zaikio-jwt_auth 0.1.1 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc049533f5e0a82a2fa15f189514a997ae95b2a5cda50a8142d28d4776bacba3
-  data.tar.gz: 9e0cd0c5aee054152abc83dfa717711ae0f3b4aedd53a1eae321091c3c2b0a9f
+  metadata.gz: d7b4d20c732061b0d41453bfa9f8b6b92bbeb6ff07dc146d17b0fd833356ca4a
+  data.tar.gz: c18a3da38ad85e0a04915ef11f865de78ea358ee8fa456d1244dde0bb3809d46
 SHA512:
-  metadata.gz: dd1cf4ac348ab2fba0d05a94e3accf3db35f3170043bf51953810ef3d19538e9be1ecd2a130f921f22bd1b4e5351b051b5c92f9c7f47b28b5bbb4cc4f04f036a
-  data.tar.gz: 9c0725178d406e5ce35c8af71b0c5f480739a65579b5c65d3fc8d0e79cba9714af14f64eb1e3e777f925f18d8314a8f61646dfac60d93eaf82d19c2cb5a9ac32
+  metadata.gz: df04a88a338e76b4ce746043e33ab172aa804d1e6b5079849325650ac0fe9f29f7c6d7b0aa9327e70f090b7e08c3acac21b9ad05da80356cf76c336c8f815d71
+  data.tar.gz: 58d19b43b1c68be4c983f3b03eaacac1d46ea3fdee6946b1151182ada650860c537761406db3352881103d5185b4827a835384de7288e4181174e856e1ca2da5

data/README.md

@@ -6,7 +6,7 @@ Gem for JWT-Based authentication and authorization with zaikio.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+1. Add this line to your application's Gemfile:
 
 ```ruby
 gem 'zaikio-jwt_auth'
@@ -22,7 +22,7 @@ Or install it yourself as:
 $ gem install zaikio-jwt_auth
 ```
 
-Configure the gem:
+2. Configure the gem:
 
 ```rb
 # config/initializers/zaikio_jwt_auth.rb
@@ -34,7 +34,7 @@ Zaikio::JWTAuth.configure do |config|
 end
 ```
 
-Extend your API application controller:
+3. Extend your API application controller:
 
 ```rb
 class API::ApplicationController < ActionController::Base
@@ -49,7 +49,42 @@ class API::ApplicationController < ActionController::Base
 end
 ```
 
-Add more restrictions to your resources:
+4. Update Revoked Access Tokens by Webhook
+
+```rb
+# ENV['ZAIKIO_SHARED_SECRET'] needs to be defined first, you can find it on your
+# app details page in zaikio. Fore more help read:
+# https://docs.zaikio.com/guide/loom/receiving-events.html
+class WebhooksController < ActionController::Base
+  include Zaikio::JWTAuth
+
+  before_action :verify_signature
+  before_action :update_blacklisted_access_tokens_by_webhook
+
+  def create
+    case params[:name]
+      # Manage other events
+    end
+
+    render json: { received: true }
+  end
+
+  private
+
+  def verify_signature
+    # Read More: https://docs.zaikio.com/guide/loom/receiving-events.html
+    unless ActiveSupport::SecurityUtils.secure_compare(
+      OpenSSL::HMAC.hexdigest("SHA256", "shared-secret", request.body.read),
+      request.headers["X-Loom-Signature"]
+    )
+      render json: { received: true }
+    end
+  end
+end
+```
+
+
+5. Add more restrictions to your resources:
 
 ```rb
 class API::ResourcesController < API::ApplicationController
@@ -57,3 +92,21 @@ class API::ResourcesController < API::ApplicationController
   authorize_by_jwt_scopes 'resources'
 end
 ```
+
+6. Optionally, if you are using SSO: Check revoked tokens
+
+Additionally, the API provides a method called `revoked_jwt?` which expects the `jti` of the JWT.
+
+```rb
+Zaikio::JWTAuth.revoked_jwt?('jti-of-token') # returns true if token was revoked
+```
+
+7. Optionally, use the test helper module to mock JWTs in your minitests
+
+```rb
+# in your test_helper.rb
+include Zaikio::JWTAuth::TestHelper
+
+# in your tests you can use:
+mock_jwt(sub: 'Organization/123', scope: ['directory.organization.r'])
+```

