fridge 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f4a824a32d9980601cfa696083b4a7c2765f26e0
-  data.tar.gz: 27f1e343ab6fdd60a947254f3c9eb428370cb11e
+  metadata.gz: 28164c99b4a71e24796559da6b1fc0663d0f42c9
+  data.tar.gz: db5603732b2c608dd063cdf0b3c8e6cf33f8ead6
 SHA512:
-  metadata.gz: b7f135652cd8d9702f9fd3f5ed32f9b6b31ba702ef107a18f32b73303200b89302659991a666c98f432cb9cb5bc2109444b88f9239e3781dd9378c738cc05567
-  data.tar.gz: 446fb0d2f82514a9d978159f699fc1f031948ad48c0364b46bae54d285c700fc84f86b6c6d2b6a126fef340f51dd97fdb07a36b250df0018c7f3350b390552fc
+  metadata.gz: 44f92c7854c7d359fe5cf9596b165c9ff93815f9f1d0040782f2b230de38a47ea314aed24bc48ed531d4fffb880dacd0cbaa85c83261f8739f0b17b5727245e4
+  data.tar.gz: 2fbf80cfddbade814f62fb21e9492f393d155a5df6e55e49ebf310ee5a4c5218382277d473c518f1b93b7978e592a7edaeac213fc7f0e5d57db3aa48309451c1

data/.travis.yml

@@ -1,3 +1,4 @@
+sudo: false
 rvm:
   - 2.0.0
   - jruby

data/fridge.gemspec

@@ -16,7 +16,7 @@ Gem::Specification.new do |spec|
   spec.license       = 'MIT'
 
   spec.files         = `git ls-files`.split($RS)
-  spec.test_files    = spec.files.grep(/^spec\//)
+  spec.test_files    = spec.files.grep(%r{^spec/})
   spec.require_paths = ['lib']
 
   spec.add_dependency 'gem_config'

data/lib/fridge/access_token.rb

@@ -2,7 +2,7 @@ require 'jwt'
 
 module Fridge
   class AccessToken
-    attr_accessor :id, :issuer, :subject, :scope, :expires_at,
+    attr_accessor :id, :issuer, :subject, :scope, :expires_at, :actor,
                   :jwt, :attributes
 
     # rubocop:disable MethodLength
@@ -15,11 +15,11 @@ module Fridge
                 when Hash then jwt_or_options
                 else {}
                 end
-      [:id, :issuer, :subject, :scope, :expires_at].each do |key|
+
+      [:id, :issuer, :subject, :scope, :expires_at, :actor].each do |key|
         send "#{key}=", options.delete(key)
       end
-      self.attributes = options.reject { |_, v| v.nil? }
-      self.attributes = Hash[attributes.map { |k, v| [k.to_sym, v] }]
+      self.attributes = options
     end
     # rubocop:enable MethodLength
 
@@ -35,13 +35,13 @@ module Fridge
     end
 
     def encode_and_sign
-      JWT.encode({
-        id: id,
-        iss: issuer,
-        sub: subject,
-        scope: scope,
-        exp: expires_at.to_i
-      }.merge(attributes), private_key, algorithm)
+      h = {}
+      [:id, :issuer, :subject, :scope, :expires_at, :actor].each do |key|
+        h[key] = send(key)
+      end
+      h.merge!(attributes)
+      h = encode_for_jwt(h)
+      JWT.encode(h, private_key, algorithm)
     rescue
       raise SerializationError, 'Invalid private key or signing algorithm'
     end
@@ -49,14 +49,7 @@ module Fridge
     # rubocop:disable MethodLength
     def decode_and_verify(jwt)
       hash = JWT.decode(jwt, public_key)
-      base = {
-        id: hash.delete('id'),
-        issuer: hash.delete('iss'),
-        subject: hash.delete('sub'),
-        scope: hash.delete('scope'),
-        expires_at: Time.at(hash.delete('exp'))
-      }
-      base.merge(hash)
+      decode_from_jwt(hash)
     rescue JWT::DecodeError
       raise InvalidToken, 'Invalid access token'
     end
@@ -123,5 +116,49 @@ module Fridge
     def validate_public_key!
       fail SerializationError, 'No public key configured' unless public_key
     end
+
+    # Internally, we use "subject" to refer to "sub", and so on. We also
+    # represent some objects (expiry) differently. These functions do the
+    # mapping from Fridge to JWT and vice-versa.
+
+    def encode_for_jwt(hash)
+      out = {
+        id: hash.delete(:id),
+        iss: hash.delete(:issuer),
+        sub: hash.delete(:subject),
+        scope: hash.delete(:scope)
+      }.delete_if { |_, v| v.nil? }
+
+      # Unfortunately, nil.to_i returns 0, which means we can't
+      # easily clean out exp if we include it although it wasn't passed
+      # in like we do for other keys. So, we only include it if it's
+      # actually passed in and non-nil. Either way, we delete the keys.
+      hash.delete(:expires_at).tap { |e| out[:exp] = e.to_i if e }
+      hash.delete(:actor).tap { |a| out[:act] = encode_for_jwt(a) if a }
+
+      # Extra attributes passed through as-is
+      out.merge!(hash)
+
+      out
+    end
+
+    def decode_from_jwt(hash)
+      out = {
+        id: hash.delete('id'),
+        issuer: hash.delete('iss'),
+        subject: hash.delete('sub'),
+        scope: hash.delete('scope')
+      }.delete_if { |_, v| v.nil? }
+
+      hash.delete('exp').tap { |e| out[:expires_at] = Time.at(e) if e }
+      hash.delete('act').tap { |a| out[:actor] = decode_from_jwt(a) if a }
+
+      # Extra attributes
+      hash.delete_if { |_, v| v.nil? }
+      hash = Hash[hash.map { |k, v| [k.to_sym, v] }]
+      out.merge!(hash)
+
+      out
+    end
   end
 end

data/lib/fridge/rails_helpers.rb

@@ -15,6 +15,10 @@ module Fridge
       current_token.subject if current_token
     end
 
+    def token_actor
+      current_token.actor if current_token
+    end
+
     def current_token
       return unless bearer_token
       @current_token ||= AccessToken.new(bearer_token).tap do |token|
@@ -31,6 +35,10 @@ module Fridge
       session_token.subject if session_token
     end
 
+    def session_actor
+      session_token.actor if session_token
+    end
+
     def session_token
       return unless session_cookie
       @session_token ||= AccessToken.new(session_cookie).tap do |token|

data/lib/fridge/version.rb

@@ -1,3 +1,3 @@
 module Fridge
-  VERSION = '0.3.0'
+  VERSION = '0.3.1'
 end

data/spec/fridge/access_token_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'json'
 
 describe Fridge::AccessToken do
   describe '#initialize' do
@@ -26,6 +27,14 @@ describe Fridge::AccessToken do
       jwt = JWT.encode({ id: 'foobar' }, OpenSSL::PKey::RSA.new(1024), 'RS512')
       expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
     end
+
+    # http://bit.ly/jwt-none-vulnerability
+    it 'should raise an error with { "alg": "none" }' do
+      jwt = "#{Base64.encode64({ typ: 'JWT', alg: 'none' }.to_json).chomp}." \
+            "#{Base64.encode64({ id: 'foobar' }.to_json).chomp}"
+      expect(JWT.decode(jwt, nil, false)).to eq('id' => 'foobar')
+      expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
+    end
   end
 
   describe '#serialize' do
@@ -99,6 +108,24 @@ describe Fridge::AccessToken do
       subject.subject = nil
       expect { subject.serialize }.to raise_error Fridge::SerializationError
     end
+
+    it 'should encode and decode :actor as :act' do
+      # The `act` field can recursively encode additional
+      # claims, so we check those too.
+      actor = { subject: 'foo', username: 'test', actor: { subject: 'bar' } }
+      subject = described_class.new(options.merge(actor: actor))
+
+      # The JWT lib will return everything as strings, so we'll
+      # test that, although eventually we'll want to see symbols back.
+      actor_s = { 'sub' => 'foo', 'username' => 'test',
+                  'act' => { 'sub' => 'bar' } }
+      hash = JWT.decode(subject.serialize, public_key)
+      expect(hash['act']).to eq(actor_s)
+
+      # Now, check that we properly get symbols back
+      new = described_class.new(subject.serialize)
+      expect(new.actor).to eq(actor)
+    end
   end
 
   describe '#expired?' do

data/spec/fridge/rails_helpers_spec.rb

@@ -104,7 +104,7 @@ describe Controller, type: :controller do
       it 'should delete all cookies on error' do
         cookies[:fridge_session] = 'foobar'
         controller.session_token
-        expect(cookies.deleted?(:fridge_session, domain: :all)).to be_true
+        expect(cookies.deleted?(:fridge_session, domain: :all)).to be true
       end
 
       it 'should return nil on error' do
@@ -135,12 +135,12 @@ describe Controller, type: :controller do
     describe '#validate_token' do
       it 'should return false if the token is invalid' do
         Fridge.configuration.validator = ->(_) { false }
-        expect(controller.validate_token(access_token)).to be_false
+        expect(controller.validate_token(access_token)).to be false
       end
 
       it 'should return false if the token validator fails' do
         Fridge.configuration.validator = ->(_) { fail 'Foobar' }
-        expect(controller.validate_token(access_token)).to be_false
+        expect(controller.validate_token(access_token)).to be false
       end
 
       it 'should return the token if valid' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fridge
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Frank Macreery
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-01 00:00:00.000000000 Z
+date: 2016-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gem_config
@@ -183,7 +183,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Token validation for distributed resource servers