cf-uaa-lib 1.3.5 → 1.3.6

data/lib/uaa/http.rb

@@ -26,9 +26,6 @@ class NotFound < UAAError; end
 # Indicates a syntax error in a response from the UAA, e.g. missing required response field.
 class BadResponse < UAAError; end
 
-# Indicates a token is malformed or expired.
-class InvalidToken < UAAError; end
-
 # Indicates an error from the http client stack.
 class HTTPException < UAAError; end
 
@@ -40,6 +37,9 @@ class TargetError < UAAError
   end
 end
 
+# Indicates a token is malformed or expired.
+class InvalidToken < TargetError; end
+
 # Utility accessors and methods for objects that want to access JSON web APIs.
 module Http
 
@@ -91,7 +91,7 @@ module Http
 
   def json_parse_reply(style, status, body, headers)
     raise ArgumentError unless style.nil? || style.is_a?(Symbol)
-    unless [200, 201, 204, 400, 401, 403].include? status
+    unless [200, 201, 204, 400, 401, 403, 409].include? status
       raise (status == 404 ? NotFound : BadResponse), "invalid status response: #{status}"
     end
     if body && !body.empty? && (status == 204 || headers.nil? ||
@@ -99,9 +99,9 @@ module Http
       raise BadResponse, "received invalid response content or type"
     end
     parsed_reply = Util.json_parse(body, style)
-  if status >= 400
+    if status >= 400
       raise parsed_reply && parsed_reply["error"] == "invalid_token" ?
-          InvalidToken : TargetError.new(parsed_reply), "error response"
+          InvalidToken.new(parsed_reply) : TargetError.new(parsed_reply), "error response"
     end
     parsed_reply
   rescue DecodeError
@@ -133,8 +133,7 @@ module Http
     [status, body, headers]
 
   rescue Exception => e
-    e.message.replace "Target #{target}, #{e.message}"
-    logger.debug { "<---- no response due to exception: #{e}" }
+    logger.debug { "<---- no response due to exception: #{e.inspect}" }
     raise e
   end
 

data/lib/uaa/token_coder.rb

@@ -16,6 +16,17 @@ require "uaa/util"
 
 module CF::UAA
 
+# this code does not support the given token signature algorithim
+class SignatureNotSupported < DecodeError; end
+
+# this instance policy does not accept the given token signature algorithim
+class SignatureNotAccepted < DecodeError; end
+
+class InvalidSignature < DecodeError; end
+class InvalidTokenFormat < DecodeError; end
+class TokenExpired < AuthError; end
+class InvalidAudience < AuthError; end
+
 # This class is for OAuth Resource Servers.
 # Resource Servers get tokens and need to validate and decode them,
 # but they do not obtain them from the Authorization Server. This
@@ -68,7 +79,7 @@ class TokenCoder
     elsif algo == "none"
       sig = ""
     else
-      raise ArgumentError, "unsupported signing method"
+      raise SignatureNotSupported, "unsupported signing method"
     end
     segments << Util.encode64(sig)
     segments.join('.')
@@ -90,24 +101,24 @@ class TokenCoder
     end
     options = normalize_options(options)
     segments = token.split('.')
-    raise DecodeError, "Not enough or too many segments" unless [2,3].include? segments.length
+    raise InvalidTokenFormat, "Not enough or too many segments" unless [2,3].include? segments.length
     header_segment, payload_segment, crypto_segment = segments
     signing_input = [header_segment, payload_segment].join('.')
     header = Util.json_decode64(header_segment)
     payload = Util.json_decode64(payload_segment, (:sym if options[:symbolize_keys]))
     return payload unless options[:verify]
-    raise DecodeError, "Signature algorithm not accepted" unless
+    raise SignatureNotAccepted, "Signature algorithm not accepted" unless
         options[:accept_algorithms].include?(algo = header["alg"])
     return payload if algo == 'none'
     signature = Util.decode64(crypto_segment)
     if ["HS256", "HS384", "HS512"].include?(algo)
-      raise DecodeError, "Signature verification failed" unless
+      raise InvalidSignature, "Signature verification failed" unless
           signature == OpenSSL::HMAC.digest(init_digest(algo), options[:skey], signing_input)
     elsif ["RS256", "RS384", "RS512"].include?(algo)
-      raise DecodeError, "Signature verification failed" unless
+      raise InvalidSignature, "Signature verification failed" unless
           options[:pkey].verify(init_digest(algo), signature, signing_input)
     else
-      raise DecodeError, "Algorithm not supported"
+      raise SignatureNotSupported, "Algorithm not supported"
     end
     payload
   end
@@ -166,16 +177,16 @@ class TokenCoder
   # @return (see TokenCoder.decode)
   def decode(auth_header)
     unless auth_header && (tkn = auth_header.split(' ')).length == 2 && tkn[0] =~ /^bearer$/i
-      raise DecodeError, "invalid authentication header: #{auth_header}"
+      raise InvalidTokenFormat, "invalid authentication header: #{auth_header}"
     end
     reply = self.class.decode(tkn[1], @options)
     auds = Util.arglist(reply[:aud] || reply['aud'])
     if @options[:audience_ids] && (!auds || (auds & @options[:audience_ids]).empty?)
-      raise AuthError, "invalid audience: #{auds}"
+      raise InvalidAudience, "invalid audience: #{auds}"
     end
     exp = reply[:exp] || reply['exp']
     unless exp.is_a?(Integer) && exp > Time.now.to_i
-      raise AuthError, "token expired"
+      raise TokenExpired, "token expired"
     end
     reply
   end

