authentic-rb 1.0.4 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/authentic/key_manager.rb +5 -1
- data/lib/authentic/key_store.rb +8 -0
- data/lib/authentic/validator.rb +29 -10
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 569cb68126c88d020f7a3a97f492a197f104054c766d0725de7650842fbc935d
|
4
|
+
data.tar.gz: 4276afbae6032bd9d2ed20ca93a3c9e1d2af1a3c59a4cefe6e67e39ee0895a7a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f68c71db7fa9f9c129b740b9599b25f3500735a2bd7bb16056a1e8a0ab5c3889abd47cf81804c8d2b6790d61e0ba7b113fb6a2eb54a32a396fb37a9b121815a9
|
7
|
+
data.tar.gz: 50eba9c344040ce7f91e63d350eadfd096334937aa6eb0b11ddb54da2772dae61c31c297cb880c8dbf9d4b0e1ceb71279b24c71ae40d3b6a60af53a7bd145c3d
|
@@ -10,10 +10,14 @@ module Authentic
|
|
10
10
|
attr_reader :store, :well_known
|
11
11
|
|
12
12
|
def initialize(max_age)
|
13
|
-
@store = KeyStore.new(max_age
|
13
|
+
@store = KeyStore.new(max_age)
|
14
14
|
@well_known = '/.well-known/openid-configuration'
|
15
15
|
end
|
16
16
|
|
17
|
+
def cache_max_age(max_age)
|
18
|
+
@store.configure_max_age(max_age)
|
19
|
+
end
|
20
|
+
|
17
21
|
# Public: retrieves JWK.
|
18
22
|
#
|
19
23
|
# jwt - JSON::JWT.
|
data/lib/authentic/key_store.rb
CHANGED
@@ -11,10 +11,18 @@ module Authentic
|
|
11
11
|
|
12
12
|
def initialize(max_age, data = {})
|
13
13
|
@data = data
|
14
|
+
configure_max_age(max_age)
|
15
|
+
end
|
16
|
+
|
17
|
+
def configure_max_age(max_age)
|
14
18
|
@max_age = max_age
|
15
19
|
@max_age_seconds = human_time_to_seconds
|
16
20
|
end
|
17
21
|
|
22
|
+
def reset_all
|
23
|
+
@data = {}
|
24
|
+
end
|
25
|
+
|
18
26
|
# Public: Sets data, and wraps it in OIDCKey class if not presented as that type.
|
19
27
|
#
|
20
28
|
# iss - issuer
|
data/lib/authentic/validator.rb
CHANGED
@@ -8,9 +8,11 @@ module Authentic
|
|
8
8
|
# Public: validate JWTs against JWKs using iss whitelist in an environment variable.
|
9
9
|
#
|
10
10
|
# token - raw JWT.
|
11
|
+
# opts - Optionally pass configuration options.
|
11
12
|
#
|
12
13
|
# Returns boolean.
|
13
|
-
def self.valid?(token)
|
14
|
+
def self.valid?(token, opts = {})
|
15
|
+
Validator.configure(opts) unless opts.empty?
|
14
16
|
Validator.new.valid?(token)
|
15
17
|
end
|
16
18
|
|
@@ -18,23 +20,40 @@ module Authentic
|
|
18
20
|
# raises an error for invalid JWTs, errors requesting JWKs, the lack of valid JWKs, or non white listed ISS.
|
19
21
|
#
|
20
22
|
# token - raw JWT.
|
23
|
+
# opts - Optionally pass configuration options.
|
21
24
|
#
|
22
25
|
# Returns nothing.
|
23
|
-
def self.ensure_valid(token)
|
26
|
+
def self.ensure_valid(token, opts = {})
|
27
|
+
Validator.configure(opts) unless opts.empty?
|
24
28
|
Validator.new.ensure_valid(token)
|
25
29
|
end
|
26
30
|
|
27
31
|
# Public: validates JWTs against JWKs.
|
28
32
|
class Validator
|
29
|
-
|
33
|
+
@@manager = KeyManager.new('10h')
|
34
|
+
@@iss_whitelist = []
|
30
35
|
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
36
|
+
# Public: Configures iss_whitelist and cache_max_age
|
37
|
+
#
|
38
|
+
# opts - options to configure the validator with
|
39
|
+
#
|
40
|
+
# Returns nothing.
|
41
|
+
def self.configure(opts)
|
42
|
+
@@iss_whitelist = opts[:iss_whitelist]
|
43
|
+
@@manager.cache_max_age(opts.fetch(:cache_max_age, '10h'))
|
44
|
+
end
|
45
|
+
|
46
|
+
def initialize
|
47
|
+
# Default iss whitelist if it is empty
|
48
|
+
@@iss_whitelist = @@iss_whitelist&.empty? ? ENV['AUTHENTIC_ISS_WHITELIST']&.split(',') : @@iss_whitelist
|
49
|
+
|
50
|
+
valid_opts = !@@iss_whitelist&.empty?
|
35
51
|
raise IncompleteOptions unless valid_opts
|
52
|
+
end
|
36
53
|
|
37
|
-
|
54
|
+
# Private: resets key manager cache
|
55
|
+
def reset_cache
|
56
|
+
@@manager.store.reset_all
|
38
57
|
end
|
39
58
|
|
40
59
|
# Public: validates JWT, returns true if valid, false if not.
|
@@ -59,7 +78,7 @@ module Authentic
|
|
59
78
|
jwt = decode_jwt token
|
60
79
|
|
61
80
|
begin
|
62
|
-
key = manager.get jwt
|
81
|
+
key = @@manager.get jwt
|
63
82
|
|
64
83
|
# Slightly more accurate to raise a key error here for nil key,
|
65
84
|
# rather then verify raising an error that would lead to InvalidToken
|
@@ -82,7 +101,7 @@ module Authentic
|
|
82
101
|
raise InvalidToken, 'invalid nil JWT provided' unless token
|
83
102
|
|
84
103
|
JSON::JWT.decode(token, :skip_verification).tap do |jwt|
|
85
|
-
raise InvalidToken, 'JWT iss was not located in provided whitelist' unless iss_whitelist.index jwt[:iss]
|
104
|
+
raise InvalidToken, 'JWT iss was not located in provided whitelist' unless @@iss_whitelist.index jwt[:iss]
|
86
105
|
end
|
87
106
|
rescue JSON::JWT::InvalidFormat
|
88
107
|
raise InvalidToken, 'invalid JWT format'
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: authentic-rb
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.0
|
4
|
+
version: 1.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Articulate
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date:
|
12
|
+
date: 2019-01-14 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: json-jwt
|