data/lib/zaikio/jwt_auth.rb

@@ -5,6 +5,7 @@ require "zaikio/jwt_auth/configuration"
 require "zaikio/jwt_auth/directory_cache"
 require "zaikio/jwt_auth/jwk"
 require "zaikio/jwt_auth/token_data"
+require "zaikio/jwt_auth/test_helper"
 
 module Zaikio
   module JWTAuth
@@ -17,18 +18,42 @@ module Zaikio
       yield(configuration)
     end
 
+    def self.revoked_jwt?(jti)
+      blacklisted_token_ids.include?(jti)
+    end
+
+    def self.blacklisted_token_ids
+      return [] if mocked_jwt_payload
+
+      return configuration.blacklisted_token_ids if configuration.blacklisted_token_ids
+
+      DirectoryCache.fetch("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes)["blacklisted_token_ids"]
+    end
+
     def self.included(base)
       base.send :include, InstanceMethods
       base.send :extend, ClassMethods
     end
 
+    def self.mocked_jwt_payload
+      @mocked_jwt_payload
+    end
+
+    def self.mocked_jwt_payload=(payload)
+      @mocked_jwt_payload = payload
+    end
+
     module ClassMethods
       def authorize_by_jwt_subject_type(type = nil)
         @authorize_by_jwt_subject_type ||= type
       end
 
-      def authorize_by_jwt_scopes(scopes = nil)
-        @authorize_by_jwt_scopes ||= scopes
+      def authorize_by_jwt_scopes(scopes = nil, options = {})
+        @authorize_by_jwt_scopes ||= []
+
+        @authorize_by_jwt_scopes << options.merge(scopes: scopes) if scopes
+
+        @authorize_by_jwt_scopes
       end
     end
 
@@ -51,23 +76,39 @@ module Zaikio
         render_error("invalid_jwt") && (return)
       end
 
+      def update_blacklisted_access_tokens_by_webhook
+        return unless params[:name] == "directory.revoked_access_token"
+
+        DirectoryCache.update("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes) do |data|
+          data["blacklisted_token_ids"] << params[:payload][:access_token_id]
+          data
+        end
+
+        render json: { received: true }
+      end
+
       private
 
       def jwt_from_auth_header
+        return true if Zaikio::JWTAuth.mocked_jwt_payload
+
         auth_header = request.headers["Authorization"]
         auth_header.split("Bearer ").last if /Bearer/.match?(auth_header)
       end
 
       def jwt_payload
+        return Zaikio::JWTAuth.mocked_jwt_payload if Zaikio::JWTAuth.mocked_jwt_payload
+
         payload, = JWT.decode(jwt_from_auth_header, nil, true, algorithms: ["RS256"], jwks: JWK.loader)
 
         payload
       end
 
       def show_error_if_authorize_by_jwt_scopes_fails(token_data)
-        if !self.class.authorize_by_jwt_scopes || token_data.scope?(self.class.authorize_by_jwt_scopes, action_name)
-          return
-        end
+        return if token_data.scope_by_configurations?(
+          self.class.authorize_by_jwt_scopes,
+          action_name
+        )
 
         render_error("unpermitted_scope")
       end
@@ -82,19 +123,11 @@ module Zaikio
       end
 
       def show_error_if_token_is_blacklisted(token_data)
-        return unless blacklisted_token_ids.include?(token_data.jti)
+        return unless Zaikio::JWTAuth.revoked_jwt?(token_data.jti)
 
