usps-jwt_auth 0.1.1 → 0.2.1.pre.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ba26d6eaed75b285ebfc99c508c1293fcfa256829ec0bfdd8aae3d53bb32614
-  data.tar.gz: 0f4798665bd519bf0b09da6ff765fb656b4cbd634cfa14d0fe02b9277567bba7
+  metadata.gz: 3c45d1b462c7f11136d16d76f13b72ab45153f4e9bd6e94ed1ccd9306a0f325e
+  data.tar.gz: e36e70c0e2280ddd766c428580c0a3d41070e674eb63df01f96e5cc4ce670da7
 SHA512:
-  metadata.gz: ee25cbc235574214e7a6584f6ec2adc69adf79393307b96f6e5b2e0fe884c9c73a1b5ce4b06c6772e4719eb3b070fdc1d093328a99c9b199932e929c29c14b43
-  data.tar.gz: 11c096d289512d8650e82b4ca5e9ec2ac03344cd0d7d70ec12375405d7aac292dab3f910b276eddeb8d4f8b874a9f6cde31e5edc99eea4ebbef54464403195c3
+  metadata.gz: 04d6b27926a988870273e8298388c1f44579cbcfa6d5f6c95667f9e82704881e1be6b9f5cd149561d52fc21f36371148c1e513461af6c5cb00cb44e91e073358
+  data.tar.gz: 3af959d552bd694fc8d10cf976416be52ef8f6e833eb45b751f112d657aaeaf4ce71b0bf1aa2f4f0f2011cbdb4b7a7217b0290d3c9e328b6be6016b51c63929a

data/.simplecov

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+SimpleCov.start do
+  enable_coverage :branch
+  primary_coverage :branch
+
+  groups.delete('Channels')
+  groups.delete('Libraries')
+
+  add_filter('lib/usps/jwt_auth/concern.rb')
+end

data/README.md

@@ -21,14 +21,14 @@ bundle exec rails usps:jwt:install
 ```ruby
 Usps::JwtAuth.configure do |config|
   config.environment = Rails.env
-  config.keys_path = 'config/keys'
-  config.public_keys_path = 'config/public_keys'
-
-  config.jwt = {
-    audience: ENV.fetch('JWT_AUDIENCE'),
-    issuer_base: ENV.fetch('JWT_ISSUER_BASE', 'usps:1'),
-    issuers: ENV.fetch('JWT_ISSUERS', 'admin:1').split(',')
-  }
+  # config.keys_path = 'config/keys'
+  # config.public_keys_path = 'config/public_keys'
+  # config.key_size = 4096
+  # config.algorithm = 'RS512'
+
+  config.audience = ENV.fetch('JWT_AUDIENCE')
+  # config.issuer_base = ENV.fetch('JWT_ISSUER_BASE', 'usps:1')
+  config.issuers = ENV.fetch('JWT_ISSUERS', 'admin:1').split(',')
 
   config.is_admin = ->(user) { Pundit.policy(user, :admin).admin? }
   config.find_member = ->(certificate) { Members::Member.find(certificate) }

data/lib/tasks/jwt_auth.rake

@@ -5,18 +5,18 @@ namespace :usps do
     desc 'Setup JWT Authentication'
     task install: :environment do
       # Ensure keys directories exist
-      FileUtils.mkdir_p(Usps::JwtAuth.configuration.keys_path)
-      FileUtils.touch(Usps::JwtAuth.configuration.keys_path.join('.keep'))
-      FileUtils.mkdir_p(Usps::JwtAuth.configuration.public_keys_path)
-      FileUtils.touch(Usps::JwtAuth.configuration.public_keys_path.join('.keep'))
+      FileUtils.mkdir_p(Usps::JwtAuth.config.keys_path)
+      FileUtils.touch(Usps::JwtAuth.config.keys_path.join('.keep'))
+      FileUtils.mkdir_p(Usps::JwtAuth.config.public_keys_path)
+      FileUtils.touch(Usps::JwtAuth.config.public_keys_path.join('.keep'))
 
       # Ignore keys directories from git
       File.open('.gitignore', 'a') do |file|
         file.puts <<~IGNORE
-          /#{Usps::JwtAuth.configuration.keys_path}
-          /!#{Usps::JwtAuth.configuration.keys_path.join('.keep')}
-          /#{Usps::JwtAuth.configuration.public_keys_path}
-          /!#{Usps::JwtAuth.configuration.public_keys_path.join('.keep')}
+          /#{Usps::JwtAuth.config.keys_path}
+          /!#{Usps::JwtAuth.config.keys_path.join('.keep')}
+          /#{Usps::JwtAuth.config.public_keys_path}
+          /!#{Usps::JwtAuth.config.public_keys_path.join('.keep')}
         IGNORE
       end
     end

data/lib/usps/jwt_auth/concern.rb

@@ -20,7 +20,7 @@ module Usps
       def current_user
         return @current_user if defined?(@current_user)
 
-        stub_jwt! if JwtAuth.configuration.environment.test? && fetch_jwt.nil?
