auth0 4.7.0 → 4.12.0

data/lib/auth0/mixins.rb

@@ -1,14 +1,19 @@
 require 'base64'
 require 'rest-client'
 require 'uri'
-require 'auth0/mixins/httpproxy'
-require 'auth0/mixins/initializer'
-require 'auth0/mixins/headers'
+
 require 'auth0/mixins/access_token_struct'
 require 'auth0/mixins/api_token_struct'
+require 'auth0/mixins/headers'
+require 'auth0/mixins/httpproxy'
+require 'auth0/mixins/initializer'
+require 'auth0/mixins/permission_struct'
+require 'auth0/mixins/validation'
+
 require 'auth0/api/authentication_endpoints'
 require 'auth0/api/v1'
 require 'auth0/api/v2'
+
 module Auth0
   # Collecting dependencies here
   module Mixins

data/lib/auth0/mixins/httpproxy.rb

@@ -6,7 +6,7 @@ module Auth0
       attr_accessor :headers, :base_uri, :timeout
 
       # proxying requests from instance methods to HTTP class methods
-      %i(get post post_file put patch delete).each do |method|
+      %i(get post post_file put patch delete delete_with_body).each do |method|
         define_method(method) do |path, body = {}, extra_headers = {}|
           safe_path = URI.escape(path)
           body = body.delete_if { |_, v| v.nil? }
@@ -20,6 +20,8 @@ module Auth0
                      call(:get, url(safe_path), timeout, get_headers)
                    elsif method == :delete
                      call(:delete, url(safe_path), timeout, add_headers({params: body}))
+                   elsif method == :delete_with_body
+                     call(:delete, url(safe_path), timeout, headers, body)
                    elsif method == :post_file
                      body.merge!(multipart: true)
                      call(:post, url(safe_path), timeout, headers, body)
@@ -28,12 +30,13 @@ module Auth0
                    end
           case result.code
           when 200...226 then safe_parse_json(result.body)
-          when 400       then raise Auth0::BadRequest, result.to_s
-          when 401       then raise Auth0::Unauthorized, result.body
-          when 403       then raise Auth0::AccessDenied, result.body
-          when 404       then raise Auth0::NotFound, result.body
-          when 500       then raise Auth0::ServerError, result.body
-          else                raise Auth0::Unsupported, result.body
+          when 400       then raise Auth0::BadRequest.new(result.body, code: result.code, headers: result.headers)
+          when 401       then raise Auth0::Unauthorized.new(result.body, code: result.code, headers: result.headers)
+          when 403       then raise Auth0::AccessDenied.new(result.body, code: result.code, headers: result.headers)
+          when 404       then raise Auth0::NotFound.new(result.body, code: result.code, headers: result.headers)
+          when 429       then raise Auth0::RateLimitEncountered.new(result.body, code: result.code, headers: result.headers)
+          when 500       then raise Auth0::ServerError.new(result.body, code: result.code, headers: result.headers)
+          else                raise Auth0::Unsupported.new(result.body, code: result.code, headers: result.headers)
           end
         end
       end
@@ -65,7 +68,7 @@ module Auth0
       rescue RestClient::Exception => e
         case e
         when RestClient::RequestTimeout
-          raise Auth0::RequestTimeout
+          raise Auth0::RequestTimeout.new(e.message)
         else
           return e.response
         end

data/lib/auth0/mixins/permission_struct.rb

@@ -0,0 +1,3 @@
+Permission = Struct.new :permission_name, :resource_server_identifier do
+
+end

