global_session 3.2.10 → 3.3.0

data/lib/global_session/session/v1.rb

@@ -39,6 +39,9 @@ module GlobalSession::Session
   # * The sign and verify algorithms, while safe, do not comply fully with PKCS7; they rely on the
   #   OpenSSL low-level crypto API instead of using the higher-level EVP (envelope) API.
   class V1 < Abstract
+    # Pattern that matches strings that are probably a V1 session cookie.
+    HEADER = /^eN/
+
     # Utility method to decode a cookie; good for console debugging. This performs no
     # validation or security check of any sort.
     #
@@ -233,15 +236,15 @@ module GlobalSession::Session
       #Check signature
       expected = canonical_digest(hash)
       signer = @directory.authorities[authority]
-      raise SecurityError, "Unknown signing authority #{authority}" unless signer
+      raise GlobalSession::InvalidSignature, "Unknown signing authority #{authority}" unless signer
       got = signer.public_decrypt(GlobalSession::Encoding::Base64Cookie.load(signature))
       unless (got == expected)
-        raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
+        raise GlobalSession::InvalidSignature, "Global session integrity failure; tampering suspected"
       end
 
       #Check trust in signing authority
       unless @directory.trusted_authority?(authority)
-        raise SecurityError, "Global sessions signed by #{authority} are not trusted"
+        raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority} are not trusted"
       end
 
       #Check expiration
@@ -266,8 +269,6 @@ module GlobalSession::Session
     end
 
     def create_from_scratch # :nodoc:
-      authority_check
-
       @signed = {}
       @insecure = {}
       @created_at = Time.now.utc
@@ -275,14 +276,5 @@ module GlobalSession::Session
       @id = RightSupport::Data::UUID.generate
       renew!
     end
-
-    def create_invalid # :nodoc:
-      @id = nil
-      @created_at = Time.now.utc
-      @expired_at = created_at
-      @signed = {}
-      @insecure = {}
-      @authority = nil
-    end
   end
 end

data/lib/global_session/session/v2.rb

@@ -44,6 +44,9 @@ module GlobalSession::Session
   # * The sign and verify algorithms, while safe, do not comply fully with PKCS7; they rely on the
   #   OpenSSL low-level crypto API instead of using the higher-level EVP (envelope) API.
   class V2 < Abstract
+    # Pattern that matches strings that are probably a V2 session cookie.
+    HEADER = /^l9/
+
     # Utility method to decode a cookie; good for console debugging. This performs no
     # validation or security check of any sort.
     #
@@ -79,8 +82,8 @@ module GlobalSession::Session
         hash['a'] = authority
         signed_hash = RightSupport::Crypto::SignedHash.new(
             hash.reject { |k,v| ['dx', 's'].include?(k) },
-            :encoding=>GlobalSession::Encoding::Msgpack,
-            :private_key=>@directory.private_key)
+            @directory.private_key,
+            encoding: GlobalSession::Encoding::Msgpack)
         @signature = signed_hash.sign(@expired_at)
       end
 
@@ -252,20 +255,20 @@ module GlobalSession::Session
 
       #Check trust in signing authority
       unless @directory.trusted_authority?(authority)
-        raise SecurityError, "Global sessions signed by #{authority.inspect} are not trusted"
+        raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted"
       end
 
       signed_hash = RightSupport::Crypto::SignedHash.new(
           hash.reject { |k,v| ['dx', 's'].include?(k) },
-          :encoding=>GlobalSession::Encoding::Msgpack,
-          :public_key=>@directory.authorities[authority])
+          @directory.authorities[authority],
+          :encoding=>GlobalSession::Encoding::Msgpack)
 
       begin
         signed_hash.verify!(signature, expired_at)
       rescue RightSupport::Crypto::ExpiredSignature
         raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
       rescue RightSupport::Crypto::InvalidSignature => e
-        raise SecurityError, "Global session signature verification failed: " + e.message
+        raise GlobalSession::InvalidSignature, "Integrity check failed: " + e.message
       end
 
