aspera-cli 4.22.0 → 4.24.0

data/lib/aspera/keychain/encrypted_hash.rb

@@ -4,20 +4,21 @@ require 'aspera/hash_ext'
 require 'aspera/environment'
 require 'aspera/log'
 require 'aspera/assert'
+require 'aspera/keychain/base'
 require 'symmetric_encryption/core'
 require 'yaml'
 
 module Aspera
   module Keychain
     # Manage secrets in a simple Hash
-    class EncryptedHash
+    class EncryptedHash < Base
       LEGACY_CIPHER_NAME = 'aes-256-cbc'
       DEFAULT_CIPHER_NAME = 'aes-256-cbc'
       FILE_TYPE = 'encrypted_hash_vault'
-      CONTENT_KEYS = %i[label username password url description].freeze
       FILE_KEYS = %w[version type cipher data].sort.freeze
-      private_constant :LEGACY_CIPHER_NAME, :DEFAULT_CIPHER_NAME, :FILE_TYPE, :CONTENT_KEYS, :FILE_KEYS
+      private_constant :LEGACY_CIPHER_NAME, :DEFAULT_CIPHER_NAME, :FILE_TYPE, :FILE_KEYS
       def initialize(file:, password:)
+        super()
         Aspera.assert_type(file, String){'path to vault file'}
         @path = file
         @all_secrets = {}
@@ -38,9 +39,7 @@ module Aspera
         end
         # setting password also creates the cipher
         @cipher = cipher(password)
-        if !vault_encrypted_data.nil?
-          @all_secrets = YAML.load_stream(@cipher.decrypt(vault_encrypted_data)).first
-        end
+        @all_secrets = YAML.load_stream(@cipher.decrypt(vault_encrypted_data)).first if !vault_encrypted_data.nil?
       end
 
       def info
@@ -63,12 +62,7 @@ module Aspera
       # set a secret
       # @param options [Hash] with keys :label, :username, :password, :url, :description
       def set(options)
-        Aspera.assert_type(options, Hash){'options'}
-        unsupported = options.keys - CONTENT_KEYS
-        Aspera.assert(unsupported.empty?){"unsupported options: #{unsupported}"}
-        options.each_pair do |k, v|
-          Aspera.assert_type(v, String){k.to_s}
-        end
+        validate_set(options)
         label = options.delete(:label)
         raise "secret #{label} already exist, delete first" if @all_secrets.key?(label)
         @all_secrets[label] = options.symbolize_keys

data/lib/aspera/keychain/factory.rb

@@ -6,6 +6,11 @@ module Aspera
     class Factory
       LIST = %i[file system vault].freeze
       class << self
+        # Create a vault instance
+        # @param info     [Hash]   vault options
+        # @param name     [String] name of the vault
+        # @param folder   [String] folder to store the vault (if needed)
+        # @param password [String] password to open the vault
         def create(info, name, folder, password)
           Aspera.assert_type(info, Hash)
           Aspera.assert(info.values.all?(String)){'vault info shall have only string values'}
@@ -14,7 +19,7 @@ module Aspera
           Aspera.assert_values(vault_type, LIST.map(&:to_s)){'vault.type'}
           case vault_type
           when 'file'
-            info[:file] ||= 'vault.bin'
+            info[:file] = name || 'vault.bin'
             info[:file] = File.join(folder, info[:file]) unless File.absolute_path?(info[:file])
             Aspera.assert(!password.nil?){'please provide password'}
             info[:password] = password
@@ -22,15 +27,16 @@ module Aspera
             require 'aspera/keychain/encrypted_hash'
             @vault = Keychain::EncryptedHash.new(**info)
           when 'system'
-            case Environment.os
+            case Environment.instance.os
             when Environment::OS_MACOS
               info[:name] ||= name
               @vault = Keychain::MacosSystem.new(**info)
             else
-              raise 'not implemented for this OS'
+              raise Error, 'not implemented for this OS'
             end
           when 'vault'
             require 'aspera/keychain/hashicorp_vault'
+            info[:token] ||= password
             @vault = Keychain::HashicorpVault.new(**info)
           else Aspera.error_unexpected_value(vault_type)
           end

