warden-cognito 0.2.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad71888695cae9d89e314a98ee48954af77ae821210bc11c4585027f770d6e6b
-  data.tar.gz: a0cf1379d7ac70acb57d9f96aa606ff9760c6d50529d3206f77ee79cfaea8b42
+  metadata.gz: 3b095b8a15788cd3682947dcde6cec111c7b83aae11e34a4d74d6b342aae3f57
+  data.tar.gz: 7f20572a8c319295e09977d94d6bb0a51e953e5203e285828ed6c20ad21e4642
 SHA512:
-  metadata.gz: e74522ac52fc4986766bbdea18437a6996eef668ccd547c80b7cc4f048c1d31c0293614f889f241c86fb67cdbda2e837b1142ce1e69439ff296ff4ae63306827
-  data.tar.gz: b7911fa57b3eccc01bffee7a660e6c70c40fad15aa1e42d83b9895d5f8920220345cead762c51b1d9a20424dca4cc9314f6b49681ad010eedfa394e8f2480669
+  metadata.gz: 7cf1a2da60f1bc7cc6cbc977bb0e80f27e339360a133cc9e806c101a8f475a6de5060738598f31627fad13505e2e27d444cdad710df026b87c17077cdf77a9aa
+  data.tar.gz: b5ab73c7baf42f23901af0d3a485c6b4ddfef645685642f13a1a2304972f997b798d8debbbb3a12f65ac293fb8dacd20e339bb56ae40017951a0ab874edcfaa6

data/.rubocop.yml

@@ -4,6 +4,8 @@ AllCops:
     - 'db/**/*'
     - 'vendor/**/*'
 
+  TargetRubyVersion: 2.6
+
 Style/FrozenStringLiteralComment:
   Enabled: false
 

data/CHANGELOG.md

@@ -5,6 +5,19 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+- Allow selection of `user_pool` when generating a jwt through the test helper
+
+## [0.3.0]
+- **Breaking Changes**: Configuration explicitly moved to `user_pools` object
+
+## [0.2.3]
+- Require the HTTP dependency
+
+## [0.2.2]
+- Fix missing HTTP dependency
+
+## [0.2.1]
+- Fix rspec dependency in implementation
 
 ## [0.2.0]
 - Extended exposed API
@@ -15,6 +28,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Scratching the gem
 
-[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.2.0...HEAD
+[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.3.0...HEAD
+[0.3.0]: https://github.com/barkibu/warden-cognito/compare/v0.2.3...v0.3.0
+[0.2.3]: https://github.com/barkibu/warden-cognito/compare/v0.2.2...v0.2.3
+[0.2.2]: https://github.com/barkibu/warden-cognito/compare/v0.2.1...v0.2.2
+[0.2.1]: https://github.com/barkibu/warden-cognito/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/barkibu/warden-cognito/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/barkibu/warden-cognito/releases/tag/v0.1.0

