cf-uaa-lib 3.14.1 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 46d432989d2af2fe4fa1a5317daffba25c752728
-  data.tar.gz: 4daf1389ceb41788db00d04324a778b688c7397c
+SHA256:
+  metadata.gz: 283326148ca7b9df992d6ea50b3e0161ef74d07626147979c83a5c6e63daec86
+  data.tar.gz: b643f26e60fa73ccdee7e9fc7b89b3b3c010e9c9007be12e98e2f7493cc53a6d
 SHA512:
-  metadata.gz: 57c54fd8ee9caddf71d4580bd909a52e4bad75a6815cb0a595b05e43536aa2a1774a2eddf5d747f9d2feca37e295d50f0a7966ccaf34b4b6e188e19f58083445
-  data.tar.gz: 41b36b3d6df7b9b2d5a55d65b0afadc62ac73837823bca76e3cfc4820fd6f3d0c17f57e9731ce1378a3e02fa272b08262712f5deb8895429eb72785911d0c455
+  metadata.gz: 110d6d2259dcce0a7e1cac4ffbf24625a32c6a265fc5329adf4d2cc3ade2803aed54012021d8ad2238cd0aeb5259d3b973173671c7ca1b54fe6cc775146a5001
+  data.tar.gz: d217c50866d14c2eac62b03dbe406f572398f9f1d747b0a079c26236662474143d6d252b609df03c228123c677b299d1f3b8e700f49af7f0651561d3e715f647

data/.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "11:00"
+  open-pull-requests-limit: 10
+  allow:
+  - dependency-type: direct
+  - dependency-type: indirect

data/.github/workflows/gem-push.yml

@@ -0,0 +1,29 @@
+name: Ruby Gem
+
+on: workflow_dispatch
+
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+
+    - name: Publish to RubyGems
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push *.gem
+      env:
+        GEM_HOST_API_KEY: "${{ secrets.RUBYGEMS_AUTH_TOKEN }}"

data/.github/workflows/ruby.yml

@@ -0,0 +1,27 @@
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.5', '2.7', '3.0', '3.1']
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Run tests
+      run: bundle exec rake
+    - name: Run coverage
+      run: bundle exec rake cov

data/README.md

@@ -1,5 +1,5 @@
 # CloudFoundry UAA Gem
-[![Build Status](https://travis-ci.org/cloudfoundry/cf-uaa-lib.png)](https://travis-ci.org/cloudfoundry/cf-uaa-lib)
+![Build status](https://github.com/cloudfoundry/cf-uaa-lib/actions/workflows/ruby.yml/badge.svg?branch=master)
 [![Gem Version](https://badge.fury.io/rb/cf-uaa-lib.png)](http://badge.fury.io/rb/cf-uaa-lib)
 
 Client gem for interacting with the [CloudFoundry UAA server](https://github.com/cloudfoundry/uaa)
@@ -8,31 +8,133 @@ For documentation see: https://rubygems.org/gems/cf-uaa-lib
 
 ## Install from rubygems
 
-    $ gem install cf-uaa-lib
+```plain
+gem install cf-uaa-lib
+```
 
 ## Build from source
 
-    $ bundle install
-    $ gem build cf-uaa-lib.gemspec
-    $ gem install cf-uaa-lib<version>.gem
+```plain
+bundle install
+rake install
+```
 