data/lib/aspera/keychain/hashicorp_vault.rb

@@ -3,17 +3,19 @@
 require 'aspera/environment'
 require 'aspera/log'
 require 'aspera/assert'
+require 'aspera/keychain/base'
 require 'vault'
 
 module Aspera
   module Keychain
     # Manage secrets in a Hashicorp Vault
-    class HashicorpVault
-      SECRET_PATH = 'secret/data/'
+    class HashicorpVault < Base
+      STORE_PATH = 'secret/data/'
 
-      private_constant :SECRET_PATH
+      private_constant :STORE_PATH
 
       def initialize(url:, token:)
+        super()
         Vault.configure do |config|
           config.address = url
           config.token = token
@@ -28,7 +30,7 @@ module Aspera
       end
 
       def list
-        metadata_path = SECRET_PATH.sub('/data/', '/metadata/')
+        metadata_path = STORE_PATH.sub('/data/', '/metadata/')
         return Vault.logical.list(metadata_path).filter_map do |label|
           get(label: label).merge(label: label)
         end
@@ -37,6 +39,7 @@ module Aspera
       # Set a secret
       # @param options [Hash] with keys :label, :username, :password, :url, :description
       def set(options)
+        validate_set(options)
         label = options.fetch(:label)
         data = {
           username:    options[:username],
@@ -51,7 +54,7 @@ module Aspera
         secret = Vault.logical.read(path(label))
         if secret.nil?
           raise "Secret '#{label}' not found" if exception
-          return nil
+          return
         end
         return secret.data[:data]
       end
@@ -64,7 +67,7 @@ module Aspera
       private
 
       def path(label)
-        "#{SECRET_PATH}#{label}"
+        "#{STORE_PATH}#{label}"
       end
     end
   end

data/lib/aspera/keychain/macos_security.rb

@@ -5,6 +5,7 @@ require 'aspera/cli/info'
 require 'aspera/log'
 require 'aspera/assert'
 require 'aspera/environment'
+require 'aspera/keychain/base'
 
 # enhance the gem to support other key chains
 module Aspera
@@ -37,13 +38,13 @@ module Aspera
           getpass:  :g
         }.freeze
         class << self
-          def execute(command, options=nil, supported=nil, last_opt=nil)
+          def execute(command, options = nil, supported = nil, last_opt = nil)
             url = options&.delete(:url)
             if !url.nil?
               uri = URI.parse(url)
               Aspera.assert(uri.scheme.eql?('https')){'only https'}
               options[:protocol] = 'htps' # cspell: disable-line
-              raise 'host required in URL' if uri.host.nil?
+              raise Error, 'host required in URL' if uri.host.nil?
               options[:server] = uri.host
               options[:path] = uri.path unless ['', '/'].include?(uri.path)
               options[:port] = uri.port unless uri.port.eql?(443) && !url.include?(':443/')
@@ -71,8 +72,8 @@ module Aspera
             key_chains(execute('login-keychain')).first
           end
 
-          def list(options={})
-            Aspera.assert_values(options[:domain], DOMAINS, exception_class: ArgumentError){'domain'} unless options[:domain].nil?
+          def list(options = {})
+            Aspera.assert_values(options[:domain], DOMAINS, type: ArgumentError){'domain'} unless options[:domain].nil?
             key_chains(execute('list-keychains', options, LIST_OPTIONS))
           end
 
