warden-cognito 0.2.2 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5d5790601adacfa6e03722383c258c265230fc7da5e807d20b4dbee07e778445
-  data.tar.gz: 53e85cbb949c46fff67c737b3f19aaad7a8e8106ac63bd5900dad8788e73c66d
+  metadata.gz: 40fa2362bb3ef3268cbecf7b60d3570ed4883e431c1705e8f9c90f8478eaac56
+  data.tar.gz: f29115a0f11806c184f78070b468b2e5841f8ab609ff780d1fa94a87ef3d8c16
 SHA512:
-  metadata.gz: 9fe02b4d86f39633610658649173db4526091433b8ef609132d4103333555a024cd2d1557609296e598ce49f2c94a89124abf20ca4b1545ee3e28d61f7631649
-  data.tar.gz: e9ef51005f5e83b8a4ecca6387f6cef0c8b095286e2a4c880438b5e7747438d9f8539584dc92e37099580697f6ee5f254c8766ece27eaf78a8c38d39a5901f34
+  metadata.gz: 10d0c0098ef31565f797f73c210a2634d02f641fcff5736bc28a4a44bd749e68edc165c2fbc691f86454d1fa17a8ff21caddcafdf02e17f1dd47b5d9ed05f83c
+  data.tar.gz: d3405f6873a37d95d119f88150c6e5e4c3ff03afe440acef16daafcd78368562e770df42e2ed64350ead50854965eae8e8c93ca3b6836ba4c756d6601ab6f175

data/.rubocop.yml

@@ -4,6 +4,8 @@ AllCops:
     - 'db/**/*'
     - 'vendor/**/*'
 
+  TargetRubyVersion: 2.6
+
 Style/FrozenStringLiteralComment:
   Enabled: false
 

data/CHANGELOG.md

@@ -6,8 +6,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.3]
+- Improve test helpers to include `jti` and `exp` claims and accept user-supplied claims.
+
+## [0.3.2]
+- Fix - specify region on scoped aws client
+
+## [0.3.1]
+- Allow selection of `user_pool` when generating a jwt through the test helper
+
+## [0.3.0]
+- **Breaking Changes**: Configuration explicitly moved to `user_pools` object
+
+## [0.2.3]
+- Require the HTTP dependency
+
 ## [0.2.2]
-- Fix missin HTTP dependency
+- Fix missing HTTP dependency
 
 ## [0.2.1]
 - Fix rspec dependency in implementation
@@ -21,7 +36,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Scratching the gem
 
-[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.2.2...HEAD
+[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.3.3...HEAD
+[0.3.3]: https://github.com/barkibu/warden-cognito/compare/v0.3.2...v0.3.3
+[0.3.2]: https://github.com/barkibu/warden-cognito/compare/v0.3.1...v0.3.2
+[0.3.1]: https://github.com/barkibu/warden-cognito/compare/v0.3.0...v0.3.1
+[0.3.0]: https://github.com/barkibu/warden-cognito/compare/v0.2.3...v0.3.0
+[0.2.3]: https://github.com/barkibu/warden-cognito/compare/v0.2.2...v0.2.3
 [0.2.2]: https://github.com/barkibu/warden-cognito/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/barkibu/warden-cognito/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/barkibu/warden-cognito/compare/v0.1.0...v0.2.0

