cf-uaa-lib 1.3.3 → 1.3.4

data/lib/uaa/scim.rb CHANGED
@@ -94,7 +94,8 @@ class Scim
94
94
  # authorization header. For OAuth2 with JWT tokens this would be something
95
95
  # like "bearer xxxx.xxxx.xxxx". The {TokenInfo} class provides
96
96
  # {TokenInfo#auth_header} for this purpose.
97
- # @param style (see Util.hash_key)
97
+ # @param [Hash] options can be
98
+ # * +:symbolize_keys+, if true, returned hash keys are symbols.
98
99
  def initialize(target, auth_header, options = {})
99
100
  @target, @auth_header = target, auth_header
100
101
  @key_style = options[:symbolize_keys] ? :downsym : :down
@@ -41,6 +41,8 @@ class TokenCoder
41
41
  opts[:audience_ids] = Util.arglist(opts[:audience_ids])
42
42
  opts[:algorithm] = 'HS256' unless opts[:algorithm]
43
43
  opts[:verify] = true unless opts.key?(:verify)
44
+ opts[:accept_algorithms] = Util.arglist(opts[:accept_algorithms],
45
+ ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512"])
44
46
  opts
45
47
  end
46
48
 
@@ -93,7 +95,10 @@ class TokenCoder
93
95
  signing_input = [header_segment, payload_segment].join('.')
94
96
  header = Util.json_decode64(header_segment)
95
97
  payload = Util.json_decode64(payload_segment, (:sym if options[:symbolize_keys]))
96
- return payload if !options[:verify] || (algo = header["alg"]) == "none"
98
+ return payload unless options[:verify]
99
+ raise DecodeError, "Signature algorithm not accepted" unless
100
+ options[:accept_algorithms].include?(algo = header["alg"])
101
+ return payload if algo == 'none'
97
102
  signature = Util.decode64(crypto_segment)
98
103
  if ["HS256", "HS384", "HS512"].include?(algo)
99
104
  raise DecodeError, "Signature verification failed" unless
@@ -125,6 +130,9 @@ class TokenCoder
125
130
  # HS384, HS512, RS256, RS384, RS512, or none.
126
131
  # * :verify [String] -- Verifies signatures when decoding tokens. Defaults
127
132
  # to +true+.
133
+ # * :accept_algorithms [String, Array<String>] -- An Array or space separated
134
+ # string of values which list what algorthms are accepted for token
135
+ # signatures. Defaults to all possible values of :algorithm except 'none'.
128
136
  # @note the TokenCoder instance must be configured with the appropriate
129
137
  # key material to support particular algorithm families and operations
130
138
  # -- i.e. :pkey must include a private key in order to sign tokens with
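Review bot: In the decode hunk (@@ -93,7 +95,10 @@), `options[:accept_algorithms].include?(algo = header["alg"])` relies on `options` having already passed through the normalization in the @@ -41,6 +41,8 @@ hunk, where `Util.arglist` supplies the default list; if `decode` can be reached with raw caller options (the spec's `TokenCoder.decode(tkn, :accept_algorithms => "none")` path is not visible here), a nil or still-unsplit String would turn a rejected algorithm into a NoMethodError or a substring match instead of the intended DecodeError. Making the check self-contained, e.g. `accepted = Util.arglist(options[:accept_algorithms])` followed by `raise DecodeError, "Signature algorithm not accepted" unless accepted && accepted.include?(algo = header["alg"])`, removes that dependency on call order. Whether `Util.arglist` actually splits a space-separated string is also outside the hunk, although the new doc comment in the @@ -125,6 +130,9 @@ hunk promises that behaviour; that comment also misspells "algorithms" as `algorthms`. The enclosing decode method starts and ends outside the hunk.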
data/lib/uaa/version.rb CHANGED
@@ -14,6 +14,6 @@
14
14
  # Cloud Foundry namespace
15
15
  module CF
16
16
  module UAA
17
- VERSION = "1.3.3"
17
+ VERSION = "1.3.4"
18
18
  end
19
19
  end
@@ -64,13 +64,18 @@ describe TokenCoder do
64
64
  result["foo"].should == "bar"
65
65
  end
66
66
 
67
- it "encodes/decodes with 'none' signature" do
67
+ it "encodes/decodes with 'none' signature if explicitly accepted" do
68
68
  tkn = subject.encode(@tkn_body, 'none')
69
- result = subject.decode("bEaReR #{tkn}")
69
+ result = TokenCoder.decode(tkn, :accept_algorithms => "none")
70
70
  result.should_not be_nil
71
71
  result["foo"].should == "bar"
72
72
  end
73
73
 
74
+ it "rejects a token with 'none' signature by default" do
75
+ tkn = subject.encode(@tkn_body, 'none')
76
+ expect { TokenCoder.decode(tkn) }.to raise_exception(DecodeError)
77
+ end
78
+
74
79
  it "raises an error if the signing algorithm is not supported" do
75
80
  expect { subject.encode(@tkn_body, 'baz') }.to raise_exception(ArgumentError)
76
81
  end
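Review bot: The spec hunk (@@ -64,13 +64,18 @@) only exercises the new `:accept_algorithms` check at the 'none' edge — accepted when requested, rejected by default — so a restrictive list against a real algorithm is never tested; an example along the lines of `expect { TokenCoder.new(:accept_algorithms => "HS256", ...).decode(rs256_token) }.to raise_exception(DecodeError)` would pin the behaviour the option exists for. The rewritten example also moved from `subject.decode("bEaReR #{tkn}")` to the class-level `TokenCoder.decode(tkn, :accept_algorithms => "none")`, so the instance-level decode path (which the old example also covered for the bearer-prefix handling) no longer has a 'none' example; keeping one `subject` call alongside the class call would retain that coverage. Both examples depend on `subject` and `@tkn_body`, which are set up outside the hunk.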
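--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-version: 1.3.3
+version: 1.3.4
 prerelease:
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-12-21 00:00:00.000000000 Z
+date: 2013-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: multi_json
@@ -195,7 +195,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: 1871594390469590559
+hash: -2055415488226018803
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
@@ -204,10 +204,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 segments:
 - 0
-hash: 1871594390469590559
+hash: -2055415488226018803
 requirements: []
 rubyforge_project: cf-uaa-lib
-rubygems_version: 1.8.24
+rubygems_version: 1.8.23
 signing_key:
 specification_version: 3
 summary: Client library for CloudFoundry UAA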