@@ -122,9 +123,9 @@ module Aspera
       end
     end
 
-    class MacosSystem
-      OPTIONS = %i[label username password url description].freeze
+    class MacosSystem < Base
       def initialize(name: nil)
+        super()
         @keychain_name = name.nil? ? 'default keychain' : name
         @keychain = name.nil? ? MacosSecurity::Keychain.default : MacosSecurity::Keychain.by_name(name)
         raise "no such keychain #{name}" if @keychain.nil?
@@ -138,16 +139,15 @@ module Aspera
 
       def list
         # the only way to list is `dump-keychain` which triggers security alert
-        raise 'list not implemented, use macos keychain app'
+        raise Error, 'list not implemented, use macos keychain app'
       end
 
       def set(options)
-        Aspera.assert_type(options, Hash){'options'}
-        unsupported = options.keys - OPTIONS
-        Aspera.assert(unsupported.empty?){"unsupported options: #{unsupported}, use #{OPTIONS.join(', ')}"}
+        validate_set(options)
         @keychain.password(
           :add, :generic, service: options[:label],
-          account: options[:username] || 'none', password: options[:password], comment: options[:description])
+          account: options[:username] || 'none', password: options[:password], comment: options[:description]
+        )
       end
 
       def get(options)
@@ -155,7 +155,7 @@ module Aspera
         unsupported = options.keys - %i[label]
         Aspera.assert(unsupported.empty?){"unsupported options: #{unsupported}"}
         info = @keychain.password(:find, :generic, label: options[:label])
-        raise 'not found' if info.nil?
+        raise Error, 'not found' if info.nil?
         result = options.clone
         result[:secret] = info['password']
         result[:description] = info['icmt'] # cspell: disable-line
@@ -166,7 +166,7 @@ module Aspera
         Aspera.assert_type(options, Hash){'options'}
         unsupported = options.keys - %i[label]
         Aspera.assert(unsupported.empty?){"unsupported options: #{unsupported}"}
-        raise 'delete not implemented, use macos keychain app'
+        raise Error, 'delete not implemented, use macos keychain app'
       end
     end
   end

data/lib/aspera/log.rb

@@ -48,30 +48,57 @@ module Aspera
   # Singleton object for logging
   class Log
     include Singleton
+
     # Where logs are sent to
     LOG_TYPES = %i[stderr stdout syslog].freeze
-    @@format = :json # rubocop:disable Style/ClassVars
+    DEFAULT_FORMATTER = ->(s, _d, _p, m){"#{Log.color_level(s)} #{m}\n"}
+    FORMATTERS = {
+      standard: Logger::Formatter.new,
+      default:  DEFAULT_FORMATTER
+    }.freeze
     # Class methods
     class << self
+      def color_level(level)
+        case level
+        when :TRACE2 then 'TR2'.dim
+        when :TRACE1 then 'TR1'.blue
+        when :DEBUG then 'DBG'.cyan
+        when :INFO  then 'INF'.green
+        when :WARN  then 'WRN'.bg_brown.black
+        when :ERROR then 'ERR'.bg_red.blink
+        when :FATAL then 'FTL'.magenta
+        when :UNKNOWN then 'UKN'.blink
+        else Aspera.error_unexpected_value(level){'log level'}
+        end
+      end
+
       # levels are :debug,:info,:warn,:error,fatal,:unknown
       def levels; Logger::Severity.constants.sort{ |a, b| Logger::Severity.const_get(a) <=> Logger::Severity.const_get(b)}.map{ |c| c.downcase.to_sym}; end
 
       # get the logger object of singleton
       def log; instance.logger; end
 
-      # dump object suitable for Log.log.debug
-      # @param name string or symbol
-      # @param format either pp or json format
-      def dump(name, object)
-        result =
-          case @@format
-          when :json
-            JSON.pretty_generate(object) rescue PP.pp(object, +'')
-          when :ruby
-            PP.pp(object, +'')
-          else error_unexpected_value(@@format){'dump format'}
-          end
-        "#{name.to_s.green} (#{@@format})=\n#{result}"
+      # Dump object (`Hash`) using specified level
+      #
+      # @param name   [String, Symbol]  Name of object dumped
+      # @param object [Hash, nil]       Data to dump
+      # @param level  [Symbol]          Debug level
+      # @param block  [Proc, nil]       Give computed object
+      def dump(name, object = nil, level: :debug)
+        return unless instance.logger.send(:"#{level}?")
+        object = yield if block_given?
+        instance.logger.send(level, obj_dump(name, object))
+      end
+
+      def obj_dump(name, object)
+        dump_text = case instance.dump_format
+        when :json
+          JSON.pretty_generate(object) rescue PP.pp(object, +'')
+        when :ruby
+          PP.pp(object, +'')
+        else error_unexpected_value(instance.dump_format){'dump format'}
+        end
+        "#{name.to_s.green} (#{instance.dump_format})=\n#{dump_text}"
       end
 
