auth0 4.10.0 → 4.15.0

data/lib/auth0/api/v2.rb

@@ -6,6 +6,7 @@ require 'auth0/api/v2/connections'
 require 'auth0/api/v2/device_credentials'
 require 'auth0/api/v2/emails'
 require 'auth0/api/v2/jobs'
+require 'auth0/api/v2/prompts'
 require 'auth0/api/v2/rules'
 require 'auth0/api/v2/roles'
 require 'auth0/api/v2/stats'
@@ -15,6 +16,7 @@ require 'auth0/api/v2/user_blocks'
 require 'auth0/api/v2/tenants'
 require 'auth0/api/v2/tickets'
 require 'auth0/api/v2/logs'
+require 'auth0/api/v2/log_streams'
 require 'auth0/api/v2/resource_servers'
 require 'auth0/api/v2/guardian'
 
@@ -30,6 +32,7 @@ module Auth0
       include Auth0::Api::V2::DeviceCredentials
       include Auth0::Api::V2::Emails
       include Auth0::Api::V2::Jobs
+      include Auth0::Api::V2::Prompts
       include Auth0::Api::V2::Rules
       include Auth0::Api::V2::Roles
       include Auth0::Api::V2::Stats
@@ -39,6 +42,7 @@ module Auth0
       include Auth0::Api::V2::Tenants
       include Auth0::Api::V2::Tickets
       include Auth0::Api::V2::Logs
+      include Auth0::Api::V2::LogStreams
       include Auth0::Api::V2::ResourceServers
       include Auth0::Api::V2::Guardian
     end

data/lib/auth0/api/v2/log_streams.rb

@@ -0,0 +1,78 @@
+module Auth0
+  module Api
+    module V2
+      # Methods to use the log streams endpoints
+      module LogStreams
+        attr_reader :log_streams_path
+
+        # Retrieves a list of all log streams.
+        # @see https://auth0.com/docs/api/management/v2#!/Log_Streams/get_log_streams
+        # @return [json] Returns the log streams.
+        def log_streams()
+          get(log_streams_path)
+        end
+        alias get_log_streams log_streams
+
+        # Retrieves a log stream by its ID.
+        # @see https://auth0.com/docs/api/management/v2#!/Log_Streams/get_log_streams_by_id
+        # @param id [string] The id of the log stream to retrieve.
+        #
+        # @return [json] Returns the log stream.
+        def log_stream(id)
+          raise Auth0::InvalidParameter, 'Must supply a valid log stream id' if id.to_s.empty?
+          path = "#{log_streams_path}/#{id}"
+          get(path)
+        end
+        alias get_log_stream log_stream
+
+        # Creates a new log stream according to the JSON object received in body.
+        # @see https://auth0.com/docs/api/management/v2#!/Log_Streams/post_log_streams
+        # @param name [string] The name of the log stream.
+        # @param type [string] The type of log stream
+        # @param options [hash] The Hash options used to define the log streams's properties.
+        #
+        # @return [json] Returns the log stream.
+        def create_log_stream(name, type, options)
+          raise Auth0::InvalidParameter, 'Name must contain at least one character' if name.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must specify a valid type' if type.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid hash for options' unless options.is_a? Hash
+
+          request_params = {}
+          request_params[:name] = name
+          request_params[:type] = type
+          request_params[:sink] = options
+          post(log_streams_path, request_params)
+        end
+
+        # Deletes a log stream by its ID.
+        # @see https://auth0.com/docs/api/management/v2#!/Log_Streams/delete_log_streams_by_id
+        # @param id [string] The id of the log stream to delete.
+        def delete_log_stream(id)
+          raise Auth0::InvalidParameter, 'Must supply a valid log stream id' if id.to_s.empty?
+          path = "#{log_streams_path}/#{id}"
+          delete(path)
+        end
+
+        # Updates a log stream.
+        # @see https://auth0.com/docs/api/management/v2#!/Log_Streams/patch_log_streams_by_id
+        # @param id [string] The id or audience of the log stream to update.
+        # @param status [string] The Hash options used to define the log streams's properties.
+        def patch_log_stream(id, status)
+          raise Auth0::InvalidParameter, 'Must specify a log stream id' if id.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must specify a valid status' if status.to_s.empty?
+
+          request_params = {}
+          request_params[:status] = status
+          path = "#{log_streams_path}/#{id}"
+          patch(path, request_params)
+        end
+        
+        private
+        # Log Streams API path
+        def log_streams_path
+          @log_streams_path ||= '/api/v2/log-streams'
+        end
+      end
+    end
+  end
+end

