RubyGems - atlas_rb - Versions diffs - 1.3.8 → 1.3.9 - Mend

atlas_rb 1.3.8 → 1.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/.version +1 -1
data/Gemfile.lock +1 -1
data/README.md +8 -6
data/lib/atlas_rb/faraday_helper.rb +20 -19
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7f2a9947778ab6d15d96514cdeb949a82ffce8023f6fe0aeee39bfce1c198ce3
-  data.tar.gz: 864fd37a55f2275417dc5f45f1c60466b41baefc3351ed6f712c7f7dfdcda28d
+  metadata.gz: cf2f8c7f9ef316468a2544efe2f4471c23c547ae36d50b9abfee2efd03db38c8
+  data.tar.gz: 9da90557d04f84ddad26c05b6c50eab0d9a7378ccf57fbb37ba6b3e7e4355cd4
 SHA512:
-  metadata.gz: afef167fa0ed86fb7ebd4d28fe693fb41fe20f2ade2e9b96ce0f1109aec7340038b4a9c9425cf53d3463bc346aa9cf4fa90fd012cf3ad2636dad42784d040fa2
-  data.tar.gz: aec3edc7ce6cb88a6d9421b449e3420521073bd20083c86afa451d74c74d903c5dc222a85f0bff2bd2a87c094f06fe3066bae7f4b814fd367a6c0640e5a6800e
+  metadata.gz: 640d113ae6693aacb7d7d2a943634561281ebb5324d7db5284429673a48ff1ae9cbedda4d55b058710c497573e4c7c379dee18b08119925c5a0e7e73f7105088
+  data.tar.gz: 8e7209552ebc5b7b8db138809bd89ef077ac282342c39d483f1c125f68d757c155ff12865f7a1c24bb65040bf287eb13c7ecd81549117cb0cf01d3a1bf58cc79

data/.version CHANGED Viewed

	@@ -1 +1 @@
1	- 1.3.8
1	+ 1.3.9

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    atlas_rb (1.3.8)
+    atlas_rb (1.3.9)
       faraday (~> 2.7)
       faraday-follow_redirects (~> 0.3.0)
       faraday-multipart (~> 1)

data/README.md CHANGED Viewed

@@ -130,12 +130,14 @@ signs instead of sending `ATLAS_TOKEN` + `User:`. Otherwise it behaves exactly a
 before — so signing **coexists with `ATLAS_TOKEN` during cutover** (turn it on by
 configuring the key; roll back by clearing it).
-Two carve-outs keep the boundaries safe:
-- **Acting-as auto-falls-back to the `ATLAS_TOKEN` relay.** An `on_behalf_of`
-  request is *not* signed — Atlas rejects `On-Behalf-Of` on the assertion path
-  (403) until a signed `obo` claim ships, so the gem keeps acting-as on the
-  legacy relay rather than letting it 403.
+Two things to know:
+- **Acting-as rides a signed `obo` claim.** An `on_behalf_of` request is signed
+  with `sub` = the operator and `obo` = the target, inside the signature — so the
+  target can't be forged onto a stolen assertion, and no `On-Behalf-Of` header is
+  sent. Atlas admin-gates the operator and ignores any header obo on this path.
+  (Requires an Atlas on the signed-obo release; older Atlas would silently ignore
+  the claim — don't enable signing for acting-as traffic until Atlas is current.)
 - **`ATLAS_JWT` still wins.** A personal token (BYO-JWT) takes precedence over
   relay-signing.

