cf-uaa-lib 4.0.7 → 4.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b781e21fc1ba09d3b505c1364732c06796e300b3ebe6cd2aa47ae5db97273980
-  data.tar.gz: a779db80778bf2cf71a3f6e6f3d4f25f06a78893ef41fc954d7ff16fc88c11cf
+  metadata.gz: b1bef252c395d0a9dfbd30cb9b4e60be278d01ae09b496d97d7f8665ff273ba5
+  data.tar.gz: 0bfd4b2af11ca2261e399bf2c73e4710ba49de67fed16766e22ac110cac19ad9
 SHA512:
-  metadata.gz: 6db15f33f198143ae11a1cb34017c33b4aa0427342a037946e4c2b4a1e98825ee315ea3e715ddbec34a567620a262f1a24c5200f985f58d51dffcf3a1160e83e
-  data.tar.gz: de7b59d47820e1541caad9f333f62cc5b264038766e1cb5c4e8f074c857dcf36888b0920df1c98bede83735d7db67470905df181e7da23056889075222c9f136
+  metadata.gz: c7ebce508854b456f17ca0980cbaa10326cc472c81008d0956d5c70401bd671a17a959ab41e6e3d1a4829819985daa9076f4a627c399726249fad9104aa9c787
+  data.tar.gz: 0d2a4528589995a7e5b9cf4badef1e8612232fdc07fa1af02bc5ee8d7211ad2e94489af2332f2a4e7271ea0d2bb0e8000361d6f8a446596c070618cc7e8974c9

data/.github/workflows/ruby.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.5', '2.7', '3.1', '3.2', '3.3']
+        ruby-version: ['2.5', '2.7', '3.1', '3.2', '3.3', '3.4']
 
     steps:
     - uses: actions/checkout@v4

data/cf-uaa-lib.gemspec

@@ -32,6 +32,8 @@ Gem::Specification.new do |s|
 
   # dependencies
   s.add_dependency 'json', '~>2.7'
+  s.add_dependency 'mutex_m'
+  s.add_dependency 'base64'
   s.add_dependency 'httpclient', '~> 2.8', '>= 2.8.2.4'
   s.add_dependency 'addressable', '~> 2.8', '>= 2.8.0'
 

data/lib/uaa/http.rb

@@ -11,6 +11,7 @@
 # subcomponent's license, as noted in the LICENSE file.
 #++
 
+require 'mutex_m'
 require 'base64'
 require 'uaa/util'
 require 'httpclient'

data/lib/uaa/scim.rb

@@ -380,13 +380,19 @@ class Scim
   # @param [String] jwks the JSON Web Key Set
   # @param [String] kid If changeMode is DELETE provide the id of key
   # @param [String] changeMode Change mode, possible is ADD, UPDATE, DELETE
+  # @param [String] iss Issuer in case of federation JWT trust
+  # @param [String] sub Subject in case of federation JWT trust
+  # @param [String] aud Audience in case of federation JWT trust
   # @return [Hash] success message from server
-  def change_clientjwt(client_id, jwks_uri = nil, jwks = nil, kid = nil, changeMode = nil)
+  def change_clientjwt(client_id, jwks_uri = nil, jwks = nil, kid = nil, changeMode = nil, iss = nil, sub = nil, aud = nil)
     req = {"client_id" => client_id }
     req["jwks_uri"] = jwks_uri if jwks_uri
     req["jwks"] = jwks if jwks
     req["kid"] = kid if kid
     req["changeMode"] = changeMode if changeMode
+    req["iss"] = iss if iss
+    req["sub"] = sub if sub
+    req["aud"] = aud if aud
     json_parse_reply(@key_style, *json_put(@target,
                                            "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/clientjwt", req, headers))
   end

data/lib/uaa/token_issuer.rb

@@ -83,6 +83,9 @@ class TokenIssuer
         headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
         headers['authorization'] = Http.basic_auth(CGI.escape(@client_id), CGI.escape(@client_secret))
       end
+    elsif @client_auth_method == 'client_secret_post' && @client_secret && @client_id
+      params[:client_id] = @client_id
+      params[:client_secret] = @client_secret
     elsif @client_id && params[:code_verifier]
       params[:client_id] = @client_id
     else

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = '4.0.7'
+    VERSION = '4.0.9'
   end
 end

data/spec/scim_spec.rb

@@ -184,6 +184,18 @@ describe Scim do
     result['id'].should == 'id12345'
   end
 
+  it "add federated client's jwt trust using issuer, subject and audience" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/oauth/clients/id12345/clientjwt"
+      method.should == :put
+      check_headers(headers, :json, :json, nil)
+      body.should include('"iss":"issuer"', '"sub":"subject"', '"aud":"audience"')
+      [200, '{"id":"id12345"}', {'content-type' => 'application/json'}]
+    end
+    result = subject.change_clientjwt('id12345', jwks_uri=nil, jwks=nil, kid=nil, changemod='ADD', iss='issuer', sub='subject', aud='audience')
+    result['id'].should == 'id12345'
+  end
+
   it 'unlocks a user' do
     subject.set_request_handler do |url, method, body, headers|
       url.should == "#{@target}/Users/id12345/status"