data/README.md

@@ -29,16 +29,12 @@ Configure how the gem maps Cognito users to local ones adding to your initialize
  Warden::Cognito.configure do |config|
     config.user_repository = User
     config.identifying_attribute = 'sub'
-    config.after_local_user_not_found = ->(cognito_user) { User.create(username: cognito_user.username) }
+    config.after_local_user_not_found = ->(cognito_user, pool_identifier) { User.create(username: cognito_user.username) }
     config.cache =  ActiveSupport::Cache::MemCacheStore.new
+    config.user_pools = { default: {region: 'AWS_REGION', pool_id: 'AWS Cognito UserPool Id', client_id: 'AWS Cognito Client Id'} }
 end
 ```
 
-This gem will look for the following the env variables:
-- **AWS_REGION**
-- **AWS_COGNITO_USER_POOL_ID**
-- **AWS_COGNITO_CLIENT_ID**
-
 ### With Devise
 
 You can know protects endpoints by settings the available strategies in the Warden section of your Device's configuration:
@@ -56,8 +52,8 @@ You can know protects endpoints by settings the available strategies in the Ward
 ### User Repository
 
 The user repository will be used to look for an entity to mark as authenticated, it must implement the following:
-- `find_by_cognito_username` that should return the user identified by the given username or nil
-- `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil
+- `find_by_cognito_username` that should return the user identified by the given username or nil (receives as second param the pool_identifier)
+- `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil (receives as second param the pool_identifier)
 
 ### User Model
 
@@ -65,7 +61,7 @@ The user model must expose a message `cognito_id` that returns the `identifying_
 
 ### `after_local_user_not_found` Callback
 
-A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html))
+A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html), and the pool_identifier as second parameter).
 
 ### Cache 
 The cache used to store the AWS Json Web Keys as well as the mapping between local and remote identifiers.
@@ -86,12 +82,12 @@ module Helpers
       end
     end
 
-    def auth_headers_for_user(user, headers = {})
-      Warden::Cognito::TestHelpers.auth_headers(headers, user)
+    def auth_headers_for_user(user, pool_identifier, headers = {})
+      Warden::Cognito::TestHelpers.auth_headers(headers, user, pool_identifier)
     end
 
-    def jwt_for_user(user)
-      auth_headers_for_user(user)[:Authorization].split[1]
+    def jwt_for_user(user, pool_identifier)
+      auth_headers_for_user(user, pool_identifier)[:Authorization].split[1]
     end
   end
 end
@@ -118,7 +114,7 @@ This gem also exposes classes that you can use to validate tokens and/or fetch a
 
 ```ruby
 token = 'The token a user passed along in a request'
-token_decoder = TokenDecoder.new(token)
+token_decoder = TokenDecoder.new(token, nil) # Pass nil as pool_identifier to loop over all the configured pools and automatically bind the right one [Based on the issuer]
 
 # Is the token valid ?
 token_decoder.validate!

data/docker-compose.yml

@@ -5,5 +5,8 @@ services:
     command: tail -f Gemfile
     volumes:
       - .:/app
+      - bundle:/usr/local/bundle
       - ~/.gitconfig:/root/.gitconfig
 
+volumes:
+  bundle:

data/lib/warden/cognito.rb

@@ -1,3 +1,4 @@
+require 'http'
 require 'jwt'
 require 'warden'
 require 'dry/configurable'
@@ -8,6 +9,8 @@ require 'active_support/core_ext'
 
 module Warden
   module Cognito
+    class CognitoError < StandardError; end
+
     extend Dry::Configurable
 
     def jwk_config_keys
@@ -19,7 +22,18 @@ module Warden
       Struct.new(*jwk_config_keys, keyword_init: true).new(attributes)
     end
 
-    module_function :jwk_config_keys, :jwk_instance
+    def user_pool_configuration_keys
+      %i[identifier region pool_id client_id]
+    end
+
+    def user_pool_configurations(value)
+      value.map do |key, conf|
+        attributes = conf.symbolize_keys.slice(*user_pool_configuration_keys).merge(identifier: key)
+        Struct.new(*user_pool_configuration_keys, keyword_init: true).new(attributes)
+      end
+    end
+
+    module_function :jwk_config_keys, :jwk_instance, :user_pool_configuration_keys, :user_pool_configurations
 
     setting :user_repository
     setting(:identifying_attribute, 'sub', &:to_s)
@@ -28,10 +42,14 @@ module Warden
 
     setting(:jwk, nil) { |value| jwk_instance(value) }
 
+    setting(:user_pools, []) { |value| user_pool_configurations(value) }
+
     Import = Dry::AutoInject(config)
   end
 end
 
