authorZach Smith <zach@driver.xyz>2017-05-03 17:42:45 -0700
committerZach Smith <zach@driver.xyz>2017-05-24 13:50:04 -0700
commite6858db64f9a1c0121aed972cf7426a746eb7175 (patch)
tree08608fa9819a849568c5af87df6b2bada1ecc915 /src/test/scala/xyz/driver/core/AuthTest.scala
parent5a71d0074285f44bc7fa0adfb90efd469c20ff83 (diff)
Update AuthProvider to use cached permissions token
Diffstat (limited to 'src/test/scala/xyz/driver/core/AuthTest.scala')
-rw-r--r--src/test/scala/xyz/driver/core/AuthTest.scala71
1 files changed, 52 insertions, 19 deletions
diff --git a/src/test/scala/xyz/driver/core/AuthTest.scala b/src/test/scala/xyz/driver/core/AuthTest.scala
index ad8cec8..441b9c8 100644
--- a/src/test/scala/xyz/driver/core/AuthTest.scala
+++ b/src/test/scala/xyz/driver/core/AuthTest.scala
@@ -3,39 +3,49 @@ package xyz.driver.core
import akka.http.scaladsl.model.headers.{HttpChallenges, RawHeader}
import akka.http.scaladsl.server.AuthenticationFailedRejection.CredentialsRejected
import akka.http.scaladsl.server.Directives._
-import akka.http.scaladsl.server._
+import akka.http.scaladsl.server.{RequestContext => _, _}
import akka.http.scaladsl.testkit.ScalatestRouteTest
import org.scalatest.mock.MockitoSugar
import org.scalatest.{FlatSpec, Matchers}
+import pdi.jwt.{Jwt, JwtAlgorithm}
import xyz.driver.core.auth._
import xyz.driver.core.logging._
-import xyz.driver.core.rest.{AuthProvider, Authorization, ServiceRequestContext}
+import xyz.driver.core.rest.{AuthProvider, AuthenticatedRequestContext, Authorization, RequestContext}
import scala.concurrent.Future
import scalaz.OptionT
class AuthTest extends FlatSpec with Matchers with MockitoSugar with ScalatestRouteTest {
- case object TestRoleAllowedPermission extends Permission
- case object TestRoleNotAllowedPermission extends Permission
+ case object TestRoleAllowedPermission extends Permission
+ case object TestRoleAllowedByTokenPermission extends Permission
+ case object TestRoleNotAllowedPermission extends Permission
val TestRole = Role(Id("1"), Name("testRole"))
- implicit val exec = scala.concurrent.ExecutionContext.global
+ val (publicKey, privateKey) = {
+ import java.security.KeyPairGenerator
- val authorization: Authorization = new Authorization {
- override def userHasPermission(user: User, permission: Permission)(
- implicit ctx: ServiceRequestContext): Future[Boolean] = {
- Future.successful(permission === TestRoleAllowedPermission)
- }
+ val keygen = KeyPairGenerator.getInstance("RSA")
+ keygen.initialize(2048)
+
+ val keyPair = keygen.generateKeyPair()
+ (keyPair.getPublic, keyPair.getPrivate)
}
- val authStatusService = new AuthProvider[User](authorization, NoLogger) {
+ val authorization: Authorization[User] = new Authorization[User] {
- override def isSessionValid(user: User)(implicit ctx: ServiceRequestContext): Future[Boolean] =
- Future.successful(true)
+ override def userHasPermissions(permissions: Seq[Permission])(
+ implicit ctx: AuthenticatedRequestContext[User]): OptionT[Future,
+ (Map[Permission, Boolean], PermissionsToken)] = {
+ val permissionsMap = permissions.map(p => p -> (p === TestRoleAllowedPermission)).toMap
+ val token = PermissionsToken("TODO")
+ OptionT.optionT(Future.successful(Option((permissionsMap, token))))
+ }
+ }
- override def authenticatedUser(implicit ctx: ServiceRequestContext): OptionT[Future, User] =
+ val authStatusService = new AuthProvider[User](authorization, publicKey, NoLogger) {
+ override def authenticatedUser(implicit ctx: RequestContext): OptionT[Future, User] =
OptionT.optionT[Future] {
if (ctx.contextHeaders.keySet.contains(AuthProvider.AuthenticationTokenHeader)) {
Future.successful(Some(BasicUser(Id[User]("1"), Set(TestRole))))
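Review bot: `PermissionsToken("TODO")` in the `userHasPermissions` stub is a placeholder literal with nothing marking it as such; presumably this is the token `AuthProvider` hands back to the caller, and since none of the tests in this file assert on it, a reader cannot tell whether "TODO" is deliberate or an unfinished fixture. A one-line comment such as `// stub token: issuance/return of the permissions token is not exercised by these tests` (or a named constant like `StubPermissionsToken`) would make the intent explicit. The class body continues outside the hunk.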
@@ -47,7 +57,7 @@ class AuthTest extends FlatSpec with Matchers with MockitoSugar with ScalatestRo
import authStatusService._
- "'authorize' directive" should "throw error is auth token is not in the request" in {
+ "'authorize' directive" should "throw error if auth token is not in the request" in {
Get("/naive/attempt") ~>
authorize(TestRoleAllowedPermission) { user =>
@@ -59,7 +69,7 @@ class AuthTest extends FlatSpec with Matchers with MockitoSugar with ScalatestRo
}
}
- it should "throw error is authorized user is not having the requested permission" in {
+ it should "throw error if authorized user does not have the requested permission" in {
val referenceAuthToken = AuthToken("I am a test role's token")
@@ -85,12 +95,35 @@ class AuthTest extends FlatSpec with Matchers with MockitoSugar with ScalatestRo
Get("/valid/attempt/?a=2&b=5").addHeader(
RawHeader(AuthProvider.AuthenticationTokenHeader, referenceAuthToken.value)
) ~>
- authorize(TestRoleAllowedPermission) { user =>
- complete("Alright, user \"" + user.id + "\" is authorized")
+ authorize(TestRoleAllowedPermission) { ctx =>
+ complete(s"Alright, user ${ctx.authenticatedUser.id} is authorized")
+ } ~>
+ check {
+ handled shouldBe true
+ responseAs[String] shouldBe "Alright, user 1 is authorized"
+ }
+ }
+
+ it should "authorize permission found in permissions token" in {
+ import spray.json._
+
+ val claim = JsObject(Map(
+ "iss" -> JsString("users"),
+ "sub" -> JsString("1"),
+ "permissions" -> JsObject(Map(TestRoleAllowedByTokenPermission.toString -> JsBoolean(true)))
+ )).prettyPrint
+ val permissionsToken = PermissionsToken(Jwt.encode(claim, privateKey, JwtAlgorithm.RS256))
+ val referenceAuthToken = AuthToken("I am token")
+
+ Get("/alic/attempt/?a=2&b=5")
+ .addHeader(RawHeader(AuthProvider.AuthenticationTokenHeader, referenceAuthToken.value))
+ .addHeader(RawHeader(AuthProvider.PermissionsTokenHeader, permissionsToken.value)) ~>
+ authorize(TestRoleAllowedByTokenPermission) { ctx =>
+ complete(s"Alright, user ${ctx.authenticatedUser.id} is authorized by permissions token")
} ~>
check {
handled shouldBe true
- responseAs[String] shouldBe "Alright, user \"1\" is authorized"
+ responseAs[String] shouldBe "Alright, user 1 is authorized by permissions token"
}
}
}
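Review bot: The new "authorize permission found in permissions token" test only exercises the accepting path: a claim signed with `privateKey` for `TestRoleAllowedByTokenPermission` is granted. There is no companion test that a token signed with a different key, or one whose claim was altered after signing, is rejected by `authStatusService`, so a regression that weakens signature verification against `publicKey` would not be caught by this file. Generating a second, unrelated key pair and asserting that the same request is rejected (or that `handled` is false / the rejection is `CredentialsRejected`, whichever the provider produces) would close that gap; the claim also carries no `exp`, so expiry handling, if the provider implements it, is likewise unexercised. Separately, the request path `"/alic/attempt/?a=2&b=5"` looks like a typo of `"/valid/attempt/?a=2&b=5"` used by the neighbouring test; it does not affect the outcome but is worth aligning.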