data/lib/auth0/mixins/validation.rb

@@ -0,0 +1,340 @@
+require 'zache'
+
+class Zache
+  def last(key)
+    @hash[key][:value] if @hash.key?(key)
+  end
+end
+
+module Auth0
+  module Mixins
+    # Module to provide validation for specific data structures.
+    module Validation
+
+      # Check a roles array
+      def validate_strings_array(strings)
+        raise Auth0::InvalidParameter, 'Must supply an array of strings' unless strings.kind_of?(Array)
+        raise Auth0::MissingParameter, 'Must supply an array of strings' if strings.empty?
+        raise Auth0::InvalidParameter, 'All array elements must be strings' unless strings.all? {|str| str.is_a? String}
+      end
+
+      # Check a permissions array
+      def validate_permissions_array(permissions)
+        raise Auth0::InvalidParameter, 'Must supply an array of Permissions' unless permissions.kind_of?(Array)
+        raise Auth0::MissingParameter, 'Must supply an array of Permissions' if permissions.empty?
+        raise Auth0::InvalidParameter, 'All array elements must be Permissions' unless permissions.all? do |permission|
+          permission.kind_of? Permission
+        end
+        permissions.map { |permission| permission.to_h }
+      end
+
+      # rubocop:disable Metrics/ClassLength
+      class IdTokenValidator
+        def initialize(context)
+          @context = context
+        end
+
+        def validate(id_token)
+          decoding_error = 'ID token could not be decoded'
+
+          unless !id_token.to_s.empty? && id_token.split('.').count == 3
+            raise Auth0::InvalidIdToken, decoding_error
+          end
+
+          begin
+            header = JWT::JSON.parse(JWT::Base64.url_decode(id_token.split('.').first))
+          rescue
+            raise Auth0::InvalidIdToken, decoding_error
+          end
+
+          claims = decode_and_validate_signature(id_token, header)
+          validate_claims(claims)
+        end
+
+        private
+
+        # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity
+        def decode_and_validate_signature(id_token, header)
+          algorithm = @context[:algorithm]
+
+          unless algorithm.is_a?(Auth0::Mixins::Validation::JWTAlgorithm)
+            raise Auth0::InvalidIdToken, "Signature algorithm of \"#{algorithm}\" is not supported"
+          end
+
+          # The expiration verification will be performed in the validate_claims method
+          options = { algorithms: [algorithm.name], verify_expiration: false, verify_not_before: false }
+          secret = nil
+
+          case algorithm
+          when Auth0::Algorithm::RS256
+            kid = header['kid']
+            jwks = JSON.parse(JSON[algorithm.jwks], symbolize_names: true)
+
+            if !jwks[:keys].find { |key| key[:kid] == kid } && !algorithm.fetched_jwks?
+              jwks = JSON.parse(JSON[algorithm.jwks(force: true)], symbolize_names: true)
+            end
+
+            options[:jwks] = jwks
+          when Auth0::Algorithm::HS256
+            secret = algorithm.secret
+          end
+
+          begin
+            result = JWT.decode(id_token, secret, true, options)
+            result.first
+          rescue JWT::VerificationError
+            raise Auth0::InvalidIdToken, 'Invalid ID token signature'
+          rescue JWT::IncorrectAlgorithm
+            alg = header['alg']
+            raise Auth0::InvalidIdToken, "Signature algorithm of \"#{alg}\" is not supported. Expected the ID token"\
+                                         " to be signed with \"#{algorithm.name}\""
+          rescue JWT::DecodeError
+            raise Auth0::InvalidIdToken, "Could not find a public key for Key ID (kid) \"#{kid}\""
+          end
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        def validate_claims(claims)
+          leeway = @context[:leeway]
+          nonce = @context[:nonce]
+          issuer = @context[:issuer]
+          audience = @context[:audience]
+          max_age = @context[:max_age]
+
+          raise Auth0::InvalidParameter, 'Must supply a valid leeway' unless leeway.is_a?(Integer) && leeway >= 0
+          raise Auth0::InvalidParameter, 'Must supply a valid nonce' unless nonce.nil? || !nonce.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid issuer' unless issuer.nil? || !issuer.to_s.empty?
+          raise Auth0::InvalidParameter, 'Must supply a valid audience' unless audience.nil? || !audience.to_s.empty?
+
+          unless max_age.nil? || (max_age.is_a?(Integer) && max_age >= 0)
+            raise Auth0::InvalidParameter, 'Must supply a valid max_age'
+          end
+
+          validate_iss(claims, issuer)
+          validate_sub(claims)
+          validate_aud(claims, audience)
+          validate_exp(claims, leeway)
+          validate_iat(claims, leeway)
+          validate_nonce(claims, nonce) if nonce
+          validate_azp(claims, audience) if claims['aud'].is_a?(Array) && claims['aud'].count > 1
+          validate_auth_time(claims, max_age, leeway) if max_age
+        end
+        # rubocop:enable Metrics/MethodLength, Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+        def validate_iss(claims, expected)
+          unless claims.key?('iss') && claims['iss'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Issuer (iss) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['iss']
+            raise Auth0::InvalidIdToken, "Issuer (iss) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['iss']}\""
+          end
+        end
+
+        def validate_sub(claims)
+          unless claims.key?('sub') && claims['sub'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Subject (sub) claim must be a string present in the ID token'
+          end
+        end
+
+        def validate_aud(claims, expected)
+          unless claims.key?('aud') && (claims['aud'].is_a?(String) || claims['aud'].is_a?(Array))
+            raise Auth0::InvalidIdToken, 'Audience (aud) claim must be a string or array of strings present'\
+                                         ' in the ID token'
+          end
+
+          if claims['aud'].is_a?(String) && expected != claims['aud']
+            raise Auth0::InvalidIdToken, "Audience (aud) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['aud']}\""
+          elsif claims['aud'].is_a?(Array) && !claims['aud'].include?(expected)
+            raise Auth0::InvalidIdToken, "Audience (aud) claim mismatch in the ID token; expected \"#{expected}\""\
+                                         " but was not one of \"#{claims['aud'].join ', '}\""
+          end
+        end
+
+        def validate_exp(claims, leeway)