data/README.md

@@ -29,16 +29,12 @@ Configure how the gem maps Cognito users to local ones adding to your initialize
  Warden::Cognito.configure do |config|
     config.user_repository = User
     config.identifying_attribute = 'sub'
-    config.after_local_user_not_found = ->(cognito_user) { User.create(username: cognito_user.username) }
+    config.after_local_user_not_found = ->(cognito_user, pool_identifier) { User.create(username: cognito_user.username) }
     config.cache =  ActiveSupport::Cache::MemCacheStore.new
+    config.user_pools = { default: {region: 'AWS_REGION', pool_id: 'AWS Cognito UserPool Id', client_id: 'AWS Cognito Client Id'} }
 end
 ```
 
-This gem will look for the following the env variables:
-- **AWS_REGION**
-- **AWS_COGNITO_USER_POOL_ID**
-- **AWS_COGNITO_CLIENT_ID**
-
 ### With Devise
 
 You can know protects endpoints by settings the available strategies in the Warden section of your Device's configuration:
@@ -56,8 +52,8 @@ You can know protects endpoints by settings the available strategies in the Ward
 ### User Repository
 
 The user repository will be used to look for an entity to mark as authenticated, it must implement the following:
-- `find_by_cognito_username` that should return the user identified by the given username or nil
-- `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil
+- `find_by_cognito_username` that should return the user identified by the given username or nil (receives as second param the pool_identifier)
+- `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil (receives as second param the pool_identifier)
 
 ### User Model
 
@@ -65,7 +61,7 @@ The user model must expose a message `cognito_id` that returns the `identifying_
 
 ### `after_local_user_not_found` Callback
 
-A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html))
+A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html), and the pool_identifier as second parameter).
 
 ### Cache 
 The cache used to store the AWS Json Web Keys as well as the mapping between local and remote identifiers.
@@ -86,12 +82,12 @@ module Helpers
       end
     end
 
-    def auth_headers_for_user(user, headers = {})
-      Warden::Cognito::TestHelpers.auth_headers(headers, user)
+    def auth_headers_for_user(user, pool_identifier, headers = {})
+      Warden::Cognito::TestHelpers.auth_headers(headers, user, pool_identifier)
     end
 
-    def jwt_for_user(user)
-      auth_headers_for_user(user)[:Authorization].split[1]
+    def jwt_for_user(user, pool_identifier)
+      auth_headers_for_user(user, pool_identifier)[:Authorization].split[1]
     end
   end
 end
@@ -118,7 +114,7 @@ This gem also exposes classes that you can use to validate tokens and/or fetch a
 
 ```ruby
 token = 'The token a user passed along in a request'
-token_decoder = TokenDecoder.new(token)
+token_decoder = TokenDecoder.new(token, nil) # Pass nil as pool_identifier to loop over all the configured pools and automatically bind the right one [Based on the issuer]
 
 # Is the token valid ?
 token_decoder.validate!

data/docker-compose.yml

@@ -5,5 +5,8 @@ services:
     command: tail -f Gemfile
     volumes:
       - .:/app
+      - bundle:/usr/local/bundle
       - ~/.gitconfig:/root/.gitconfig
 
+volumes:
+  bundle:

data/lib/warden/cognito.rb

@@ -1,3 +1,4 @@
+require 'http'
 require 'jwt'
 require 'warden'
 require 'dry/configurable'
@@ -8,6 +9,8 @@ require 'active_support/core_ext'
 
 module Warden
   module Cognito
+    class CognitoError < StandardError; end
+
     extend Dry::Configurable
 
     def jwk_config_keys
@@ -19,7 +22,18 @@ module Warden
       Struct.new(*jwk_config_keys, keyword_init: true).new(attributes)
     end
 
-    module_function :jwk_config_keys, :jwk_instance
+    def user_pool_configuration_keys
+      %i[identifier region pool_id client_id]
+    end
+
+    def user_pool_configurations(value)
+      value.map do |key, conf|
+        attributes = conf.symbolize_keys.slice(*user_pool_configuration_keys).merge(identifier: key)
+        Struct.new(*user_pool_configuration_keys, keyword_init: true).new(attributes)
+      end
+    end
+
+    module_function :jwk_config_keys, :jwk_instance, :user_pool_configuration_keys, :user_pool_configurations
 
     setting :user_repository
     setting(:identifying_attribute, 'sub', &:to_s)
@@ -28,10 +42,14 @@ module Warden
 
     setting(:jwk, nil) { |value| jwk_instance(value) }
 
+    setting(:user_pools, []) { |value| user_pool_configurations(value) }
+
     Import = Dry::AutoInject(config)
   end
 end
 
