cf-uaa-lib 3.6.0 → 3.14.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cbf0e4c510eb02fb7e828ffbe7f227c10fdc9e45
-  data.tar.gz: e5718846645aabe80e2ab0e4bb581e2146110ed4
+  metadata.gz: 903c34141ef900eafea69aa67eac6e998ff8ed4d
+  data.tar.gz: e994669699594790f50be50a10d7c8a1b1c38dc7
 SHA512:
-  metadata.gz: 08568f7f4c4763e269e39e52768c3d738a1c3df347b7d911e63fa48158ccfdc81c53d8c69cdc2b78f19a3fab3c82b5f7f12f42ab8a5f84c3c013e3e3270d5d10
-  data.tar.gz: 72cc5995de5569c12f5e8a0b3a88890bef8df65b424fbccd038ec0d9c673ffaa62291f0ba39cc064b7a43f52f2c21588fd74c2a5784640b7d7514529cbcfe81a
+  metadata.gz: a8c4455646d340f50b5338481bf51f8d00daf6bf8bcce5c189761bb7f43f3b5c44a93e925266632b04aed9cdd0abc6a04df53110805ab94942410e503b68a49d
+  data.tar.gz: 98340c72c9201bea70d77f1dd3df5fc0a7f5ca2138e0534107cdda121dd26b6f512b127ed6c628ae10e02e1257e91c0027973390c83a132c5d0de746608c7877

data/.travis.yml

@@ -5,7 +5,6 @@ before_install:
   - gem install bundler
 
 rvm:
-  - 1.9.3
-
-
-
+  - 2.2.7
+  - 2.3.4
+  - 2.4.1

data/NOTICE

@@ -0,0 +1,12 @@
+
+Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
+
+This project contains software that is Copyright (c) 2012-2015 Pivotal Software, Inc.
+
+This project is licensed to you under the Apache License, Version 2.0 (the "License").
+
+You may not use this project except in compliance with the License.
+
+This project may include a number of subcomponents with separate copyright notices
+and license terms. Your use of these subcomponents is subject to the terms and 
+conditions of the subcomponent's license, as noted in the LICENSE file.

data/README.md

@@ -23,7 +23,7 @@ For documentation see: https://rubygems.org/gems/cf-uaa-lib
     token_issuer = CF::UAA::TokenIssuer.new("https://uaa.cloudfoundry.com", "vmc")
     puts token_issuer.prompts.inspect
     token = token_issuer.implicit_grant_with_creds(username: "<your_username>", password: "<your_password>")
-    token_info = TokenCoder.decode(token.info["access_token"], nil, nil, false) #token signature not verified
+    token_info = CF::UAA::TokenCoder.decode(token.info["access_token"], nil, nil, false) #token signature not verified
     puts token_info["user_name"]
 
 ## Tests

data/cf-uaa-lib.gemspec

@@ -16,31 +16,32 @@ $:.push File.expand_path("../lib", __FILE__)
 require "uaa/version"
 
 Gem::Specification.new do |s|
-  s.name        = "cf-uaa-lib"
+  s.name        = 'cf-uaa-lib'
   s.version     = CF::UAA::VERSION
-  s.authors     = ["Dave Syer", "Dale Olds", "Joel D'sa", "Vidya Valmikinathan", "Luke Taylor"]
-  s.email       = ["dsyer@vmware.com", "olds@vmware.com", "jdsa@vmware.com", "vidya@vmware.com", "ltaylor@vmware.com"]
-  s.homepage    = "https://github.com/cloudfoundry/cf-uaa-lib"
+  s.authors     = ['Dave Syer', 'Dale Olds', 'Joel D\'sa', 'Vidya Valmikinathan', 'Luke Taylor']
+  s.email       = ['dsyer@vmware.com', 'olds@vmware.com', 'jdsa@vmware.com', 'vidya@vmware.com', 'ltaylor@vmware.com']
+  s.homepage    = 'https://github.com/cloudfoundry/cf-uaa-lib'
   s.summary     = %q{Client library for CloudFoundry UAA}
   s.description = %q{Client library for interacting with the CloudFoundry User Account and Authorization (UAA) server.  The UAA is an OAuth2 Authorization Server so it can be used by webapps and command line apps to obtain access tokens to act on behalf of users.  The tokens can then be used to access protected resources in a Resource Server.  This library is for use by UAA client applications or resource servers.}
 
   s.rubyforge_project = "cf-uaa-lib"
 