+require 'warden/cognito/pool_related_iterator'
+require 'warden/cognito/has_user_pool_identifier'
 require 'warden/cognito/jwk_loader'
 require 'warden/cognito/version'
 require 'warden/cognito/user_not_found_callback'

data/lib/warden/cognito/authenticatable_strategy.rb

@@ -17,7 +17,7 @@ module Warden
       end
 
       def authenticate!
-        attempt = CognitoClient.initiate_auth(email, password)
+        attempt = cognito_client.initiate_auth(email, password)
 
         return fail(:unknow_cognito_response) unless attempt
 
@@ -33,13 +33,17 @@ module Warden
 
       private
 
+      def cognito_client
+        CognitoClient.scope pool_identifier
+      end
+
       def trigger_callback(authentication_result)
-        cognito_user = CognitoClient.fetch(authentication_result.access_token)
-        user_not_found_callback.call(cognito_user)
+        cognito_user = cognito_client.fetch(authentication_result.access_token)
+        user_not_found_callback.call(cognito_user, cognito_client.pool_identifier)
       end
 
       def local_user
-        helper.find_by_cognito_username(email)
+        helper.find_by_cognito_username(email, cognito_client.pool_identifier)
       end
 
       def cognito_authenticable?
@@ -54,8 +58,12 @@ module Warden
         auth_params[:password]
       end
 
+      def pool_identifier
+        auth_params[:pool_identifier]&.to_sym
+      end
+
       def auth_params
-        params[scope.to_s].symbolize_keys.slice(:password, :email)
+        params[scope.to_s].symbolize_keys.slice(:password, :email, :pool_identifier)
       end
     end
   end

data/lib/warden/cognito/cognito_client.rb

@@ -1,27 +1,42 @@
 module Warden
   module Cognito
     class CognitoClient
-      class << self
-        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html
-        def fetch(access_token)
-          client.get_user(access_token: access_token)
-        end
+      include Cognito::Import['user_pools']
+      include HasUserPoolIdentifier
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html
+      def fetch(access_token)
+        client.get_user(access_token: access_token)
+      end
+
+      def initiate_auth(email, password)
+        client.initiate_auth(
+          client_id: user_pool.client_id,
+          auth_flow: 'USER_PASSWORD_AUTH',
+          auth_parameters: {
+            'USERNAME' => email,
+            'PASSWORD' => password
+          }
+        )
+      end
+
+      private
 
-        def initiate_auth(email, password)
-          client.initiate_auth(
-            client_id: ENV['AWS_COGNITO_CLIENT_ID'],
-            auth_flow: 'USER_PASSWORD_AUTH',
-            auth_parameters: {
-              'USERNAME' => email,
-              'PASSWORD' => password
-            }
-          )
+      def client
+        Aws::CognitoIdentityProvider::Client.new region: user_pool.region
+      end
+
+      class << self
+        def scope(pool_identifier)
+          new.tap do |client|
+            client.user_pool = pool_identifier || default_pool_identifier
+          end
         end
 
         private
 
-        def client
-          Aws::CognitoIdentityProvider::Client.new
+        def default_pool_identifier
+          Warden::Cognito.config.user_pools.first.identifier
         end
       end
     end

data/lib/warden/cognito/has_user_pool_identifier.rb

@@ -0,0 +1,34 @@
+module Warden
+  module Cognito
+    module HasUserPoolIdentifier
+      def self.included(base)
+        base.extend ClassMethods
+        base.class_eval do
+          attr_reader :user_pool
+        end
+      end
+
+      def user_pool=(pool_identifier)
+        @user_pool = user_pools.detect(self.class.invalid_issuer_error) { |pool| pool.identifier == pool_identifier }
+      end
+
+      def pool_identifier
+        user_pool.identifier
+      end
+
+      module ClassMethods
+        def pool_iterator
+          PoolRelatedIterator.new do |pool|
+            new.tap do |pool_related|
+              pool_related.user_pool = pool.identifier
+            end
+          end
+        end
+
+        def invalid_issuer_error
+          -> { raise ::JWT::InvalidIssuerError, 'The token was not generated by any of the configured User Pools' }
+        end
+      end
+    end
+  end
+end

