cf-uaa-lib 4.0.2 → 4.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b74dffd99890350b0ed57b02a6a79343e47967be405bf6fc48e0630f534e6d3
-  data.tar.gz: 229fb7742d1503f18bb6a9097741c11b4de378e68e9ea66f198645031d92d381
+  metadata.gz: 9eebcd4d0b7e5068266fceab3b4686335b5446bb18a6bf4f0a68139ee958dcf6
+  data.tar.gz: d010ba705cca4e1c78c87b782e17faab10f3c3f1008a5337ff2345634053e0bc
 SHA512:
-  metadata.gz: 0d2b41fbb96a3fbf94aa5e27ea7f5f408bd7c23c7555736a01750970b5a52672ae9318376a7615141ab2a777def229d587a431f887be67247747bc230b18a2fd
-  data.tar.gz: 5ccb01cb63301c8abf33a11a1fbb3bba8e3ccc40d200e8b7ae12106cb8a6320c4ba5be912858cbfa25dadde377e2b859aaad8c60dcd27673d046801b40be4564
+  metadata.gz: fedcc696e77cd58fb6a53b24d1eb24482c487e239bbf3e1c6470c66480f5e7f29fc8bd4ab178deb13c010cac2284a21a191c8025870961c4182ffcf212c03c03
+  data.tar.gz: 10a6ca261845b1d773b941da11fc1abffa37ee910fe1175bc5fa9a716a213ab38c70056e44d3d73e2a891ce9c3747243f00342d0a8c3ff8076e373ebeceb3b42

data/.github/workflows/gem-push.yml

@@ -11,7 +11,7 @@ jobs:
       packages: write
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby 2.6
       uses: ruby/setup-ruby@v1
       with:

data/.github/workflows/ruby.yml

@@ -15,7 +15,7 @@ jobs:
         ruby-version: ['2.5', '2.7', '3.0', '3.1', '3.2']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/examples/authorization_grant_public_pkce.rb

@@ -0,0 +1,42 @@
+#!/usr/bin/env ruby
+
+# Start a develop UAA with default profile or add client with allowpublic=true
+# uaac client add login -s loginsecret \
+#   --authorized_grant_types authorization_code,refresh_token \
+#   --scope "openid"  \
+#   --authorities uaa.none \
+#   --allowpublic true \
+#   --redirect_uri=http://localhost:7000/callback
+
+require 'uaa'
+require 'cgi'
+
+url = ENV["UAA_URL"] || 'http://localhost:8080/uaa'
+client = "login"
+secret = nil
+
+def show(title, object)
+  puts "#{title}: #{object.inspect}"
+  puts
+end
+
+uaa_options = { skip_ssl_validation: true, use_pkce:true, client_auth_method: 'none'}
+uaa_options[:ssl_ca_file] = ENV["UAA_CA_CERT_FILE"] if ENV["UAA_CA_CERT_FILE"]
+show "uaa_options", uaa_options
+
+uaa_info = CF::UAA::Info.new(url, uaa_options)
+show "UAA server info", uaa_info.server
+
+token_issuer = CF::UAA::TokenIssuer.new(url, client, secret, uaa_options)
+auth_uri = token_issuer.authcode_uri("http://localhost:7000/callback", nil)
+show "UAA authorization URL", auth_uri
+
+puts "Enter Callback URL: "
+callback_url = gets
+show "Perform Token Request with: ", callback_url
+
+token = token_issuer.authcode_grant(auth_uri, URI.parse(callback_url).query.to_s)
+show "User authorization grant", token
+
+token_info = CF::UAA::TokenCoder.decode(token.info["access_token"], nil, nil, false) #token signature not verified
+show "Decoded access token", token_info

data/lib/uaa/token_issuer.rb

@@ -12,6 +12,7 @@
 #++
 
 require 'securerandom'
+require "digest"
 require 'uaa/http'
 require 'cgi'
 
@@ -53,6 +54,7 @@ class TokenIssuer
   include Http
 
   private
+  @client_auth_method = 'client_secret_basic'
 
   def random_state; SecureRandom.hex end
 
@@ -74,8 +76,15 @@ class TokenIssuer
       params[:scope] = Util.strlist(scope)
     end
     headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8}
-    if @basic_auth
-      headers['authorization'] = Http.basic_auth(@client_id, @client_secret)
+    if @client_auth_method == 'client_secret_basic' && @client_secret && @client_id
+      if @basic_auth
+        headers['authorization'] = Http.basic_auth(@client_id, @client_secret)
+      else
+        headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
+        headers['authorization'] = Http.basic_auth(CGI.escape(@client_id), CGI.escape(@client_secret))
+      end
+    elsif @client_id && params[:code_verifier]
+      params[:client_id] = @client_id
     else
       headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
       headers['authorization'] = Http.basic_auth(CGI.escape(@client_id || ''), CGI.escape(@client_secret || ''))
@@ -91,6 +100,10 @@ class TokenIssuer
         redirect_uri: redirect_uri, state: state)
     params[:scope] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
     params[:nonce] = state
+    if not @code_verifier.nil?
+      params[:code_challenge] = get_challenge
+      params[:code_challenge_method] = 'S256'
+    end
     "/oauth/authorize?#{Util.encode_form(params)}"
   end
 