+require 'warden/cognito/pool_related_iterator'
+require 'warden/cognito/has_user_pool_identifier'
 require 'warden/cognito/jwk_loader'
 require 'warden/cognito/version'
 require 'warden/cognito/user_not_found_callback'

data/lib/warden/cognito/authenticatable_strategy.rb

@@ -17,7 +17,7 @@ module Warden
       end
 
       def authenticate!
-        attempt = CognitoClient.initiate_auth(email, password)
+        attempt = cognito_client.initiate_auth(email, password)
 
         return fail(:unknow_cognito_response) unless attempt
 
@@ -33,13 +33,17 @@ module Warden
 
       private
 
+      def cognito_client
+        CognitoClient.scope pool_identifier
+      end
+
       def trigger_callback(authentication_result)
-        cognito_user = CognitoClient.fetch(authentication_result.access_token)
-        user_not_found_callback.call(cognito_user)
+        cognito_user = cognito_client.fetch(authentication_result.access_token)
+        user_not_found_callback.call(cognito_user, cognito_client.pool_identifier)
       end
 
       def local_user
-        helper.find_by_cognito_username(email)
+        helper.find_by_cognito_username(email, cognito_client.pool_identifier)
       end
 
       def cognito_authenticable?
@@ -54,8 +58,12 @@ module Warden
         auth_params[:password]
       end
 
+      def pool_identifier
+        auth_params[:pool_identifier]&.to_sym
+      end
+
       def auth_params
-        params[scope.to_s].symbolize_keys.slice(:password, :email)
+        params[scope.to_s].symbolize_keys.slice(:password, :email, :pool_identifier)
       end
     end
   end

data/lib/warden/cognito/cognito_client.rb

@@ -1,27 +1,42 @@
 module Warden
   module Cognito
     class CognitoClient
-      class << self
-        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html
-        def fetch(access_token)
-          client.get_user(access_token: access_token)
-        end
+      include Cognito::Import['user_pools']
+      include HasUserPoolIdentifier
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html
+      def fetch(access_token)
+        client.get_user(access_token: access_token)
+      end
+
+      def initiate_auth(email, password)
+        client.initiate_auth(
+          client_id: user_pool.client_id,
+          auth_flow: 'USER_PASSWORD_AUTH',
+          auth_parameters: {
+            'USERNAME' => email,
+            'PASSWORD' => password
+          }
+        )
+      end
+
+      private
 
-        def initiate_auth(email, password)
-          client.initiate_auth(
-            client_id: ENV['AWS_COGNITO_CLIENT_ID'],
-            auth_flow: 'USER_PASSWORD_AUTH',
-            auth_parameters: {
-              'USERNAME' => email,
-              'PASSWORD' => password
-            }
-          )
+      def client
+        Aws::CognitoIdentityProvider::Client.new
+      end
+
+      class << self
+        def scope(pool_identifier)
+          new.tap do |client|
+            client.user_pool = pool_identifier || default_pool_identifier
+          end
         end
 
         private
 
-        def client
-          Aws::CognitoIdentityProvider::Client.new
+        def default_pool_identifier
+          Warden::Cognito.config.user_pools.first.identifier
         end
       end
     end

data/lib/warden/cognito/has_user_pool_identifier.rb

@@ -0,0 +1,34 @@
+module Warden
+  module Cognito
+    module HasUserPoolIdentifier
+      def self.included(base)
+        base.extend ClassMethods
+        base.class_eval do
+          attr_reader :user_pool
+        end
+      end
+
+      def user_pool=(pool_identifier)
+        @user_pool = user_pools.detect(self.class.invalid_issuer_error) { |pool| pool.identifier == pool_identifier }
+      end
+
+      def pool_identifier
+        user_pool.identifier
+      end
+
+      module ClassMethods
+        def pool_iterator
+          PoolRelatedIterator.new do |pool|
+            new.tap do |pool_related|
+              pool_related.user_pool = pool.identifier
+            end
+          end
+        end
+
+        def invalid_issuer_error
+          -> { raise ::JWT::InvalidIssuerError, 'The token was not generated by any of the configured User Pools' }
+        end
+      end
+    end
+  end
+end

data/lib/warden/cognito/jwk_loader.rb

@@ -1,11 +1,19 @@
 module Warden
   module Cognito
     class JwkLoader
-      include Cognito::Import['cache']
-      include Cognito::Import['jwk']
+      include Cognito::Import['cache', 'jwk', 'user_pools']
+      include HasUserPoolIdentifier
 