-  s.license       = "Apache 2.0"
+  s.license       = "Apache-2.0"
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
+  s.executables   = `git ls-files -- bin/*`.split('\n').map{ |f| File.basename(f) }
+  s.require_paths = ['lib']
 
   # dependencies
-  s.add_dependency "multi_json"
+  s.add_dependency 'multi_json', '~> 1.12.0', '>= 1.12.1'
+  s.add_dependency 'httpclient', '~> 2.8', '>= 2.8.2.4'
 
-  s.add_development_dependency "bundler"
-  s.add_development_dependency "rake", "~> 10.3.2"
-  s.add_development_dependency "rspec", "~> 2.14.1"
-  s.add_development_dependency "simplecov", "~> 0.8.2"
-  s.add_development_dependency "simplecov-rcov", "~> 0.2.3"
-  s.add_development_dependency "ci_reporter", "~> 1.9.2"
-  s.add_development_dependency "json_pure", "~> 1.8.1"
+  s.add_development_dependency 'bundler', '~> 1.14'
+  s.add_development_dependency 'rake', '~> 10.3', '>= 10.3.2'
+  s.add_development_dependency 'rspec', '~> 2.14', '>= 2.14.1'
+  s.add_development_dependency 'simplecov', '~> 0.8.2'
+  s.add_development_dependency 'simplecov-rcov', '~> 0.2.3'
+  s.add_development_dependency 'ci_reporter', '~> 1.9', '>= 1.9.2'
+  s.add_development_dependency 'json_pure', '~> 1.8', '>= 1.8.1'
 
 end

data/lib/uaa/http.rb

@@ -12,9 +12,8 @@
 #++
 
 require 'base64'
-require 'net/http'
 require 'uaa/util'
-require 'uaa/proxy_options'
+require 'httpclient'
 
 module CF::UAA
 
@@ -46,14 +45,20 @@ class InvalidToken < TargetError; end
 
 # Utility accessors and methods for objects that want to access JSON web APIs.
 module Http
-  include ProxyOptions
 
   def self.included(base)
     base.class_eval do
-      attr_accessor :http_proxy, :https_proxy, :skip_ssl_validation, :ssl_ca_file, :ssl_cert_store, :zone
+      attr_reader :skip_ssl_validation, :ssl_ca_file, :ssl_cert_store, :http_timeout
     end
   end
 
+  def initialize_http_options(options)
+    @skip_ssl_validation = options[:skip_ssl_validation]
+    @ssl_ca_file = options[:ssl_ca_file]
+    @ssl_cert_store = options[:ssl_cert_store]
+    @http_timeout = options[:http_timeout]
+  end
+
   # Sets the current logger instance to recieve error messages.
   # @param [Logger] logr
   # @return [Logger]
@@ -78,30 +83,30 @@ module Http
   # @return [String]
   def self.basic_auth(name, password)
     str = "#{name}:#{password}"
-    "Basic " + (Base64.respond_to?(:strict_encode64)?
-        Base64.strict_encode64(str): [str].pack("m").gsub(/\n/, ''))
+    'Basic ' + (Base64.respond_to?(:strict_encode64)?
+        Base64.strict_encode64(str): [str].pack('m').gsub(/\n/, ''))
   end
 
