zaikio-jwt_auth 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e888abf5976a9f6837a1723da1f586f317add69e45caa8527c68c086e1f4c40
-  data.tar.gz: 3ccd16afb7cdc1e808b01dab786cf24cdab31e2eff44bffaa695a0c8231afad5
+  metadata.gz: 608b4341e5cb5797a302e65439882e050044fd2676b0fc01f7931783529ee032
+  data.tar.gz: 1dcaeb58daa1f352c352b8a3e65bab7e46618c4dba30f64af2141c25bb1f2dee
 SHA512:
-  metadata.gz: 36540e2d6588c39f994e4ae5dc62c2bb274d505feb32404f3d0dd7568c57f665024ed164686bc3056c5f236b4471f271917d2f42090d62a3685952010bf27ba9
-  data.tar.gz: 13447cfaf7386af9cbbfe83f54ccb0ffed13e310c9dd7fab94705ee1b321bf3d82daeb40a4ba9bb273dc313e355aaf822b33f702e5386674c5ce223cd629155f
+  metadata.gz: 2289f1f2fc4ddc1a84070f6df75ebbfb143b4b0634ff8a64d3c54cfa5fb2741de8734aaa398989fd9fb63a43dde8ccb4849fa497eee8f6e3a1897acd5fde4dcf
+  data.tar.gz: 4b935055a6461f2f2e22dec109634e41b40222773fb363811e76d29327eea22d81210a470e6d9865092473d114c1c21646a99bcbb0942cdc4e39229f7f4e8291

data/README.md

@@ -2,11 +2,9 @@
 
 Gem for JWT-Based authentication and authorization with zaikio.
 
-## Usage
-
 ## Installation
 
-1. Add this line to your application's Gemfile:
+### 1. Add this line to your application's Gemfile:
 
 ```ruby
 gem 'zaikio-jwt_auth'
@@ -22,7 +20,7 @@ Or install it yourself as:
 $ gem install zaikio-jwt_auth
 ```
 
-2. Configure the gem:
+### 2. Configure the gem:
 
 ```rb
 # config/initializers/zaikio_jwt_auth.rb
@@ -34,7 +32,7 @@ Zaikio::JWTAuth.configure do |config|
 end
 ```
 
-3. Extend your API application controller:
+### 3. Extend your API application controller:
 
 ```rb
 class API::ApplicationController < ActionController::Base
@@ -49,44 +47,59 @@ class API::ApplicationController < ActionController::Base
 end
 ```
 
-4. Update Revoked Access Tokens by Webhook
+### 4. Update Revoked Access Tokens by Webhook
+
+This gem automatically registers a webhook, if you have properly setup [Zaikio::Webhooks](https://github.com/crispymtn/zaikio-webhooks).
+
+
+### 5. Add more restrictions to your resources:
 
 ```rb
-# ENV['ZAIKIO_SHARED_SECRET'] needs to be defined first, you can find it on your
-# app details page in zaikio. Fore more help read:
-# https://docs.zaikio.com/guide/loom/receiving-events.html
-class WebhooksController < ActionController::Base
-  include Zaikio::JWTAuth
+class API::ResourcesController < API::ApplicationController
+  authorize_by_jwt_subject_type 'Organization'
+  authorize_by_jwt_scopes 'resources'
+end
+```
 
-  before_action :verify_signature
-  before_action :update_blacklisted_access_tokens_by_webhook
+### 6. Optionally, if you are using SSO: Check revoked tokens
 
-  def create
-    case params[:name]
-      # Manage other events
-    end
-  end
+Additionally, the API provides a method called `revoked_jwt?` which expects the `jti` of the JWT.
 
-  private
+```rb
+Zaikio::JWTAuth.revoked_jwt?('jti-of-token') # returns true if token was revoked
+```
 
-  def verify_signature
-    # Read More: https://docs.zaikio.com/guide/loom/receiving-events.html
-    unless ActiveSupport::SecurityUtils.secure_compare(
-      OpenSSL::HMAC.hexdigest("SHA256", "shared-secret", request.body.read),
-      request.headers["X-Loom-Signature"]
-    )
-      render status: :unauthorized, json: { errors: ["invalid_signature"] }
-    end
-  end
-end
+### 7. Optionally, use the test helper module to mock JWTs in your minitests
+
+```rb
+# in your test_helper.rb
+include Zaikio::JWTAuth::TestHelper
+
+# in your tests you can use:
+mock_jwt(sub: 'Organization/123', scope: ['directory.organization.r'])
 ```
 
