From a12ae7843f9a1482d9be4f8c85f42205f162c26a Mon Sep 17 00:00:00 2001
From: "Yann Esposito (Yogsototh)"
Date: Mon, 30 Oct 2017 16:38:37 +0100
Subject: [PATCH] Initial commit

---
 .gitignore | 11 ++
 CHANGELOG.md | 3 +
 LICENSE | 214 +++++++++++++++++++++
 README.org | 72 +++++++
 doc/intro.md | 3 +
 project.clj | 7 +
 src/ring_api_key_middleware/core.clj | 27 +++
 test/ring_api_key_middleware/core_test.clj | 43 +++++
 8 files changed, 380 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 CHANGELOG.md
 create mode 100644 LICENSE
 create mode 100644 README.org
 create mode 100644 doc/intro.md
 create mode 100644 project.clj
 create mode 100644 src/ring_api_key_middleware/core.clj
 create mode 100644 test/ring_api_key_middleware/core_test.clj

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c53038e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+/target
+/classes
+/checkouts
+pom.xml
+pom.xml.asc
+*.jar
+*.class
+/.lein-*
+/.nrepl-port
+.hgignore
+.hg/
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..1e49df4
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,3 @@
+# Change Log
+All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/).
+
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d921d3d
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,214 @@ +THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC +LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM +CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + +1. DEFINITIONS + +"Contribution" means: + +a) in the case of the initial Contributor, the initial code and +documentation distributed under this Agreement, and + +b) in the case of each subsequent Contributor: + +i) changes to the Program, and + +ii) additions to the Program; + +where such changes and/or additions to the Program originate from and are +distributed by that particular Contributor. A Contribution 'originates' from +a Contributor if it was added to the Program by such Contributor itself or +anyone acting on such Contributor's behalf. Contributions do not include +additions to the Program which: (i) are separate modules of software +distributed in conjunction with the Program under their own license +agreement, and (ii) are not derivative works of the Program. + +"Contributor" means any person or entity that distributes the Program. + +"Licensed Patents" mean patent claims licensable by a Contributor which are +necessarily infringed by the use or sale of its Contribution alone or when +combined with the Program. + +"Program" means the Contributions distributed in accordance with this +Agreement. + +"Recipient" means anyone who receives the Program under this Agreement, +including all Contributors. + +2. GRANT OF RIGHTS + +a) Subject to the terms of this Agreement, each Contributor hereby grants +Recipient a non-exclusive, worldwide, royalty-free copyright license to +reproduce, prepare derivative works of, publicly display, publicly perform, +distribute and sublicense the Contribution of such Contributor, if any, and +such derivative works, in source code and object code form. 
+ +b) Subject to the terms of this Agreement, each Contributor hereby grants +Recipient a non-exclusive, worldwide, royalty-free patent license under +Licensed Patents to make, use, sell, offer to sell, import and otherwise +transfer the Contribution of such Contributor, if any, in source code and +object code form. This patent license shall apply to the combination of the +Contribution and the Program if, at the time the Contribution is added by the +Contributor, such addition of the Contribution causes such combination to be +covered by the Licensed Patents. The patent license shall not apply to any +other combinations which include the Contribution. No hardware per se is +licensed hereunder. + +c) Recipient understands that although each Contributor grants the licenses +to its Contributions set forth herein, no assurances are provided by any +Contributor that the Program does not infringe the patent or other +intellectual property rights of any other entity. Each Contributor disclaims +any liability to Recipient for claims brought by any other entity based on +infringement of intellectual property rights or otherwise. As a condition to +exercising the rights and licenses granted hereunder, each Recipient hereby +assumes sole responsibility to secure any other intellectual property rights +needed, if any. For example, if a third party patent license is required to +allow Recipient to distribute the Program, it is Recipient's responsibility +to acquire that license before distributing the Program. + +d) Each Contributor represents that to its knowledge it has sufficient +copyright rights in its Contribution, if any, to grant the copyright license +set forth in this Agreement. + +3. 
REQUIREMENTS + +A Contributor may choose to distribute the Program in object code form under +its own license agreement, provided that: + +a) it complies with the terms and conditions of this Agreement; and + +b) its license agreement: + +i) effectively disclaims on behalf of all Contributors all warranties and +conditions, express and implied, including warranties or conditions of title +and non-infringement, and implied warranties or conditions of merchantability +and fitness for a particular purpose; + +ii) effectively excludes on behalf of all Contributors all liability for +damages, including direct, indirect, special, incidental and consequential +damages, such as lost profits; + +iii) states that any provisions which differ from this Agreement are offered +by that Contributor alone and not by any other party; and + +iv) states that source code for the Program is available from such +Contributor, and informs licensees how to obtain it in a reasonable manner on +or through a medium customarily used for software exchange. + +When the Program is made available in source code form: + +a) it must be made available under this Agreement; and + +b) a copy of this Agreement must be included with each copy of the Program. + +Contributors may not remove or alter any copyright notices contained within +the Program. + +Each Contributor must identify itself as the originator of its Contribution, +if any, in a manner that reasonably allows subsequent Recipients to identify +the originator of the Contribution. + +4. COMMERCIAL DISTRIBUTION + +Commercial distributors of software may accept certain responsibilities with +respect to end users, business partners and the like. While this license is +intended to facilitate the commercial use of the Program, the Contributor who +includes the Program in a commercial product offering should do so in a +manner which does not create potential liability for other Contributors. 
+Therefore, if a Contributor includes the Program in a commercial product +offering, such Contributor ("Commercial Contributor") hereby agrees to defend +and indemnify every other Contributor ("Indemnified Contributor") against any +losses, damages and costs (collectively "Losses") arising from claims, +lawsuits and other legal actions brought by a third party against the +Indemnified Contributor to the extent caused by the acts or omissions of such +Commercial Contributor in connection with its distribution of the Program in +a commercial product offering. The obligations in this section do not apply +to any claims or Losses relating to any actual or alleged intellectual +property infringement. In order to qualify, an Indemnified Contributor must: +a) promptly notify the Commercial Contributor in writing of such claim, and +b) allow the Commercial Contributor to control, and cooperate with the +Commercial Contributor in, the defense and any related settlement +negotiations. The Indemnified Contributor may participate in any such claim +at its own expense. + +For example, a Contributor might include the Program in a commercial product +offering, Product X. That Contributor is then a Commercial Contributor. If +that Commercial Contributor then makes performance claims, or offers +warranties related to Product X, those performance claims and warranties are +such Commercial Contributor's responsibility alone. Under this section, the +Commercial Contributor would have to defend claims against the other +Contributors related to those performance claims and warranties, and if a +court requires any other Contributor to pay any damages as a result, the +Commercial Contributor must pay those damages. + +5. 
NO WARRANTY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON +AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER +EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR +CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A +PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the +appropriateness of using and distributing the Program and assumes all risks +associated with its exercise of rights under this Agreement , including but +not limited to the risks and costs of program errors, compliance with +applicable laws, damage to or loss of data, programs or equipment, and +unavailability or interruption of operations. + +6. DISCLAIMER OF LIABILITY + +EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY +CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION +LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE +EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY +OF SUCH DAMAGES. + +7. GENERAL + +If any provision of this Agreement is invalid or unenforceable under +applicable law, it shall not affect the validity or enforceability of the +remainder of the terms of this Agreement, and without further action by the +parties hereto, such provision shall be reformed to the minimum extent +necessary to make such provision valid and enforceable. 
+ +If Recipient institutes patent litigation against any entity (including a +cross-claim or counterclaim in a lawsuit) alleging that the Program itself +(excluding combinations of the Program with other software or hardware) +infringes such Recipient's patent(s), then such Recipient's rights granted +under Section 2(b) shall terminate as of the date such litigation is filed. + +All Recipient's rights under this Agreement shall terminate if it fails to +comply with any of the material terms or conditions of this Agreement and +does not cure such failure in a reasonable period of time after becoming +aware of such noncompliance. If all Recipient's rights under this Agreement +terminate, Recipient agrees to cease use and distribution of the Program as +soon as reasonably practicable. However, Recipient's obligations under this +Agreement and any licenses granted by Recipient relating to the Program shall +continue and survive. + +Everyone is permitted to copy and distribute copies of this Agreement, but in +order to avoid inconsistency the Agreement is copyrighted and may only be +modified in the following manner. The Agreement Steward reserves the right to +publish new versions (including revisions) of this Agreement from time to +time. No one other than the Agreement Steward has the right to modify this +Agreement. The Eclipse Foundation is the initial Agreement Steward. The +Eclipse Foundation may assign the responsibility to serve as the Agreement +Steward to a suitable separate entity. Each new version of the Agreement will +be given a distinguishing version number. The Program (including +Contributions) may always be distributed subject to the version of the +Agreement under which it was received. In addition, after a new version of +the Agreement is published, Contributor may elect to distribute the Program +(including its Contributions) under the new version. 
Except as expressly +stated in Sections 2(a) and 2(b) above, Recipient receives no rights or +licenses to the intellectual property of any Contributor under this +Agreement, whether expressly, by implication, estoppel or otherwise. All +rights in the Program not expressly granted under this Agreement are +reserved. + +This Agreement is governed by the laws of the State of New York and the +intellectual property laws of the United States of America. No party to this +Agreement will bring a legal action under this Agreement more than one year +after the cause of action arose. Each party waives its rights to a jury trial +in any resulting litigation. diff --git a/README.org b/README.org new file mode 100644 index 0000000..ed5580e --- /dev/null +++ b/README.org 
@@ -0,0 +1,72 @@
+[[https://travis-ci.org/threatgrid/ring-jwt-middleware][https://travis-ci.org/threatgrid/ring-api-key-middleware.png?branch=master]]
+
+* =ring-api-key-middleware=
+
+A simple middleware to authenticate users using API Key
+
+** Features
+
+- the function to check the validity of API Key should be provided and not part
+ of this middleware.
+
+** Usage
+
+*** Middleware & options
+
+Use =wrap-api-key-auth-fn= to create an instance of the middleware,
+wrap your routes with it:
+
+#+BEGIN_SRC clojure
+(defn get-auth-from-api-key [token]
+ (when (= token "secret-api-key")
+ {:user "user-01"
+ :groups ["admin-id" "user-id"]
+ :username "username"
+ :group-names ["admin" "users"]
+ :admin true
+ :auth-type :api-key}))
+(def app
+ (wrap-api-key-auth-fn handler get-auth-from-api-key))
+#+END_SRC
+
+When configured like this all requests with the header:
+
+#+BEGIN_SRC
+Authorization: apiKey secret-api-key
+#+END_SRC
+
+will be modified to be passed to the handler with the new key `:api-key-info`
+containing:
+
+#+BEGIN_SRC clojure
+{:user "user-01"
+ :groups ["admin-id" "user-id"]
+ :username "username"
+ :group-names ["admin" "users"]
+ :admin true}
+#+END_SRC
+
+If the header contain an Authorization header with an unknown `api-key` the
+request will be rejected with a 403.
+
+#+BEGIN_SRC
+Authorization: apiKey unknown-api-key
+#+END_SRC
+
+If the header contain something with another authorization kind or no
+authorization header like:
+
+#+BEGIN_SRC
+Authorization: Bearer something-else
+#+END_SRC
+
+Then the request will be passed to the handler without any `api-key-info`. This
+provide the ability for other authentication middleware to be used. Deciding
+what to do about authenticated or non-authenticated user is left for another
+middleware or to be handled by the app handler.
+
+
+** License
+
+Copyright © 2015-2017 Cisco Systems
+Eclipse Public License v1.0
diff --git a/doc/intro.md b/doc/intro.md
new file mode 100644
index 0000000..ff7336b
--- /dev/null
+++ b/doc/intro.md
@@ -0,0 +1,3 @@
+# Introduction to ring-api-key-middleware
+
+TODO: write [great documentation](http://jacobian.org/writing/what-to-write/)
diff --git a/project.clj b/project.clj
new file mode 100644
index 0000000..e0cb057
--- /dev/null
+++ b/project.clj
@@ -0,0 +1,7 @@
+(defproject threatgrid/ring-api-key-middleware "0.1.0"
+ :description "A simple middleware to deal with API keys Authentication"
+ :url "http://github.com/threatgrid/ring-api-key-middleware"
+ :license {:name "Eclipse Public License - v 1.0"
+ :url "http://www.eclipse.org/legal/epl-v10.html"
+ :distribution :repo}
+ :dependencies [[org.clojure/clojure "1.8.0"]])
diff --git a/src/ring_api_key_middleware/core.clj b/src/ring_api_key_middleware/core.clj
new file mode 100644
index 0000000..d8e4671
--- /dev/null
+++ b/src/ring_api_key_middleware/core.clj
@@ -0,0 +1,27 @@
+(ns ring-api-key-middleware.core
+ (:require [clojure.string :as s]))
+
+(defn get-api-key
+ "Given a ring request extract an api-key if it exists"
+ [request]
+ (when-let [auth-header (get-in request [:headers "authorization"])]
+ (when-let [token (s/starts-with? auth-header "apiKey ")]
+ (s/replace-first auth-header #"^apiKey " ""))))
+
+(defn unauthorized
+ "401 Unauthorized (ClientError)
+ Authentication is possible but has failed or not yet been provided"
+ [body]
+ {:status 401
+ :headers {}
+ :body body})
+
+(defn wrap-api-key-fn
+ "I check "
+ [handler get-infos]
+ (fn [request]
+ (if-let [api-key (get-api-key request)]
+ (if-let [infos (get-infos api-key)]
+ (handler (assoc request :api-key-infos infos))
+ (unauthorized "wrong access key"))
+ (handler request))))
diff --git a/test/ring_api_key_middleware/core_test.clj b/test/ring_api_key_middleware/core_test.clj
new file mode 100644
index 0000000..4706676
--- /dev/null
+++ b/test/ring_api_key_middleware/core_test.clj
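Review bot: The docstring of `wrap-api-key-fn` in core.clj is the placeholder `"I check "`, so the middleware's actual contract — a request carrying `Authorization: apiKey <key>` reaches `handler` with `:api-key-infos` bound to `(get-infos api-key)`, a key for which `get-infos` returns nil is answered with the 401 from `unauthorized` and never reaches `handler`, and any other or absent Authorization header passes the request through untouched — can only be recovered from the test file; replace the placeholder with a docstring stating those three outcomes. That matters here because the README in the same commit documents the key as `:api-key-info`, the wrapper as `wrap-api-key-auth-fn` and the rejection as a 403, none of which match this hunk, so the docstring is the one place that pins the real names and status. In `get-api-key`, `(when-let [token (s/starts-with? auth-header "apiKey ")]` binds a boolean that is never read; `(when (s/starts-with? auth-header "apiKey ")` expresses the same check without the dead binding. The response built by `unauthorized` carries `:headers {}`, while a 401 is expected to include a `WWW-Authenticate` challenge (RFC 7235); either add `:headers {"WWW-Authenticate" "apiKey"}` or note in its docstring that the challenge is deliberately left to the caller.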
@@ -0,0 +1,43 @@
+(ns ring-api-key-middleware.core-test
+ (:require [clojure.test :refer :all]
+ [ring-api-key-middleware.core :refer :all]))
+
+(deftest get-api-key-test
+ (testing "If recover correctly authorization header from a request"
+ (is (= (get-api-key {:headers {"authorization" "apiKey foo"}})
+ "foo")
+ "the right API should be parsed correctly")
+ (is (nil? (get-api-key {:headers {"authorization" "Bearer foo"}}))
+ "Wrong header style shouldn't return any api-key")
+ (is (nil? (get-api-key {:headers {"authorization" " apiKey foo"}}))
+ "space at the begining of the header is forbidden")))
+
+(deftest wrap-api-key-fn-test
+ (testing "test the middleware"
+ (let [request-with-known-auth {:headers {"authorization" "apiKey foo"}}
+ request-with-unknown-auth {:headers {"authorization" "apiKey bar"}}
+ request-with-other-auth {:headers {"authorization" "Bearer foo"}}
+ request-with-no-auth {}
+
+ check-is-foo (fn [x] (when (= x "foo") {:user "UserFoo"}))]
+ (is (= ((wrap-api-key-fn identity check-is-foo)
+ request-with-known-auth)
+ (assoc request-with-known-auth
+ :api-key-infos {:user "UserFoo"}))
+ "apiKey foo should provide the user UserFoo")
+
+ (is (= (:status
+ ((wrap-api-key-fn identity check-is-foo)
+ request-with-unknown-auth))
+ 401)
+ "bad API Key are refused")
+
+ (is (= ((wrap-api-key-fn identity check-is-foo)
+ request-with-other-auth)
+ request-with-other-auth)
+ "When not using apiKey Authorization kind, the middleware should let the request pass as-is to the handler")
+
+ (is (= ((wrap-api-key-fn identity check-is-foo)
+ request-with-no-auth)
+ request-with-no-auth)
+ "When no Authorization header is used the middleware should let the request pass as-is to the handler"))))
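Review bot: The tests never pin what happens for a header that is exactly `apiKey ` with nothing after the scheme: `get-api-key` then returns `""`, which is truthy in Clojure, so `wrap-api-key-fn` calls `get-infos` with the empty string and, with `check-is-foo`, answers 401 instead of passing the request through. If that is the intended outcome, adding `(is (= (get-api-key {:headers {"authorization" "apiKey "}}) ""))` to `get-api-key-test` and `(is (= 401 (:status ((wrap-api-key-fn identity check-is-foo) {:headers {"authorization" "apiKey "}}))))` to `wrap-api-key-fn-test` documents it. The scheme match is also case-sensitive (`"apikey foo"` or `"APIKEY foo"` yields nil and the request passes through unauthenticated), which no assertion states; whether that is deliberate is worth recording in a test, since RFC 7235 treats auth-scheme names as case-insensitive. The assertion message `space at the begining of the header is forbidden` has a typo (`beginning`).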