data/lib/atlas_rb/faraday_helper.rb CHANGED Viewed

@@ -36,12 +36,16 @@ module AtlasRb
   # short-lived assertion (ES256, `iss=cerberus`, `aud=atlas`, `sub` = the
   # acting nuid) with Cerberus's private key — Atlas verifies it with the
   # public key. No `User:` header; identity is the proven `sub`. **Acting-as
-  # auto-falls-back to the legacy relay**: an `on_behalf_of` request is NOT
-  # signed (Atlas 403s `On-Behalf-Of` on the assertion path until a signed
-  # `obo` claim ships), so the boundary cannot be violated by a caller. Off
+  # rides a signed `obo` claim** inside the assertion (the target can't be forged
+  # onto a stolen assertion; Atlas admin-gates the operator and ignores any
+  # header obo on this path) — it is no longer punted to the legacy relay. Off
   # unless a signing key is configured (so it coexists with `ATLAS_TOKEN`
   # during cutover). `ATLAS_JWT`, if set, still wins over signing.
   #
+  # Requires an Atlas that verifies the signed `obo` claim (the signed-obo
+  # release); against an older Atlas an `obo` would be silently ignored, so
+  # don't enable signing for acting-as traffic until Atlas is on that version.
+  #
   # The module is mixed in via `extend`, so its methods become class methods on
   # the host (e.g. `AtlasRb::Work.connection({})`).
   module FaradayHelper
@@ -184,17 +188,17 @@ module AtlasRb
     end
     # A signed-assertion Authorization header (sub = acting nuid), or nil to
-    # defer to the legacy relay. nil when signing isn't configured, there is no
-    # acting nuid to put in `sub`, or this is an acting-as request — On-Behalf-Of
-    # stays on the cerberus_token relay (Atlas 403s it on the assertion path),
-    # so the boundary can't be violated by a caller.
+    # defer to the legacy relay. nil when signing isn't configured or there is no
+    # acting nuid to put in `sub`. Acting-as is carried IN the assertion as a
+    # signed `obo` claim (Atlas honours it on the assertion path as of the
+    # signed-obo release), so it is no longer punted to the cerberus_token relay.
     def signed_relay_headers(nuid, on_behalf_of)
-      return nil unless nuid && on_behalf_of.nil?
+      return nil unless nuid
       key = assertion_signing_key
       return nil unless key
-      { "Authorization" => "Bearer #{signed_assertion(nuid.to_s, key)}" }
+      { "Authorization" => "Bearer #{signed_assertion(nuid.to_s, key, on_behalf_of)}" }
     end
     # Legacy relay headers: ATLAS_TOKEN bearer + acting-user identity headers.
@@ -209,17 +213,14 @@ module AtlasRb
     # Mint a Cerberus relay assertion for `nuid`, signed ES256 with `key`. The
     # `kid` header tells Atlas which public key to verify against; iss/aud are
     # the fixed contract; the short TTL bounds replay; `jti` is forward-compat
-    # for an Atlas-side one-time cache.
-    def signed_assertion(nuid, key)
+    # for an Atlas-side one-time cache. When `on_behalf_of` is given, it rides as
+    # a SIGNED `obo` claim — acting-as that can't be forged onto a stolen
+    # assertion (Atlas admin-gates the operator and ignores any header obo here).
+    def signed_assertion(nuid, key, on_behalf_of = nil)
       now = Time.now.to_i
-      payload = {
-        "iss" => ASSERTION_ISSUER,
-        "aud" => ASSERTION_AUDIENCE,
-        "sub" => nuid,
-        "iat" => now,
-        "exp" => now + ASSERTION_TTL,
-        "jti" => SecureRandom.uuid
-      }
+      payload = { "iss" => ASSERTION_ISSUER, "aud" => ASSERTION_AUDIENCE, "sub" => nuid,
+                  "iat" => now, "exp" => now + ASSERTION_TTL, "jti" => SecureRandom.uuid,
+                  "obo" => on_behalf_of&.to_s }.compact # obo only when acting-as
       JWT.encode(payload, key, "ES256", { kid: assertion_signing_kid })
     end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: atlas_rb
 version: !ruby/object:Gem::Version
-  version: 1.3.8
+  version: 1.3.9
 platform: ruby
 authors:
 - David Cliff
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-14 00:00:00.000000000 Z
+date: 2026-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday