fridge 0.4.5 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f95fc7ff6e87f6f8d584736fe30f491611b63fc216e0d4453fccfa6f83d46c98
-  data.tar.gz: 02b45faa47f7bcfa6bb572247d1f331a99d254e28e6d28eb982589ebc812dcdc
+  metadata.gz: ddbc9d80db231fbec0b2e9a00b5ea26ffafa3ae005eef43ca167e82d2712aca1
+  data.tar.gz: 7e6ec26850164a9e6b593233cd28fc4da06b4bdb0a917297362e41eea3007401
 SHA512:
-  metadata.gz: 1fd27cadc2aadbf83e25d3b6215d504123438f401a36e614ed2c6734476cf53acb78f2d8a9d1957bffeecec071202ddca4f4ce746c319a4fcdc14ec771763ab7
-  data.tar.gz: 00ade0f6d5133df541f4859904cc76951407d058d90c93ddb7b4e8f4925848242c6d86c6e91fca9bb0efbc0438b93c5e211f8f85273cf5e4a0259c0d5eb161f7
+  metadata.gz: 46f205b7cd98c6306aa2835fd62a8fee6784996ab58e05d1b3feca2678dc11e409c09ff87c2401d41e7e5c3f00bf6f72d2d4f284d59b98ffcca539c5213a5d52
+  data.tar.gz: e728b646ddb3fd02e95602d502e055c035ac1a74f4a7b433dcb27de55e0ad36b3b3c5daf289980c476ba242a00876cb3e9a3659761ae07bec55951af314637c9

data/.github/CODEOWNERS

@@ -1 +1,2 @@
-*   @dawenster
+*   @aguilinger
+*   @neurosnap

data/.github/workflows/test.yml

@@ -0,0 +1,48 @@
+name: Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+  push:
+    branches:
+      - main
+      - master
+
+jobs:
+
+  test:
+    name: Test
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      matrix:
+        RUBY_VERSION: ["2.5", "2.6", "3.1"]
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Install Ruby ${{ matrix.RUBY_VERSION }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.RUBY_VERSION }}
+          bundler-cache: true
+
+      - name: Run Tests
+        run: bundle exec rake
+
+  results:
+    if: ${{ always() }}
+    runs-on: ubuntu-latest
+    name: Final Results
+    needs: [test]
+    steps:
+      - run: exit 1
+        # see https://stackoverflow.com/a/67532120/4907315
+        if: >-
+          ${{
+               contains(needs.*.result, 'failure')
+            || contains(needs.*.result, 'cancelled')
+          }}

data/SECURITY.md

@@ -0,0 +1,23 @@
+# Aptible Open Source Security Policies and Procedures
+
+This document outlines security procedures and general policies for the Aptible open source projects as found on https://github.com/aptible.
+
+  * [Reporting a Vulnerability](#reporting-a-vulnerability)
+  * [Responsible Disclosure Policy](#responsible-disclosure-policy)
+
+## Reporting a Vulnerability 
+
+The Aptible team and community take all security vulnerabilities
+seriously. Thank you for improving the security of our open source software. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
+
+Report security vulnerabilities by emailing the Aptible security team at:
+    
+    security@aptible.com
+
+Security researchers can also privately report security vulnerabilities to repository maintainers using the GitHub "Report a Vulnerability" feature. [See how-to here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+The Aptible team will acknowledge your email within 24 business hours and send a detailed response within 48 business hours indicating the next steps in handling your report. The Aptible security team will keep you informed of the progress and may ask for additional information or guidance.
+
+## Responsible Disclosure Policy
+
+Please see Aptible's Responsible Disclosure Policy here: https://www.aptible.com/legal/responsible-disclosure/

data/fridge.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'gem_config'
-  spec.add_dependency 'jwt', '~> 1.5.6'
+  spec.add_dependency 'jwt', '~> 2.3.0'
 
   spec.add_development_dependency 'aptible-tasks'
   spec.add_development_dependency 'pry'

data/lib/fridge/version.rb

@@ -1,3 +1,3 @@
 module Fridge
-  VERSION = '0.4.5'.freeze
+  VERSION = '1.0.0'.freeze
 end

data/spec/fridge/access_token_spec.rb

@@ -79,21 +79,22 @@ describe Fridge::AccessToken do
     end
 
     it 'should be verifiable with the application public key' do
-      expect { JWT.decode(subject.serialize, public_key) }.not_to raise_error
+      expect { JWT.decode(subject.serialize, public_key, true, algorithm: 'RS512') }
+        .not_to raise_error
     end
 
     it 'should be tamper-resistant' do
       header, _, signature = subject.serialize.split('.')
-      tampered_claim = JWT.base64url_encode({ foo: 'bar' }.to_json)
+      tampered_claim = JWT::Base64.url_encode({ foo: 'bar' }.to_json)
       tampered_token = [header, tampered_claim, signature].join('.')
 
       expect do
-        JWT.decode(tampered_token, public_key)
+        JWT.decode(tampered_token, public_key, true, algorithm: 'RS512')
       end.to raise_error JWT::DecodeError
     end
 
     it 'should represent :exp in seconds since the epoch' do
-      hash, = JWT.decode(subject.serialize, public_key)
+      hash, = JWT.decode(subject.serialize, public_key, true, algorithm: 'RS512')
       expect(hash['exp']).to be_a Integer
     end
 
@@ -133,7 +134,7 @@ describe Fridge::AccessToken do
       # test that, although eventually we'll want to see symbols back.
       actor_s = { 'sub' => 'foo', 'username' => 'test',
                   'act' => { 'sub' => 'bar' } }
-      hash, = JWT.decode(subject.serialize, public_key)
+      hash, = JWT.decode(subject.serialize, public_key, true, algorithm: 'RS512')
       expect(hash['act']).to eq(actor_s)
 
       # Now, check that we properly get symbols back

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fridge
 version: !ruby/object:Gem::Version
-  version: 0.4.5
+  version: 1.0.0
 platform: ruby
 authors:
 - Frank Macreery
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-30 00:00:00.000000000 Z
+date: 2024-09-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gem_config
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.6
+        version: 2.3.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.6
+        version: 2.3.0
 - !ruby/object:Gem::Dependency
   name: aptible-tasks
   requirement: !ruby/object:Gem::Requirement
@@ -130,13 +130,14 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/CODEOWNERS"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - Gemfile
 - LICENSE.md
 - README.md
 - Rakefile
+- SECURITY.md
 - fridge.gemspec
 - lib/fridge.rb
 - lib/fridge/access_token.rb
@@ -169,7 +170,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Token validation for distributed resource servers

data/.travis.yml

@@ -1,6 +0,0 @@
-sudo: false
-rvm:
-  - 2.2
-  - 2.5
-  - 2.6
-  - 3.1