data/spec/token_issuer_spec.rb

@@ -310,6 +310,41 @@ describe TokenIssuer do
 
   end
 
+
+  context 'with basic_auth using auth code grant' do
+    let(:options) { {basic_auth: true} }
+
+    it 'basic_auth with authorization code' do
+      subject.set_request_handler do |url, method, body, headers|
+        headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+        headers['accept'].should =~ /application\/json/
+        headers['X-CF-ENCODED-CREDENTIALS'].should_not
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCFzZWNyZXQ='
+        params = Util.decode_form(body)
+        params['code_verifier'].should_not
+        params['grant_type'].should == 'authorization_code'
+        url.should match 'http://test.uaa.target/oauth/token'
+        method.should == :post
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                 scope: 'openid', expires_in: 98765}
+        [200, Util.json(reply), {'content-type' => 'application/json'}]
+      end
+      cburi = 'http://call.back/uri_path'
+      params = Util.decode_form(cburi[1])
+      params['code_challenge'].should_not
+      params['code_challenge_method'].should_not
+      redir_uri = subject.authcode_uri(cburi)
+      state = /state=([^&]+)/.match(redir_uri)[1]
+      reply_query = "state=#{state}&code=kz8%2F5gQZ2pc%3D"
+      token = subject.authcode_grant(redir_uri, reply_query)
+      token.should be_an_instance_of TokenInfo
+      token.info['access_token'].should == 'test_access_token'
+      token.info['token_type'].should =~ /^bearer$/i
+      token.info['scope'].should == 'openid'
+      token.info['expires_in'].should == 98765
+    end
+  end
+
   context 'pkce with own code verifier' do
     let(:options) { {basic_auth: false, code_verifier: 'umoq1e_4XMYXvfHlaO9mSlSI17OKfxnwfR5ZD-oYreFxyn8yQZ-ZHPZfUZ4n3WjY_tkOB_MAisSy4ddqsa6aoTU5ZOcX4ps3de933PczYlC8pZpKL8EQWaDZOnpOyB2W'} }
 
@@ -324,6 +359,38 @@ describe TokenIssuer do
       code_verifier.should == options[:code_verifier]
       code_challenge.should == 'TAnM2AKGgiQKOC16cRpMdF_55qwmz3B333cq6T18z0s'
     end
+
+    let(:client_secret) { nil }
+    it 'public token request with pkce without client_secret' do
+      subject.set_request_handler do |url, method, body, headers|
+        headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+        headers['accept'].should =~ /application\/json/
+        headers['X-CF-ENCODED-CREDENTIALS'].should_not
+        headers['authorization'].should_not
+        params = Util.decode_form(body)
+        params['code_verifier'].should_not
+        params['grant_type'].should == 'authorization_code'
+        params['client_secret'].should_not
+        url.should match 'http://test.uaa.target/oauth/token'
+        method.should == :post
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                 scope: 'openid', expires_in: 98765}
+        [200, Util.json(reply), {'content-type' => 'application/json'}]
+      end
+      cburi = 'http://call.back/uri_path'
+      params = Util.decode_form(cburi[1])
+      params['code_challenge'].should_not
+      params['code_challenge_method'].should_not
+      redir_uri = subject.authcode_uri(cburi)
+      state = /state=([^&]+)/.match(redir_uri)[1]
+      reply_query = "state=#{state}&code=kz8%2F5gQZ2pc%3D"
+      token = subject.authcode_grant(redir_uri, reply_query)
+      token.should be_an_instance_of TokenInfo
+      token.info['access_token'].should == 'test_access_token'
+      token.info['token_type'].should =~ /^bearer$/i
+      token.info['scope'].should == 'openid'
+      token.info['expires_in'].should == 98765
+    end
   end
 
   context 'no pkce active as this is the default' do
@@ -338,6 +405,40 @@ describe TokenIssuer do
       end
   end
 
+  context 'with client_auth_method using client_secret_post' do
+    let(:options) { {client_auth_method: 'client_secret_post'} }
+    let(:client_secret) { 'body!secret' }
+
+    it 'use client_secret_post in authorization code and expect client_id and secret in body' do
+      subject.set_request_handler do |url, method, body, headers|
+        headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+        headers['accept'].should =~ /application\/json/
+        headers['X-CF-ENCODED-CREDENTIALS'].should_not
+        headers['authorization'].should_not
+        params = Util.decode_form(body)
+        params['code_verifier'].should_not
+        params['grant_type'].should == 'authorization_code'
+        params['client_id'].should == 'test_client'
+        params['client_secret'].should == 'body!secret'
+        url.should match 'http://test.uaa.target/oauth/token'
+        method.should == :post
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                 scope: 'openid', expires_in: 98765}
+        [200, Util.json(reply), {'content-type' => 'application/json'}]
+      end
+      cburi = 'http://call.back/uri_path'
+      redir_uri = subject.authcode_uri(cburi)
+      state = /state=([^&]+)/.match(redir_uri)[1]
+      reply_query = "state=#{state}&code=kz8%2F5gQZ2pc%3D"
+      token = subject.authcode_grant(redir_uri, reply_query)
+      token.should be_an_instance_of TokenInfo
+      token.info['access_token'].should == 'test_access_token'
+      token.info['token_type'].should =~ /^bearer$/i
+      token.info['scope'].should == 'openid'
+      token.info['expires_in'].should == 98765
+    end
+  end
+
 end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-  version: 4.0.7
+  version: 4.0.9
 platform: ruby
 authors:
 - Dave Syer
@@ -9,10 +9,9 @@ authors:
 - Joel D'sa
 - Vidya Valmikinathan
 - Luke Taylor
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-19 00:00:00.000000000 Z
+date: 2025-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -28,6 +27,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: mutex_m
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: httpclient
   requirement: !ruby/object:Gem::Requirement
@@ -232,7 +259,6 @@ homepage: https://github.com/cloudfoundry/cf-uaa-lib
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -247,8 +273,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key: 
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Client library for CloudFoundry UAA
 test_files: []