warden-cognito 0.2.3 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6162b68479e99705070713da8dfe0e70fdcad9653e4813226823b822ad8a4e21
-  data.tar.gz: 6e4bd989b4877cdeb23d59b8cdc68948ccfbc2a14dddc7161098e62ad9b8ff21
+  metadata.gz: 67b38f626935f1b428eade990cec7e0aa79be73de6ecdf12f747a0cf9fca8b9d
+  data.tar.gz: f9e1ae36d5bc9508e02e57c479848d195ad5d47baa01b597f819479dd285d954
 SHA512:
-  metadata.gz: 9f49d78156bf56c63caf72cdb12657d9050a0684dc9cf35dfe2c87a29de2bebb40dcae7f6f04ae39d24297988e1bdb34ffa634079e3696a1ce871bc94f7a9ebc
-  data.tar.gz: 9e9bccc3c7f92a852e608fe336c056676c6c7248712bbf6309cb6a51f842b6362b93d9eca57f86af20c2985f1817f1a1ed6f7b159b63372117cb17d3da929bb6
+  metadata.gz: 185dc40763cc5a39964b9f088cb122597abc78bef86b6937a8a630bb5813bb3cfbaa7bc7a7e32732d8daff9892f1033e30a408b8bf2121376b16b220f6c4afae
+  data.tar.gz: 49917c80e5c75c2a29fc62597e697438e8e21bffe15f53ec4c79ec701f50dc57de8e836f87b16cf39ff5fb6390f0d4a10016167ca7140622d5a97b42b6b336f1

data/CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.0]
+- **Breaking Changes**: Configuration explicitly moved to `user_pools` object
+
 ## [0.2.3]
 - Require the HTTP dependency
 
@@ -24,7 +27,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Scratching the gem
 
-[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.2.3...HEAD
+[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.3.0...HEAD
+[0.3.0]: https://github.com/barkibu/warden-cognito/compare/v0.2.3...v0.3.0
 [0.2.3]: https://github.com/barkibu/warden-cognito/compare/v0.2.2...v0.2.3
 [0.2.2]: https://github.com/barkibu/warden-cognito/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/barkibu/warden-cognito/compare/v0.2.0...v0.2.1

data/README.md

@@ -29,16 +29,12 @@ Configure how the gem maps Cognito users to local ones adding to your initialize
  Warden::Cognito.configure do |config|
     config.user_repository = User
     config.identifying_attribute = 'sub'
-    config.after_local_user_not_found = ->(cognito_user) { User.create(username: cognito_user.username) }
+    config.after_local_user_not_found = ->(cognito_user, pool_identifier) { User.create(username: cognito_user.username) }
     config.cache =  ActiveSupport::Cache::MemCacheStore.new
+    config.user_pools = { default: {region: 'AWS_REGION', pool_id: 'AWS Cognito UserPool Id', client_id: 'AWS Cognito Client Id'} }
 end
 ```
 
-This gem will look for the following the env variables:
-- **AWS_REGION**
-- **AWS_COGNITO_USER_POOL_ID**
-- **AWS_COGNITO_CLIENT_ID**
-
 ### With Devise
 
 You can know protects endpoints by settings the available strategies in the Warden section of your Device's configuration:
@@ -56,8 +52,8 @@ You can know protects endpoints by settings the available strategies in the Ward
 ### User Repository
 
 The user repository will be used to look for an entity to mark as authenticated, it must implement the following:
-- `find_by_cognito_username` that should return the user identified by the given username or nil
-- `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil
+- `find_by_cognito_username` that should return the user identified by the given username or nil (receives as second param the pool_identifier)
+- `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil (receives as second param the pool_identifier)
 
 ### User Model
 
@@ -65,7 +61,7 @@ The user model must expose a message `cognito_id` that returns the `identifying_
 
 ### `after_local_user_not_found` Callback
 
-A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html))
+A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html), and the pool_identifier as second parameter).
 
 ### Cache 
 The cache used to store the AWS Json Web Keys as well as the mapping between local and remote identifiers.
@@ -118,7 +114,7 @@ This gem also exposes classes that you can use to validate tokens and/or fetch a
 
 ```ruby
 token = 'The token a user passed along in a request'
-token_decoder = TokenDecoder.new(token)
+token_decoder = TokenDecoder.new(token, nil) # Pass nil as pool_identifier to loop over all the configured pools and automatically bind the right one [Based on the issuer]
 
 # Is the token valid ?
 token_decoder.validate!

data/docker-compose.yml

@@ -5,5 +5,9 @@ services:
     command: tail -f Gemfile
     volumes:
       - .:/app
+      - bundle:/usr/local/bundle
+      - ~/.ssh:/root/.ssh
       - ~/.gitconfig:/root/.gitconfig
 
+volumes:
+  bundle:

data/lib/warden/cognito.rb

@@ -9,6 +9,8 @@ require 'active_support/core_ext'
 
 module Warden
   module Cognito
+    class CognitoError < StandardError; end
+
     extend Dry::Configurable
 
     def jwk_config_keys
@@ -20,7 +22,18 @@ module Warden
       Struct.new(*jwk_config_keys, keyword_init: true).new(attributes)
     end
 
-    module_function :jwk_config_keys, :jwk_instance
+    def user_pool_configuration_keys
+      %i[identifier region pool_id client_id]
+    end
+
+    def user_pool_configurations(value)
+      value.map do |key, conf|
+        attributes = conf.symbolize_keys.slice(*user_pool_configuration_keys).merge(identifier: key)
+        Struct.new(*user_pool_configuration_keys, keyword_init: true).new(attributes)
+      end
+    end
+
+    module_function :jwk_config_keys, :jwk_instance, :user_pool_configuration_keys, :user_pool_configurations
 
     setting :user_repository
     setting(:identifying_attribute, 'sub', &:to_s)
@@ -29,10 +42,14 @@ module Warden
 
     setting(:jwk, nil) { |value| jwk_instance(value) }
 
+    setting(:user_pools, []) { |value| user_pool_configurations(value) }
+
     Import = Dry::AutoInject(config)
   end
 end
 
+require 'warden/cognito/pool_related_iterator'
+require 'warden/cognito/has_user_pool_identifier'
 require 'warden/cognito/jwk_loader'
 require 'warden/cognito/version'
 require 'warden/cognito/user_not_found_callback'

data/lib/warden/cognito/authenticatable_strategy.rb

@@ -17,7 +17,7 @@ module Warden
       end
 
       def authenticate!
-        attempt = CognitoClient.initiate_auth(email, password)
+        attempt = cognito_client.initiate_auth(email, password)
 
         return fail(:unknow_cognito_response) unless attempt
 
@@ -33,13 +33,17 @@ module Warden
 
       private
 
+      def cognito_client
+        CognitoClient.scope pool_identifier
+      end
+
       def trigger_callback(authentication_result)
-        cognito_user = CognitoClient.fetch(authentication_result.access_token)
-        user_not_found_callback.call(cognito_user)
+        cognito_user = cognito_client.fetch(authentication_result.access_token)
+        user_not_found_callback.call(cognito_user, cognito_client.pool_identifier)
       end
 
       def local_user
-        helper.find_by_cognito_username(email)
+        helper.find_by_cognito_username(email, cognito_client.pool_identifier)
       end
 
       def cognito_authenticable?
@@ -54,8 +58,12 @@ module Warden
         auth_params[:password]
       end
 
+      def pool_identifier
+        auth_params[:pool_identifier]&.to_sym
+      end
+
       def auth_params
-        params[scope.to_s].symbolize_keys.slice(:password, :email)
+        params[scope.to_s].symbolize_keys.slice(:password, :email, :pool_identifier)
       end
     end
   end

data/lib/warden/cognito/cognito_client.rb

@@ -1,27 +1,42 @@
 module Warden
   module Cognito
     class CognitoClient
-      class << self
-        # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html
-        def fetch(access_token)
-          client.get_user(access_token: access_token)
-        end
+      include Cognito::Import['user_pools']
+      include HasUserPoolIdentifier
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html
+      def fetch(access_token)
+        client.get_user(access_token: access_token)
+      end
+
+      def initiate_auth(email, password)
+        client.initiate_auth(
+          client_id: user_pool.client_id,
+          auth_flow: 'USER_PASSWORD_AUTH',
+          auth_parameters: {
+            'USERNAME' => email,
+            'PASSWORD' => password
+          }
+        )
+      end
+
+      private
 