       def jwt_issuer
-        jwk.issuer || "https://cognito-idp.#{ENV['AWS_REGION']}.amazonaws.com/#{ENV['AWS_COGNITO_USER_POOL_ID']}"
+        return "#{user_pool.identifier}-#{jwk.issuer}" if jwk.issuer.present?
+
+        "https://cognito-idp.#{user_pool.region}.amazonaws.com/#{user_pool.pool_id}"
+      end
+
+      def issued?(token)
+        ::JWT.decode(token, nil, false).first['iss'] == jwt_issuer
+      rescue StandardError
+        false
       end
 
       def call(options)

data/lib/warden/cognito/local_user_mapper.rb

@@ -14,13 +14,13 @@ module Warden
       end
 
       def call(token_decoder)
-        helper.find_by_cognito_attribute local_identifier(token_decoder)
+        helper.find_by_cognito_attribute local_identifier(token_decoder), token_decoder.pool_identifier
       end
 
       private
 
       def local_identifier(token_decoder)
-        cache_key = "COGNITO_LOCAL_IDENTIFIER_#{token_decoder.sub}"
+        cache_key = "COGNITO_POOL_#{token_decoder.pool_identifier}LOCAL_IDENTIFIER_#{token_decoder.sub}"
         cache.fetch(cache_key, skip_nil: true) do
           token_decoder.user_attribute(identifying_attribute)
         end

data/lib/warden/cognito/pool_related_iterator.rb

@@ -0,0 +1,15 @@
+class PoolRelatedIterator
+  include Enumerable
+
+  attr_reader :factory
+
+  def initialize(&factory)
+    @factory = factory
+  end
+
+  def each(&block)
+    Warden::Cognito.config.user_pools.each do |pool|
+      block.call factory.call(pool)
+    end
+  end
+end

data/lib/warden/cognito/test_helpers.rb

@@ -1,5 +1,3 @@
-require 'rspec'
-
 module Warden
   module Cognito
     class TestHelpers
@@ -14,8 +12,8 @@ module Warden
           Warden::Cognito.config.jwk = { key: jwk, issuer: local_issuer }
         end
 
-        def auth_headers(headers, user)
-          headers.merge(Authorization: "Bearer #{generate_token(user)}")
+        def auth_headers(headers, user, pool_identifier = Warden::Cognito.config.user_pools.first.identifier)
+          headers.merge(Authorization: "Bearer #{generate_token(user, pool_identifier)}")
         end
 
         def local_issuer
@@ -24,10 +22,10 @@ module Warden
 
         private
 
-        def generate_token(user)
+        def generate_token(user, pool_identifier)
           payload = { sub: user.object_id,
                       "#{identifying_attribute}": user.cognito_id,
-                      iss: local_issuer }
+                      iss: "#{pool_identifier}-#{local_issuer}" }
           headers = { kid: jwk.kid }
           JWT.encode(payload, jwk.keypair, 'RS256', headers)
         end

data/lib/warden/cognito/token_authenticatable_strategy.rb

@@ -22,7 +22,7 @@ module Warden
       end
 
       def authenticate!
-        user = local_user || UserNotFoundCallback.call(cognito_user)
+        user = local_user || UserNotFoundCallback.call(cognito_user, token_decoder.pool_identifier)
 
         fail!(:unknown_user) unless user.present?
         success!(user)
@@ -43,7 +43,11 @@ module Warden
       end
 
       def token_decoder
-        @token_decoder ||= TokenDecoder.new(token)
+        @token_decoder ||= TokenDecoder.new(token, pool_identifier)
+      end
+
+      def pool_identifier
+        env['HTTP_X_AUTHORIZATION_POOL_IDENTIFIER']
       end
 
       def token

data/lib/warden/cognito/token_decoder.rb

@@ -3,9 +3,9 @@ module Warden
     class TokenDecoder
       attr_reader :jwk_loader, :token
 
-      def initialize(token)
+      def initialize(token, pool_identifier = nil)
         @token = token
-        @jwk_loader = JwkLoader.new
+        @jwk_loader = find_loader(pool_identifier)
       end
 
       def validate!
@@ -22,13 +22,17 @@ module Warden
       end
 
       def cognito_user
-        @cognito_user ||= CognitoClient.fetch(token)
+        @cognito_user ||= CognitoClient.scope(pool_identifier).fetch(token)
       end
 
       def user_attribute(attribute_name)
         token_attribute(attribute_name).presence || cognito_user_attribute(attribute_name)
       end
 