data/lib/auth0/api/v2/prompts.rb

@@ -0,0 +1,70 @@
+module Auth0
+  module Api
+    module V2
+      module Prompts
+        attr_reader :prompts_path
+
+        # Get prompts settings.
+        # @see https://auth0.com/docs/api/management/v2#!/Prompts/get_prompts
+        # @return [json] Returns the prompts setting.
+        def prompts
+          get(prompts_path)
+        end
+        alias get_prompts prompts
+
+        # Update prompts settings.
+        # @see https://auth0.com/docs/api/management/v2#!/Prompts/patch_prompts
+        # @param options [hash]
+        #   * :universal_login_experience [string] Should be any of: new, classic.
+        #
+        # @return [json] Returns the prompts settings.
+        def patch_prompts(options = {})
+          request_params = {
+            universal_login_experience: options.fetch(:universal_login_experience, nil)
+          }
+          patch(prompts_path, request_params)
+        end
+        alias update_prompts patch_prompts
+
+        # Get custom text for a prompt
+        # Retrieve custom text for a specific prompt and language.
+        # @see https://auth0.com/docs/api/management/v2#!/Prompts/get_custom_text_by_language
+        # @param prompt [string] Prompt of custom texts to update.
+        # @param language [string] Language of custom texts to update.
+        #
+        # @return [json] Returns the custom texts.
+        def custom_text(prompt, language)
+          raise Auth0::InvalidParameter, 'Must supply a valid prompt' if prompt.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid language' if language.to_s.empty?
+
+          path = "#{prompts_path}/#{prompt}/custom-text/#{language}"
+          get(path)
+        end
+        alias get_custom_text custom_text
+
+        # Set custom text for a specific prompt
+        # Existing texts will be overwritten.
+        # @see https://auth0.com/docs/api/management/v2#!/Prompts/put_custom_text_by_language
+        # @param prompt [string] Prompt of custom texts to update.
+        # @param language [string] Language of custom texts to update.
+        # @param body [hash] Custom texts.
+        #
+        # @return [json] Returns the custom texts.
+        def put_custom_text(prompt, language, body)
+          raise Auth0::InvalidParameter, 'Must supply a valid prompt' if prompt.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid language' if language.to_s.empty?
+
+          path = "#{prompts_path}/#{prompt}/custom-text/#{language}"
+          put(path, body)
+        end
+        alias update_custom_text put_custom_text
+
+        private
+
+        def prompts_path
+          @prompts_path ||= '/api/v2/prompts'
+        end
+      end
+    end
+  end
+end

data/lib/auth0/exception.rb

@@ -59,4 +59,6 @@ module Auth0
       Time.at(headers['X-RateLimit-Reset']).utc
     end
   end
+
+  class InvalidIdToken < Auth0::Exception; end
 end

data/lib/auth0/mixins/httpproxy.rb

@@ -21,7 +21,7 @@ module Auth0
                    elsif method == :delete
                      call(:delete, url(safe_path), timeout, add_headers({params: body}))
                    elsif method == :delete_with_body
-                     call(:delete, url(safe_path), timeout, headers, body)
+                     call(:delete, url(safe_path), timeout, headers, body.to_json)
                    elsif method == :post_file
                      body.merge!(multipart: true)
                      call(:post, url(safe_path), timeout, headers, body)

data/lib/auth0/mixins/validation.rb

@@ -1,3 +1,11 @@
+require 'zache'
+
+class Zache
+  def last(key)
+    @hash[key][:value] if @hash.key?(key)
+  end
+end
+
 module Auth0
   module Mixins
     # Module to provide validation for specific data structures.
@@ -20,6 +28,305 @@ module Auth0
         permissions.map { |permission| permission.to_h }
       end
 
