zaikio-jwt_auth 0.1.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3e888abf5976a9f6837a1723da1f586f317add69e45caa8527c68c086e1f4c40
+  data.tar.gz: 3ccd16afb7cdc1e808b01dab786cf24cdab31e2eff44bffaa695a0c8231afad5
+SHA512:
+  metadata.gz: 36540e2d6588c39f994e4ae5dc62c2bb274d505feb32404f3d0dd7568c57f665024ed164686bc3056c5f236b4471f271917d2f42090d62a3685952010bf27ba9
+  data.tar.gz: 13447cfaf7386af9cbbfe83f54ccb0ffed13e310c9dd7fab94705ee1b321bf3d82daeb40a4ba9bb273dc313e355aaf822b33f702e5386674c5ce223cd629155f

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 Jalyna
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,92 @@
+# Zaikio::JWTAuth
+
+Gem for JWT-Based authentication and authorization with zaikio.
+
+## Usage
+
+## Installation
+
+1. Add this line to your application's Gemfile:
+
+```ruby
+gem 'zaikio-jwt_auth'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install zaikio-jwt_auth
+```
+
+2. Configure the gem:
+
+```rb
+# config/initializers/zaikio_jwt_auth.rb
+
+Zaikio::JWTAuth.configure do |config|
+  config.environment = :sandbox # or production
+  config.app_name = "test_app" # Your Zaikio App-Name
+  config.redis = Redis.new
+end
+```
+
+3. Extend your API application controller:
+
+```rb
+class API::ApplicationController < ActionController::Base
+  include Zaikio::JWTAuth
+
+  before_action :authenticate_by_jwt
+
+  def after_jwt_auth(token_data)
+    klass = token_data.subject_type == 'Organization' ? Organization : Person
+    Current.scope = klass.find(token_data.subject_id)
+  end
+end
+```
+
+4. Update Revoked Access Tokens by Webhook
+
+```rb
+# ENV['ZAIKIO_SHARED_SECRET'] needs to be defined first, you can find it on your
+# app details page in zaikio. Fore more help read:
+# https://docs.zaikio.com/guide/loom/receiving-events.html
+class WebhooksController < ActionController::Base
+  include Zaikio::JWTAuth
+
+  before_action :verify_signature
+  before_action :update_blacklisted_access_tokens_by_webhook
+
+  def create
+    case params[:name]
+      # Manage other events
+    end
+  end
+
+  private
+
+  def verify_signature
+    # Read More: https://docs.zaikio.com/guide/loom/receiving-events.html
+    unless ActiveSupport::SecurityUtils.secure_compare(
+      OpenSSL::HMAC.hexdigest("SHA256", "shared-secret", request.body.read),
+      request.headers["X-Loom-Signature"]
+    )
+      render status: :unauthorized, json: { errors: ["invalid_signature"] }
+    end
+  end
+end
+```
+
+
+5. Add more restrictions to your resources:
+
+```rb
+class API::ResourcesController < API::ApplicationController
+  authorize_by_jwt_subject_type 'Organization'
+  authorize_by_jwt_scopes 'resources'
+end
+```

data/Rakefile

@@ -0,0 +1,37 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+require 'rubocop/rake_task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Zaikio::JWTAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test
+
+namespace :test do
+  desc 'Runs RuboCop on specified directories'
+  RuboCop::RakeTask.new(:rubocop) do |task|
+    task.fail_on_error = false
+  end
+end
+
+Rake::Task[:test].enhance ['test:rubocop']

data/lib/tasks/zaikio/jwt_auth_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :zaikio_jwt_auth do
+#   # Task goes here
+# end