-  JSON_UTF8 = "application/json;charset=utf-8"
-  FORM_UTF8 = "application/x-www-form-urlencoded;charset=utf-8"
+  JSON_UTF8 = 'application/json;charset=utf-8'
+  FORM_UTF8 = 'application/x-www-form-urlencoded;charset=utf-8'
 
   private
 
   def json_get(target, path = nil, style = nil, headers = {})
     raise ArgumentError unless style.nil? || style.is_a?(Symbol)
-    json_parse_reply(style, *http_get(target, path, headers.merge("accept" => JSON_UTF8)))
+    json_parse_reply(style, *http_get(target, path, headers.merge('accept' => JSON_UTF8)))
   end
 
   def json_post(target, path, body, headers = {})
-    http_post(target, path, Util.json(body), headers.merge("content-type" => JSON_UTF8))
+    http_post(target, path, Util.json(body), headers.merge('content-type' => JSON_UTF8))
   end
 
   def json_put(target, path, body, headers = {})
-    http_put(target, path, Util.json(body), headers.merge("content-type" => JSON_UTF8))
+    http_put(target, path, Util.json(body), headers.merge('content-type' => JSON_UTF8))
   end
 
   def json_patch(target, path, body, headers = {})
-    http_patch(target, path, Util.json(body), headers.merge("content-type" => JSON_UTF8))
+    http_patch(target, path, Util.json(body), headers.merge('content-type' => JSON_UTF8))
   end
 
   def json_parse_reply(style, status, body, headers)
@@ -110,17 +115,17 @@ module Http
       raise (status == 404 ? NotFound : BadResponse), "invalid status response: #{status}"
     end
     if body && !body.empty? && (status == 204 || headers.nil? ||
-          headers["content-type"] !~ /application\/json/i)
-      raise BadResponse, "received invalid response content or type"
+          headers['content-type'] !~ /application\/json/i)
+      raise BadResponse, 'received invalid response content or type'
     end
     parsed_reply = Util.json_parse(body, style)
     if status >= 400
-      raise parsed_reply && parsed_reply["error"] == "invalid_token" ?
-          InvalidToken.new(parsed_reply) : TargetError.new(parsed_reply), "error response"
+      raise parsed_reply && parsed_reply['error'] == 'invalid_token' ?
+          InvalidToken.new(parsed_reply) : TargetError.new(parsed_reply), 'error response'
     end
     parsed_reply
   rescue DecodeError
-    raise BadResponse, "invalid JSON response"
+    raise BadResponse, 'invalid JSON response'
   end
 
   def http_get(target, path = nil, headers = {}) request(target, :get, path, nil, headers) end
@@ -129,7 +134,7 @@ module Http
   def http_patch(target, path, body, headers = {}) request(target, :patch, path, body, headers) end
 
   def http_delete(target, path, authorization, zone = nil)
-    hdrs = { "authorization" => authorization }
+    hdrs = { 'authorization' => authorization }
     hdrs['X-Identity-Zone-Subdomain'] = zone if zone
     status = request(target, :delete, path, nil, hdrs)[0]
     unless [200, 204].include?(status)
@@ -138,7 +143,7 @@ module Http
   end
 
   def request(target, method, path, body = nil, headers = {})
-    headers["accept"] = headers["content-type"] if headers["content-type"] && !headers["accept"]
+    headers['accept'] = headers['content-type'] if headers['content-type'] && !headers['accept']
     url = "#{target}#{path}"
 
     logger.debug { "--->\nrequest: #{method} #{url}\n" +
@@ -156,44 +161,59 @@ module Http
   end
 
   def net_http_request(url, method, body, headers)
-    raise ArgumentError unless reqtype = {:delete => Net::HTTP::Delete,
-        :get => Net::HTTP::Get, :post => Net::HTTP::Post, :put => Net::HTTP::Put, :patch => Net::HTTP::Patch}[method]
-    headers["content-length"] = body.length if body
     uri = URI.parse(url)
-    req = reqtype.new(uri.request_uri)
-    headers.each { |k, v| req[k] = v }
     http = http_request(uri)
-    reply, outhdrs = http.request(req, body), {}
-    reply.each_header { |k, v| outhdrs[k] = v }
-    [reply.code.to_i, reply.body, outhdrs]
+    headers['content-length'] = body.length.to_s if body
+    case method
+      when :get, :delete
+        response = http.send(method, uri, nil, headers)
+      when :post, :put, :patch
+        response = http.send(method, uri, body, headers)
+      else
+        raise ArgumentError
+    end
 