 ## Use the gem
 
-    #!/usr/bin/env ruby
-    require 'uaa'
-    token_issuer = CF::UAA::TokenIssuer.new("https://uaa.cloudfoundry.com", "vmc")
-    puts token_issuer.prompts.inspect
-    token = token_issuer.implicit_grant_with_creds(username: "<your_username>", password: "<your_password>")
-    token_info = CF::UAA::TokenCoder.decode(token.info["access_token"], nil, nil, false) #token signature not verified
-    puts token_info["user_name"]
+Create a UAA client that allows users to authenticate with username/password and allow client application to use `openid` scope to invoke `/userinfo` endpoint for the user.
+
+```plain
+uaa create-client decode-token-demo -s decode-token-demo -v \
+  --authorized_grant_types password,refresh_token \
+  --scope "openid"  \
+  --authorities uaa.none
+```
+
+Create a user with which to authorize our `decode-token-demo` client application.
+
+```plain
+uaa create-user myuser \
+  --email myuser@example.com \
+  --givenName "My" \
+  --familyName "User" \
+  --password myuser_secret
+```
+
+Create this Ruby script (script is available at `examples/password_grant_and_decode_token.rb`):
+
+```ruby
+#!/usr/bin/env ruby
+
+require 'uaa'
+
+url = ENV["UAA_URL"]
+client, secret = "decode-token-demo", "decode-token-demo"
+username, password = ENV["UAA_USERNAME"], ENV["UAA_PASSWORD"]
+
+def show(title, object)
+  puts "#{title}: #{object.inspect}"
+  puts
+end
+
+uaa_options = {}
+uaa_options[:ssl_ca_file] = ENV["UAA_CA_CERT_FILE"] if ENV["UAA_CA_CERT_FILE"]
+show "uaa_options", uaa_options
+
+uaa_info = CF::UAA::Info.new(url, uaa_options)
+show "UAA server info", uaa_info.server
+
+token_keys = uaa_info.validation_keys_hash
+show "Signing keys for access tokens", token_keys
+
+token_issuer = CF::UAA::TokenIssuer.new(url, client, secret, uaa_options)
+show "Login prompts", token_issuer.prompts
+
+token = token_issuer.owner_password_grant(username, password, "openid")
+show "User '#{username}' password grant", token
+
+auth_header = "bearer #{token.info["access_token"]}"
+show "Auth header for resource server API calls", auth_header
+
+userinfo = uaa_info.whoami(auth_header)
+show "User info", userinfo
+
+last_exception = nil
+token_keys.each_pair do |keyname, token_key|
+  begin
+    token_coder = CF::UAA::TokenCoder.new(uaa_options.merge(pkey: token_key["value"], verify: true))
+    token_info = token_coder.decode(auth_header)
+    show "Decoded access token", token_info
+    last_exception = nil
+  rescue CF::UAA::Decode => e
+    last_exception = e
+  end
+end
+raise last_exception if last_exception
+```
+
+To run the script, setup the env vars for your UAA and run the ruby script:
+
+```bash
+export UAA_URL=https://192.168.50.6:8443
+export UAA_CA_CERT_FILE=/path/to/ca.pem
+export UAA_USERNAME=myuser
+export UAA_PASSWORD=myuser_secret
+ruby examples/password_grant_and_decode_token.rb
+```
+
+The output will look similar to:
+
+```plain
+uaa_options: {:ssl_ca_file=>"/var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/tmp.R6wpXYdC/ca.pem"}
+
+UAA server info: {"app"=>{"version"=>"4.19.0"}, "links"=>{"uaa"=>"https://192.168.50.6:8443", "passwd"=>"/forgot_password", "login"=>"https://192.168.50.6:8443", "register"=>"/create_account"}, "zone_name"=>"uaa", "entityID"=>"192.168.50.6:8443", "commit_id"=>"7897100", "idpDefinitions"=>{}, "prompts"=>{"username"=>["text", "Email"], "password"=>["password", "Password"]}, "timestamp"=>"2018-06-13T12:02:09-0700"}
+
+Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
+Signing keys for access tokens: {"uaa-jwt-key-1"=>{"kty"=>"RSA", "e"=>"AQAB", "use"=>"sig", "kid"=>"uaa-jwt-key-1", "alg"=>"RS256", "value"=>"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8UNioYHjhyi1qSHrnBZ9\nKE96/1jLBOX2UTShGBo8jP7eDD6zUh5DNHNPAwD1V8gNI4wvNAm+zL1MrSEDWzn2\nPvCANd+XydoNVZU1zhqxvGhoxHmgAA3JbgSS3oLLNDG/HH8wEnjAxb+G1uh2EVSF\nAe/euQ/fEmY4e7uOG34h9WMX84tD1Sf/xvVoNGAL8bTwotzBLFZ12M3P70hrKDi5\n9wEBbY5bllvvNFyjZTYwMbw97RIOdg3FQkOABu8ENCqbPks5gqSpNV33ekaX4rAd\nwYdEX5iUzDBdMyD8jqUopuqTXqBKg2/ealGitXdbSIEAvcBgZWnn1j2vFp6OEYBB\n7wIDAQAB\n-----END PUBLIC KEY-----", "n"=>"APFDYqGB44cotakh65wWfShPev9YywTl9lE0oRgaPIz-3gw-s1IeQzRzTwMA9VfIDSOMLzQJvsy9TK0hA1s59j7wgDXfl8naDVWVNc4asbxoaMR5oAANyW4Ekt6CyzQxvxx_MBJ4wMW_htbodhFUhQHv3rkP3xJmOHu7jht-IfVjF_OLQ9Un_8b1aDRgC_G08KLcwSxWddjNz-9Iayg4ufcBAW2OW5Zb7zRco2U2MDG8Pe0SDnYNxUJDgAbvBDQqmz5LOYKkqTVd93pGl-KwHcGHRF-YlMwwXTMg_I6lKKbqk16gSoNv3mpRorV3W0iBAL3AYGVp59Y9rxaejhGAQe8"}}
