authentic-rb 1.2.0 → 1.3.0

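--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3a3e28c6d5e92fd5fce9edf02b6876814912d5efa4f986b237bf8071ac24e66f
- data.tar.gz: 30e8bdef21c0341eee35492d28041405ce291889a4f0868c9ba52089a4f5e2de
+ metadata.gz: 9e863c99c2e2d4b8312101c42e2a7079e90d610756156e0a2c57906c1afdf131
+ data.tar.gz: 72dff9af3c38d789c32398000f56fc378f355a5f52369a553f389e49692ac7f2
  SHA512:
- metadata.gz: 7a1ff3430a2a8d73566a2c0e77274698395f8f825ae49b4d56db2db740da4c71540123e6f071aaf6c7f93af0559eca24e3129d1ea2b5fa1ea6e5ae7c7d532388
- data.tar.gz: 80e3776ff22768e4e1c49810893e103f0484769fc36e1170a5ffa23f9726d1a140863d101d88edbc281688e3bf127037934723bcffdc35fbdc34d2e4872e49f6
+ metadata.gz: 90e92d91ef2076db91ca8251ca61ce756636ff0c1e1432ecf1926bbbf8cba1c47e250585e7f841f99b9495673379df2957744cc8371be5fa7818f0d2efb6cd71
+ data.tar.gz: 725f1a1e56b8f22d98e18941cde23a66719b3725457938aa1fa43e175aa136e61ac1f95575af4acd17fa62f00bbbebc35febf58a8d9f7544ea5835d9711b1b65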
@@ -14,10 +14,6 @@ module Authentic
14
14
  @well_known = '/.well-known/openid-configuration'
15
15
  end
16
16
 
17
- def cache_max_age(max_age)
18
- @store.configure_max_age(max_age)
19
- end
20
-
21
17
  # Public: retrieves JWK.
22
18
  #
23
19
  # jwt - JSON::JWT.
@@ -11,16 +11,7 @@ module Authentic
11
11
 
12
12
  def initialize(max_age, data = {})
13
13
  @data = data
14
- configure_max_age(max_age)
15
- end
16
-
17
- def configure_max_age(max_age)
18
- @max_age = max_age
19
- @max_age_seconds = human_time_to_seconds
20
- end
21
-
22
- def reset_all
23
- @data = {}
14
+ @max_age_seconds = human_time_to_seconds(max_age)
24
15
  end
25
16
 
26
17
  # Public: Sets data, and wraps it in OIDCKey class if not presented as that type.
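Review bot: `human_time_to_seconds(max_age)` is now called straight from `initialize`, and a nil `max_age` reaches `Regexp#match(nil)`, which returns nil, so the caller gets a NoMethodError from inside the parser instead of a clear argument error; a guard such as `raise ArgumentError, 'max_age must be a duration string such as "10h"' if max_age.nil?` before the assignment would make that explicit, and nil can arrive because the Validator hunk below uses `options.fetch(:cache_max_age) { '10h' }`, which returns nil when the key is present with a nil value. With `configure_max_age` gone, `@max_age` is no longer assigned, so any remaining reader of it outside this hunk now sees nil; the `human_time_to_seconds` hunk below was switched to a parameter, but other references, if any, are not visible here. The removal of `reset_all` matches the removal of `Validator#reset_cache`, its only visible caller, so that part looks consistent.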
@@ -70,13 +61,14 @@ module Authentic
70
61
 
71
62
  # frozen_string_literal: true
72
63
 
73
- # Internal: converts human time to seconds for consumption of the cache service. Format ``
64
+ # Internal: converts human time to seconds for consumption of the cache service. Format example: `10h5m30s`.
65
+ # All units are optional.
74
66
  #
75
- # human_time - represents time in hours, minutes, and seconds.
67
+ # time - time to convert, it is a string that represents time in hours, minutes, and seconds.
76
68
  #
77
69
  # Returns seconds.
78
- def human_time_to_seconds
79
- m = /(?:(\d*)h)?\s?(?:(\d*)?m)?\s?(?:(\d*)?s)?/.match(max_age)
70
+ def human_time_to_seconds(time)
71
+ m = /(?:(\d*)h)?\s?(?:(\d*)?m)?\s?(?:(\d*)?s)?/.match(time)
80
72
  h = ((m[1].to_i || 0) * 60) * 60
81
73
  mi = (m[2].to_i || 0) * 60
82
74
  s = (m[3].to_i || 0)
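Review bot: `human_time_to_seconds(time)` still returns 0 for any string it does not understand, because every part of the pattern is optional and it is unanchored, so it matches the empty string at position 0 and all three groups come back nil; a mistyped `cache_max_age` such as `'10 hours'` therefore yields 0 seconds, which the cache presumably treats as never caching, with no error raised. Anchoring the pattern and rejecting a no-match makes the failure explicit: `m = /\A(?:(\d+)h)?\s?(?:(\d+)m)?\s?(?:(\d+)s)?\z/.match(time)` followed by `raise ArgumentError, "unrecognized duration: #{time.inspect}" if m.nil? || m[0].empty?`. The `|| 0` on the three `to_i` calls is dead code, since `nil.to_i` is already 0. The method's return is past the end of the hunk; separately, the `# frozen_string_literal: true` comment shown as context at file line 72 is only honored on a file's first line, so it has no effect where it sits.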
@@ -5,55 +5,16 @@ require 'authentic/key_manager'
5
5
 
6
6
  # Public: proper validation of JWTs against JWKs.
7
7
  module Authentic
8
- # Public: validate JWTs against JWKs using iss whitelist in an environment variable.
9
- #
10
- # token - raw JWT.
11
- # opts - Optionally pass configuration options.
12
- #
13
- # Returns boolean.
14
- def self.valid?(token, opts = {})
15
- Validator.configure(opts) unless opts.empty?
16
- Validator.new.valid?(token)
17
- end
18
-
19
- # Public: uses environment variable for iss whitelist and validates JWT,
20
- # raises an error for invalid JWTs, errors requesting JWKs, the lack of valid JWKs, or non white listed ISS.
21
- #
22
- # token - raw JWT.
23
- # opts - Optionally pass configuration options.
24
- #
25
- # Returns nothing.
26
- def self.ensure_valid(token, opts = {})
27
- Validator.configure(opts) unless opts.empty?
28
- Validator.new.ensure_valid(token)
29
- end
30
-
31
8
  # Public: validates JWTs against JWKs.
32
9
  class Validator
33
- @@manager = KeyManager.new('10h')
34
- @@iss_whitelist = []
10
+ attr_reader :iss_whitelist, :manager, :opts
35
11
 
36
- # Public: Configures iss_whitelist and cache_max_age
37
- #
38
- # opts - options to configure the validator with
39
- #
40
- # Returns nothing.
41
- def self.configure(opts)
42
- @@iss_whitelist = opts[:iss_whitelist]
43
- @@manager.cache_max_age(opts.fetch(:cache_max_age, '10h'))
44
- end
45
-
46
- def initialize
47
- # Default iss whitelist if it is empty
48
- @@iss_whitelist = @@iss_whitelist&.empty? ? ENV['ISS_WHITELIST']&.split('|') : @@iss_whitelist
49
-
50
- valid_opts = !@@iss_whitelist&.empty?
51
- raise IncompleteOptions unless valid_opts
52
- end
12
+ def initialize(options = {})
13
+ @iss_whitelist = options.fetch(:iss_whitelist) { [] }
14
+ raise IncompleteOptions if iss_whitelist.empty?
53
15
 
54
- # Private: resets key manager cache
55
- def reset_cache
56
- @@manager.store.reset_all
16
+ max_age = options.fetch(:cache_max_age) { '10h' }
17
+ @manager = options.fetch(:key_manager) { KeyManager.new(max_age) }
57
18
  end
58
19
 
59
20
  # Public: validates JWT, returns true if valid, false if not.
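Review bot: `attr_reader :iss_whitelist, :manager, :opts` publishes `opts`, but the new `initialize` never assigns `@opts`, so `Validator#opts` returns nil unless it is set somewhere outside this hunk; either keep the hash (`@opts = options`) or drop `:opts` from the reader. The `empty?` guard raises `IncompleteOptions` for a missing or empty list, but a caller passing `iss_whitelist: nil` reaches `nil.empty?` and gets NoMethodError instead; `@iss_whitelist = Array(options.fetch(:iss_whitelist) { [] })` would normalize nil and a single issuer string alike while keeping the exact-match `include?` check intact. Note also that the constructor no longer falls back to `ENV['ISS_WHITELIST']`, and that the module-level `Authentic.valid?` / `Authentic.ensure_valid` entry points are removed; both break existing callers, yet the metadata hunk bumps only the minor version (1.2.0 → 1.3.0), so the class comment or changelog should say so. The `Validator` class continues past the end of the hunk.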
@@ -62,7 +23,7 @@ module Authentic
62
23
  #
63
24
  # Returns boolean.
64
25
  def valid?(token)
65
- ensure_valid token
26
+ ensure_valid(token)
66
27
  true
67
28
  rescue InvalidToken, InvalidKey, RequestError
68
29
  false
@@ -75,16 +36,16 @@ module Authentic
75
36
  #
76
37
  # Returns nothing.
77
38
  def ensure_valid(token)
78
- jwt = decode_jwt token
39
+ jwt = decode_jwt(token)
79
40
 
80
41
  begin
81
- key = @@manager.get jwt
42
+ key = manager.get(jwt)
82
43
 
83
44
  # Slightly more accurate to raise a key error here for nil key,
84
45
  # rather then verify raising an error that would lead to InvalidToken
85
46
  raise InvalidKey, 'invalid JWK' if key.nil?
86
47
 
87
- jwt.verify! key
48
+ jwt.verify!(key)
88
49
  rescue JSON::JWT::UnexpectedAlgorithm, JSON::JWT::VerificationFailed
89
50
  raise InvalidToken, 'failed to validate token against JWK'
90
51
  rescue OpenSSL::PKey::PKeyError
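Review bot: `jwt.verify!(key)` verifies the token signature only; as far as I recall json-jwt's `verify!` does not check `exp` or `nbf`, so unless a claims check exists past the end of this hunk an expired token still passes `ensure_valid`. If there is none, a check after the verify such as `raise InvalidToken, 'JWT has expired' if jwt[:exp] && Time.now.to_i >= jwt[:exp].to_i` closes that gap, or the method comment should state that claim validation is the caller's responsibility. The method's remaining rescue clauses are outside the hunk.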
@@ -101,7 +62,7 @@ module Authentic
101
62
  raise InvalidToken, 'invalid nil JWT provided' unless token
102
63
 
103
64
  JSON::JWT.decode(token, :skip_verification).tap do |jwt|
104
- raise InvalidToken, 'JWT iss was not located in provided whitelist' unless @@iss_whitelist.index jwt[:iss]
65
+ raise InvalidToken, 'JWT iss was not located in provided whitelist' unless iss_whitelist.include?(jwt[:iss])
105
66
  end
106
67
  rescue JSON::JWT::InvalidFormat
107
68
  raise InvalidToken, 'invalid JWT format'
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: authentic-rb
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 1.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Articulate
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2019-01-14 00:00:00.000000000 Z
12
+ date: 2019-01-22 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: json-jwt