       # Capture the output of $stderr and log it at debug level
@@ -86,13 +113,33 @@ module Aspera
     end
 
     attr_reader :logger_type, :logger
-    attr_writer :program_name
+    attr_accessor :dump_format
+
+    def program_name=(value)
+      @program_name = value
+      self.logger_type = @logger_type
+    end
 
     # Set log level of underlying logger given symbol level
     def level=(new_level)
       @logger.level = Logger::Severity.const_get(new_level.to_sym.upcase)
     end
 
+    def formatter=(formatter)
+      if formatter.is_a?(String)
+        raise Error, "Unknown formatter #{formatter}, use one of: #{FORMATTERS.keys.join(', ')}" unless FORMATTERS.key?(formatter.to_sym)
+        formatter = FORMATTERS[formatter.to_sym]
+      elsif !formatter.respond_to?(:call) && !formatter.is_a?(Logger::Formatter)
+        raise Error, 'Formatter must be a String, a Logger::Formatter or a Proc'
+      end
+      # Update formatter with password hiding
+      @logger.formatter = SecretHider.instance.log_formatter(formatter)
+    end
+
+    def formatter
+      @logger.formatter
+    end
+
     # Get symbol of debug level of underlying logger
     def level
       Logger::Severity.constants.each do |name|
@@ -108,9 +155,9 @@ module Aspera
       current_severity_integer = Logger::Severity::WARN if current_severity_integer.nil?
       case new_log_type
       when :stderr
-        @logger = Logger.new($stderr)
+        @logger = Logger.new($stderr, progname: @program_name, formatter: DEFAULT_FORMATTER)
       when :stdout
-        @logger = Logger.new($stdout)
+        @logger = Logger.new($stdout, progname: @program_name, formatter: DEFAULT_FORMATTER)
       when :syslog
         require 'syslog/logger'
         # the syslog class automatically creates methods from the severity names
@@ -121,13 +168,14 @@ module Aspera
         Logger::Severity.constants.each do |severity|
           Syslog::Logger.make_methods(severity.downcase)
         end
+        # Use `local2` facility, like other Aspera components
         @logger = Syslog::Logger.new(@program_name, Syslog::LOG_LOCAL2)
       else error_unexpected_value(new_log_type){"log type (#{LOG_TYPES.join(', ')})"}
       end
       @logger.level = current_severity_integer
       @logger_type = new_log_type
-      # Update formatter with password hiding
-      @logger.formatter = SecretHider.log_formatter(@logger.formatter)
+      # add secret hider to default logger
+      self.formatter = @logger.formatter
     end
 
     private
@@ -135,8 +183,10 @@ module Aspera
     def initialize
       @logger = nil
       @program_name = 'aspera'
+      @dump_format = :json
+      @logger_type = :stderr
       # This sets @logger and @logger_type (self needed to call method instead of local var)
-      self.logger_type = :stderr
+      self.logger_type = @logger_type
     end
   end
 end