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = "1.3.5"
+    VERSION = "1.3.6"
   end
 end

data/spec/token_coder_spec.rb

@@ -26,9 +26,9 @@ describe TokenCoder do
     @tkn_secret = "test_secret"
   end
 
-  it "raises a decode error if the given auth header is bad" do
-    expect { subject.decode(nil) }.to raise_exception(DecodeError)
-    expect { subject.decode("one two three") }.to raise_exception(DecodeError)
+  it "raises error if the given auth header is bad" do
+    expect { subject.decode(nil) }.to raise_exception(InvalidTokenFormat)
+    expect { subject.decode("one two three") }.to raise_exception(InvalidTokenFormat)
   end
 
   it "encodes/decodes a token using a symmetrical key" do
@@ -73,37 +73,40 @@ describe TokenCoder do
 
   it "rejects a token with 'none' signature by default" do
     tkn = subject.encode(@tkn_body, 'none')
-    expect { TokenCoder.decode(tkn) }.to raise_exception(DecodeError)
+    expect { TokenCoder.decode(tkn) }.to raise_exception(SignatureNotAccepted)
   end
 
   it "raises an error if the signing algorithm is not supported" do
-    expect { subject.encode(@tkn_body, 'baz') }.to raise_exception(ArgumentError)
+    expect { subject.encode(@tkn_body, 'baz') }.to raise_exception(SignatureNotSupported)
   end
 
-  it "raises an auth error if the token is for another resource server" do
+  it "raises an error if the token is for another resource server" do
     tkn = subject.encode({'aud' => ["other_resource"], 'foo' => "bar"})
-    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(AuthError)
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(InvalidAudience)
   end
 
-  it "raises a decode error if the token is signed by an unknown signing key" do
+  it "raises an error if the token is signed by an unknown signing key" do
     other = TokenCoder.new(:audience_ids => "test_resource", :skey => "other_secret")
     tkn = other.encode(@tkn_body)
-    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(InvalidSignature)
   end
 
-  it "raises a decode error if the token is an unknown signing algorithm" do
+  it "raises an error if the token is an unknown signing algorithm" do
     segments = [Util.json_encode64(:typ => "JWT", :alg =>"BADALGO")]
     segments << Util.json_encode64(@tkn_body)
     segments << Util.encode64("BADSIG")
     tkn = segments.join('.')
-    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+    tc = TokenCoder.new(:audience_ids => "test_resource",
+        :skey => "test_secret", :pkey => OpenSSL::PKey::RSA.generate(512),
+        :accept_algorithms => "BADALGO")
+    expect { tc.decode("bEaReR #{tkn}") }.to raise_exception(SignatureNotSupported)
   end
 
-  it "raises a decode error if the token is malformed" do
+  it "raises an error if the token is malformed" do
     tkn = "one.two.three.four"
-    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(InvalidTokenFormat)
     tkn = "onlyone"
-    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(InvalidTokenFormat)
   end
 
   it "raises a decode error if a token segment is malformed" do
@@ -114,9 +117,9 @@ describe TokenCoder do
     expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
   end
 
-  it "raises an auth error if the token has expired" do
+  it "raises an error if the token has expired" do
     tkn = subject.encode({'foo' => "bar", 'exp' => Time.now.to_i - 60 })
-    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(AuthError)
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(TokenExpired)
   end
 
   it "decodes a token without validation" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-  version: 1.3.5
+  version: 1.3.6
   prerelease: 
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-22 00:00:00.000000000 Z
+date: 2013-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -193,12 +193,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: 1720438765571027333
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: 1720438765571027333
 requirements: []
 rubyforge_project: cf-uaa-lib
 rubygems_version: 1.8.23
@@ -206,4 +212,3 @@ signing_key:
 specification_version: 3
 summary: Client library for CloudFoundry UAA
 test_files: []
-has_rdoc: