cf-uaa-lib 4.0.2 → 4.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b74dffd99890350b0ed57b02a6a79343e47967be405bf6fc48e0630f534e6d3
-  data.tar.gz: 229fb7742d1503f18bb6a9097741c11b4de378e68e9ea66f198645031d92d381
+  metadata.gz: ec18b7af2736542f939dab136eb1f7d2b728fa394a6c845423eb1e5c1a9c5b59
+  data.tar.gz: 1aaa66c33d5070d78b22e6e8f6ee4d31940182bd23918e8b8e4ff5203c271e68
 SHA512:
-  metadata.gz: 0d2b41fbb96a3fbf94aa5e27ea7f5f408bd7c23c7555736a01750970b5a52672ae9318376a7615141ab2a777def229d587a431f887be67247747bc230b18a2fd
-  data.tar.gz: 5ccb01cb63301c8abf33a11a1fbb3bba8e3ccc40d200e8b7ae12106cb8a6320c4ba5be912858cbfa25dadde377e2b859aaad8c60dcd27673d046801b40be4564
+  metadata.gz: b4b3af6298e27f3941596509fc3cfcd90434d173d83ecc3d70094ca366ce550fdf9e78c54aaa29753d831cfb1cfae06cf077fb57c5bce8acd8109f4c2e35ae31
+  data.tar.gz: daaf82f350b34392b3cf2fef2748a9403ede4e311e8856e0ce6a4df48d1d70a294f506f15292e5f17762a1c327e46800a29acf48d5d13266f705d28f97be8535

data/.github/workflows/gem-push.yml

@@ -11,7 +11,7 @@ jobs:
       packages: write
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby 2.6
       uses: ruby/setup-ruby@v1
       with:

data/.github/workflows/ruby.yml

@@ -15,7 +15,7 @@ jobs:
         ruby-version: ['2.5', '2.7', '3.0', '3.1', '3.2']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/examples/authorization_grant_public_pkce.rb

@@ -0,0 +1,42 @@
+#!/usr/bin/env ruby
+
+# Start a develop UAA with default profile or add client with allowpublic=true
+# uaac client add login -s loginsecret \
+#   --authorized_grant_types authorization_code,refresh_token \
+#   --scope "openid"  \
+#   --authorities uaa.none \
+#   --allowpublic true \
+#   --redirect_uri=http://localhost:7000/callback
+
+require 'uaa'
+require 'cgi'
+
+url = ENV["UAA_URL"] || 'http://localhost:8080/uaa'
+client = "login"
+secret = nil
+
+def show(title, object)
+  puts "#{title}: #{object.inspect}"
+  puts
+end
+
+uaa_options = { skip_ssl_validation: true, use_pkce:true, client_auth_method: 'none'}
+uaa_options[:ssl_ca_file] = ENV["UAA_CA_CERT_FILE"] if ENV["UAA_CA_CERT_FILE"]
+show "uaa_options", uaa_options
+
+uaa_info = CF::UAA::Info.new(url, uaa_options)
+show "UAA server info", uaa_info.server
+
+token_issuer = CF::UAA::TokenIssuer.new(url, client, secret, uaa_options)
+auth_uri = token_issuer.authcode_uri("http://localhost:7000/callback", nil)
+show "UAA authorization URL", auth_uri
+
+puts "Enter Callback URL: "
+callback_url = gets
+show "Perform Token Request with: ", callback_url
+
+token = token_issuer.authcode_grant(auth_uri, URI.parse(callback_url).query.to_s)
+show "User authorization grant", token
+
+token_info = CF::UAA::TokenCoder.decode(token.info["access_token"], nil, nil, false) #token signature not verified
+show "Decoded access token", token_info

data/lib/uaa/scim.rb

@@ -369,6 +369,28 @@ class Scim
         "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/secret", req, headers))
   end
 