data/lib/aspera/nagios.rb

@@ -36,9 +36,8 @@ module Aspera
         # build message: if multiple components: concatenate
         # message = data.map{|i|"#{i['component']}:#{i['message']}"}.join(', ').gsub("\n",' ')
         message = data
-          .map{ |i| i['component']}
-          .uniq
-          .map{ |comp| comp + ':' + data.select{ |d| d['component'].eql?(comp)}.map{ |d| d['message']}.join(',')}
+          .group_by{ |d| d['component']}
+          .map{ |comp, items| "#{comp}:#{items.map{ |d| d['message']}.join(',')}"}
           .join(', ')
           .tr("\n", ' ')
         status = data.first['status'].upcase
@@ -58,8 +57,8 @@ module Aspera
     # compare remote time with local time
     def check_time_offset(remote_date, component)
       # check date if specified : 2015-10-13T07:32:01Z
-      remote_time = DateTime.strptime(remote_date)
-      diff_time = (remote_time - DateTime.now).abs
+      remote_time = Time.strptime(remote_date)
+      diff_time = (remote_time - Time.now).abs
       diff_rounded = diff_time.round(-2)
       Log.log.debug{"DATE: #{remote_date} #{remote_time} diff=#{diff_rounded}"}
       msg = "offset #{diff_rounded} sec"
@@ -79,7 +78,7 @@ module Aspera
 
     # translate for display
     def result
-      raise 'missing result' if @data.empty?
+      Aspera.assert(!@data.empty?){'missing result'}
       {type: :object_list, data: @data.map{ |i| {'status' => LEVELS[i[:code]].to_s, 'component' => i[:comp], 'message' => i[:msg]}}}
     end
   end

data/lib/aspera/node_simulator.rb

@@ -119,9 +119,10 @@ module Aspera
           checksum:        nil,
           start_byte:      0,
           bytes_written:   26,
-          session_id:      'bafc72b8-366c-4501-8095-47208183d6b8'}]
+          session_id:      'bafc72b8-366c-4501-8095-47208183d6b8'
+        }]
       }
-      Log.log.trace2{Log.dump(:job, result)}
+      Log.dump(:job, result, level: :trace2)
       return result
     end
 
@@ -276,7 +277,8 @@ module Aspera
               token_encryption_key
               byok_enabled
               bandwidth_flow_network_rc_module
-              file_checksum_type],
+              file_checksum_type
+            ],
             server:   %w[
               activity_event_logging
               activity_file_event_logging
@@ -289,7 +291,8 @@ module Aspera
               discovery
               auto_delete
               allow
-              deny]
+              deny
+            ]
           },
           capabilities:                          [
             {name:  'sync', value: true},
@@ -302,7 +305,8 @@ module Aspera
             {name:  'aej_version', value: '1.0'},
             {name:  'page', value: true},
             {name:  'file_id_version', value: '2.0'},
-            {name:  'auto_delete', value: false}],
+            {name:  'auto_delete', value: false}
+          ],
           settings:                              [
             {name:  'content_protection_required', value: false},
             {name:  'content_protection_strong_pass_required', value: false},
@@ -310,7 +314,8 @@ module Aspera
             {name:  'ssh_fingerprint', value: nil},
             {name:  'wss_enabled', value: false},
             {name:  'wss_port', value: 443}
-          ]})
+          ]
+        })
       when PATH_TRANSFERS
         set_json_response(request, response, @simulator.all_sessions)
       when PATH_ONE_TRANSFER
@@ -325,7 +330,7 @@ module Aspera
       response.status = code
       response['Content-Type'] = Rest::MIME_JSON
       response.body = json.to_json
-      Log.log.trace1{Log.dump("response for #{request.request_method} #{request.path}", json)}
+      Log.log.trace1{Log.obj_dump("response for #{request.request_method} #{request.path}", json)}
     end
   end
 end

data/lib/aspera/oauth/base.rb

@@ -31,9 +31,11 @@ module Aspera
         cache_ids: nil,
         **rest_params
       )
-        Aspera.assert(respond_to?(:create_token), 'create_token method must be defined', exception_class: InternalError)
+        Aspera.assert(respond_to?(:create_token), 'create_token method must be defined', type: InternalError)
         # this is the OAuth API
         @api = Rest.new(**rest_params)
+        @scope = nil
+        @token_cache_id = nil
         @path_token = path_token
         @token_field = token_field
         @client_id = client_id
@@ -54,6 +56,8 @@ module Aspera
         @token_cache_id = Factory.cache_id(@api.base_url, self.class, @base_cache_ids, @scope)
       end
 