+    unless response.status
+      raise HTTPException.new "Can't parse response from the server #{response.content}"
+    end
+    response_headers = {}
+    response.header.all.each { |k, v| response_headers[k.downcase] = v }
+    return [response.status.to_i, response.content, response_headers]
   rescue OpenSSL::SSL::SSLError => e
     raise SSLException, "Invalid SSL Cert for #{url}. Use '--skip-ssl-validation' to continue with an insecure target"
   rescue URI::Error, SocketError, SystemCallError => e
     raise BadTarget, "error: #{e.message}"
-  rescue Net::HTTPBadResponse => e
-    raise HTTPException, "HTTP exception: #{e.class}: #{e}"
+  rescue HTTPClient::ConnectTimeoutError => e
+    raise HTTPException.new "http timeout"
   end
 
   def http_request(uri)
-    cache_key = URI.join(uri.to_s, "/")
+    cache_key = URI.join(uri.to_s, '/')
     @http_cache ||= {}
     return @http_cache[cache_key] if @http_cache[cache_key]
 
-    http = Net::HTTP.new(uri.host, uri.port, *proxy_options_for(uri))
-
     if uri.is_a?(URI::HTTPS)
-      http.use_ssl = true
-
-      if skip_ssl_validation
-        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      elsif ssl_ca_file
-        http.ca_file = File.expand_path(ssl_ca_file)
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      elsif ssl_cert_store
-        http.cert_store = ssl_cert_store
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      http = HTTPClient.new.tap do |c|
+        if skip_ssl_validation
+          c.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        elsif ssl_ca_file
+          c.ssl_config.set_trust_ca File.expand_path(ssl_ca_file)
+          c.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        elsif ssl_cert_store
+          c.ssl_config.cert_store = ssl_cert_store
+          c.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        else
+          c.ssl_config.set_default_paths
+        end
       end
+    else
+      http = HTTPClient.new
+    end
+
+    if http_timeout
+      http.connect_timeout = http_timeout
+      http.send_timeout = http_timeout
+      http.receive_timeout = http_timeout
     end
 
     @http_cache[cache_key] = http

data/lib/uaa/info.rb

@@ -31,12 +31,8 @@ class Info
   #     string keys are returned.
   def initialize(target, options = {})
     self.target = target
-    self.skip_ssl_validation = options[:skip_ssl_validation]
-    self.ssl_ca_file = options[:ssl_ca_file]
-    self.ssl_cert_store = options[:ssl_cert_store]
     self.symbolize_keys = options[:symbolize_keys]
-    self.http_proxy = options[:http_proxy]
-    self.https_proxy = options[:https_proxy]
+    initialize_http_options(options)
   end
 
   # sets whether the keys in returned hashes should be symbols.
@@ -132,8 +128,11 @@ class Info
   # @param [String] token_type as retrieved by {TokenIssuer}. See {TokenInfo}.
   # @return [Hash] contents of the token
   def decode_token(client_id, client_secret, token, token_type = "bearer", audience_ids = nil)
-    reply = json_get(target, "/check_token?token_type=#{token_type}&token=#{token}",
-        key_style, "authorization" => Http.basic_auth(client_id, client_secret))
+    reply = json_parse_reply(key_style, *request(target, :post, '/check_token',
+                                                 Util.encode_form(:token => token),
+                                                 "authorization" => Http.basic_auth(client_id, client_secret),
+                                                 "content-type" => Http::FORM_UTF8,"accept" => Http::JSON_UTF8))
+
     auds = Util.arglist(reply[:aud] || reply['aud'])
     if audience_ids && (!auds || (auds & audience_ids).empty?)
       raise AuthError, "invalid audience: #{auds.join(' ')}"