+        stub_jwt! if JwtAuth.config.environment.test? && fetch_jwt.nil?
 
         current_user_from_jwt
       end
@@ -49,10 +49,10 @@ module Usps
 
       def load_current_user
         @current_user = jwt_user
-        return @current_user unless JwtAuth.configuration.is_admin.call(@current_user) && session.key?('impersonate')
+        return @current_user unless JwtAuth.config.is_admin.call(@current_user) && session.key?('impersonate')
 
         # Admin has entered impersonation mode -- override current_user
-        @current_user = JwtAuth.configuration.find_member.call(session['impersonate']['impersonated'])
+        @current_user = JwtAuth.config.find_member.call(session['impersonate']['impersonated'])
       rescue JWT::ExpiredSignature
         clear_jwt
         nil
@@ -63,7 +63,7 @@ module Usps
       end
 
       def jwt_user
-        @jwt_user ||= JwtAuth.configuration.find_member.call(jwt['certificate']) if fetch_jwt
+        @jwt_user ||= JwtAuth.config.find_member.call(jwt['certificate']) if fetch_jwt
       end
 
       def set_new_jwt
@@ -80,7 +80,7 @@ module Usps
       end
 
       def cookie_domain
-        JwtAuth.configuration.environment.production? ? '.aws.usps.org' : 'localhost'
+        JwtAuth.config.environment.production? ? '.aws.usps.org' : 'localhost'
       end
 
       def clear_jwt
@@ -95,28 +95,28 @@ module Usps
       def jwt
         Decode.decode(
           fetch_jwt,
-          audience: [JwtAuth.configuration.jwt.audience],
-          issuer: JwtAuth.configuration.jwt.issuer
+          audience: [JwtAuth.config.jwt.audience],
+          issuer: JwtAuth.config.jwt.issuer
         )
       end
 
       def redirect_to_login
         url = 'https://www.usps.org/jwt'
         local = "#{url}?local&port=#{ENV.fetch('PORT', '3000')}"
-        production = "#{url}?application=#{JwtAuth.configuration.jwt.audience}"
-        url = JwtAuth.configuration.environment.development? ? local : production
+        production = "#{url}?application=#{JwtAuth.config.jwt.audience}"
+        url = JwtAuth.config.environment.development? ? local : production
         url = "#{url}&path=#{request.path}"
 
         redirect_to(url, allow_other_host: true)
       end
 
       def stub_jwt!
-        raise 'Cannot stub JWT outside of test environment!' unless JwtAuth.configuration.environment.test?
+        raise 'Cannot stub JWT outside of test environment!' unless JwtAuth.config.environment.test?
 
         store_jwt(
           Encode.encode(
             { certificate: ENV['STUB_CERTIFICATE'].presence || 'E123456' },
-            audience: [JwtAuth.configuration.jwt.audience], issuer: JwtAuth.configuration.jwt.issuers.first
+            audience: [JwtAuth.config.jwt.audience], issuer: JwtAuth.config.jwt.issuers.first
           )
         )
       end

data/lib/usps/jwt_auth/config.rb

@@ -5,16 +5,22 @@ module Usps
     # Configure JWT Authentication
     #
     class Config
-      attr_accessor :environment, :is_admin, :find_member
-      attr_writer :key_size
-      attr_reader :keys_path, :public_keys_path, :jwt
+      REQUIRED_OPTIONS = %i[audience is_admin find_member].freeze
+
+      attr_accessor :environment, :key_size, :algorithm, :issuer_base, :issuers, :audience, :is_admin, :find_member
+      attr_reader :keys_path, :public_keys_path
 
       def initialize
-        yield self if block_given?
-      end
+        @environment = ActiveSupport::StringInquirer.new('development')
+        @keys_path = Pathname.new('config/keys')
+        @public_keys_path = Pathname.new('config/public_keys')
+        @key_size = 4096
+        @algorithm = 'RS512'
+        @issuer_base = 'usps:1'
+        @issuers = []
+        @audience = nil
 
-      def key_size
-        @key_size || 4096
+        yield self if block_given? # Also support setting options on initialize
       end
 
       def keys_path=(path)
@@ -25,18 +31,15 @@ module Usps
         @public_keys_path = path.is_a?(Pathname) ? path : Pathname.new(path)
       end
 
-      def jwt=(hash)
-        @jwt = ActiveSupport::InheritableOptions.new(
-          {
-            issuer_base: 'usps:1',
-            issuers: [],
-            audience: nil
-          }.merge(hash)
-        )
+      def issuer
+        /\A#{issuer_base}(?::#{Regexp.union(issuers)})?\z/
       end
 
-      def issuer
-        /\A#{jwt.issuer_base}(?::#{RegExp.union(jwt.issuers)})?\z/
+      def validate!
+        missing_required_options = REQUIRED_OPTIONS.select { public_send(it).nil? }
+        return unless missing_required_options.any?