-        def initiate_auth(email, password)
-          client.initiate_auth(
-            client_id: ENV['AWS_COGNITO_CLIENT_ID'],
-            auth_flow: 'USER_PASSWORD_AUTH',
-            auth_parameters: {
-              'USERNAME' => email,
-              'PASSWORD' => password
-            }
-          )
+      def client
+        Aws::CognitoIdentityProvider::Client.new
+      end
+
+      class << self
+        def scope(pool_identifier)
+          new.tap do |client|
+            client.user_pool = pool_identifier || default_pool_identifier
+          end
         end
 
         private
 
-        def client
-          Aws::CognitoIdentityProvider::Client.new
+        def default_pool_identifier
+          Warden::Cognito.config.user_pools.first.identifier
         end
       end
     end

data/lib/warden/cognito/has_user_pool_identifier.rb

@@ -0,0 +1,34 @@
+module Warden
+  module Cognito
+    module HasUserPoolIdentifier
+      def self.included(base)
+        base.extend ClassMethods
+        base.class_eval do
+          attr_reader :user_pool
+        end
+      end
+
+      def user_pool=(pool_identifier)
+        @user_pool = user_pools.detect(self.class.invalid_issuer_error) { |pool| pool.identifier == pool_identifier }
+      end
+
+      def pool_identifier
+        user_pool.identifier
+      end
+
+      module ClassMethods
+        def pool_iterator
+          PoolRelatedIterator.new do |pool|
+            new.tap do |pool_related|
+              pool_related.user_pool = pool.identifier
+            end
+          end
+        end
+
+        def invalid_issuer_error
+          -> { raise ::JWT::InvalidIssuerError, 'The token was not generated by any of the configured User Pools' }
+        end
+      end
+    end
+  end
+end

data/lib/warden/cognito/jwk_loader.rb

@@ -1,11 +1,17 @@
 module Warden
   module Cognito
     class JwkLoader
-      include Cognito::Import['cache']
-      include Cognito::Import['jwk']
+      include Cognito::Import['cache', 'jwk', 'user_pools']
+      include HasUserPoolIdentifier
 
       def jwt_issuer
-        jwk.issuer || "https://cognito-idp.#{ENV['AWS_REGION']}.amazonaws.com/#{ENV['AWS_COGNITO_USER_POOL_ID']}"
+        jwk.issuer || "https://cognito-idp.#{user_pool.region}.amazonaws.com/#{user_pool.pool_id}"
+      end
+
+      def issued?(token)
+        ::JWT.decode(token, nil, false).first['iss'] == jwt_issuer
+      rescue StandardError
+        false
       end
 
       def call(options)

data/lib/warden/cognito/local_user_mapper.rb

@@ -14,13 +14,13 @@ module Warden
       end
 
       def call(token_decoder)
-        helper.find_by_cognito_attribute local_identifier(token_decoder)
+        helper.find_by_cognito_attribute local_identifier(token_decoder), token_decoder.pool_identifier
       end
 
       private
 
       def local_identifier(token_decoder)
-        cache_key = "COGNITO_LOCAL_IDENTIFIER_#{token_decoder.sub}"
+        cache_key = "COGNITO_POOL_#{token_decoder.pool_identifier}LOCAL_IDENTIFIER_#{token_decoder.sub}"
         cache.fetch(cache_key, skip_nil: true) do
           token_decoder.user_attribute(identifying_attribute)
         end

data/lib/warden/cognito/pool_related_iterator.rb

@@ -0,0 +1,15 @@
+class PoolRelatedIterator
+  include Enumerable
+
+  attr_reader :factory
+
+  def initialize(&factory)
+    @factory = factory
+  end
+
+  def each(&block)
+    Warden::Cognito.config.user_pools.each do |pool|
+      block.call factory.call(pool)
+    end
+  end
+end

data/lib/warden/cognito/token_authenticatable_strategy.rb

@@ -22,7 +22,7 @@ module Warden
       end
 
       def authenticate!
-        user = local_user || UserNotFoundCallback.call(cognito_user)
+        user = local_user || UserNotFoundCallback.call(cognito_user, token_decoder.pool_identifier)
 