+
+Login prompts: {"username"=>["text", "Email"], "password"=>["password", "Password"]}
+
+User 'myuser' password grant: #<CF::UAA::TokenInfo:0x00007fbad5a12c18 @info={"access_token"=>"eyJhbGciOiJSUzI1NiIsImtpZCI6InVhYS1qd3Qta2V5LTEiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlMTFlZmMwNjI1OGQ0MzA0YTc4ZGIyNzliYjJjMzQ1OCIsInN1YiI6IjM5NzhmZjRkLWQ3MzgtNGI4Yi05OTA4LTdhZTE0N2YzYzNiZSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJkZWNvZGUtdG9rZW4tZGVtbyIsImNpZCI6ImRlY29kZS10b2tlbi1kZW1vIiwiYXpwIjoiZGVjb2RlLXRva2VuLWRlbW8iLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMzk3OGZmNGQtZDczOC00YjhiLTk5MDgtN2FlMTQ3ZjNjM2JlIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibXl1c2VyIiwiZW1haWwiOiJteXVzZXJAZXhhbXBsZS5jb20iLCJhdXRoX3RpbWUiOjE1MzE2MzAxNDgsInJldl9zaWciOiI5M2E2NzkwNCIsImlhdCI6MTUzMTYzMDE0OCwiZXhwIjoxNTMxNjczMzQ4LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbIm9wZW5pZCIsImRlY29kZS10b2tlbi1kZW1vIl19.qtbzxCOW5bebTgMLK-71_zxaT7l5PSmxhXcDtCeA64dZZ6-wXXmJivopm5PFEHnHiZwRpVe43jyEsbJGzBdl8GEsYQ9YIy51-4noby7ClziJv-6rSBYZnZuU5A234QRWclATGksOcz8Ft9PTIKGKLScyLhncwas7W0uiNJ87MFBGWY6Ovvl3Ac5-jHCqiRBXD6vUhzpfmy6_OUr53i9zJgtcQQWgDrOHxnFcRABZcDnhnWdcxh-Hbagtt9dQU46QgpqLJiUvAg-7ypZPGrxnr9UQEO2Q9GrolkbrSeUcfUOkgppxaA_0b6RYpgBR1qg-Ns6jGUxFgPs6Jj8pysfVmA", "token_type"=>"bearer", "refresh_token"=>"6701ddb9397840a1bd339e9f4314448f-r", "expires_in"=>43199, "scope"=>"openid", "jti"=>"e11efc06258d4304a78db279bb2c3458"}>
+
+Auth header for resource server API calls: "bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InVhYS1qd3Qta2V5LTEiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlMTFlZmMwNjI1OGQ0MzA0YTc4ZGIyNzliYjJjMzQ1OCIsInN1YiI6IjM5NzhmZjRkLWQ3MzgtNGI4Yi05OTA4LTdhZTE0N2YzYzNiZSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJkZWNvZGUtdG9rZW4tZGVtbyIsImNpZCI6ImRlY29kZS10b2tlbi1kZW1vIiwiYXpwIjoiZGVjb2RlLXRva2VuLWRlbW8iLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMzk3OGZmNGQtZDczOC00YjhiLTk5MDgtN2FlMTQ3ZjNjM2JlIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibXl1c2VyIiwiZW1haWwiOiJteXVzZXJAZXhhbXBsZS5jb20iLCJhdXRoX3RpbWUiOjE1MzE2MzAxNDgsInJldl9zaWciOiI5M2E2NzkwNCIsImlhdCI6MTUzMTYzMDE0OCwiZXhwIjoxNTMxNjczMzQ4LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbIm9wZW5pZCIsImRlY29kZS10b2tlbi1kZW1vIl19.qtbzxCOW5bebTgMLK-71_zxaT7l5PSmxhXcDtCeA64dZZ6-wXXmJivopm5PFEHnHiZwRpVe43jyEsbJGzBdl8GEsYQ9YIy51-4noby7ClziJv-6rSBYZnZuU5A234QRWclATGksOcz8Ft9PTIKGKLScyLhncwas7W0uiNJ87MFBGWY6Ovvl3Ac5-jHCqiRBXD6vUhzpfmy6_OUr53i9zJgtcQQWgDrOHxnFcRABZcDnhnWdcxh-Hbagtt9dQU46QgpqLJiUvAg-7ypZPGrxnr9UQEO2Q9GrolkbrSeUcfUOkgppxaA_0b6RYpgBR1qg-Ns6jGUxFgPs6Jj8pysfVmA"
+
+User info: {"user_id"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be", "user_name"=>"myuser", "name"=>"My User", "given_name"=>"My", "family_name"=>"User", "email"=>"myuser@example.com", "email_verified"=>true, "previous_logon_time"=>nil, "sub"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be"}
+
+Decoded access token: {"jti"=>"e11efc06258d4304a78db279bb2c3458", "sub"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be", "scope"=>["openid"], "client_id"=>"decode-token-demo", "cid"=>"decode-token-demo", "azp"=>"decode-token-demo", "grant_type"=>"password", "user_id"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be", "origin"=>"uaa", "user_name"=>"myuser", "email"=>"myuser@example.com", "auth_time"=>1531630148, "rev_sig"=>"93a67904", "iat"=>1531630148, "exp"=>1531673348, "iss"=>"https://192.168.50.6:8443/oauth/token", "zid"=>"uaa", "aud"=>["openid", "decode-token-demo"]}
+>>>>>>> 21ae635... new example script - password grant + decode using token keys
+```
 