       #Check other validity (delegate to directory)
@@ -285,8 +288,6 @@ module GlobalSession::Session
     end
 
     def create_from_scratch # :nodoc:
-      authority_check
-
       @signed = {}
       @insecure = {}
       @created_at = Time.now.utc
@@ -294,14 +295,5 @@ module GlobalSession::Session
       @id = RightSupport::Data::UUID.generate
       renew!
     end
-
-    def create_invalid # :nodoc:
-      @id = nil
-      @created_at = Time.now.utc
-      @expired_at = created_at
-      @signed = {}
-      @insecure = {}
-      @authority = nil
-    end
   end
 end

data/lib/global_session/session/v3.rb

@@ -22,7 +22,7 @@
 # Standard library dependencies
 require 'set'
 
-# Cryptographical Hash
+# SignedHash, which encapsulates the crypto bit of global sessions
 require 'right_support/crypto'
 
 module GlobalSession::Session
@@ -47,6 +47,9 @@ module GlobalSession::Session
   # encoding (instead of msgpack), and uses the undocumented OpenSSL::PKey#sign and #verify
   # operations which rely on the PKCS7-compliant OpenSSL EVP API.
   class V3 < Abstract
+    # Pattern that matches strings that are probably a V3 session cookie.
+    HEADER = /^WzM/
+
     STRING_ENCODING = !!(RUBY_VERSION !~ /1.8/)
 
     # Utility method to decode a cookie; good for console debugging. This performs no
@@ -110,33 +113,6 @@ module GlobalSession::Session
       result
     end
 
-    # Delete a key from the global session attributes. If the key exists,
-    # mark the global session dirty
-    #
-    # @param [String] the key to delete
-    # @return [Object] the value of the key deleted, or nil if not found
-    def delete(key)
-      key = key.to_s #take care of symbol-style keys
-      raise GlobalSession::InvalidSession unless valid?
-
-      if @schema_signed.include?(key)
-        authority_check
-
-        # Only mark dirty if the key actually exists
-        @dirty_secure = true if @signed.keys.include? key
-        value = @signed.delete(key)
-      elsif @schema_insecure.include?(key)
-
-        # Only mark dirty if the key actually exists
-        @dirty_insecure = true if @insecure.keys.include? key
-        value = @insecure.delete(key)
-      else
-        raise ArgumentError, "Attribute '#{key}' is not specified in global session configuration"
-      end
-
-      return value
-    end
-
     # Serialize the session to a form suitable for use with HTTP cookies. If any
     # secure attributes have changed since the session was instantiated, compute
     # a fresh RSA signature.
@@ -168,9 +144,9 @@ module GlobalSession::Session
         hash['a'] = authority
         signed_hash = RightSupport::Crypto::SignedHash.new(
           hash,
-          :envelope=>true,
-          :encoding=>GlobalSession::Encoding::JSON,
-          :private_key=>@directory.private_key)
+          @directory.private_key,
+          envelope: true,
+          encoding: GlobalSession::Encoding::JSON)
         @signature = signed_hash.sign(@expired_at)
       end
 
@@ -183,87 +159,6 @@ module GlobalSession::Session
       return GlobalSession::Encoding::Base64Cookie.dump(bin)
     end
 
-    # Determine whether any state has changed since the session was loaded.
-    #
-    # @return [Boolean] true if something has changed
-    def dirty?
-      !!(super || @dirty_secure || @dirty_insecure)
-    end
-
-    # Return the keys that are currently present in the global session.
-    #
-    # === Return
-    # keys(Array):: List of keys contained in the global session
-    def keys
-      @signed.keys + @insecure.keys
-    end
-
-    # Return the values that are currently present in the global session.
-    #
-    # === Return
-    # values(Array):: List of values contained in the global session
-    def values
-      @signed.values + @insecure.values
-    end
-
-    # Iterate over each key/value pair
-    #
-    # === Block
-    # An iterator which will be called with each key/value pair
-    #
-    # === Return
-    # Returns the value of the last expression evaluated by the block
-    def each_pair(&block) # :yields: |key, value|
-      @signed.each_pair(&block)
-      @insecure.each_pair(&block)
-    end
-
-    # Lookup a value by its key.
-    #
-    # === Parameters
-    # key(String):: the key
-    #
-    # === Return
-    # value(Object):: The value associated with +key+, or nil if +key+ is not present
-    def [](key)
-      key = key.to_s #take care of symbol-style keys
-      @signed[key] || @insecure[key]
-    end
-
-    # Set a value in the global session hash. If the supplied key is denoted as
-    # secure by the global session schema, causes a new signature to be computed
-    # when the session is next serialized.
-    #
-    # === Parameters
-    # key(String):: The key to set
-    # value(Object):: The value to set
-    #
-    # === Return
-    # value(Object):: Always returns the value that was set
-    #
-    # ===Raise
-    # InvalidSession:: if the session has been invalidated (and therefore can't be written to)
-    # ArgumentError:: if the configuration doesn't define the specified key as part of the global session
-    # NoAuthority:: if the specified key is secure and the local node is not an authority
-    # UnserializableType:: if the specified value can't be serialized as JSON
-    def []=(key, value)
-      key = key.to_s #take care of symbol-style keys
-      raise GlobalSession::InvalidSession unless valid?
-
-      if @schema_signed.include?(key)
-        authority_check
-        @signed[key] = value
-        @dirty_secure = true
-      elsif @schema_insecure.include?(key)
-        @insecure[key] = value
-        @dirty_insecure = true
-      else
-        raise ArgumentError, "Attribute '#{key}' is not specified in global session configuration"
-      end
-
-      return value
-    end
-
     # Return the SHA1 hash of the most recently-computed RSA signature of this session.
     # This isn't really intended for the end user; it exists so the Web framework integration
     # code can optimize request speed by caching the most recently verified signature in the
@@ -277,16 +172,6 @@ module GlobalSession::Session
 