         render_error("invalid_jwt")
       end
 
-      def blacklisted_token_ids
-        if Zaikio::JWTAuth.configuration.blacklisted_token_ids
-          return Zaikio::JWTAuth.configuration.blacklisted_token_ids
-        end
-
-        DirectoryCache.fetch("api/v1/blacklisted_token_ids.json", expires_after: 5.minutes)["blacklisted_token_ids"]
-      end
-
       def render_error(error, status: :forbidden)
         render(status: status, json: { "errors" => [error] })
       end

data/lib/zaikio/jwt_auth/directory_cache.rb

@@ -18,6 +18,19 @@ module Zaikio
           json["data"]
         end
 
+        def update(directory_path, options = {})
+          data = fetch(directory_path, options)
+          data = yield(data)
+          Zaikio::JWTAuth.configuration.redis.set("zaikio::jwt_auth::#{directory_path}", {
+            fetched_at: Time.now.to_i,
+            data: data
+          }.to_json)
+        end
+
+        def reset(directory_path)
+          Zaikio::JWTAuth.configuration.redis.del("zaikio::jwt_auth::#{directory_path}")
+        end
+
         private
 
         def cache_expired?(json, expires_after)

data/lib/zaikio/jwt_auth/test_helper.rb

@@ -0,0 +1,23 @@
+module Zaikio
+  module JWTAuth
+    module TestHelper
+      def after_setup
+        Zaikio::JWTAuth.mocked_jwt_payload = nil
+        super
+      end
+
+      def mock_jwt(extra_payload)
+        Zaikio::JWTAuth.mocked_jwt_payload = {
+          iss: "ZAI",
+          sub: nil,
+          aud: %w[test_app],
+          jti: "unique-access-token-id",
+          nbf: Time.now.to_i,
+          exp: 1.hour.from_now.to_i,
+          jku: "http://directory.zaikio.test/api/v1/jwt_public_keys.json",
+          scope: []
+        }.merge(extra_payload).stringify_keys
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/token_data.rb

@@ -17,6 +17,14 @@ module Zaikio
         @payload = payload
       end
 
+      def audience
+        audiences.first
+      end
+
+      def audiences
+        @payload["aud"] || []
+      end
+
       def scope
         @payload["scope"]
       end
@@ -25,11 +33,30 @@ module Zaikio
         @payload["jti"]
       end
 
-      def scope?(allowed_scopes, action_name)
+      # scope_options is an array of objects with:
+      # scope, app_name (optional), except/only (array, optional)
+      def scope_by_configurations?(scope_configurations, action_name)
+        configuration = scope_configurations.find do |scope_configuration|
+          if scope_configuration[:only]
+            Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
+          elsif scope_configuration[:except]
+            Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
+          else
+            true
+          end
+        end
+
+        return true unless configuration
+
+        scope?(configuration[:scopes], action_name, configuration[:app_name])
+      end
+
+      def scope?(allowed_scopes, action_name, app_name = nil)
+        app_name ||= Zaikio::JWTAuth.configuration.app_name
         Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|
           scope.any? do |s|
             parts = s.split(".")
-            parts[0] == Zaikio::JWTAuth.configuration.app_name &&
+            parts[0] == app_name &&
               parts[1] == allowed_scope &&
               action_in_permission?(action_name, parts[2])
           end

data/lib/zaikio/jwt_auth/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module JWTAuth
-    VERSION = "0.1.1".freeze
+    VERSION = "0.1.6".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.6
 platform: ruby
 authors:
 - Crispy Mountain GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-20 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oj
@@ -68,6 +68,7 @@ files:
 - lib/zaikio/jwt_auth/directory_cache.rb
 - lib/zaikio/jwt_auth/jwk.rb
 - lib/zaikio/jwt_auth/railtie.rb
+- lib/zaikio/jwt_auth/test_helper.rb
 - lib/zaikio/jwt_auth/token_data.rb
 - lib/zaikio/jwt_auth/version.rb
 homepage: https://www.zaikio.com/