 ## Tests
 
 Run the tests with rake:
 
-    $ bundle exec rake test
+```plain
+bundle exec rake test
+```
 
 Run the tests and see a fancy coverage report:
 
-    $ bundle exec rake cov
+```plain
+bundle exec rake cov
+```
 

data/cf-uaa-lib.gemspec

@@ -24,8 +24,6 @@ Gem::Specification.new do |s|
   s.summary     = %q{Client library for CloudFoundry UAA}
   s.description = %q{Client library for interacting with the CloudFoundry User Account and Authorization (UAA) server.  The UAA is an OAuth2 Authorization Server so it can be used by webapps and command line apps to obtain access tokens to act on behalf of users.  The tokens can then be used to access protected resources in a Resource Server.  This library is for use by UAA client applications or resource servers.}
 
-  s.rubyforge_project = "cf-uaa-lib"
-
   s.license       = "Apache-2.0"
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
@@ -33,15 +31,17 @@ Gem::Specification.new do |s|
   s.require_paths = ['lib']
 
   # dependencies
-  s.add_dependency 'multi_json', '~> 1.12.0', '>= 1.12.1'
+  s.add_dependency 'multi_json', '>= 1.12.1', '< 1.16'
   s.add_dependency 'httpclient', '~> 2.8', '>= 2.8.2.4'
+  s.add_dependency 'addressable', '~> 2.8', '>= 2.8.0'
 
-  s.add_development_dependency 'bundler', '~> 1.14'
-  s.add_development_dependency 'rake', '~> 10.3', '>= 10.3.2'
-  s.add_development_dependency 'rspec', '~> 2.14', '>= 2.14.1'
-  s.add_development_dependency 'simplecov', '~> 0.8.2'
+  s.add_development_dependency 'bundler', '~> 2.2'
+  s.add_development_dependency 'rake', '>= 10.3.2', '~> 13.0'
+  s.add_development_dependency 'rspec', '>= 2.14.1', '~> 3.9'
+  s.add_development_dependency 'simplecov', '~> 0.21.2'
   s.add_development_dependency 'simplecov-rcov', '~> 0.2.3'
-  s.add_development_dependency 'ci_reporter', '~> 1.9', '>= 1.9.2'
-  s.add_development_dependency 'json_pure', '~> 1.8', '>= 1.8.1'
+  s.add_development_dependency 'ci_reporter', '>= 1.9.2', '~> 2.0'
+  s.add_development_dependency 'json_pure', '>= 1.8.1', '~> 2.5'
+  s.add_development_dependency 'ci_reporter_rspec', '~> 1.0'
 