+
+        raise "Missing required options: #{missing_required_options.join(', ')}"
       end
     end
   end

data/lib/usps/jwt_auth/decode.rb

@@ -5,19 +5,19 @@ module Usps
     # Decode and validate data from a JWT
     #
     class Decode
-      CONFIG = {
-        required_claims: %w[iss exp],
-        verify_iss: true,
-        verify_aud: true,
-        algorithm: JwtAuth::ALGORITHM
-      }.freeze
-
       def self.decode(token, audience: [], issuer: nil)
         new.decode(token, audience: audience, issuer: issuer)
       end
 
-      def self.issuer_pattern(issuer)
-        /\A#{JwtAuth.configuration.jwt.issuer_base}(?:\z|:#{issuer})/
+      def self.token_options(audience: [], issuer: nil)
+        {
+          required_claims: %w[iss exp],
+          verify_iss: true,
+          verify_aud: true,
+          algorithm: JwtAuth.config.algorithm,
+          aud: audience,
+          iss: /\A#{JwtAuth.config.issuer_base}(?:\z|:#{issuer})/
+        }
       end
 
       def decode(token, audience: [], issuer: nil)
@@ -25,10 +25,7 @@ module Usps
           token,
           public_key(token),
           true,
-          CONFIG.merge(
-            aud: audience,
-            iss: self.class.issuer_pattern(issuer)
-          )
+          self.class.token_options(audience:, issuer:)
         )
         result[0]['data']
       end
@@ -36,7 +33,7 @@ module Usps
     private
 
       def public_key(token)
-        OpenSSL::PKey::RSA.new(File.read("#{JwtAuth.configuration.public_keys_path}/#{fingerprint(token)}.pub"))
+        OpenSSL::PKey::RSA.new(File.read("#{JwtAuth.config.public_keys_path}/#{fingerprint(token)}.pub"))
       end
 
       def fingerprint(token)

data/lib/usps/jwt_auth/encode.rb

@@ -23,7 +23,7 @@ module Usps
       end
 
       def encode(data)
-        JWT.encode(payload(data), private_key, JwtAuth::ALGORITHM)
+        JWT.encode(payload(data), private_key, JwtAuth.config.algorithm)
       end
 
       def public_key
@@ -44,7 +44,7 @@ module Usps
         {
           data: data,
           exp: expires_at.to_i,
-          iss: [JwtAuth.configuration.jwt.issuer_base, @issuer].join(':'),
+          iss: [JwtAuth.config.issuer_base, @issuer].join(':'),
           aud: @audience,
           key: fingerprint
         }
@@ -55,23 +55,23 @@ module Usps
       end
 
       def keys
-        Dir["#{JwtAuth.configuration.keys_path}/*"]
+        Dir["#{JwtAuth.config.keys_path}/*"]
       end
 
       def store_private_key
-        path = "#{JwtAuth.configuration.keys_path}/#{fingerprint}"
+        path = "#{JwtAuth.config.keys_path}/#{fingerprint}"
         File.open(path, 'w+') { |f| f.puts(private_key) }
         ::FileUtils.chmod(0o600, path)
       end
 
       def store_public_key
-        path = "#{JwtAuth.configuration.public_keys_path}/#{fingerprint}.pub"
+        path = "#{JwtAuth.config.public_keys_path}/#{fingerprint}.pub"
         File.open(path, 'w+') { |f| f.puts(public_key) }
         ::FileUtils.chmod(0o644, path)
       end
 
       def generate_private_key
-        OpenSSL::PKey::RSA.generate(JwtAuth.configuration.key_size)
+        OpenSSL::PKey::RSA.generate(JwtAuth.config.key_size)
       end
     end
   end

data/lib/usps/jwt_auth/version.rb

@@ -2,6 +2,6 @@
 
 module Usps
   module JwtAuth
-    VERSION = '0.1.1'
+    VERSION = '0.2.1-1'
   end
 end

data/lib/usps/jwt_auth.rb

@@ -1,22 +1,21 @@
 # frozen_string_literal: true
 
 require 'jwt'
-require 'active_support/ordered_options'
 require 'fileutils'
 
 module Usps
   # Unified configuration for handling JWT Authentication
   #
   module JwtAuth
-    ALGORITHM = 'RS512'
-
     class << self
       def configuration
         @configuration ||= Config.new
       end
+      alias config configuration
 
       def configure
         yield(configuration) if block_given?
+        configuration.validate!
         configuration
       end
 
@@ -38,4 +37,6 @@ require_relative 'jwt_auth/encode'
 require_relative 'jwt_auth/decode'
 require_relative 'jwt_auth/concern'
 
+# :nocov:
 require 'usps/jwt_auth/railtie' if defined?(Rails)
+# :nocov:

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: usps-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.1.pre.1
 platform: ruby
 authors:
 - Julian Fiander
@@ -9,6 +9,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: fileutils
   requirement: !ruby/object:Gem::Requirement
@@ -45,6 +59,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".ruby-version"
+- ".simplecov"
 - README.md
 - Rakefile
 - lib/tasks/jwt_auth.rake