data/lib/zaikio/jwt_auth.rb

@@ -0,0 +1,113 @@
+require "jwt"
+require "oj"
+require "zaikio/jwt_auth/railtie"
+require "zaikio/jwt_auth/configuration"
+require "zaikio/jwt_auth/directory_cache"
+require "zaikio/jwt_auth/jwk"
+require "zaikio/jwt_auth/token_data"
+
+module Zaikio
+  module JWTAuth
+    class << self
+      attr_accessor :configuration
+    end
+
+    def self.configure
+      self.configuration ||= Configuration.new
+      yield(configuration)
+    end
+
+    def self.included(base)
+      base.send :include, InstanceMethods
+      base.send :extend, ClassMethods
+    end
+
+    module ClassMethods
+      def authorize_by_jwt_subject_type(type = nil)
+        @authorize_by_jwt_subject_type ||= type
+      end
+
+      def authorize_by_jwt_scopes(scopes = nil, options = {})
+        @authorize_by_jwt_scopes ||= options.merge(scopes: scopes)
+      end
+    end
+
+    module InstanceMethods
+      def authenticate_by_jwt
+        render_error("no_jwt_passed", status: :unauthorized) && return unless jwt_from_auth_header
+
+        token_data = TokenData.new(jwt_payload)
+
+        return if show_error_if_token_is_blacklisted(token_data)
+
+        return if show_error_if_authorize_by_jwt_subject_type_fails(token_data)
+
+        return if show_error_if_authorize_by_jwt_scopes_fails(token_data)
+
+        send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth)
+      rescue JWT::ExpiredSignature
+        render_error("jwt_expired") && (return)
+      rescue JWT::DecodeError
+        render_error("invalid_jwt") && (return)
+      end
+
+      def update_blacklisted_access_tokens_by_webhook
+        return unless params[:name] == "directory.revoked_access_token"
+
+        DirectoryCache.update("api/v1/blacklisted_token_ids.json", expires_after: 60.minutes) do |data|
+          data["blacklisted_token_ids"] << params[:payload][:access_token_id]
+          data
+        end
+
+        render json: { received: true }
+      end
+
+      private
+
+      def jwt_from_auth_header
+        auth_header = request.headers["Authorization"]
+        auth_header.split("Bearer ").last if /Bearer/.match?(auth_header)
+      end
+
+      def jwt_payload
+        payload, = JWT.decode(jwt_from_auth_header, nil, true, algorithms: ["RS256"], jwks: JWK.loader)
+
+        payload
+      end
+
+      def show_error_if_authorize_by_jwt_scopes_fails(token_data)
+        scope_data = self.class.authorize_by_jwt_scopes
+        return if !scope_data[:scopes] || token_data.scope?(scope_data[:scopes], action_name, scope_data[:app_name])
+
+        render_error("unpermitted_scope")
+      end
+
+      def show_error_if_authorize_by_jwt_subject_type_fails(token_data)
+        if !self.class.authorize_by_jwt_subject_type ||
+           self.class.authorize_by_jwt_subject_type == token_data.subject_type
+          return
+        end
+
+        render_error("unpermitted_subject")
+      end
+
+      def show_error_if_token_is_blacklisted(token_data)
+        return unless blacklisted_token_ids.include?(token_data.jti)
+
+        render_error("invalid_jwt")
+      end
+
+      def blacklisted_token_ids
+        if Zaikio::JWTAuth.configuration.blacklisted_token_ids
+          return Zaikio::JWTAuth.configuration.blacklisted_token_ids
+        end
+
+        DirectoryCache.fetch("api/v1/blacklisted_token_ids.json", expires_after: 60.minutes)["blacklisted_token_ids"]
+      end
+
+      def render_error(error, status: :forbidden)
+        render(status: status, json: { "errors" => [error] })
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/configuration.rb

@@ -0,0 +1,49 @@
+require "logger"
+
+module Zaikio
+  module JWTAuth
+    class Configuration
+      HOSTS = {
+        development: "http://directory.zaikio.test",
+        test: "http://directory.zaikio.test",
+        staging: "https://directory.staging.zaikio.com",
+        sandbox: "https://directory.sandbox.zaikio.com",
+        production: "https://directory.zaikio.com"
+      }.freeze
+
+      attr_accessor :app_name
+      attr_accessor :redis, :host
+      attr_reader :environment
+      attr_writer :logger, :blacklisted_token_ids, :keys
+
+      def initialize
+        @environment = :sandbox
+      end
+
+      def logger
+        @logger ||= Logger.new(STDOUT)
+      end
+
+      def environment=(env)
+        @environment = env.to_sym
+        @host = host_for(environment)
+      end
+
+      def keys
+        @keys.is_a?(Proc) ? @keys.call : @keys
+      end
+
+      def blacklisted_token_ids
+        @blacklisted_token_ids.is_a?(Proc) ? @blacklisted_token_ids.call : @blacklisted_token_ids
+      end
+
+      private
+
+      def host_for(environment)
+        HOSTS.fetch(environment) do
+          raise StandardError.new, "Invalid Zaikio::JWTAuth environment '#{environment}'"
+        end
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/directory_cache.rb

@@ -0,0 +1,67 @@
+require "net/http"
+require "json"
+require "logger"
+
+module Zaikio
+  module JWTAuth
+    class DirectoryCache
+      class << self
+        def fetch(directory_path, options = {})
+          cache = Zaikio::JWTAuth.configuration.redis.get("zaikio::jwt_auth::#{directory_path}")
+
+          json = Oj.load(cache) if cache
+
+          if !cache || options[:invalidate] || cache_expired?(json, options[:expires_after])
+            return reload(directory_path)
+          end
+
+          json["data"]
+        end
+
+        def update(directory_path, options = {})
+          data = fetch(directory_path, options)
+          data = yield(data)
+          Zaikio::JWTAuth.configuration.redis.set("zaikio::jwt_auth::#{directory_path}", {
+            fetched_at: Time.now.to_i,
+            data: data
+          }.to_json)
+        end
+
+        def reset(directory_path)
+          Zaikio::JWTAuth.configuration.redis.del("zaikio::jwt_auth::#{directory_path}")
+        end
+
+        private
+
+        def cache_expired?(json, expires_after)
+          DateTime.strptime(json["fetched_at"].to_s, "%s") < Time.now.utc - (expires_after || 1.hour)
+        end
+
+        def reload(directory_path)
+          retries = 0
+
+          begin
+            data = fetch_from_directory(directory_path)
+            Zaikio::JWTAuth.configuration.redis.set("zaikio::jwt_auth::#{directory_path}", {
+              fetched_at: Time.now.to_i,
+              data: data
+            }.to_json)
+
+            data
+          rescue Errno::ECONNREFUSED, Net::ReadTimeout => e
+            raise unless (retries += 1) <= 3
+
+            Zaikio::JWTAuth.configuration.logger.log("Timeout (#{e}), retrying in 1 second...")
+            sleep(1)
+            retry
+          end
+        end
+
+        def fetch_from_directory(directory_path)
+          uri = URI("#{Zaikio::JWTAuth.configuration.host}/#{directory_path}")
+          Oj.load(Net::HTTP.get(uri))
+        end
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/jwk.rb