 end

data/examples/password_grant_and_decode_token.rb

@@ -0,0 +1,53 @@
+#!/usr/bin/env ruby
+
+# uaa create-client decode-token-demo -s decode-token-demo -v \
+#   --authorized_grant_types password,refresh_token \
+#   --scope "openid"  \
+#   --authorities uaa.none
+
+require 'uaa'
+
+url = ENV["UAA_URL"]
+client, secret = "decode-token-demo", "decode-token-demo"
+username, password = ENV["UAA_USERNAME"], ENV["UAA_PASSWORD"]
+
+def show(title, object)
+  puts "#{title}: #{object.inspect}"
+  puts
+end
+
+uaa_options = {}
+uaa_options[:ssl_ca_file] = ENV["UAA_CA_CERT_FILE"] if ENV["UAA_CA_CERT_FILE"]
+show "uaa_options", uaa_options
+
+uaa_info = CF::UAA::Info.new(url, uaa_options)
+show "UAA server info", uaa_info.server
+
+token_keys = uaa_info.validation_keys_hash
+show "Signing keys for access tokens", token_keys
+
+token_issuer = CF::UAA::TokenIssuer.new(url, client, secret, uaa_options)
+show "Login prompts", token_issuer.prompts
+
+token = token_issuer.owner_password_grant(username, password, "openid")
+show "User '#{username}' password grant", token
+
+auth_header = "bearer #{token.info["access_token"]}"
+show "Auth header for resource server API calls", auth_header
+
+userinfo = uaa_info.whoami(auth_header)
+show "User info", userinfo
+
+last_exception = nil
+token_keys.each_pair do |keyname, token_key|
+  begin
+    token_coder = CF::UAA::TokenCoder.new(uaa_options.merge(pkey: token_key["value"], verify: true))
+    token_info = token_coder.decode(auth_header)
+    show "Decoded access token", token_info
+    last_exception = nil
+  rescue CF::UAA::Decode => e
+    last_exception = e
+  end
+end
+raise last_exception if last_exception
+

data/lib/uaa/http.rb

@@ -183,6 +183,8 @@ module Http
     raise SSLException, "Invalid SSL Cert for #{url}. Use '--skip-ssl-validation' to continue with an insecure target"
   rescue URI::Error, SocketError, SystemCallError => e
     raise BadTarget, "error: #{e.message}"
+  rescue HTTPClient::ConnectTimeoutError => e
+    raise HTTPException.new "http timeout"
   end
 
   def http_request(uri)

data/lib/uaa/info.rb

@@ -54,14 +54,6 @@ class Info
     json_get(target, "/userinfo?schema=openid", key_style, "authorization" => auth_header)
   end
 
-  # Gets various monitoring and status variables from the server.
-  # Authenticates using +name+ and +pwd+ for basic authentication.
-  # @param (see Misc.server)
-  # @return [Hash]
-  def varz(name, pwd)
-    json_get(target, "/varz", key_style, "authorization" => Http.basic_auth(name, pwd))
-  end
-
   # Gets basic information about the target server, including version number,
   # commit ID, and links to API endpoints.
   # @return [Hash]
@@ -129,7 +121,7 @@ class Info
   # @return [Hash] contents of the token
   def decode_token(client_id, client_secret, token, token_type = "bearer", audience_ids = nil)
     reply = json_parse_reply(key_style, *request(target, :post, '/check_token',
-                                                 Util.encode_form(:token => token),
+                                                 Util.encode_form(token: token),
                                                  "authorization" => Http.basic_auth(client_id, client_secret),
                                                  "content-type" => Http::FORM_UTF8,"accept" => Http::JSON_UTF8))
 
@@ -146,7 +138,7 @@ class Info
   # @return [Hash]
   def password_strength(password)
     json_parse_reply(key_style, *request(target, :post, '/password/score',
-        Util.encode_form(:password => password), "content-type" => Http::FORM_UTF8,
+        Util.encode_form(password: password), "content-type" => Http::FORM_UTF8,
         "accept" => Http::JSON_UTF8))
   end
 

data/lib/uaa/scim.rb

@@ -12,7 +12,7 @@
 #++
 
 require 'uaa/http'
-require 'uri'
+require 'addressable/uri'
 
 module CF::UAA
 
@@ -177,7 +177,7 @@ class Scim
   # @param [String] id the id attribute of the SCIM object
   # @return [nil]
   def delete(type, id)
-    http_delete @target, "#{type_info(type, :path)}/#{URI.encode(id)}", @auth_header, @zone
+    http_delete @target, "#{type_info(type, :path)}/#{Addressable::URI.encode(id)}", @auth_header, @zone
   end
 