+      attr_reader :scope, :api, :path_token
+
       # helper method to create token as per RFC
       def create_token_call(creation_params)
         Log.log.debug{'Generating a new token'.bg_green}
@@ -82,7 +86,7 @@ module Aspera
 
       # @return value suitable for Authorization header
       def authorization(**kwargs)
-        return OAuth::Factory.bearer_build(token(**kwargs))
+        return OAuth::Factory.bearer_authorization(token(**kwargs))
       end
 
       # get an OAuth v2 token (generated, cached, refreshed)

data/lib/aspera/oauth/factory.rb

@@ -9,34 +9,40 @@ module Aspera
     # Factory to create tokens and manage their cache
     class Factory
       include Singleton
+
       # a prefix for persistency of tokens (simplify garbage collect)
       PERSIST_CATEGORY_TOKEN = 'token'
-      # prefix for bearer token when in header
-      BEARER_PREFIX = 'Bearer '
+      # prefix for bearer authorization when in header
+      SPACE_BEARER_AUTH_SCHEME = 'Bearer '
       TOKEN_FIELD = 'access_token'
 
-      private_constant :PERSIST_CATEGORY_TOKEN, :BEARER_PREFIX
+      private_constant :PERSIST_CATEGORY_TOKEN, :SPACE_BEARER_AUTH_SCHEME
 
       class << self
-        def bearer_build(token)
-          return "#{BEARER_PREFIX}#{token}"
+        # @param token [String] The token alone
+        # @return [String] Value suitable for Authorization header
+        def bearer_authorization(token)
+          return "#{SPACE_BEARER_AUTH_SCHEME}#{token}"
         end
 
-        def bearer?(token)
-          return token.start_with?(BEARER_PREFIX)
+        # @return true if the authorization contains a bearer token , i.e. auth scheme is bearer
+        def bearer_auth?(authorization)
+          return authorization.start_with?(SPACE_BEARER_AUTH_SCHEME)
         end
 
-        def bearer_extract(token)
-          Aspera.assert(bearer?(token)){'not a bearer token, wrong prefix'}
-          return token[BEARER_PREFIX.length..-1]
+        # Extract only token from Authorization (remove scheme)
+        def bearer_token(authorization)
+          Aspera.assert(bearer_auth?(authorization)){'not a bearer token, wrong prefix scheme'}
+          return authorization[SPACE_BEARER_AUTH_SCHEME.length..-1]
         end
 
-        # @return a cache identifier
+        # @return a unique cache identifier
         def cache_id(url, creator_class, *params)
           return IdGenerator.from_list([
             PERSIST_CATEGORY_TOKEN,
             url,
-            Factory.class_to_id(creator_class)] +
+            Factory.class_to_id(creator_class)
+          ] +
             params)
         end
 
@@ -53,6 +59,7 @@ module Aspera
         @persist = nil
         # token creation methods
         @token_type_classes = {}
+        # list of lambda
         @decoders = []
         # default parameters, others can be added by handlers
         @parameters = {
@@ -79,7 +86,7 @@ module Aspera
           Log.log.debug('Not using persistency')
           # create NULL persistency class
           @persist = Class.new do
-            def get(_x); nil; end; def delete(_x); nil; end; def put(_x, _y); nil; end; def garbage_collect(_x, _y); nil; end # rubocop:disable Layout/EmptyLineBetweenDefs, Style/Semicolon, Layout/LineLength
+            def get(_x); nil; end; def delete(_x); nil; end; def put(_x, _y); nil; end; def garbage_collect(_x, _y); nil; end # rubocop:disable Style/Semicolon
           end.new
         end
         return @persist
@@ -106,17 +113,17 @@ module Aspera
       # @return [Hash] token internal information , including Date object for `expiration_date`
       def get_token_info(id)
         token_raw_string = persist_mgr.get(id)
-        return nil if token_raw_string.nil?
+        return if token_raw_string.nil?
         token_data = JSON.parse(token_raw_string)
         Aspera.assert_type(token_data, Hash)
         decoded_token = decode_token(token_data[TOKEN_FIELD])
         info = {data: token_data}
-        Log.log.debug{Log.dump('decoded_token', decoded_token)}
+        Log.dump(:decoded_token, decoded_token)
         if decoded_token.is_a?(Hash)
           info[:decoded] = decoded_token
           # TODO: move date decoding to token decoder ?
           expiration_date =
-            if    decoded_token['expires_at'].is_a?(String) then DateTime.parse(decoded_token['expires_at']).to_time
+            if    decoded_token['expires_at'].is_a?(String) then Time.parse(decoded_token['expires_at']).to_time
             elsif decoded_token['exp'].is_a?(Integer)       then Time.at(decoded_token['exp'])
             end
           unless expiration_date.nil?
@@ -139,7 +146,7 @@ module Aspera
           result = decoder.call(token) rescue nil
           return result unless result.nil?
         end
-        return nil
+        return
       end
 
