global_session 3.2.10 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 277ed2049447151c9efbcbe7f0a53cc5860bcdd9
-  data.tar.gz: 515d8873815c891c2e1b0bc03ec3ae0e26ecd333
+  metadata.gz: bdc242048b36de58af17de56b0b99eb35749402b
+  data.tar.gz: 21c79fa5ca975c6fd8dddaa623c00f24f385276f
 SHA512:
-  metadata.gz: 7d19d6f8f399ae201e2969bf4c529549dc2250615cb82521d6edc3eaae63b3174de74aa66edf3afff9aedafc3922626977ddc9a207ab48b55869a5f4140f4ec5
-  data.tar.gz: 8518212d89097547ac73c6ca7301d9db19e91ab22e24669b52d2f72a6f4f59fbcf2ca6a03777873d639b1adb0fb8666afaab44275ec7961efb4d2877c654977e
+  metadata.gz: b2030dc06623067a3ebbbdbdfda30d465e2d7f84c9cef19fbc9bff55f7ea11e65e656cd10854b0abf0e0f5ee2e6273a54076d99ff0fd85aaaac65fbd552e4bbd
+  data.tar.gz: b2d3249a309714a84b47699adb4bc7531c3a56aaa5a76ea3b2df81a4d2ee778ab75e439e2870089223c212d6f42254eb5874b9debcb92f4030272a987a7c05b1

data/global_session.gemspec

@@ -1,91 +1,26 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
-# stub: global_session 3.2.9 ruby lib
+# encoding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'global_session/version'
 
-Gem::Specification.new do |s|
-  s.name = "global_session"
-  s.version = "3.2.9"
+Gem::Specification.new do |spec|
+  spec.name    = 'global_session'
+  spec.version = GlobalSession::VERSION
+  spec.authors = ['Tony Spataro']
+  spec.email   = 'rubygems@rightscale.com'
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.require_paths = ["lib"]
-  s.authors = ["Tony Spataro"]
-  s.date = "2016-09-13"
-  s.description = "This Rack middleware allows several web apps in an authentication domain to share session state, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database."
-  s.email = "support@rightscale.com"
-  s.extra_rdoc_files = [
-    "LICENSE",
-    "README.rdoc"
-  ]
-  s.files = [
-    ".ruby-version",
-    ".travis.yml",
-    "CHANGELOG.md",
-    "LICENSE",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION",
-    "global_session.gemspec",
-    "init.rb",
-    "lib/global_session.rb",
-    "lib/global_session/configuration.rb",
-    "lib/global_session/directory.rb",
-    "lib/global_session/encoding.rb",
-    "lib/global_session/keystore.rb",
-    "lib/global_session/rack.rb",
-    "lib/global_session/rails.rb",
-    "lib/global_session/rails/action_controller_class_methods.rb",
-    "lib/global_session/rails/action_controller_instance_methods.rb",
-    "lib/global_session/session.rb",
-    "lib/global_session/session/abstract.rb",
-    "lib/global_session/session/v1.rb",
-    "lib/global_session/session/v2.rb",
-    "lib/global_session/session/v3.rb",
-    "rails/init.rb",
-    "rails_generators/global_session/USAGE",
-    "rails_generators/global_session/global_session_generator.rb",
-    "rails_generators/global_session/templates/global_session.yml.erb",
-    "rails_generators/global_session_authority/USAGE",
-    "rails_generators/global_session_authority/global_session_authority_generator.rb"
-  ]
-  s.homepage = "https://github.com/rightscale/global_session"
-  s.licenses = ["MIT"]
-  s.required_ruby_version = Gem::Requirement.new("~> 2.0")
-  s.rubygems_version = "2.2.3"
-  s.summary = "Secure single-domain session sharing plugin for Rack and Rails."
+  spec.summary = 'Reusable foundation code.'
+  spec.description = 'A toolkit of useful, reusable foundation code created by RightScale.'
+  spec.homepage = 'https://github.com/rightscale/right_support'
+  spec.license = 'MIT'
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 4
+  spec.files         = `git ls-files -z`.split("\x0").select { |f| f.match(%r{lib/|gemspec}) }
+  spec.require_paths = ['lib']
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<json>, ["~> 1.4"])
-      s.add_runtime_dependency(%q<rack-contrib>, ["~> 1.0"])
-      s.add_runtime_dependency(%q<right_support>, ["< 4.0", ">= 2.8.2"])
-      s.add_runtime_dependency(%q<simple_uuid>, [">= 0.2.0"])
-      s.add_development_dependency(%q<ruby-debug>, ["~> 0.10"])
-      s.add_development_dependency(%q<pry>, ["~> 0.10"])
-      s.add_development_dependency(%q<pry-byebug>, ["~> 2.0"])
-      s.add_development_dependency(%q<jeweler>, ["~> 1.8"])
-    else
-      s.add_dependency(%q<json>, ["~> 1.4"])
-      s.add_dependency(%q<rack-contrib>, ["~> 1.0"])
-      s.add_dependency(%q<right_support>, ["< 4.0", ">= 2.8.2"])
-      s.add_dependency(%q<simple_uuid>, [">= 0.2.0"])
-      s.add_dependency(%q<ruby-debug>, ["~> 0.10"])
-      s.add_dependency(%q<pry>, ["~> 0.10"])
-      s.add_dependency(%q<pry-byebug>, ["~> 2.0"])
-      s.add_dependency(%q<jeweler>, ["~> 1.8"])
-    end
-  else
-    s.add_dependency(%q<json>, ["~> 1.4"])
-    s.add_dependency(%q<rack-contrib>, ["~> 1.0"])
-    s.add_dependency(%q<right_support>, ["< 4.0", ">= 2.8.2"])
-    s.add_dependency(%q<simple_uuid>, [">= 0.2.0"])
-    s.add_dependency(%q<ruby-debug>, ["~> 0.10"])
-    s.add_dependency(%q<pry>, ["~> 0.10"])
-    s.add_dependency(%q<pry-byebug>, ["~> 2.0"])
-    s.add_dependency(%q<jeweler>, ["~> 1.8"])
-  end
-end
+  spec.required_ruby_version = Gem::Requirement.new('~> 2.1')
 