data/lib/uaa/scim.rb

@@ -42,16 +42,28 @@ class Scim
 
   def force_attr(k)
     kd = k.to_s.downcase
-    kc = {"username" => "userName", "familyname" => "familyName",
-      "givenname" => "givenName", "middlename" => "middleName",
-      "honorificprefix" => "honorificPrefix",
-      "honorificsuffix" => "honorificSuffix", "displayname" => "displayName",
-      "nickname" => "nickName", "profileurl" => "profileUrl",
-      "streetaddress" => "streetAddress", "postalcode" => "postalCode",
-      "usertype" => "userType", "preferredlanguage" => "preferredLanguage",
-      "x509certificates" => "x509Certificates", "lastmodified" => "lastModified",
-      "externalid" => "externalId", "phonenumbers" => "phoneNumbers",
-      "startindex" => "startIndex"}[kd]
+    kc = {
+        'username' => 'userName',
+        'familyname' => 'familyName',
+        'givenname' => 'givenName',
+        'middlename' => 'middleName',
+        'honorificprefix' => 'honorificPrefix',
+        'honorificsuffix' => 'honorificSuffix',
+        'displayname' => 'displayName',
+        'nickname' => 'nickName',
+        'profileurl' => 'profileUrl',
+        'streetaddress' => 'streetAddress',
+        'postalcode' => 'postalCode',
+        'usertype' => 'userType',
+        'preferredlanguage' => 'preferredLanguage',
+        'x509certificates' => 'x509Certificates',
+        'lastmodified' => 'lastModified',
+        'externalid' => 'externalId',
+        'phonenumbers' => 'phoneNumbers',
+        'startindex' => 'startIndex',
+        'zoneid' => 'zoneId',
+        'includeinactive' => 'includeInactive'
+    }[kd]
     kc || kd
   end
 
@@ -76,15 +88,46 @@ class Scim
 
   # an attempt to hide some scim and uaa oddities
   def type_info(type, elem)
-    scimfo = {:user => ["/Users", "userName"], :group => ["/Groups", "displayName"],
-      :client => ["/oauth/clients", 'client_id'], :user_id => ["/ids/Users", 'userName'], :group_mapping => ["/Groups/External", "externalGroup"]}
-    unless elem == :path || elem == :name_attr
-      raise ArgumentError, "scim schema element must be :path or :name_attr"
-    end
-    unless ary = scimfo[type]
+    scimfo = {
+        user: {
+            path: '/Users',
+            name_attr: 'userName',
+            origin_attr: 'origin'
+        },
+        group: {
+            path: '/Groups',
+            name_attr: 'displayName',
+            origin_attr: 'zoneid'
+        },
+        client: {
+            path: '/oauth/clients',
+            name_attr: 'client_id'
+        },
+        user_id: {
+            path: '/ids/Users',
+            name_attr: 'userName',
+            origin_attr: 'origin',
+        },
+        group_mapping: {
+            path: '/Groups/External',
+            name_attr: 'externalGroup',
+            origin_attr: 'origin'
+        }
+    }
+
+    type_info = scimfo[type]
+
+    unless type_info
       raise ArgumentError, "scim resource type must be one of #{scimfo.keys.inspect}"
     end
-    ary[elem == :path ? 0 : 1]
+
+    value = type_info[elem]
+
+    unless value
+      raise ArgumentError, "scim schema element must be one of #{type_info.keys.inspect}"
+    end
+
+    value
   end
 
   def jkey(k) @key_style == :down ? k.to_s : k end
@@ -106,12 +149,8 @@ class Scim
   def initialize(target, auth_header, options = {})
     @target, @auth_header = target, auth_header
     @key_style = options[:symbolize_keys] ? :downsym : :down
-    self.skip_ssl_validation = options[:skip_ssl_validation]
-    self.ssl_ca_file = options[:ssl_ca_file]
-    self.ssl_cert_store = options[:ssl_cert_store]
-    self.http_proxy = options[:http_proxy]
-    self.https_proxy = options[:https_proxy]
     @zone = options[:zone]
+    initialize_http_options(options)
   end
 