     private
 
-    # This is called by #clone and is used to augment the shallow clone behavior
-    #
-    # @return [Object] this global session object which doesn't reference the
-    # the hashes from the original object
-    def initialize_copy(source)
-      super
-      @signed = ::RightSupport::Data::HashTools.deep_clone2(@signed)
-      @insecure = ::RightSupport::Data::HashTools.deep_clone2(@insecure)
-    end
-
     def load_from_cookie(cookie) # :nodoc:
       hash = nil
 
@@ -311,20 +196,20 @@ module GlobalSession::Session
       if @directory.trusted_authority?(authority)
         signed_hash = RightSupport::Crypto::SignedHash.new(
           hash,
+          @directory.authorities[authority],
           :envelope=>true,
-          :encoding=>GlobalSession::Encoding::JSON,
-          :public_key=>@directory.authorities[authority])
+          :encoding=>GlobalSession::Encoding::JSON)
 
         begin
           signed_hash.verify!(signature, expired_at)
         rescue RightSupport::Crypto::ExpiredSignature
           raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
         rescue RightSupport::Crypto::InvalidSignature => e
-          raise SecurityError, "Global session signature verification failed: " + e.message
+          raise GlobalSession::InvalidSignature, "Global session signature verification failed: " + e.message
         end
 
       else
-        raise SecurityError, "Global sessions signed by #{authority.inspect} are not trusted"
+        raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted"
       end
 
       #Check expiration
@@ -349,8 +234,6 @@ module GlobalSession::Session
     end
 
     def create_from_scratch # :nodoc:
-      authority_check
-
       @signed = {}
       @insecure = {}
       @created_at = Time.now.utc
@@ -359,15 +242,6 @@ module GlobalSession::Session
       renew!
     end
 
-    def create_invalid # :nodoc:
-      @id = nil
-      @created_at = Time.now.utc
-      @expired_at = created_at
-      @signed = {}
-      @insecure = {}
-      @authority = nil
-    end
-
     # Transform a V1-style attribute hash to an Array with fixed placement for
     # each element. The V3 scheme is serialized as an array to save space.
     #