+          unless claims.key?('exp') && claims['exp'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Expiration Time (exp) claim must be a number present in the ID token'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          exp_time = claims['exp'] + leeway
+
+          unless now < exp_time
+            raise Auth0::InvalidIdToken, 'Expiration Time (exp) claim mismatch in the ID token; current time'\
+                                         " \"#{now}\" is after expiration time \"#{exp_time}\""
+          end
+        end
+
+        def validate_iat(claims, leeway)
+          unless claims.key?('iat') && claims['iat'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Issued At (iat) claim must be a number present in the ID token'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          iat_time = claims['iat'] - leeway
+
+          unless now > iat_time
+            raise Auth0::InvalidIdToken, "Issued At (iat) claim mismatch in the ID token; current time \"#{now}\""\
+                                         " is before issued at time \"#{iat_time}\""
+          end
+        end
+
+        def validate_nonce(claims, expected)
+          unless claims.key?('nonce') && claims['nonce'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Nonce (nonce) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['nonce']
+            raise Auth0::InvalidIdToken, "Nonce (nonce) claim mismatch in the ID token; expected \"#{expected}\","\
+                                         " found \"#{claims['nonce']}\""
+          end
+        end
+
+        def validate_azp(claims, expected)
+          unless claims.key?('azp') && claims['azp'].is_a?(String)
+            raise Auth0::InvalidIdToken, 'Authorized Party (azp) claim must be a string present in the ID token'
+          end
+
+          unless expected == claims['azp']
+            raise Auth0::InvalidIdToken, 'Authorized Party (azp) claim mismatch in the ID token; expected'\
+                                         " \"#{expected}\", found \"#{claims['azp']}\""
+          end
+        end
+
+        def validate_auth_time(claims, max_age, leeway)
+          unless claims.key?('auth_time') && claims['auth_time'].is_a?(Integer)
+            raise Auth0::InvalidIdToken, 'Authentication Time (auth_time) claim must be a number present in the ID'\
+                                         ' token when Max Age (max_age) is specified'
+          end
+
+          now = @context[:clock] || Time.now.to_i
+          auth_valid_until = claims['auth_time'] + max_age + leeway
+
+          unless now < auth_valid_until
+            raise Auth0::InvalidIdToken, 'Authentication Time (auth_time) claim in the ID token indicates that too'\
+                                         ' much time has passed since the last end-user authentication. Current time'\
+                                         " \"#{now}\" is after last auth at \"#{auth_valid_until}\""
+          end
+        end
+      end
+      # rubocop:enable Metrics/ClassLength
+
+      class JWTAlgorithm
+        private_class_method :new
+
+        def name
+          raise RuntimeError, 'Must be overriden by the subclasses'
+        end
+      end
+
+      module Algorithm
+        # Represents the HS256 algorithm, which rely on shared secrets.
+        # @see https://auth0.com/docs/tokens/concepts/signing-algorithms
+        class HS256 < JWTAlgorithm
+          class << self
+            private :new
+
+            # Create a new instance passing the shared secret.
+            # @param secret [string] The HMAC shared secret.
+            # @return [HS256] A new instance.
+            def secret(secret)
+              new secret
+            end
+          end
+
+          attr_accessor :secret
+
+          def initialize(secret)
+            raise Auth0::InvalidParameter, 'Must supply a valid secret' if secret.to_s.empty?
+
+            @secret = secret
+          end
+
+          # Returns the algorithm name.
+          # @return [string] The algorithm name.
+          def name
+            'HS256'
+          end
+        end
+
+        # Represents the RS256 algorithm, which rely on public key certificates.
+        # @see https://auth0.com/docs/tokens/concepts/signing-algorithms
+        class RS256 < JWTAlgorithm
+          include Auth0::Mixins::HTTPProxy
+
+          @@cache = Zache.new.freeze
+
+          class << self
+            private :new
+
+            # Create a new instance passing the JWK set url.
+            # @param url [string] The url where the JWK set is located.
+            # @param lifetime [integer] The lifetime of the JWK set in-memory cache in seconds.
+            #   Must be a non-negative value. Defaults to *600 seconds* (10 minutes).
+            # @return [RS256] A new instance.
+            def jwks_url(url, lifetime: 10 * 60)
+              new url, lifetime
+            end
+
+            # Clear the JWK set cache.
+            def remove_jwks
+              @@cache.remove(:jwks)
+            end
+          end
+
+          def initialize(jwks_url, lifetime)
+            raise Auth0::InvalidParameter, 'Must supply a valid jwks_url' if jwks_url.to_s.empty?
+            raise Auth0::InvalidParameter, 'Must supply a valid lifetime' unless lifetime.is_a?(Integer) && lifetime >= 0
+
+            @lifetime = lifetime
+            @jwks_url = jwks_url
+            @did_fetch_jwks = false
+          end
+
+          # Returns the algorithm name.
+          # @return [string] The algorithm name.
+          def name
+            'RS256'
+          end
+
+          # Fetches the JWK set from the in-memory cache or from the url.
+          # @return [hash] A JWK set.
+          def jwks(force: false)
+            result = fetch_jwks if force
+
+            if result
+              @@cache.put(:jwks, result, lifetime: @lifetime)
+              return result
+            end
+
+            previous_value = @@cache.last(:jwks)
+
+            @@cache.get(:jwks, lifetime: @lifetime, dirty: true) do
+              new_value = fetch_jwks
+
+              raise Auth0::InvalidIdToken, 'Could not fetch the JWK set' unless new_value || previous_value
+
+              new_value || previous_value
+            end
+          end
+
+          # Returns whether or not the JWK set was fetched from the url.
+          # @return [boolean] +true+ if a request to the JWK set url was made, +false+ otherwise.
+          def fetched_jwks?
+            @did_fetch_jwks
+          end
+
+          private
+
+          def fetch_jwks
+            result = get(@jwks_url)
+            @did_fetch_jwks = result.is_a?(Hash) && result.key?('keys')
+            result if @did_fetch_jwks
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth0/version.rb