+      # rubocop:disable Metrics/ClassLength
+      class IdTokenValidator
+        def initialize(context)
+          @context = context
+        end
+
+        def validate(id_token)
+          decoding_error = 'ID token could not be decoded'
+
+          unless !id_token.to_s.empty? && id_token.split('.').count == 3
+            raise Auth0::InvalidIdToken, decoding_error
+          end
+
+          begin
+            header = JWT::JSON.parse(JWT::Base64.url_decode(id_token.split('.').first))
+          rescue
+            raise Auth0::InvalidIdToken, decoding_error
+          end
+
+          claims = decode_and_validate_signature(id_token, header)
+          validate_claims(claims)
+        end
+
+        private
+
+        # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity
+        def decode_and_validate_signature(id_token, header)
+          algorithm = @context[:algorithm]
+
+          unless algorithm.is_a?(Auth0::Mixins::Validation::JWTAlgorithm)
+            raise Auth0::InvalidIdToken, "Signature algorithm of \"#{algorithm}\" is not supported"
+          end
+
+          # The expiration verification will be performed in the validate_claims method
+          options = { algorithms: [algorithm.name], verify_expiration: false, verify_not_before: false }
+          secret = nil
+
+          case algorithm
+          when Auth0::Algorithm::RS256
+            kid = header['kid']
+            jwks = JSON.parse(JSON[algorithm.jwks], symbolize_names: true)
+
+            if !jwks[:keys].find { |key| key[:kid] == kid } && !algorithm.fetched_jwks?
+              jwks = JSON.parse(JSON[algorithm.jwks(force: true)], symbolize_names: true)
+            end
+
+            options[:jwks] = jwks
+          when Auth0::Algorithm::HS256
+            secret = algorithm.secret
+          end
+
+          begin
+            result = JWT.decode(id_token, secret, true, options)
+            result.first
+          rescue JWT::VerificationError
+            raise Auth0::InvalidIdToken, 'Invalid ID token signature'
+          rescue JWT::IncorrectAlgorithm
+            alg = header['alg']
+            raise Auth0::InvalidIdToken, "Signature algorithm of \"#{alg}\" is not supported. Expected the ID token"\
+                                         " to be signed with \"#{algorithm.name}\""
+          rescue JWT::DecodeError
+            raise Auth0::InvalidIdToken, "Could not find a public key for Key ID (kid) \"#{kid}\""
+          end
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        def validate_claims(claims)
+          leeway = @context[:leeway]
+          nonce = @context[:nonce]
+          issuer = @context[:issuer]
+          audience = @context[:audience]
+          max_age = @context[:max_age]
+
+          raise Auth0::InvalidParameter, 'Must supply a valid leeway' unless leeway.is_a?(Integer) && leeway >= 0
+          raise Auth0::InvalidParameter, 'Must supply a valid nonce' unless nonce.nil? || !nonce.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid issuer' unless issuer.nil? || !issuer.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid audience' unless audience.nil? || !audience.to_s.empty?
+
+          unless max_age.nil? || (max_age.is_a?(Integer) && max_age >= 0)
+            raise Auth0::InvalidParameter, 'Must supply a valid max_age'
+          end
+
+          validate_iss(claims, issuer)
+          validate_sub(claims)
+          validate_aud(claims, audience)
+          validate_exp(claims, leeway)
+          validate_iat(claims, leeway)
+          validate_nonce(claims, nonce) if nonce
+          validate_azp(claims, audience) if claims['aud'].is_a?(Array) && claims['aud'].count > 1
+          validate_auth_time(claims, max_age, leeway) if max_age
+        end
+        # rubocop:enable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+        def validate_iss(claims, expected)
+          unless claims.key?('iss') && claims['iss'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Issuer (iss) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['iss']
+            raise Auth0::InvalidIdToken, "Issuer (iss) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['iss']}\""
+          end
+        end
+
+        def validate_sub(claims)
+          unless claims.key?('sub') && claims['sub'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Subject (sub) claim must be a string present in the ID token'
+          end
+        end
+
+        def validate_aud(claims, expected)
+          unless claims.key?('aud') && (claims['aud'].is_a?(String) || claims['aud'].is_a?(Array))
+            raise Auth0::InvalidIdToken, 'Audience (aud) claim must be a string or array of strings present'\
+                                         ' in the ID token'
+          end
+
+          if claims['aud'].is_a?(String) && expected != claims['aud']
+            raise Auth0::InvalidIdToken, "Audience (aud) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['aud']}\""
+          elsif claims['aud'].is_a?(Array) && !claims['aud'].include?(expected)
+            raise Auth0::InvalidIdToken, "Audience (aud) claim mismatch in the ID token; expected \"#{expected}\""\
+                                         " but was not one of \"#{claims['aud'].join ', '}\""
+          end
+        end
+
+        def validate_exp(claims, leeway)
+          unless claims.key?('exp') && claims['exp'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Expiration Time (exp) claim must be a number present in the ID token'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          exp_time = claims['exp'] + leeway
+
+          unless now < exp_time
+            raise Auth0::InvalidIdToken, 'Expiration Time (exp) claim mismatch in the ID token; current time'\
+                                         " \"#{now}\" is after expiration time \"#{exp_time}\""
