Update tests for fine-grained ACLs

Author: bstopp

package-lock.json

@@ -29,11 +29,16 @@
     "url": "https://github.com/adobe/da-admin"
   },
   "license": "Apache-2.0",
+  "mocha": {
+    "require": [
+      "nock"
+    ]
+  },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.456.0",
     "@aws-sdk/s3-request-presigner": "^3.468.0",
     "@ssttevee/cfw-formdata-polyfill": "^0.2.1",
-    "jose": "^5.1.3"
+    "jose": "^5.9.6"
   },
   "devDependencies": {
     "@adobe/eslint-config-helix": "2.0.6",
@@ -52,6 +57,7 @@
     "husky": "^9.1.7",
     "lint-staged": "^15.4.3",
     "mocha": "^10.2.0",
+    "nock": "^14.0.1",
     "semantic-release": "^24.2.2",
     "wrangler": "^3.107.3"
   },

package.json

@@ -9,7 +9,7 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import { decodeJwt } from 'jose';
+import { createRemoteJWKSet, jwtVerify, jwksCache } from 'jose';
 
 export async function logout({ daCtx, env }) {
   await Promise.all(daCtx.users.map((u) => env.DA_AUTH.delete(u.ident)));
@@ -53,14 +53,77 @@ export async function setUser(userId, expiration, headers, env) {
   return value;
 }
 
+/**
+ * Retrieve cached IMS keys from KV Store
+ * @param {*} env
+ * @param {string} keysUrl
+ * @returns {Promise<import('jose').ExportedJWKSCache>}
+ */
+async function getPreviouslyCachedJWKS(env, keysUrl) {
+  const cachedJwks = await env.DA_AUTH.get(keysUrl);
+  if (!cachedJwks) return {};
+  return JSON.parse(cachedJwks);
+}
+
+/**
+ * Store new set of IMS keys in the KV Store
+ * @param {*} env
+ * @param {string} keysUrl
+ * @param {import('jose').ExportedJWKSCache} keysCache
+ * @returns {Promise<void>}
+ */
+async function storeJWSInCache(env, keysUrl, keysCache) {
+  try {
+    await env.DA_AUTH.put(
+      keysUrl,
+      JSON.stringify(keysCache),
+      {
+        expirationTtl: 24 * 60 * 60, // 24 hours in seconds
+      },
+    );
+  } catch (err) {
+    // An error may be thrown if a write to the same key is made within 1 second
+    // eslint-disable-next-line no-console
+    console.error('Failed to store keys in cache', err);
+  }
+}
+
 export async function getUsers(req, env) {
   const authHeader = req.headers?.get('authorization');
   if (!authHeader) return [{ email: 'anonymous' }];
 
   async function parseUser(token) {
     if (!token || token.trim().length === 0) return { email: 'anonymous' };
 
-    const { user_id: userId, created_at: createdAt, expires_in: expiresIn } = decodeJwt(token);
+    let payload;
+    try {
+      const keysURL = `${env.IMS_ORIGIN}/ims/keys`;
+
+      const keysCache = await getPreviouslyCachedJWKS(env, keysURL);
+      const { uat } = keysCache;
+
+      const jwks = createRemoteJWKSet(
+        new URL(keysURL),
+        {
+          [jwksCache]: keysCache,
+          cacheMaxAge: 24 * 60 * 60 * 1000, // 24 hours in milliseconds
+        },
+      );
+
+      ({ payload } = await jwtVerify(token, jwks));
+
+      if (uat !== keysCache.uat) {
+        await storeJWSInCache(env, keysURL, keysCache);
+      }
+    } catch (e) {
+      // eslint-disable-next-line no-console
+      console.log('IMS token offline verification failed', e);
+      return { email: 'anonymous' };
+    }
+
+    if (!payload) return { email: 'anonymous' };
+
+    const { user_id: userId, created_at: createdAt, expires_in: expiresIn } = payload;
     const expires = Number(createdAt) + Number(expiresIn);
     const now = Math.floor(new Date().getTime() / 1000);
 

src/utils/auth.js

@@ -25,6 +25,7 @@ const env = {
   S3_DEF_URL: 'https://s3.com',
   S3_ACCESS_KEY_ID: 'an-id',
   S3_SECRET_ACCESS_KEY: 'too-many-secrets',
+  IMS_ORIGIN: 'https://ims-na1.adobelogin.com',
   DA_AUTH: {
     get: (kvNamespace) => {
       return NAMESPACES[kvNamespace];

test/utils/mocks/env.js

@@ -9,15 +9,17 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-const decodeJwt = (token) => {
+const jwtVerify = (token) => {
   let [email, created_at = 0, expires_in = 0] = token.split(':');
   created_at += Math.floor(new Date().getTime() / 1000);
   expires_in += created_at;
   return {
-    user_id: email,
-    created_at,
-    expires_in: expires_in || created_at + 1000,
+    payload: {
+      user_id: email,
+      created_at,
+      expires_in: expires_in || created_at + 1000,
+    },
   };
 };
 
-export default { decodeJwt };
+export default { jwtVerify };