@@ -1,4 +1,4 @@
 # current version of gem
 module Auth0
-  VERSION = '4.7.0'.freeze
+  VERSION = '4.12.0'.freeze
 end

data/spec/fixtures/vcr_cassettes/Auth0_Api_V2_Anomaly/_check_if_ip_is_blocked/should_return_200_response_code.yml

@@ -0,0 +1,65 @@
+---
+http_interactions:
+- request:
+    method: get
+    uri: https://auth0-sdk-tests.auth0.com/api/v2/anomaly/blocks/ips/192.0.2.0
+    body:
+      encoding: US-ASCII
+      string: ''
+    headers:
+      Accept:
+      - "*/*"
+      Accept-Encoding:
+      - gzip, deflate
+      User-Agent:
+      - rest-client/2.0.2 (darwin18.6.0 x86_64) ruby/2.6.3p62
+      Content-Type:
+      - application/json
+      Auth0-Client:
+      - eyJuYW1lIjoicnVieS1hdXRoMCIsInZlcnNpb24iOiI0LjUuMCJ9
+      Authorization:
+      - Bearer API_TOKEN
+      Host:
+      - auth0-sdk-tests.auth0.com
+  response:
+    status:
+      code: 200
+      message: OK
+    headers:
+      Date:
+      - Sat, 06 Jul 2019 23:02:59 GMT
+      Content-Type:
+      - application/json; charset=utf-8
+      Transfer-Encoding:
+      - chunked
+      Connection:
+      - keep-alive
+      Ot-Tracer-Spanid:
+      - '0539a861079ec5ad'
+      Ot-Tracer-Traceid:
+      - 14cbee1b1f015043
+      Ot-Tracer-Sampled:
+      - 'true'
+      X-Ratelimit-Limit:
+      - '10'
+      X-Ratelimit-Remaining:
+      - '9'
+      X-Ratelimit-Reset:
+      - '1562454181'
+      Vary:
+      - origin,accept-encoding
+      Cache-Control:
+      - private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+      Content-Encoding:
+      - gzip
+      Strict-Transport-Security:
+      - max-age=15724800
+      X-Robots-Tag:
+      - noindex, nofollow, nosnippet, noarchive
+    body:
+      encoding: ASCII-8BIT
+      string: !binary |-
+        H4sIAAAAAAAAA6uuBQBDv6ajAgAAAA==
+    http_version: 
+  recorded_at: Sat, 06 Jul 2019 23:02:59 GMT
+recorded_with: VCR 4.0.0