data/lib/warden/cognito/jwk_loader.rb

@@ -1,11 +1,19 @@
 module Warden
   module Cognito
     class JwkLoader
-      include Cognito::Import['cache']
-      include Cognito::Import['jwk']
+      include Cognito::Import['cache', 'jwk', 'user_pools']
+      include HasUserPoolIdentifier
 
       def jwt_issuer
-        jwk.issuer || "https://cognito-idp.#{ENV['AWS_REGION']}.amazonaws.com/#{ENV['AWS_COGNITO_USER_POOL_ID']}"
+        return "#{user_pool.identifier}-#{jwk.issuer}" if jwk.issuer.present?
+
+        "https://cognito-idp.#{user_pool.region}.amazonaws.com/#{user_pool.pool_id}"
+      end
+
+      def issued?(token)
+        ::JWT.decode(token, nil, false).first['iss'] == jwt_issuer
+      rescue StandardError
+        false
       end
 
       def call(options)

data/lib/warden/cognito/local_user_mapper.rb

@@ -14,13 +14,13 @@ module Warden
       end
 
       def call(token_decoder)
-        helper.find_by_cognito_attribute local_identifier(token_decoder)
+        helper.find_by_cognito_attribute local_identifier(token_decoder), token_decoder.pool_identifier
       end
 
       private
 
       def local_identifier(token_decoder)
-        cache_key = "COGNITO_LOCAL_IDENTIFIER_#{token_decoder.sub}"
+        cache_key = "COGNITO_POOL_#{token_decoder.pool_identifier}LOCAL_IDENTIFIER_#{token_decoder.sub}"
         cache.fetch(cache_key, skip_nil: true) do
           token_decoder.user_attribute(identifying_attribute)
         end

data/lib/warden/cognito/pool_related_iterator.rb

@@ -0,0 +1,15 @@
+class PoolRelatedIterator
+  include Enumerable
+
+  attr_reader :factory
+
+  def initialize(&factory)
+    @factory = factory
+  end
+
+  def each(&block)
+    Warden::Cognito.config.user_pools.each do |pool|
+      block.call factory.call(pool)
+    end
+  end
+end

data/lib/warden/cognito/test_helpers.rb

@@ -12,8 +12,9 @@ module Warden
           Warden::Cognito.config.jwk = { key: jwk, issuer: local_issuer }
         end
 
-        def auth_headers(headers, user)
-          headers.merge(Authorization: "Bearer #{generate_token(user)}")
+        def auth_headers(headers, user, pool_identifier = Warden::Cognito.config.user_pools.first.identifier,
+                         claims = {})
+          headers.merge(Authorization: "Bearer #{generate_token(user, pool_identifier, claims)}")
         end
 
         def local_issuer
@@ -22,10 +23,14 @@ module Warden
 
         private
 
-        def generate_token(user)
-          payload = { sub: user.object_id,
-                      "#{identifying_attribute}": user.cognito_id,
-                      iss: local_issuer }
+        def generate_token(user, pool_identifier, claims = {})
+          payload = {
+            sub: user.object_id,
+            "#{identifying_attribute}": user.cognito_id,
+            iss: "#{pool_identifier}-#{local_issuer}",
+            jti: SecureRandom.uuid,
+            exp: 1.hour.from_now.to_i
+          }.merge(claims)
           headers = { kid: jwk.kid }
           JWT.encode(payload, jwk.keypair, 'RS256', headers)
         end

data/lib/warden/cognito/token_authenticatable_strategy.rb

@@ -22,7 +22,7 @@ module Warden
       end
 
       def authenticate!
-        user = local_user || UserNotFoundCallback.call(cognito_user)
+        user = local_user || UserNotFoundCallback.call(cognito_user, token_decoder.pool_identifier)
 
         fail!(:unknown_user) unless user.present?
         success!(user)
@@ -43,7 +43,11 @@ module Warden
       end
 
       def token_decoder
-        @token_decoder ||= TokenDecoder.new(token)
+        @token_decoder ||= TokenDecoder.new(token, pool_identifier)
+      end
+
+      def pool_identifier
+        env['HTTP_X_AUTHORIZATION_POOL_IDENTIFIER']
       end
 
       def token

data/lib/warden/cognito/token_decoder.rb

@@ -3,9 +3,9 @@ module Warden
     class TokenDecoder
       attr_reader :jwk_loader, :token
 