+          end
+        end
+
+        def validate_iat(claims, leeway)
+          unless claims.key?('iat') && claims['iat'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Issued At (iat) claim must be a number present in the ID token'
+          end
+        end
+
+        def validate_nonce(claims, expected)
+          unless claims.key?('nonce') && claims['nonce'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Nonce (nonce) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['nonce']
+            raise Auth0::InvalidIdToken, "Nonce (nonce) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['nonce']}\""
+          end
+        end
+
+        def validate_azp(claims, expected)
+          unless claims.key?('azp') && claims['azp'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Authorized Party (azp) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['azp']
+            raise Auth0::InvalidIdToken, 'Authorized Party (azp) claim mismatch in the ID token; expected'\
+                                         " \"#{expected}\", found \"#{claims['azp']}\""
+          end
+        end
+
+        def validate_auth_time(claims, max_age, leeway)
+          unless claims.key?('auth_time') && claims['auth_time'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Authentication Time (auth_time) claim must be a number present in the ID'\
+                                         ' token when Max Age (max_age) is specified'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          auth_valid_until = claims['auth_time'] + max_age + leeway
+
+          unless now < auth_valid_until
+            raise Auth0::InvalidIdToken, 'Authentication Time (auth_time) claim in the ID token indicates that too'\
+                                         ' much time has passed since the last end-user authentication. Current time'\
+                                         " \"#{now}\" is after last auth at \"#{auth_valid_until}\""
+          end
+        end
+      end
+      # rubocop:enable Metrics/ClassLength
+
+      class JWTAlgorithm
+        private_class_method :new
+
+        def name
+          raise RuntimeError, 'Must be overriden by the subclasses'
+        end
+      end
+
+      module Algorithm
+        # Represents the HS256 algorithm, which rely on shared secrets.
+        # @see https://auth0.com/docs/tokens/concepts/signing-algorithms
+        class HS256 < JWTAlgorithm
+          class << self
+            private :new
+
+            # Create a new instance passing the shared secret.
+            # @param secret [string] The HMAC shared secret.
+            # @return [HS256] A new instance.
+            def secret(secret)
+              new secret
+            end
+          end
+
+          attr_accessor :secret
+
+          def initialize(secret)
+            raise Auth0::InvalidParameter, 'Must supply a valid secret' if secret.to_s.empty?
+
+            @secret = secret
+          end
+
+          # Returns the algorithm name.
+          # @return [string] The algorithm name.
+          def name
+            'HS256'
+          end
+        end
+
+        # Represents the RS256 algorithm, which rely on public key certificates.
+        # @see https://auth0.com/docs/tokens/concepts/signing-algorithms
+        class RS256 < JWTAlgorithm
+          include Auth0::Mixins::HTTPProxy
+
+          @@cache = Zache.new.freeze
+
+          class << self
+            private :new
+
+            # Create a new instance passing the JWK set url.
+            # @param url [string] The url where the JWK set is located.
+            # @param lifetime [integer] The lifetime of the JWK set in-memory cache in seconds.
+            #   Must be a non-negative value. Defaults to *600 seconds* (10 minutes).
+            # @return [RS256] A new instance.
+            def jwks_url(url, lifetime: 10 * 60)
+              new url, lifetime
+            end
+
+            # Clear the JWK set cache.
+            def remove_jwks
+              @@cache.remove(:jwks)
+            end
+          end
+
+          def initialize(jwks_url, lifetime)
+            raise Auth0::InvalidParameter, 'Must supply a valid jwks_url' if jwks_url.to_s.empty?
+            raise Auth0::InvalidParameter, 'Must supply a valid lifetime' unless lifetime.is_a?(Integer) && lifetime >= 0
+
+            @lifetime = lifetime
+            @jwks_url = jwks_url
+            @did_fetch_jwks = false
+          end
+
+          # Returns the algorithm name.
+          # @return [string] The algorithm name.
+          def name
+            'RS256'
+          end
+
+          # Fetches the JWK set from the in-memory cache or from the url.
+          # @return [hash] A JWK set.
+          def jwks(force: false)
+            result = fetch_jwks if force
+
+            if result
+              @@cache.put(:jwks, result, lifetime: @lifetime)
+              return result
+            end
+
+            previous_value = @@cache.last(:jwks)
+
+            @@cache.get(:jwks, lifetime: @lifetime, dirty: true) do
+              new_value = fetch_jwks
+
+              raise Auth0::InvalidIdToken, 'Could not fetch the JWK set' unless new_value || previous_value
+
+              new_value || previous_value
+            end
+          end
+
+          # Returns whether or not the JWK set was fetched from the url.
+          # @return [boolean] +true+ if a request to the JWK set url was made, +false+ otherwise.
+          def fetched_jwks?
+            @did_fetch_jwks
+          end
+
+          private
+
+          def fetch_jwks
+            result = get(@jwks_url)
+            @did_fetch_jwks = result.is_a?(Hash) && result.key?('keys')
+            result if @did_fetch_jwks
+          end
+        end
+      end
     end
   end
 end