          defined?(OpenSSL::KDF) &&
+          OpenSSL::KDF.respond_to?(:hkdf) &&
+          aead_auth_data_supported?
+      end
+
+      def ensure_supported_runtime!
+        return if supported_runtime?
+
+        raise ConfigurationError, UNSUPPORTED_RUNTIME_MESSAGE
+      end
+
+      def minimum_supported_ruby_version
+        MIN_SUPPORTED_RUBY_VERSION
+      end
+
+      def unsupported_runtime_message
+        UNSUPPORTED_RUNTIME_MESSAGE
+      end
+
+      def aead_auth_data_supported?
+        cipher = OpenSSL::Cipher.new("aes-256-gcm")
+        cipher.encrypt
+        cipher.key = "\x00".b * 32
+        cipher.iv = "\x00".b * 12
+        cipher.auth_data = "".b
+        true
+      rescue StandardError
+        false
+      end
+      private_class_method :aead_auth_data_supported?
+    end
+  end
+end