   # Convenience method to get the naming attribute, e.g. userName for user,
@@ -226,6 +265,14 @@ class Scim
     info
   end
 
+  # Get meta information about client
+  # @param client_id
+  # @return (client meta)
+  def get_client_meta(client_id)
+    path = type_info(:client, :path)
+    json_get(@target, "#{path}/#{URI.encode(client_id)}/meta", @key_style, headers)
+  end
+
   # Collects all pages of entries from a query
   # @param type (see #query)
   # @param [Hash] query may contain the following keys:
@@ -256,9 +303,16 @@ class Scim
   # @param type (see #add)
   # @return [Array] array of name/id hashes for each object found
   def ids(type, *names)
-    na = type_info(type, :name_attr)
-    filter = names.map { |n| "#{na} eq \"#{n}\""}
-    all_pages(type, :attributes => "id,#{na}", :filter => filter.join(" or "))
+    name_attr = type_info(type, :name_attr)
+    origin_attr = type_info(type, :origin_attr)
+
+    filter = names.map do |n|
+      "#{name_attr} eq \"#{n}\""
+    end
+
+    attributes = ['id', name_attr, origin_attr]
+
+    all_pages(type, attributes: attributes.join(','), filter: filter.join(' or '))
   end
 
   # Convenience method to query for single object by name.

data/lib/uaa/token_coder.rb

@@ -113,7 +113,7 @@ class TokenCoder
     signature = Util.decode64(crypto_segment)
     if ["HS256", "HS384", "HS512"].include?(algo)
       raise InvalidSignature, "Signature verification failed" unless
-          options[:skey] && signature == OpenSSL::HMAC.digest(init_digest(algo), options[:skey], signing_input)
+          options[:skey] && constant_time_compare(signature, OpenSSL::HMAC.digest(init_digest(algo), options[:skey], signing_input))
     elsif ["RS256", "RS384", "RS512"].include?(algo)
       raise InvalidSignature, "Signature verification failed" unless
           options[:pkey] && options[:pkey].verify(init_digest(algo), signature, signing_input)
@@ -123,6 +123,24 @@ class TokenCoder
     payload
   end
 
+  # Takes constant time to compare 2 strings (HMAC digests in this case)
+  # to avoid timing attacks while comparing the HMAC digests
+  # @param [String] a: the first digest to compare
+  # @param [String] b: the second digest to compare
+  # @return [boolean] true if they are equal, false otherwise
+  def self.constant_time_compare(a, b)
+    if a.length != b.length
+      return false
+    end
+  
+    result = 0
+    a.chars.zip(b.chars).each do |x, y|
+      result |= x.ord ^ y.ord
+    end
+    
+    result == 0
+  end
+
   # Creates a new token en/decoder for a service that is associated with
   # the the audience_ids, the symmetrical token validation key, and the
   # public and/or private keys.

data/lib/uaa/token_issuer.rb

@@ -109,11 +109,7 @@ class TokenIssuer
     @target, @client_id, @client_secret = target, client_id, client_secret
     @token_target = options[:token_target] || target
     @key_style = options[:symbolize_keys] ? :sym : nil
-    self.skip_ssl_validation = options[:skip_ssl_validation]
-    self.ssl_ca_file = options[:ssl_ca_file]
-    self.ssl_cert_store = options[:ssl_cert_store]
-    self.http_proxy = options[:http_proxy]
-    self.https_proxy = options[:https_proxy]
+    initialize_http_options(options)
   end
 
   # Allows an app to discover what credentials are required for

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = "3.6.0"
+    VERSION = '3.14.3'
   end
 end