       # register a token creation method
@@ -163,6 +170,6 @@ module Aspera
       end
     end
     # JSON Web Signature (JWS) compact serialization: https://datatracker.ietf.org/doc/html/rfc7515
-    Factory.instance.register_decoder(lambda{ |token| parts = token.split('.'); Aspera.assert(parts.length.eql?(3)){'not JWS token'}; JSON.parse(Base64.decode64(parts[1]))}) # rubocop:disable Style/Semicolon, Layout/LineLength
+    Factory.instance.register_decoder(lambda{ |token| parts = token.split('.'); Aspera.assert(parts.length.eql?(3)){'not JWS token'}; JSON.parse(Base64.decode64(parts[1]))}) # rubocop:disable Style/Semicolon
   end
 end

data/lib/aspera/oauth/jwt.rb

@@ -3,6 +3,7 @@
 require 'aspera/oauth/base'
 require 'aspera/assert'
 require 'securerandom'
+require 'openssl'
 module Aspera
   module OAuth
     # remove 5 minutes to account for time offset between client and server (TODO: configurable?)
@@ -13,6 +14,17 @@ module Aspera
     # https://tools.ietf.org/html/rfc7523
     # https://tools.ietf.org/html/rfc7519
     class Jwt < Base
+      class << self
+        def generate_rsa_private_key(path:, length: DEFAULT_PRIV_KEY_LENGTH)
+          priv_key = OpenSSL::PKey::RSA.new(length)
+          File.write(path, priv_key.to_s)
+          File.write("#{path}.pub", priv_key.public_key.to_s)
+          Environment.restrict_file_access(path)
+          Environment.restrict_file_access("#{path}.pub")
+          nil
+        end
+      end
+      DEFAULT_PRIV_KEY_LENGTH = 4096
       GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
       # @param private_key_obj private key object
       # @param payload payload to be included in the JWT
@@ -45,7 +57,7 @@ module Aspera
           iat: seconds_since_epoch - OAuth::Factory.instance.parameters[:jwt_accepted_offset_sec] + 1, # issued at
           jti: SecureRandom.uuid # JWT id
         }.merge(@additional_payload)
-        Log.log.debug{Log.dump(:jwt_payload, jwt_payload)}
+        Log.dump(:jwt_payload, jwt_payload)
         Log.log.debug{"private=[#{@private_key_obj}]"}
         assertion = JWT.encode(jwt_payload, @private_key_obj, 'RS256', @headers)
         Log.log.debug{"assertion=[#{assertion}]"}

data/lib/aspera/oauth/url_json.rb

@@ -19,10 +19,10 @@ module Aspera
       end
 
       def create_token
-        @api.call(
+        api.call(
           operation:    'POST',
-          subpath:      @path_token,
-          query:        @query.merge(scope: @scope), # scope is here because it may change over time (node)
+          subpath:      path_token,
+          query:        @query.merge(scope: scope), # scope is here because it may change over time (node)
           content_type: Rest::MIME_JSON,
           body:         @body,
           headers:      {'Accept' => Rest::MIME_JSON}