authentic-rb 1.0.4 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/authentic/key_manager.rb +5 -1
- data/lib/authentic/key_store.rb +8 -0
- data/lib/authentic/validator.rb +29 -10
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 569cb68126c88d020f7a3a97f492a197f104054c766d0725de7650842fbc935d
|
|
4
|
+
data.tar.gz: 4276afbae6032bd9d2ed20ca93a3c9e1d2af1a3c59a4cefe6e67e39ee0895a7a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f68c71db7fa9f9c129b740b9599b25f3500735a2bd7bb16056a1e8a0ab5c3889abd47cf81804c8d2b6790d61e0ba7b113fb6a2eb54a32a396fb37a9b121815a9
|
|
7
|
+
data.tar.gz: 50eba9c344040ce7f91e63d350eadfd096334937aa6eb0b11ddb54da2772dae61c31c297cb880c8dbf9d4b0e1ceb71279b24c71ae40d3b6a60af53a7bd145c3d
|
|
@@ -10,10 +10,14 @@ module Authentic
|
|
|
10
10
|
attr_reader :store, :well_known
|
|
11
11
|
|
|
12
12
|
def initialize(max_age)
|
|
13
|
-
@store = KeyStore.new(max_age
|
|
13
|
+
@store = KeyStore.new(max_age)
|
|
14
14
|
@well_known = '/.well-known/openid-configuration'
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
+
def cache_max_age(max_age)
|
|
18
|
+
@store.configure_max_age(max_age)
|
|
19
|
+
end
|
|
20
|
+
|
|
17
21
|
# Public: retrieves JWK.
|
|
18
22
|
#
|
|
19
23
|
# jwt - JSON::JWT.
|
data/lib/authentic/key_store.rb
CHANGED
|
@@ -11,10 +11,18 @@ module Authentic
|
|
|
11
11
|
|
|
12
12
|
def initialize(max_age, data = {})
|
|
13
13
|
@data = data
|
|
14
|
+
configure_max_age(max_age)
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def configure_max_age(max_age)
|
|
14
18
|
@max_age = max_age
|
|
15
19
|
@max_age_seconds = human_time_to_seconds
|
|
16
20
|
end
|
|
17
21
|
|
|
22
|
+
def reset_all
|
|
23
|
+
@data = {}
|
|
24
|
+
end
|
|
25
|
+
|
|
18
26
|
# Public: Sets data, and wraps it in OIDCKey class if not presented as that type.
|
|
19
27
|
#
|
|
20
28
|
# iss - issuer
|
data/lib/authentic/validator.rb
CHANGED
|
@@ -8,9 +8,11 @@ module Authentic
|
|
|
8
8
|
# Public: validate JWTs against JWKs using iss whitelist in an environment variable.
|
|
9
9
|
#
|
|
10
10
|
# token - raw JWT.
|
|
11
|
+
# opts - Optionally pass configuration options.
|
|
11
12
|
#
|
|
12
13
|
# Returns boolean.
|
|
13
|
-
def self.valid?(token)
|
|
14
|
+
def self.valid?(token, opts = {})
|
|
15
|
+
Validator.configure(opts) unless opts.empty?
|
|
14
16
|
Validator.new.valid?(token)
|
|
15
17
|
end
|
|
16
18
|
|
|
@@ -18,23 +20,40 @@ module Authentic
|
|
|
18
20
|
# raises an error for invalid JWTs, errors requesting JWKs, the lack of valid JWKs, or non white listed ISS.
|
|
19
21
|
#
|
|
20
22
|
# token - raw JWT.
|
|
23
|
+
# opts - Optionally pass configuration options.
|
|
21
24
|
#
|
|
22
25
|
# Returns nothing.
|
|
23
|
-
def self.ensure_valid(token)
|
|
26
|
+
def self.ensure_valid(token, opts = {})
|
|
27
|
+
Validator.configure(opts) unless opts.empty?
|
|
24
28
|
Validator.new.ensure_valid(token)
|
|
25
29
|
end
|
|
26
30
|
|
|
27
31
|
# Public: validates JWTs against JWKs.
|
|
28
32
|
class Validator
|
|
29
|
-
|
|
33
|
+
@@manager = KeyManager.new('10h')
|
|
34
|
+
@@iss_whitelist = []
|
|
30
35
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
36
|
+
# Public: Configures iss_whitelist and cache_max_age
|
|
37
|
+
#
|
|
38
|
+
# opts - options to configure the validator with
|
|
39
|
+
#
|
|
40
|
+
# Returns nothing.
|
|
41
|
+
def self.configure(opts)
|
|
42
|
+
@@iss_whitelist = opts[:iss_whitelist]
|
|
43
|
+
@@manager.cache_max_age(opts.fetch(:cache_max_age, '10h'))
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def initialize
|
|
47
|
+
# Default iss whitelist if it is empty
|
|
48
|
+
@@iss_whitelist = @@iss_whitelist&.empty? ? ENV['AUTHENTIC_ISS_WHITELIST']&.split(',') : @@iss_whitelist
|
|
49
|
+
|
|
50
|
+
valid_opts = !@@iss_whitelist&.empty?
|
|
35
51
|
raise IncompleteOptions unless valid_opts
|
|
52
|
+
end
|
|
36
53
|
|
|
37
|
-
|
|
54
|
+
# Private: resets key manager cache
|
|
55
|
+
def reset_cache
|
|
56
|
+
@@manager.store.reset_all
|
|
38
57
|
end
|
|
39
58
|
|
|
40
59
|
# Public: validates JWT, returns true if valid, false if not.
|
|
@@ -59,7 +78,7 @@ module Authentic
|
|
|
59
78
|
jwt = decode_jwt token
|
|
60
79
|
|
|
61
80
|
begin
|
|
62
|
-
key = manager.get jwt
|
|
81
|
+
key = @@manager.get jwt
|
|
63
82
|
|
|
64
83
|
# Slightly more accurate to raise a key error here for nil key,
|
|
65
84
|
# rather then verify raising an error that would lead to InvalidToken
|
|
@@ -82,7 +101,7 @@ module Authentic
|
|
|
82
101
|
raise InvalidToken, 'invalid nil JWT provided' unless token
|
|
83
102
|
|
|
84
103
|
JSON::JWT.decode(token, :skip_verification).tap do |jwt|
|
|
85
|
-
raise InvalidToken, 'JWT iss was not located in provided whitelist' unless iss_whitelist.index jwt[:iss]
|
|
104
|
+
raise InvalidToken, 'JWT iss was not located in provided whitelist' unless @@iss_whitelist.index jwt[:iss]
|
|
86
105
|
end
|
|
87
106
|
rescue JSON::JWT::InvalidFormat
|
|
88
107
|
raise InvalidToken, 'invalid JWT format'
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: authentic-rb
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Articulate
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date:
|
|
12
|
+
date: 2019-01-14 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: json-jwt
|