@@ -116,6 +129,11 @@ class TokenIssuer
     @token_target = options[:token_target] || target
     @key_style = options[:symbolize_keys] ? :sym : nil
     @basic_auth = options[:basic_auth] == true ? true : false
+    @client_auth_method = options[:client_auth_method] || 'client_secret_basic'
+    @code_verifier = options[:code_verifier] || nil
+    if @code_verifier.nil? && options[:use_pkce] && options[:use_pkce] == true
+      @code_verifier = get_verifier
+    end
     initialize_http_options(options)
   end
 
@@ -235,8 +253,27 @@ class TokenIssuer
     rescue URI::InvalidURIError, ArgumentError, BadResponse
       raise BadResponse, "received invalid response from target #{@target}"
     end
-    request_token(grant_type: 'authorization_code', code: authcode,
-        redirect_uri: ac_params['redirect_uri'])
+    if not @code_verifier.nil?
+      request_token(grant_type: 'authorization_code', code: authcode,
+          redirect_uri: ac_params['redirect_uri'], code_verifier: @code_verifier)
+    else
+      request_token(grant_type: 'authorization_code', code: authcode,
+                    redirect_uri: ac_params['redirect_uri'])
+    end
+  end
+
+  # Generates a random verifier for PKCE usage
+  def get_verifier
+    if not @code_verifier.nil?
+      @verifier = @code_verifier
+    else
+      @verifier ||= SecureRandom.base64(96).tr("+/", "-_").tr("=", "")
+    end
+  end
+
+  # Calculates the challenge from code_verifier
+  def get_challenge
+    @challenge ||= Digest::SHA256.base64digest(get_verifier).tr("+/", "-_").tr("=", "")
   end
 
   # Uses the instance client credentials in addition to the +username+

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = '4.0.2'
+    VERSION = '4.0.3'
   end
 end

data/spec/token_issuer_spec.rb

@@ -264,6 +264,7 @@ describe TokenIssuer do
   end
 
   context 'with auth code grant' do
+    let(:options) { {use_pkce: true} }
 
     it 'gets the authcode uri to be sent to the user agent for an authcode' do
       redir_uri = 'http://call.back/uri_path'
@@ -275,6 +276,8 @@ describe TokenIssuer do
       params['scope'].should == 'openid'
       params['redirect_uri'].should == redir_uri
       params['state'].should_not be_nil
+      params['code_challenge'].should =~ /^[0-9A-Za-z_-]{43}$/i
+      params['code_challenge_method'].should == 'S256'
     end
 
     it 'gets an access token with an authorization code' do
@@ -292,6 +295,10 @@ describe TokenIssuer do
       cburi = 'http://call.back/uri_path'
       redir_uri = subject.authcode_uri(cburi)
       state = /state=([^&]+)/.match(redir_uri)[1]
+      challenge = /code_challenge=([^&]+)/.match(redir_uri)[1]
+      challenge.should =~ /^[0-9A-Za-z_-]{43}$/i
+      challenge_method = /code_challenge_method=([^&]+)/.match(redir_uri)[1]
+      challenge_method.should == 'S256'
       reply_query = "state=#{state}&code=kz8%2F5gQZ2pc%3D"
       token = subject.authcode_grant(redir_uri, reply_query)
       token.should be_an_instance_of TokenInfo
@@ -303,6 +310,34 @@ describe TokenIssuer do
 
   end
 
+  context 'pkce with own code verifier' do
+    let(:options) { {basic_auth: false, code_verifier: 'umoq1e_4XMYXvfHlaO9mSlSI17OKfxnwfR5ZD-oYreFxyn8yQZ-ZHPZfUZ4n3WjY_tkOB_MAisSy4ddqsa6aoTU5ZOcX4ps3de933PczYlC8pZpKL8EQWaDZOnpOyB2W'} }
+
+    it 'calculate code_challenge on existing verifier' do
+      redir_uri = 'http://call.back/uri_path'
+      uri_parts = subject.authcode_uri(redir_uri, 'openid').split('?')
+      code_challenge = subject.get_challenge
+      code_verifier = subject.get_verifier
+      params = Util.decode_form(uri_parts[1])
+      params['code_challenge'].should == code_challenge
+      params['code_challenge_method'].should == 'S256'
+      code_verifier.should == options[:code_verifier]
+      code_challenge.should == 'TAnM2AKGgiQKOC16cRpMdF_55qwmz3B333cq6T18z0s'
+    end
+  end
+
+  context 'no pkce active as this is the default' do
+      #let(:options) { {use_pkce: false} }
+      # by default PKCE is off
+      it 'no code pkce generation with an authorization code' do
+        redir_uri = 'http://call.back/uri_path'
+        uri_parts = subject.authcode_uri(redir_uri, 'openid').split('?')
+        params = Util.decode_form(uri_parts[1])
+        params['code_challenge'].should_not
+        params['code_challenge_method'].should_not
+      end
+  end
+
 end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.0.3
 platform: ruby
 authors:
 - Dave Syer
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-10 00:00:00.000000000 Z
+date: 2023-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -237,6 +237,7 @@ files:
 - README.md
 - Rakefile
 - cf-uaa-lib.gemspec
+- examples/authorization_grant_public_pkce.rb
 - examples/password_grant_and_decode_token.rb
 - lib/uaa.rb
 - lib/uaa/http.rb