+  # Change client jwt trust configuration.
+  # * For a client to change its jwt client trust, the token in @auth_header must contain
+  #   "client.trust" scope.
+  # * For an admin to set a client secret, the token in @auth_header must contain
+  #   "uaa.admin" scope.
+  # @see https://docs.cloudfoundry.org/api/uaa/index.html#change-client-jwt
+  # @param [String] client_id the {Scim} +id+ attribute of the client
+  # @param [String] jwks_uri the URI to token endpoint
+  # @param [String] jwks the JSON Web Key Set
+  # @param [String] kid If changeMode is DELETE provide the id of key
+  # @param [String] changeMode Change mode, possible is ADD, UPDATE, DELETE
+  # @return [Hash] success message from server
+  def change_clientjwt(client_id, jwks_uri = nil, jwks = nil, kid = nil, changeMode = nil)
+    req = {"client_id" => client_id }
+    req["jwks_uri"] = jwks_uri if jwks_uri
+    req["jwks"] = jwks if jwks
+    req["kid"] = kid if kid
+    req["changeMode"] = changeMode if changeMode
+    json_parse_reply(@key_style, *json_put(@target,
+                                           "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/clientjwt", req, headers))
+  end
+
   def unlock_user(user_id)
     req = {"locked" => false}
     json_parse_reply(@key_style, *json_patch(@target,

data/lib/uaa/token_issuer.rb

@@ -12,6 +12,7 @@
 #++
 
 require 'securerandom'
+require "digest"
 require 'uaa/http'
 require 'cgi'
 
@@ -53,6 +54,7 @@ class TokenIssuer
   include Http
 
   private
+  @client_auth_method = 'client_secret_basic'
 
   def random_state; SecureRandom.hex end
 
@@ -74,8 +76,15 @@ class TokenIssuer
       params[:scope] = Util.strlist(scope)
     end
     headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8}
-    if @basic_auth
-      headers['authorization'] = Http.basic_auth(@client_id, @client_secret)
+    if @client_auth_method == 'client_secret_basic' && @client_secret && @client_id
+      if @basic_auth
+        headers['authorization'] = Http.basic_auth(@client_id, @client_secret)
+      else
+        headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
+        headers['authorization'] = Http.basic_auth(CGI.escape(@client_id), CGI.escape(@client_secret))
+      end
+    elsif @client_id && params[:code_verifier]
+      params[:client_id] = @client_id
     else
       headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
       headers['authorization'] = Http.basic_auth(CGI.escape(@client_id || ''), CGI.escape(@client_secret || ''))
@@ -91,6 +100,10 @@ class TokenIssuer
         redirect_uri: redirect_uri, state: state)
     params[:scope] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
     params[:nonce] = state
+    if not @code_verifier.nil?
+      params[:code_challenge] = get_challenge
+      params[:code_challenge_method] = 'S256'
+    end
     "/oauth/authorize?#{Util.encode_form(params)}"
   end
 
@@ -116,6 +129,11 @@ class TokenIssuer
     @token_target = options[:token_target] || target
     @key_style = options[:symbolize_keys] ? :sym : nil
     @basic_auth = options[:basic_auth] == true ? true : false
+    @client_auth_method = options[:client_auth_method] || 'client_secret_basic'
+    @code_verifier = options[:code_verifier] || nil
+    if @code_verifier.nil? && options[:use_pkce] && options[:use_pkce] == true
+      @code_verifier = get_verifier
+    end
     initialize_http_options(options)
   end
 
@@ -235,8 +253,27 @@ class TokenIssuer
     rescue URI::InvalidURIError, ArgumentError, BadResponse
       raise BadResponse, "received invalid response from target #{@target}"
     end
-    request_token(grant_type: 'authorization_code', code: authcode,
-        redirect_uri: ac_params['redirect_uri'])
+    if not @code_verifier.nil?
+      request_token(grant_type: 'authorization_code', code: authcode,
+          redirect_uri: ac_params['redirect_uri'], code_verifier: @code_verifier)
+    else
+      request_token(grant_type: 'authorization_code', code: authcode,
+                    redirect_uri: ac_params['redirect_uri'])
+    end
+  end
+
+  # Generates a random verifier for PKCE usage
+  def get_verifier
+    if not @code_verifier.nil?
+      @verifier = @code_verifier
+    else
+      @verifier ||= SecureRandom.base64(96).tr("+/", "-_").tr("=", "")
+    end
+  end
+
+  # Calculates the challenge from code_verifier
+  def get_challenge
+    @challenge ||= Digest::SHA256.base64digest(get_verifier).tr("+/", "-_").tr("=", "")
   end
 
   # Uses the instance client credentials in addition to the +username+

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = '4.0.2'
+    VERSION = '4.0.4'
   end
 end

data/spec/scim_spec.rb

@@ -160,6 +160,30 @@ describe Scim do
     result['id'].should == 'id12345'
   end
 