         fail!(:unknown_user) unless user.present?
         success!(user)
@@ -43,7 +43,11 @@ module Warden
       end
 
       def token_decoder
-        @token_decoder ||= TokenDecoder.new(token)
+        @token_decoder ||= TokenDecoder.new(token, pool_identifier)
+      end
+
+      def pool_identifier
+        env['HTTP_X_AUTHORIZATION_POOL_IDENTIFIER']
       end
 
       def token

data/lib/warden/cognito/token_decoder.rb

@@ -3,9 +3,9 @@ module Warden
     class TokenDecoder
       attr_reader :jwk_loader, :token
 
-      def initialize(token)
+      def initialize(token, pool_identifier = nil)
         @token = token
-        @jwk_loader = JwkLoader.new
+        @jwk_loader = find_loader(pool_identifier)
       end
 
       def validate!
@@ -22,13 +22,17 @@ module Warden
       end
 
       def cognito_user
-        @cognito_user ||= CognitoClient.fetch(token)
+        @cognito_user ||= CognitoClient.scope(pool_identifier).fetch(token)
       end
 
       def user_attribute(attribute_name)
         token_attribute(attribute_name).presence || cognito_user_attribute(attribute_name)
       end
 
+      def pool_identifier
+        jwk_loader.pool_identifier
+      end
+
       private
 
       def token_attribute(attribute_name)
@@ -40,6 +44,17 @@ module Warden
           attribute.name == attribute_name
         end&.value
       end
+
+      def find_loader(pool_identifier)
+        if pool_identifier.present?
+          return JwkLoader.new.tap do |loader|
+            loader.user_pool = pool_identifier
+          end
+        end
+        JwkLoader.pool_iterator.detect(JwkLoader.invalid_issuer_error) do |loader|
+          loader.issued? token
+        end
+      end
     end
   end
 end

data/lib/warden/cognito/user_helper.rb

@@ -3,12 +3,12 @@ module Warden
     class UserHelper
       include Cognito::Import['user_repository']
 
-      def find_by_cognito_username(username)
-        user_repository.find_by_cognito_username(username)
+      def find_by_cognito_username(username, pool_identifier)
+        user_repository.find_by_cognito_username(username, pool_identifier)
       end
 
-      def find_by_cognito_attribute(arg)
-        user_repository.find_by_cognito_attribute(arg)
+      def find_by_cognito_attribute(arg, pool_identifier)
+        user_repository.find_by_cognito_attribute(arg, pool_identifier)
       end
     end
   end

data/lib/warden/cognito/user_not_found_callback.rb

@@ -4,13 +4,13 @@ module Warden
       include Cognito::Import['after_local_user_not_found']
 
       class << self
-        def call(cognito_user)
-          new.call(cognito_user)
+        def call(cognito_user, pool_identifier)
+          new.call(cognito_user, pool_identifier)
         end
       end
 
-      def call(cognito_user)
-        after_local_user_not_found&.call(cognito_user)
+      def call(cognito_user, pool_identifier)
+        after_local_user_not_found&.call(cognito_user, pool_identifier)
       end
     end
   end

data/lib/warden/cognito/version.rb

@@ -1,5 +1,5 @@
 module Warden
   module Cognito
-    VERSION = '0.2.3'.freeze
+    VERSION = '0.3.0'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: warden-cognito
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 0.3.0
 platform: ruby
 authors:
 - Juan F. Pérez
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-11-27 00:00:00.000000000 Z
+date: 2021-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -217,8 +217,10 @@ files:
 - lib/warden/cognito.rb
 - lib/warden/cognito/authenticatable_strategy.rb
 - lib/warden/cognito/cognito_client.rb
+- lib/warden/cognito/has_user_pool_identifier.rb
 - lib/warden/cognito/jwk_loader.rb
 - lib/warden/cognito/local_user_mapper.rb
+- lib/warden/cognito/pool_related_iterator.rb
 - lib/warden/cognito/test_helpers.rb
 - lib/warden/cognito/token_authenticatable_strategy.rb
 - lib/warden/cognito/token_decoder.rb