   # Replaces the contents of a SCIM object.
@@ -192,7 +192,7 @@ class Scim
       hdrs.merge!('if-match' => etag)
     end
     reply = json_parse_reply(@key_style,
-        *json_put(@target, "#{path}/#{URI.encode(id)}", info, hdrs))
+        *json_put(@target, "#{path}/#{Addressable::URI.encode(id)}", info, hdrs))
 
     # hide client endpoints that are not quite scim compatible
     type == :client && !reply ? get(type, info['client_id']): reply
@@ -210,7 +210,7 @@ class Scim
       hdrs.merge!('if-match' => etag)
     end
     reply = json_parse_reply(@key_style,
-        *json_patch(@target, "#{path}/#{URI.encode(id)}", info, hdrs))
+        *json_patch(@target, "#{path}/#{Addressable::URI.encode(id)}", info, hdrs))
 
     # hide client endpoints that are not quite scim compatible
     type == :client && !reply ? get(type, info['client_id']): reply
@@ -258,7 +258,7 @@ class Scim
   # @param (see #delete)
   # @return (see #add)
   def get(type, id)
-    info = json_get(@target, "#{type_info(type, :path)}/#{URI.encode(id)}",
+    info = json_get(@target, "#{type_info(type, :path)}/#{Addressable::URI.encode(id)}",
         @key_style, headers)
 
     fake_client_id(info) if type == :client # hide client reply, not quite scim
@@ -270,7 +270,7 @@ class Scim
   # @return (client meta)
   def get_client_meta(client_id)
     path = type_info(:client, :path)
-    json_get(@target, "#{path}/#{URI.encode(client_id)}/meta", @key_style, headers)
+    json_get(@target, "#{path}/#{Addressable::URI.encode(client_id)}/meta", @key_style, headers)
   end
 
   # Collects all pages of entries from a query
@@ -350,7 +350,7 @@ class Scim
     req = {"password" => new_password}
     req["oldPassword"] = old_password if old_password
     json_parse_reply(@key_style, *json_put(@target,
-        "#{type_info(:user, :path)}/#{URI.encode(user_id)}/password", req, headers))
+        "#{type_info(:user, :path)}/#{Addressable::URI.encode(user_id)}/password", req, headers))
   end
 
   # Change client secret.
@@ -366,18 +366,18 @@ class Scim
     req = {"secret" => new_secret }
     req["oldSecret"] = old_secret if old_secret
     json_parse_reply(@key_style, *json_put(@target,
-        "#{type_info(:client, :path)}/#{URI.encode(client_id)}/secret", req, headers))
+        "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/secret", req, headers))
   end
 
   def unlock_user(user_id)
     req = {"locked" => false}
     json_parse_reply(@key_style, *json_patch(@target,
-        "#{type_info(:user, :path)}/#{URI.encode(user_id)}/status", req, headers))
+        "#{type_info(:user, :path)}/#{Addressable::URI.encode(user_id)}/status", req, headers))
   end
 
   def map_group(group, is_id, external_group, origin = "ldap")
     key_name = is_id ? :groupId : :displayName
-    request = {key_name => group, :externalGroup => external_group, :schemas => ["urn:scim:schemas:core:1.0"], :origin => origin }
+    request = {key_name => group, externalGroup: external_group, schemas: ["urn:scim:schemas:core:1.0"], origin: origin }
     result = json_parse_reply(@key_style, *json_post(@target,
                                                      "#{type_info(:group_mapping, :path)}", request,
                                                      headers))
@@ -385,7 +385,7 @@ class Scim
   end
 
   def unmap_group(group_id, external_group, origin = "ldap")
-    http_delete(@target, "#{type_info(:group_mapping, :path)}/groupId/#{group_id}/externalGroup/#{URI.encode(external_group)}/origin/#{origin}",
+    http_delete(@target, "#{type_info(:group_mapping, :path)}/groupId/#{group_id}/externalGroup/#{Addressable::URI.encode(external_group)}/origin/#{origin}",
                           @auth_header, @zone)
   end
 