@@ -0,0 +1,44 @@
+require "net/http"
+require "json"
+require "logger"
+
+module Zaikio
+  module JWTAuth
+    class JWK
+      CACHE_EXPIRES_AFTER = 1.hour.freeze
+
+      class << self
+        def loader
+          lambda do |options|
+            reload_keys if options[:invalidate]
+            {
+              keys: keys.map do |key_data|
+                JWT::JWK.import(key_data.with_indifferent_access).export
+              end
+            }
+          end
+        end
+
+        private
+
+        def reload_keys
+          return if Zaikio::JWTAuth.configuration.keys
+
+          fetch_from_cache(invalidate: true)
+        end
+
+        def keys
+          return Zaikio::JWTAuth.configuration.keys if Zaikio::JWTAuth.configuration.keys
+
+          fetch_from_cache["keys"]
+        end
+
+        def fetch_from_cache(options = {})
+          DirectoryCache.fetch("api/v1/jwt_public_keys.json", {
+            expires_after: CACHE_EXPIRES_AFTER
+          }.merge(options))
+        end
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/railtie.rb

@@ -0,0 +1,6 @@
+module Zaikio
+  module JWTAuth
+    class Railtie < ::Rails::Railtie
+    end
+  end
+end

data/lib/zaikio/jwt_auth/token_data.rb

@@ -0,0 +1,75 @@
+module Zaikio
+  module JWTAuth
+    class TokenData
+      def self.subject_format
+        %r{^((\w+)/((\w|-)+)\>)?(\w+)/((\w|-)+)$}
+      end
+
+      def self.actions_by_permission
+        {
+          "r" => %w[show index],
+          "w" => %w[update create destroy],
+          "rw" => %w[show index update create destroy]
+        }.freeze
+      end
+
+      def initialize(payload)
+        @payload = payload
+      end
+
+      def audience
+        audiences.first
+      end
+
+      def audiences
+        @payload["aud"] || []
+      end
+
+      def scope
+        @payload["scope"]
+      end
+
+      def jti
+        @payload["jti"]
+      end
+
+      def scope?(allowed_scopes, action_name, app_name = nil)
+        app_name ||= Zaikio::JWTAuth.configuration.app_name
+        Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|
+          scope.any? do |s|
+            parts = s.split(".")
+            parts[0] == app_name &&
+              parts[1] == allowed_scope &&
+              action_in_permission?(action_name, parts[2])
+          end
+        end
+      end
+
+      def subject_id
+        subject_match[6]
+      end
+
+      def subject_type
+        subject_match[5]
+      end
+
+      def on_behalf_of_id
+        subject_match[3]
+      end
+
+      def on_behalf_of_type
+        subject_match[2]
+      end
+
+      def subject_match
+        self.class.subject_format.match(@payload["sub"]) || []
+      end
+
+      private
+
+      def action_in_permission?(action_name, permission)
+        self.class.actions_by_permission[permission].include?(action_name)
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/version.rb

@@ -0,0 +1,5 @@
+module Zaikio
+  module JWTAuth
+    VERSION = "0.1.3".freeze
+  end
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: zaikio-jwt_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.3
+platform: ruby
+authors:
+- Crispy Mountain GmbH
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-02-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: oj
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 6.0.1
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.1
+description: JWT-Based authentication and authorization with zaikio.
+email:
+- js@crispymtn.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/tasks/zaikio/jwt_auth_tasks.rake
+- lib/zaikio/jwt_auth.rb
+- lib/zaikio/jwt_auth/configuration.rb
+- lib/zaikio/jwt_auth/directory_cache.rb
+- lib/zaikio/jwt_auth/jwk.rb
+- lib/zaikio/jwt_auth/railtie.rb
+- lib/zaikio/jwt_auth/token_data.rb
+- lib/zaikio/jwt_auth/version.rb
+homepage: https://www.zaikio.com/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: JWT-Based authentication and authorization with zaikio
+test_files: []