+## Advanced
 
-5. Add more restrictions to your resources:
+### `only` and `except`
+
+Similar to Rails' controller callbacks, `authorize_by_jwt_scopes` can also be passed a list of actions:
 
 ```rb
 class API::ResourcesController < API::ApplicationController
   authorize_by_jwt_subject_type 'Organization'
-  authorize_by_jwt_scopes 'resources'
+  authorize_by_jwt_scopes 'resources', except: :destroy
+  authorize_by_jwt_scopes 'remove_resources', only: [:destroy]
+end
+```
+
+
+### `if` and `unless`
+
+Similar to Rails' controller callbacks, `authorize_by_jwt_scopes` can also handle a lambda in the context of the controller to request parameters.
+
+```rb
+class API::ResourcesController < API::ApplicationController
+  authorize_by_jwt_scopes 'resources', unless: -> { params[:skip] == '1' }
 end
 ```

data/app/jobs/zaikio/jwt_auth/revoke_access_token_job.rb

@@ -0,0 +1,12 @@
+module Zaikio
+  module JWTAuth
+    class RevokeAccessTokenJob < ApplicationJob
+      def perform(event)
+        DirectoryCache.update("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes) do |data|
+          data["blacklisted_token_ids"] << event.payload["access_token_id"]
+          data
+        end
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth.rb

@@ -5,6 +5,8 @@ require "zaikio/jwt_auth/configuration"
 require "zaikio/jwt_auth/directory_cache"
 require "zaikio/jwt_auth/jwk"
 require "zaikio/jwt_auth/token_data"
+require "zaikio/jwt_auth/engine"
+require "zaikio/jwt_auth/test_helper"
 
 module Zaikio
   module JWTAuth
@@ -14,21 +16,51 @@ module Zaikio
 
     def self.configure
       self.configuration ||= Configuration.new
+
+      if Zaikio.const_defined?("Webhooks")
+        Zaikio::Webhooks.on "directory.revoked_access_token", Zaikio::JWTAuth::RevokeAccessTokenJob,
+                            perform_now: true
+      end
+
       yield(configuration)
     end
 
+    def self.revoked_jwt?(jti)
+      blacklisted_token_ids.include?(jti)
+    end
+
+    def self.blacklisted_token_ids
+      return [] if mocked_jwt_payload
+
+      return configuration.blacklisted_token_ids if configuration.blacklisted_token_ids
+
+      DirectoryCache.fetch("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes)["blacklisted_token_ids"]
+    end
+
     def self.included(base)
       base.send :include, InstanceMethods
       base.send :extend, ClassMethods
     end
 
+    def self.mocked_jwt_payload
+      @mocked_jwt_payload
+    end
+
+    def self.mocked_jwt_payload=(payload)
+      @mocked_jwt_payload = payload
+    end
+
     module ClassMethods
       def authorize_by_jwt_subject_type(type = nil)
         @authorize_by_jwt_subject_type ||= type
       end
 
       def authorize_by_jwt_scopes(scopes = nil, options = {})
-        @authorize_by_jwt_scopes ||= options.merge(scopes: scopes)
+        @authorize_by_jwt_scopes ||= []
+
+        @authorize_by_jwt_scopes << options.merge(scopes: scopes) if scopes
+
+        @authorize_by_jwt_scopes
       end
     end
 
@@ -54,7 +86,7 @@ module Zaikio
       def update_blacklisted_access_tokens_by_webhook
         return unless params[:name] == "directory.revoked_access_token"
 
-        DirectoryCache.update("api/v1/blacklisted_token_ids.json", expires_after: 60.minutes) do |data|
+        DirectoryCache.update("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes) do |data|
           data["blacklisted_token_ids"] << params[:payload][:access_token_id]
           data
         end
@@ -65,19 +97,26 @@ module Zaikio
       private
 
       def jwt_from_auth_header
+        return true if Zaikio::JWTAuth.mocked_jwt_payload
+
         auth_header = request.headers["Authorization"]
         auth_header.split("Bearer ").last if /Bearer/.match?(auth_header)
       end
 
       def jwt_payload
+        return Zaikio::JWTAuth.mocked_jwt_payload if Zaikio::JWTAuth.mocked_jwt_payload
+
         payload, = JWT.decode(jwt_from_auth_header, nil, true, algorithms: ["RS256"], jwks: JWK.loader)
 
         payload
       end
 
       def show_error_if_authorize_by_jwt_scopes_fails(token_data)
-        scope_data = self.class.authorize_by_jwt_scopes
-        return if !scope_data[:scopes] || token_data.scope?(scope_data[:scopes], action_name, scope_data[:app_name])
+        return if token_data.scope_by_configurations?(
+          self.class.authorize_by_jwt_scopes,
+          action_name,
+          self
+        )
 