-      def initialize(token)
+      def initialize(token, pool_identifier = nil)
         @token = token
-        @jwk_loader = JwkLoader.new
+        @jwk_loader = find_loader(pool_identifier)
       end
 
       def validate!
@@ -22,13 +22,17 @@ module Warden
       end
 
       def cognito_user
-        @cognito_user ||= CognitoClient.fetch(token)
+        @cognito_user ||= CognitoClient.scope(pool_identifier).fetch(token)
       end
 
       def user_attribute(attribute_name)
         token_attribute(attribute_name).presence || cognito_user_attribute(attribute_name)
       end
 
+      def pool_identifier
+        jwk_loader.pool_identifier
+      end
+
       private
 
       def token_attribute(attribute_name)
@@ -40,6 +44,17 @@ module Warden
           attribute.name == attribute_name
         end&.value
       end
+
+      def find_loader(pool_identifier)
+        if pool_identifier.present?
+          return JwkLoader.new.tap do |loader|
+            loader.user_pool = pool_identifier
+          end
+        end
+        JwkLoader.pool_iterator.detect(JwkLoader.invalid_issuer_error) do |loader|
+          loader.issued? token
+        end
+      end
     end
   end
 end

data/lib/warden/cognito/user_helper.rb

@@ -3,12 +3,12 @@ module Warden
     class UserHelper
       include Cognito::Import['user_repository']
 
-      def find_by_cognito_username(username)
-        user_repository.find_by_cognito_username(username)
+      def find_by_cognito_username(username, pool_identifier)
+        user_repository.find_by_cognito_username(username, pool_identifier)
       end
 
-      def find_by_cognito_attribute(arg)
-        user_repository.find_by_cognito_attribute(arg)
+      def find_by_cognito_attribute(arg, pool_identifier)
+        user_repository.find_by_cognito_attribute(arg, pool_identifier)
       end
     end
   end

data/lib/warden/cognito/user_not_found_callback.rb

@@ -4,13 +4,13 @@ module Warden
       include Cognito::Import['after_local_user_not_found']
 
       class << self
-        def call(cognito_user)
-          new.call(cognito_user)
+        def call(cognito_user, pool_identifier)
+          new.call(cognito_user, pool_identifier)
         end
       end
 
-      def call(cognito_user)
-        after_local_user_not_found&.call(cognito_user)
+      def call(cognito_user, pool_identifier)
+        after_local_user_not_found&.call(cognito_user, pool_identifier)
       end
     end
   end

data/lib/warden/cognito/version.rb

@@ -1,5 +1,5 @@
 module Warden
   module Cognito
-    VERSION = '0.2.2'.freeze
+    VERSION = '0.3.3'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: warden-cognito
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.3
 platform: ruby
 authors:
 - Juan F. Pérez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-27 00:00:00.000000000 Z
+date: 2021-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -217,8 +217,10 @@ files:
 - lib/warden/cognito.rb
 - lib/warden/cognito/authenticatable_strategy.rb
 - lib/warden/cognito/cognito_client.rb
+- lib/warden/cognito/has_user_pool_identifier.rb
 - lib/warden/cognito/jwk_loader.rb
 - lib/warden/cognito/local_user_mapper.rb
+- lib/warden/cognito/pool_related_iterator.rb
 - lib/warden/cognito/test_helpers.rb
 - lib/warden/cognito/token_authenticatable_strategy.rb
 - lib/warden/cognito/token_decoder.rb