usps-jwt_auth 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 13fa5947571c35b0d6cea5c6236bb61048f3977dd6c008a0c9a04887f458a2e6
+  data.tar.gz: 48572594ff31f88c6f9043c0856b49b9a3b2bcf9faaa380d2dd5ee40561cb614
+SHA512:
+  metadata.gz: a8777d6b9c4c146e327aba4eb179d500168b620d3f811b6f76fa23eddace6f3eabb1ce2926158ecd1729145c19025f5579f27a874446853551a1510fbaf37703
+  data.tar.gz: 5c436aabb4889f0ef6cd5cc0601b0ec00e7ce434fb373a7e7977c819fd8769ea90d582137bdd10b0b0fb42c6f41d6905fb3f3aa9eede62fe0f8ab2aebe206564

data/.ruby-version

@@ -0,0 +1 @@
+3.4.6

data/README.md

@@ -0,0 +1,23 @@
+# USPS JWT Authentication
+
+## Installation
+
+```sh
+bundle exec rake usps:jwt:install
+```
+
+## Configuration
+
+```ruby
+Usps::JwtAuth.configure do |config|
+  config.environment = Rails.env
+  config.keys_path = Rails.root.join('config/keys')
+  config.public_keys_path = Rails.root.join('config/public_keys')
+
+  config.jwt = {
+    audience: ENV.fetch('JWT_AUDIENCE'),
+    issuer_base: ENV.fetch('JWT_ISSUER_BASE', 'usps:1'),
+    issuers: ENV.fetch('JWT_ISSUERS', 'admin:1').split(','),
+  }
+end
+```

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/lib/tasks/jwt_auth.rake

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+namespace :usps do
+  namespace :jwt do
+    desc 'Setup JWT Authentication'
+    task install: :environment do
+      # Ensure keys directories exist
+      FileUtils.mkdir_p(Usps::JwtAuth.configuration.keys_path)
+      FileUtils.touch(Usps::JwtAuth.configuration.keys_path.join('/.keep'))
+      FileUtils.mkdir_p(Usps::JwtAuth.configuration.public_keys_path)
+      FileUtils.touch(Usps::JwtAuth.configuration.public_keys_path.join('/.keep'))
+
+      # Ignore keys directories from git
+      File.open('.gitignore', 'a') do |file|
+        file.puts "\n"
+        file.puts Usps::JwtAuth.configuration.keys_path
+        file.puts "!#{Usps::JwtAuth.configuration.keys_path.join('/.keep')}"
+        file.puts Usps::JwtAuth.configuration.public_keys_path
+        file.puts "!#{Usps::JwtAuth.configuration.public_keys_path.join('/.keep')}"
+      end
+    end
+  end
+end