+  it "add a client's jwt trust using jwks_uri" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/oauth/clients/id12345/clientjwt"
+      method.should == :put
+      check_headers(headers, :json, :json, nil)
+      body.should include('"jwks_uri":"http://localhost:8080/uaa/token_keys"')
+      [200, '{"id":"id12345"}', {'content-type' => 'application/json'}]
+    end
+    result = subject.change_clientjwt('id12345', 'http://localhost:8080/uaa/token_keys')
+    result['id'].should == 'id12345'
+  end
+
+  it "add a client's jwt trust using jwks" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/oauth/clients/id12345/clientjwt"
+      method.should == :put
+      check_headers(headers, :json, :json, nil)
+      body.should include('"jwks":"keys"')
+      [200, '{"id":"id12345"}', {'content-type' => 'application/json'}]
+    end
+    result = subject.change_clientjwt('id12345', nil, 'keys')
+    result['id'].should == 'id12345'
+  end
+
   it 'unlocks a user' do
     subject.set_request_handler do |url, method, body, headers|
       url.should == "#{@target}/Users/id12345/status"

data/spec/token_issuer_spec.rb

@@ -264,6 +264,7 @@ describe TokenIssuer do
   end
 
   context 'with auth code grant' do
+    let(:options) { {use_pkce: true} }
 
     it 'gets the authcode uri to be sent to the user agent for an authcode' do
       redir_uri = 'http://call.back/uri_path'
@@ -275,6 +276,8 @@ describe TokenIssuer do
       params['scope'].should == 'openid'
       params['redirect_uri'].should == redir_uri
       params['state'].should_not be_nil
+      params['code_challenge'].should =~ /^[0-9A-Za-z_-]{43}$/i
+      params['code_challenge_method'].should == 'S256'
     end
 
     it 'gets an access token with an authorization code' do
@@ -292,6 +295,10 @@ describe TokenIssuer do
       cburi = 'http://call.back/uri_path'
       redir_uri = subject.authcode_uri(cburi)
       state = /state=([^&]+)/.match(redir_uri)[1]
+      challenge = /code_challenge=([^&]+)/.match(redir_uri)[1]
+      challenge.should =~ /^[0-9A-Za-z_-]{43}$/i
+      challenge_method = /code_challenge_method=([^&]+)/.match(redir_uri)[1]
+      challenge_method.should == 'S256'
       reply_query = "state=#{state}&code=kz8%2F5gQZ2pc%3D"
       token = subject.authcode_grant(redir_uri, reply_query)
       token.should be_an_instance_of TokenInfo
@@ -303,6 +310,34 @@ describe TokenIssuer do
 
   end
 
+  context 'pkce with own code verifier' do
+    let(:options) { {basic_auth: false, code_verifier: 'umoq1e_4XMYXvfHlaO9mSlSI17OKfxnwfR5ZD-oYreFxyn8yQZ-ZHPZfUZ4n3WjY_tkOB_MAisSy4ddqsa6aoTU5ZOcX4ps3de933PczYlC8pZpKL8EQWaDZOnpOyB2W'} }
+
+    it 'calculate code_challenge on existing verifier' do
+      redir_uri = 'http://call.back/uri_path'
+      uri_parts = subject.authcode_uri(redir_uri, 'openid').split('?')
+      code_challenge = subject.get_challenge
+      code_verifier = subject.get_verifier
+      params = Util.decode_form(uri_parts[1])
+      params['code_challenge'].should == code_challenge
+      params['code_challenge_method'].should == 'S256'
+      code_verifier.should == options[:code_verifier]
+      code_challenge.should == 'TAnM2AKGgiQKOC16cRpMdF_55qwmz3B333cq6T18z0s'
+    end
+  end
+
+  context 'no pkce active as this is the default' do
+      #let(:options) { {use_pkce: false} }
+      # by default PKCE is off
+      it 'no code pkce generation with an authorization code' do
+        redir_uri = 'http://call.back/uri_path'
+        uri_parts = subject.authcode_uri(redir_uri, 'openid').split('?')
+        params = Util.decode_form(uri_parts[1])
+        params['code_challenge'].should_not
+        params['code_challenge_method'].should_not
+      end
+  end
+
 end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.0.4
 platform: ruby
 authors:
 - Dave Syer
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-10 00:00:00.000000000 Z
+date: 2023-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -237,6 +237,7 @@ files:
 - README.md
 - Rakefile
 - cf-uaa-lib.gemspec
+- examples/authorization_grant_public_pkce.rb
 - examples/password_grant_and_decode_token.rb
 - lib/uaa.rb
 - lib/uaa/http.rb