data/lib/uaa/token_coder.rb

@@ -64,8 +64,8 @@ class TokenCoder
   def self.encode(token_body, options = {}, obsolete1 = nil, obsolete2 = nil)
     unless options.is_a?(Hash) && obsolete1.nil? && obsolete2.nil?
       # deprecated: def self.encode(token_body, skey, pkey = nil, algo = 'HS256')
-      warn "#{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
-      options = {:skey => options }
+      warn "WARNING: #{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
+      options = {skey: options}
       options[:pkey], options[:algorithm] = obsolete1, obsolete2
     end
     options = normalize_options(options)
@@ -95,8 +95,8 @@ class TokenCoder
   def self.decode(token, options = {}, obsolete1 = nil, obsolete2 = nil)
     unless options.is_a?(Hash) && obsolete1.nil? && obsolete2.nil?
       # deprecated: def self.decode(token, skey = nil, pkey = nil, verify = true)
-      warn "#{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
-      options = {:skey => options }
+      warn "WARNING: #{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
+      options = {skey: options}
       options[:pkey], options[:verify] = obsolete1, obsolete2
     end
     options = normalize_options(options)
@@ -106,10 +106,16 @@ class TokenCoder
     signing_input = [header_segment, payload_segment].join('.')
     header = Util.json_decode64(header_segment)
     payload = Util.json_decode64(payload_segment, (:sym if options[:symbolize_keys]))
-    return payload unless options[:verify]
+    unless options[:verify]
+      warn "WARNING: Decoding token without verifying it was signed by its authoring UAA"
+      return payload
+    end
     raise SignatureNotAccepted, "Signature algorithm not accepted" unless
         options[:accept_algorithms].include?(algo = header["alg"])
-    return payload if algo == 'none'
+    if algo == 'none'
+      warn "WARNING: Decoding token that explicitly states it has not been signed by an authoring UAA"
+      return payload
+    end
     signature = Util.decode64(crypto_segment)
     if ["HS256", "HS384", "HS512"].include?(algo)
       raise InvalidSignature, "Signature verification failed" unless
@@ -123,6 +129,17 @@ class TokenCoder
     payload
   end
 
+  # Decodes a JWT token to extract its expiry time
+  # @param [String] token A JWT token as returned by {TokenCoder.encode}
+  # @return [Integer] exp expiry timestamp
+  def self.decode_token_expiry(token)
+    segments = token.split('.')
+    raise InvalidTokenFormat, "Not enough or too many segments" unless [2,3].include? segments.length
+    header_segment, payload_segment, crypto_segment = segments
+    payload = Util.json_decode64(payload_segment, :sym)
+    payload[:exp]
+  end
+
   # Takes constant time to compare 2 strings (HMAC digests in this case)
   # to avoid timing attacks while comparing the HMAC digests
   # @param [String] a: the first digest to compare
@@ -170,7 +187,7 @@ class TokenCoder
     unless options.is_a?(Hash) && obsolete1.nil? && obsolete2.nil?
       # deprecated: def initialize(audience_ids, skey, pkey = nil)
       warn "#{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
-      options = {:audience_ids => options }
+      options = {audience_ids: options }
       options[:skey], options[:pkey] = obsolete1, obsolete2
     end
     @options = self.class.normalize_options(options)
@@ -184,7 +201,7 @@ class TokenCoder
   def encode(token_body = {}, algorithm = nil)
     token_body[:aud] = @options[:audience_ids] if @options[:audience_ids] && !token_body[:aud] && !token_body['aud']
     token_body[:exp] = Time.now.to_i + 7 * 24 * 60 * 60 unless token_body[:exp] || token_body['exp']
-    self.class.encode(token_body, algorithm ? @options.merge(:algorithm => algorithm) : @options)
+    self.class.encode(token_body, algorithm ? @options.merge(algorithm: algorithm) : @options)
   end
 