+      def pool_identifier
+        jwk_loader.pool_identifier
+      end
+
       private
 
       def token_attribute(attribute_name)
@@ -40,6 +44,17 @@ module Warden
           attribute.name == attribute_name
         end&.value
       end
+
+      def find_loader(pool_identifier)
+        if pool_identifier.present?
+          return JwkLoader.new.tap do |loader|
+            loader.user_pool = pool_identifier
+          end
+        end
+        JwkLoader.pool_iterator.detect(JwkLoader.invalid_issuer_error) do |loader|
+          loader.issued? token
+        end
+      end
     end
   end
 end

data/lib/warden/cognito/user_helper.rb

@@ -3,12 +3,12 @@ module Warden
     class UserHelper
       include Cognito::Import['user_repository']
 
-      def find_by_cognito_username(username)
-        user_repository.find_by_cognito_username(username)
+      def find_by_cognito_username(username, pool_identifier)
+        user_repository.find_by_cognito_username(username, pool_identifier)
       end
 
-      def find_by_cognito_attribute(arg)
-        user_repository.find_by_cognito_attribute(arg)
+      def find_by_cognito_attribute(arg, pool_identifier)
+        user_repository.find_by_cognito_attribute(arg, pool_identifier)
       end
     end
   end

data/lib/warden/cognito/user_not_found_callback.rb

@@ -4,13 +4,13 @@ module Warden
       include Cognito::Import['after_local_user_not_found']
 
       class << self
-        def call(cognito_user)
-          new.call(cognito_user)
+        def call(cognito_user, pool_identifier)
+          new.call(cognito_user, pool_identifier)
         end
       end
 
-      def call(cognito_user)
-        after_local_user_not_found&.call(cognito_user)
+      def call(cognito_user, pool_identifier)
+        after_local_user_not_found&.call(cognito_user, pool_identifier)
       end
     end
   end

data/lib/warden/cognito/version.rb

@@ -1,5 +1,5 @@
 module Warden
   module Cognito
-    VERSION = '0.2.0'.freeze
+    VERSION = '0.3.1'.freeze
   end
 end

data/warden-cognito.gemspec

@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'aws-sdk-cognitoidentityprovider', '~> 1.47'
   spec.add_dependency 'dry-auto_inject', '~> 0.6'
   spec.add_dependency 'dry-configurable', '~> 0.9'
+  spec.add_dependency 'http'
   spec.add_dependency 'jwt', '~> 2.1'
   spec.add_dependency 'warden', '~> 1.2'
 

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: warden-cognito
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Juan F. Pérez
 - Léo Figea
-autorequire:
+autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-26 00:00:00.000000000 Z
+date: 2021-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -67,6 +67,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -203,8 +217,10 @@ files:
 - lib/warden/cognito.rb
 - lib/warden/cognito/authenticatable_strategy.rb
 - lib/warden/cognito/cognito_client.rb
+- lib/warden/cognito/has_user_pool_identifier.rb
 - lib/warden/cognito/jwk_loader.rb
 - lib/warden/cognito/local_user_mapper.rb
+- lib/warden/cognito/pool_related_iterator.rb
 - lib/warden/cognito/test_helpers.rb
 - lib/warden/cognito/token_authenticatable_strategy.rb
 - lib/warden/cognito/token_decoder.rb
@@ -219,7 +235,7 @@ metadata:
   homepage_uri: https://github.com/barkibu/warden-cognito
   source_code_uri: https://github.com/barkibu/warden-cognito
   changelog_uri: https://github.com/barkibu/warden-cognito/blob/master/CHANGELOG.md
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -234,8 +250,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key:
+rubygems_version: 3.0.3
+signing_key: 
 specification_version: 4
 summary: Amazon Cognito authentication for Warden
 test_files: []