data/lib/global_session/session/v4.rb

@@ -0,0 +1,140 @@
+require 'securerandom'
+
+module GlobalSession::Session
+  # Version 4 is based on JSON Web Token; in fact, if there is no insecure
+  # state, then a V4 session _is_ a JWT. Otherwise, it's a JWT with a
+  # nonstandard fourth component containing the insecure state.
+  class V4 < Abstract
+    EXPIRED_AT = 'exp'.freeze
+    ID         = 'id'.freeze
+    ISSUED_AT  = 'iat'.freeze
+    ISSUER     = 'iss'.freeze
+    NOT_BEFORE = 'nbf'.freeze
+
+    # Pattern that matches strings that are probably a V4 session cookie.
+    HEADER = /^eyJ0eXAiOiJKV1QiL/
+
+    def self.decode_cookie(cookie)
+      header, payload, sig, insec = cookie.split('.')
+      header, payload, insec = [header, payload, insec].
+        map { |c| c && RightSupport::Data::Base64URL.decode(c) }.
+        map { |j| j && GlobalSession::Encoding::JSON.load(j) }
+      sig = RightSupport::Data::Base64URL.decode(sig)
+      insec ||= {}
+
+      unless Hash === header && header['typ'] == 'JWT'
+        raise GlobalSession::MalformedCookie, "JWT header not present"
+      end
+      unless Hash === payload
+        raise GlobalSession::MalformedCookie, "JWT payload not present"
+      end
+
+      [header, payload, sig, insec]
+    rescue JSON::ParserError => e
+      raise GlobalSession::MalformedCookie, e.message
+    end
+
+    # Serialize the session. If any secure attributes have changed since the
+    # session was instantiated, compute a fresh RSA signature.
+    #
+    # @return [String]
+    def to_s
+      if @cookie && !dirty?
+        # nothing has changed; just return cached cookie
+        return @cookie
+      end
+
+      unless @insecure.nil? || @insecure.empty?
+        insec = GlobalSession::Encoding::JSON.dump(@insecure)
+        insec = RightSupport::Data::Base64URL.encode(insec)
+      end
+
+      if @signature && !(@dirty_timestamps || @dirty_secure)
+        # secure state hasn't changed; reuse JWT piece of cookie
+        jwt = @cookie.split('.')[0..2].join('.')
+      else
+        # secure state has changed; recompute signature & make new JWT
+        authority_check
+
+        payload = @signed.dup
+        payload[ID] = id
+        payload[EXPIRED_AT] = @expired_at.to_i
+        payload[ISSUED_AT] = @created_at.to_i
+        payload[ISSUER] = @directory.local_authority_name
+
+        sh = RightSupport::Crypto::SignedHash.new(payload, @directory.private_key, envelope: :jwt)
+        jwt = sh.to_jwt(@expired_at)
+      end
+
+      if insec && !insec.empty?
+        return "#{jwt}.#{insec}"
+      else
+        return jwt
+      end
+    end
+
+    private
+
+    def load_from_cookie(cookie)
+      # Get the basic facts
+      header, payload, sig, insec = self.class.decode_cookie(cookie)
+      id         = payload[ID]
+      created_at = payload[ISSUED_AT]
+      issuer     = payload[ISSUER]
+      expired_at = payload[EXPIRED_AT]
+      not_before = payload[NOT_BEFORE]
+      raise GlobalSession::InvalidSignature, "JWT iat claim missing/wrong" unless Integer === created_at
+      raise GlobalSession::InvalidSignature, "JWT iat claim missing/wrong" unless Integer === expired_at
+      created_at = Time.at(created_at)
+      expired_at = Time.at(expired_at)
+      if Numeric === not_before
+        not_before = Time.at(not_before)
+        raise GlobalSession::PrematureSession, "Session not valid before #{not_before}" unless Time.now >= not_before
+      end
+
+      #Check trust in signing authority
+      if @directory.trusted_authority?(issuer)
+        signed_hash =
+          RightSupport::Crypto::SignedHash.new(payload,
+            @directory.authorities[issuer],
+            envelope: :jwt
+          )
+
+        begin
+          signed_hash.verify!(sig, expired_at)
+        rescue RightSupport::Crypto::ExpiredSignature
+          raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
+        rescue RightSupport::Crypto::InvalidSignature => e
+          raise GlobalSession::InvalidSignature, "Global session signature verification failed: " + e.message
+        end
+
+      else
+        raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted"
+      end
+
+      #Check other validity (delegate to directory)
+      unless @directory.valid_session?(id, expired_at)
+        raise GlobalSession::InvalidSession, "Global session has been invalidated"
+      end
+
+      #If all validation stuff passed, assign our instance variables.
+      @id = id
+      @authority = issuer
+      @created_at = created_at
+      @expired_at = expired_at
+      @signed = payload
+      @insecure = insec
+      @signature = sig
+      @cookie = cookie
+    end
+
+    def create_from_scratch
+      @signed = {}
+      @insecure = {}
+      @created_at = Time.now.utc
+      @authority = @directory.local_authority_name
+      @id = generate_id
+      renew!
+    end
+  end
+end