   # Returns hash of values decoded from the token contents. If the

data/lib/uaa/token_issuer.rb

@@ -13,6 +13,7 @@
 
 require 'securerandom'
 require 'uaa/http'
+require 'cgi'
 
 module CF::UAA
 
@@ -72,8 +73,13 @@ class TokenIssuer
     if scope = Util.arglist(params.delete(:scope))
       params[:scope] = Util.strlist(scope)
     end
-    headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8,
-        'authorization' => Http.basic_auth(@client_id, @client_secret) }
+    headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8}
+    if @basic_auth
+      headers['authorization'] = Http.basic_auth(@client_id, @client_secret)
+    else
+      headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
+      headers['authorization'] = Http.basic_auth(CGI.escape(@client_id || ''), CGI.escape(@client_secret || ''))
+    end
     reply = json_parse_reply(@key_style, *request(@token_target, :post,
         '/oauth/token', Util.encode_form(params), headers))
     raise BadResponse unless reply[jkey :token_type] && reply[jkey :access_token]
@@ -81,8 +87,8 @@ class TokenIssuer
   end
 
   def authorize_path_args(response_type, redirect_uri, scope, state = random_state, args = {})
-    params = args.merge(:client_id => @client_id, :response_type => response_type,
-        :redirect_uri => redirect_uri, :state => state)
+    params = args.merge(client_id: @client_id, response_type: response_type,
+        redirect_uri: redirect_uri, state: state)
     params[:scope] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
     params[:nonce] = state
     "/oauth/authorize?#{Util.encode_form(params)}"
@@ -109,6 +115,7 @@ class TokenIssuer
     @target, @client_id, @client_secret = target, client_id, client_secret
     @token_target = options[:token_target] || target
     @key_style = options[:symbolize_keys] ? :sym : nil
+    @basic_auth = options[:basic_auth] == true ? true : false
     initialize_http_options(options)
   end
 
@@ -137,7 +144,7 @@ class TokenIssuer
 
     # the accept header is only here so the uaa will issue error replies in json to aid debugging
     headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 }
-    body = Util.encode_form(credentials.merge(:source => 'credentials'))
+    body = Util.encode_form(credentials.merge(source: 'credentials'))
     status, body, headers = request(@target, :post, uri, body, headers)
     raise BadResponse, "status #{status}" unless status == 302
     req_uri, reply_uri = URI.parse(redir_uri), URI.parse(headers['location'])
@@ -194,7 +201,7 @@ class TokenIssuer
     reply = json_parse_reply(nil, *request(@target, :post, "/autologin", body, headers))
     raise BadResponse, "no autologin code in reply" unless reply['code']
     @target + authorize_path_args('code', redirect_uri, scope,
-        random_state, :code => reply['code'])
+        random_state, code: reply['code'])
   end
 
   # Constructs a uri that the client is to return to the browser to direct
@@ -228,8 +235,8 @@ class TokenIssuer
     rescue URI::InvalidURIError, ArgumentError, BadResponse
       raise BadResponse, "received invalid response from target #{@target}"
     end
-    request_token(:grant_type => 'authorization_code', :code => authcode,
-        :redirect_uri => ac_params['redirect_uri'])
+    request_token(grant_type: 'authorization_code', code: authcode,
+        redirect_uri: ac_params['redirect_uri'])
   end
 
   # Uses the instance client credentials in addition to the +username+
@@ -237,15 +244,15 @@ class TokenIssuer
   # See {http://tools.ietf.org/html/rfc6749#section-4.3}.
   # @return [TokenInfo]
   def owner_password_grant(username, password, scope = nil)
-    request_token(:grant_type => 'password', :username => username,
-        :password => password, :scope => scope)
+    request_token(grant_type: 'password', username: username,
+        password: password, scope: scope)
   end
 
   # Uses a one-time passcode obtained from the UAA to get a
   # token.
   # @return [TokenInfo]
   def passcode_grant(passcode, scope = nil)
-    request_token(:grant_type => 'password', :passcode => passcode, :scope => scope)
+    request_token(grant_type: 'password', passcode: passcode, scope: scope)
   end
 
   # Gets an access token with the user credentials used for authentication
@@ -264,14 +271,14 @@ class TokenIssuer
   # credentials grant. See http://tools.ietf.org/html/rfc6749#section-4.4
   # @return [TokenInfo]
   def client_credentials_grant(scope = nil)
-    request_token(:grant_type => 'client_credentials', :scope => scope)
+    request_token(grant_type: 'client_credentials', scope: scope)
   end
 
   # Uses the instance client credentials and the given +refresh_token+ to get
   # a new access token. See http://tools.ietf.org/html/rfc6749#section-6
   # @return [TokenInfo] which may include a new refresh token as well as an access token.
   def refresh_token_grant(refresh_token, scope = nil)
-    request_token(:grant_type => 'refresh_token', :refresh_token => refresh_token, :scope => scope)
+    request_token(grant_type: 'refresh_token', refresh_token: refresh_token, scope: scope)
   end
 
 end