data/lib/usps/jwt_auth/concern.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+module Usps
+  module JwtAuth
+    # Controller helpers for handling JWT authentication
+    #
+    module Concern
+      extend ActiveSupport::Concern
+
+      included do
+        helper_method :current_user
+        helper_method :jwt_user
+        helper_method :user_signed_in?
+      end
+
+    private
+
+      def current_user
+        return @current_user if defined?(@current_user)
+
+        stub_jwt! if JwtAuth.configuration.environment.test? && fetch_jwt.nil?
+
+        current_user_from_jwt
+      end
+
+      # Validate JWT, or else redirect to old location
+      #   Old location will check for login, and either generate a JWT and redirect back, or
+      #   redirect to login page
+      def authenticate_user_from_jwt!
+        user_signed_in? || redirect_to_login
+      end
+
+      def user_signed_in?
+        current_user.present?
+      end
+
+      ###############
+      # Gem Private #
+      ###############
+
+      def current_user_from_jwt
+        reset_session if params[:logout].present?
+        return if set_new_jwt
+
+        load_current_user if fetch_jwt.present?
+      end
+
+      def load_current_user
+        @current_user = jwt_user
+        return @current_user unless Pundit.policy(@current_user, :admin).admin? && session.key?('impersonate')
+
+        # Admin has entered impersonation mode -- override current_user
+        @current_user = Members::Member.find(session['impersonate']['impersonated'])
+      rescue JWT::ExpiredSignature
+        clear_jwt
+        nil
+      rescue ActiveRecord::RecordNotFound => e
+        Bugsnag.notify(e)
+        clear_jwt
+        nil
+      end
+
+      def jwt_user
+        @jwt_user ||= Members::Member.find(jwt['certificate']) if fetch_jwt
+      end
+
+      def set_new_jwt
+        return if params[:jwt].blank?
+
+        store_jwt(params[:jwt])
+        redirect_to(params[:path] || root_path) # Breaks the login loop
+        nil
+      end
+
+      def store_jwt(token)
+        session[:jwt] = token
+        cookies[:jwt] = { value: token, domain: cookie_domain, httponly: true }
+      end
+
+      def cookie_domain
+        JwtAuth.configuration.environment.production? ? '.aws.usps.org' : 'localhost'
+      end
+
+      def clear_jwt
+        session[:jwt] = nil
+        cookies.delete(:jwt, domain: cookie_domain)
+      end
+
+      def fetch_jwt
+        session[:jwt] || cookies[:jwt]
+      end
+
+      def jwt
+        Decode.decode(
+          fetch_jwt,
+          audience: [JwtAuth.configuration.jwt.audience],
+          issuer: JwtAuth.configuration.jwt.issuer
+        )
+      end
+
+      def redirect_to_login
+        url = 'https://www.usps.org/jwt'
+        local = "#{url}?local&port=#{ENV.fetch('PORT', '3000')}"
+        production = "#{url}?application=#{JwtAuth.configuration.jwt.audience}"
+        url = JwtAuth.configuration.environment.development? ? local : production
+        url = "#{url}&path=#{request.path}"
+
+        redirect_to(url, allow_other_host: true)
+      end
+
+      def stub_jwt!
+        raise 'Cannot stub JWT outside of test environment!' unless JwtAuth.configuration.environment.test?
+
+        store_jwt(
+          Encode.encode(
+            { certificate: ENV['STUB_CERTIFICATE'].presence || 'E123456' },
+            audience: [JwtAuth.configuration.jwt.audience], issuer: JwtAuth.configuration.issuers.first
+          )
+        )
+      end
+    end
+  end
+end

data/lib/usps/jwt_auth/config.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Usps
+  module JwtAuth
+    # Configure JWT Authentication
+    #
+    module Config
+      attr_accessor :keys_path, :public_keys_path, :environment
+      attr_writer :key_size
+      attr_reader :jwt
+
+      def initialize
+        yield self if block_given?
+      end
+
+      def key_size
+        @key_size || 4096
+      end
+
+      def jwt=(hash)
+        @jwt = ActiveSupport::OrderedOptions.new(
+          {
+            issuer_base: 'usps:1',
+            issuers: [],
+            audience: nil,
+            algorithm: 'RS512'
+          }.merge(hash)
+        )
+      end
+
+      def issuer
+        /\A#{jwt.issuer_base}(?::#{RegExp.union(jwt.issuers)})?\z/
+      end
+    end
+  end
+end

data/lib/usps/jwt_auth/decode.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Usps
+  module JwtAuth
+    # Decode and validate data from a JWT
+    #
+    class Decode
+      CONFIG = {
+        required_claims: %w[iss exp],
+        verify_iss: true,
+        verify_aud: true,
+        algorithm: JwtAuth.configuration.jwt.algorithm
+      }.freeze
+
+      def self.decode(token, audience: [], issuer: nil)
+        new.decode(token, audience: audience, issuer: issuer)
+      end
+
+      def self.issuer_pattern(issuer)
+        /\A#{JwtAuth.configuration.jwt.issuer_base}(?:\z|:#{issuer})/
+      end
+
+      def decode(token, audience: [], issuer: nil)
+        result = JWT.decode(
+          token,
+          public_key(token),
+          true,
+          CONFIG.merge(
+            aud: audience,
+            iss: self.class.issuer_pattern(issuer)
+          )
+        )
+        result[0]['data']
+      end
+
+    private
+
+      def public_key(token)
+        OpenSSL::PKey::RSA.new(File.read("#{JwtAuth.configuration.public_keys_path}/#{fingerprint(token)}.pub"))
+      end
+
+      def fingerprint(token)
+        JWT.decode(token, nil, false)[0]['key']
+      end
+    end
+  end
+end

data/lib/usps/jwt_auth/encode.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Usps
+  module JwtAuth
+    # Encode data as a JWT
+    #
+    class Encode
+      JwtAuth.config.key_size
+
+      def self.encode(data, expiration_time: 15 * 60, audience: [], issuer: nil)
+        new(expiration_time: expiration_time, audience: audience, issuer: issuer).encode(data)
+      end
+
+      def initialize(expiration_time: 15 * 60, audience: [], issuer: nil)
+        private_key
+        @expiration_time = expiration_time
+        @audience = audience
+        @issuer = issuer
+      rescue StandardError
+        @private_key = generate_private_key
+        store_private_key
+        retry
+      ensure
+        store_public_key
+      end
+
+      def encode(data)
+        JWT.encode(payload(data), private_key, ALGORITHM)
+      end
+
+      def public_key
+        @public_key ||= private_key.public_key
+      end
+
+      def fingerprint
+        OpenSSL::Digest::SHA256.new(public_key.to_der).to_s
+      end
+
+    private
+
+      def expires_at
+        DateTime.now.to_i + @expiration_time
+      end
+
+      def payload(data)
+        {
+          data: data,
+          exp: expires_at.to_i,
+          iss: [JwtAuth.configuration.jwt.issuer_base, @issuer].join(':'),
+          aud: @audience,
+          key: fingerprint
+        }
+      end
+
+      def private_key
+        @private_key ||= OpenSSL::PKey::RSA.new(File.read(keys.first))
+      end
+
+      def keys
+        Dir["#{JwtAuth.configuration.keys_path}/*"]
+      end
+
+      def store_private_key
+        path = "#{JwtAuth.configuration.keys_path}/#{fingerprint}"
+        File.open(path, 'w+') { |f| f.puts(private_key) }
+        FileUtils.chmod(0o600, path)
+      end
+
+      def store_public_key
+        path = "#{JwtAuth.configuration.public_keys_path}/#{fingerprint}.pub"
+        File.open(path, 'w+') { |f| f.puts(public_key) }
+        FileUtils.chmod(0o644, path)
+      end
+
+      def generate_private_key
+        OpenSSL::PKey::RSA.generate(KEY_SIZE)
+      end
+    end
+  end
+end

data/lib/usps/jwt_auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Usps
+  module JwtAuth
+    VERSION = '0.0.1'
+  end
+end

data/lib/usps/jwt_auth.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+# Internal requires
+require_relative 'jwt_auth/version'
+require_relative 'jwt_auth/config'
+require_relative 'jwt_auth/encode'
+require_relative 'jwt_auth/decode'
+require_relative 'jwt_auth/concern'
+
+module Usps
+  # DOC COMMENT
+  module JwtAuth
+    class << self
+      def configuration
+        @configuration ||= Config.new
+      end
+
+      def configure
+        yield(configuration) if block_given?
+        configuration
+      end
+
+      delegate :encode, to: :Encode
+      delegate :decode, to: :Decode
+    end
+  end
+end

data/sig/usps_jwt/auth.rbs

@@ -0,0 +1,6 @@
+module UspsJwt
+  module Auth
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: usps-jwt_auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Julian Fiander
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: JWT authentication for USPS applications deployed to AWS
+email:
+- jsfiander@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".ruby-version"
+- README.md
+- Rakefile
+- lib/tasks/jwt_auth.rake
+- lib/usps/jwt_auth.rb
+- lib/usps/jwt_auth/concern.rb
+- lib/usps/jwt_auth/config.rb
+- lib/usps/jwt_auth/decode.rb
+- lib/usps/jwt_auth/encode.rb
+- lib/usps/jwt_auth/version.rb
+- sig/usps_jwt/auth.rbs
+homepage: https://www.usps.org
+licenses: []
+metadata:
+  homepage_uri: https://www.usps.org
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: USPS JWT Authentication
+test_files: []