         render_error("unpermitted_scope")
       end
@@ -92,19 +131,11 @@ module Zaikio
       end
 
       def show_error_if_token_is_blacklisted(token_data)
-        return unless blacklisted_token_ids.include?(token_data.jti)
+        return unless Zaikio::JWTAuth.revoked_jwt?(token_data.jti)
 
         render_error("invalid_jwt")
       end
 
-      def blacklisted_token_ids
-        if Zaikio::JWTAuth.configuration.blacklisted_token_ids
-          return Zaikio::JWTAuth.configuration.blacklisted_token_ids
-        end
-
-        DirectoryCache.fetch("api/v1/blacklisted_token_ids.json", expires_after: 60.minutes)["blacklisted_token_ids"]
-      end
-
       def render_error(error, status: :forbidden)
         render(status: status, json: { "errors" => [error] })
       end

data/lib/zaikio/jwt_auth/configuration.rb

@@ -18,6 +18,7 @@ module Zaikio
 
       def initialize
         @environment = :sandbox
+        @blacklisted_token_ids = nil
       end
 
       def logger

data/lib/zaikio/jwt_auth/engine.rb

@@ -0,0 +1,9 @@
+module Zaikio
+  module JWTAuth
+    class Engine < ::Rails::Engine
+      isolate_namespace Zaikio::JWTAuth
+      engine_name "zaikio_jwt_auth"
+      config.generators.api_only = true
+    end
+  end
+end

data/lib/zaikio/jwt_auth/test_helper.rb

@@ -0,0 +1,23 @@
+module Zaikio
+  module JWTAuth
+    module TestHelper
+      def after_setup
+        Zaikio::JWTAuth.mocked_jwt_payload = nil
+        super
+      end
+
+      def mock_jwt(extra_payload)
+        Zaikio::JWTAuth.mocked_jwt_payload = {
+          iss: "ZAI",
+          sub: nil,
+          aud: %w[test_app],
+          jti: "unique-access-token-id",
+          nbf: Time.now.to_i,
+          exp: 1.hour.from_now.to_i,
+          jku: "http://directory.zaikio.test/api/v1/jwt_public_keys.json",
+          scope: []
+        }.merge(extra_payload).stringify_keys
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/token_data.rb

@@ -33,6 +33,36 @@ module Zaikio
         @payload["jti"]
       end
 
+      # scope_options is an array of objects with:
+      # scope, app_name (optional), except/only (array, optional)
+      def scope_by_configurations?(scope_configurations, action_name, context)
+        configuration = scope_configurations.find do |scope_configuration|
+          action_matches = action_matches_config?(scope_configuration, action_name)
+
+          if action_matches && scope_configuration[:if] && !context.instance_exec(&scope_configuration[:if])
+            false
+          elsif action_matches && scope_configuration[:unless] && context.instance_exec(&scope_configuration[:unless])
+            false
+          else
+            action_matches
+          end
+        end
+
+        return true unless configuration
+
+        scope?(configuration[:scopes], action_name, configuration[:app_name])
+      end
+
+      def action_matches_config?(scope_configuration, action_name)
+        if scope_configuration[:only]
+          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
+        elsif scope_configuration[:except]
+          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
+        else
+          true
+        end
+      end
+
       def scope?(allowed_scopes, action_name, app_name = nil)
         app_name ||= Zaikio::JWTAuth.configuration.app_name
         Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|

data/lib/zaikio/jwt_auth/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module JWTAuth
-    VERSION = "0.1.3".freeze
+    VERSION = "0.2.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - Crispy Mountain GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-03 00:00:00.000000000 Z
+date: 2020-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oj
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.1
+        version: 6.0.2.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.1
+        version: 6.0.2.2
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -62,12 +62,15 @@ files:
 - MIT-LICENSE
 - README.md
 - Rakefile
+- app/jobs/zaikio/jwt_auth/revoke_access_token_job.rb
 - lib/tasks/zaikio/jwt_auth_tasks.rake
 - lib/zaikio/jwt_auth.rb
 - lib/zaikio/jwt_auth/configuration.rb
 - lib/zaikio/jwt_auth/directory_cache.rb
+- lib/zaikio/jwt_auth/engine.rb
 - lib/zaikio/jwt_auth/jwk.rb
 - lib/zaikio/jwt_auth/railtie.rb
+- lib/zaikio/jwt_auth/test_helper.rb
 - lib/zaikio/jwt_auth/token_data.rb
 - lib/zaikio/jwt_auth/version.rb
 homepage: https://www.zaikio.com/