+  spec.add_runtime_dependency('json', ['~> 1.4'])
+  spec.add_runtime_dependency('rack-contrib', ['~> 1.0'])
+  spec.add_runtime_dependency('right_support', ['>= 2.14.1', '< 3.0'])
+  spec.add_runtime_dependency('simple_uuid', ['>= 0.2.0'])
+end

data/lib/global_session.rb

@@ -27,24 +27,26 @@ module GlobalSession
   # The general category of client-side errors. Used solely as a base class.
   class ClientError < Exception; end
 
-  # Indicates that the global session configuration file is missing from disk.
+  # Global session configuration is missing from the environment or filesystem.
   #
   class MissingConfiguration < ConfigurationError; end
 
-  # Indicates that a client submitted a request with a valid session cookie, but the
-  # session ID was reported as invalid by the Directory.
+  # The request has a valid session cookie, but the session ID was reported as
+  # invalid by the Directory.
   #
   # See Directory#valid_session? for more information.
   #
   class InvalidSession < ClientError; end
 
-  # Indicates that a client submitted a request with a valid session cookie, but the
-  # session has expired.
+  # The request has a valid session cookie, but the session has expired.
   #
   class ExpiredSession < ClientError; end
 
-  # Indicates that a client submitted a request with a session cookie that could not
-  # be decoded or decompressed.
+  # The request has a valid session cookie, but the session has expired.
+  class PrematureSession < ExpiredSession; end
+
+  # The request has a session cookie, but the cookie is malformed and cannot be
+  # interpreted as session state.
   #
   class MalformedCookie < ClientError
     attr_reader :cookie
@@ -76,6 +78,9 @@ module GlobalSession
   # information.
   #
   class NoAuthority < ConfigurationError; end
+
+  # The request has a session cookie, but its signature is invalid.
+  class InvalidSignature < SecurityError; end
 end
 
 #Make sure gem dependencies are activated.

data/lib/global_session/directory.rb

@@ -28,7 +28,7 @@ module GlobalSession
   # The default implementation is simplistic, but should be suitable for most applications.
   # Directory is designed to be specialized via subclassing. To override the behavior to
   # suit your needs, simply create a subclass of Directory and add a configuration file
-  # setting to specify the class name of your implementation:  
+  # setting to specify the class name of your implementation:
   #
   #     common:
   #       directory:
@@ -108,21 +108,23 @@ module GlobalSession
     # InvalidSession:: if the session contained in the cookie has been invalidated
     # ExpiredSession:: if the session contained in the cookie has expired
     # MalformedCookie:: if the cookie was corrupt or malformed
-    # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
+    # InvalidSignature:: if signature is invalid or cookie is not signed by a trusted authority
     def create_session(cookie=nil)
       forced_version = configuration['cookie']['version']
 
       if cookie.nil?
         # Create a legitimately new session
         case forced_version
-        when 3, nil
+        when 4
+          Session::V4.new(self, cookie)
+        when nil, 3
           Session::V3.new(self, cookie)
         when 2
           Session::V2.new(self, cookie)
         when 1
           Session::V1.new(self, cookie)
         else
-          raise ArgumentError, "Unknown value #{forced_version} for configuration.cookie.version" 
+          raise ArgumentError, "Unknown value #{forced_version} for configuration.cookie.version"
         end
       else
         warn "GlobalSession::Directory#create_session with an existing session is DEPRECATED -- use #load_session instead"
@@ -142,7 +144,7 @@ module GlobalSession
     # InvalidSession:: if the session contained in the cookie has been invalidated
     # ExpiredSession:: if the session contained in the cookie has expired
     # MalformedCookie:: if the cookie was corrupt or malformed
-    # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
+    # InvalidSignature:: if signature is invalid or cookie is not signed by a trusted authority
     def load_session(cookie)
       Session.new(self, cookie)
     end
@@ -170,7 +172,7 @@ module GlobalSession
     def local_authority_name
       @keystore.private_key_name
     end
-    
+
     # Determine whether this system trusts a particular named authority based on
     # the settings specified in Configuration and/or the presence of public key
     # files on disk.

data/lib/global_session/keystore.rb

@@ -64,11 +64,23 @@ module GlobalSession
 
     # Factory method to generate a new keypair for use with GlobalSession.
     #
+    # @param [Integer,String] parameter keylength in bits (for RSA/DSA) or curve name (for EC)
     # @raise [ArgumentError] if cryptosystem is unknown to OpenSSL
     # @return [OpenSSL::PKey::PKey] a public/private keypair
-    def self.create_keypair(cryptosystem=:RSA, keysize=1024)
+    def self.create_keypair(cryptosystem=:RSA, parameter=nil)
       factory = OpenSSL::PKey.const_get(cryptosystem)
-      factory.generate( 1024 )
+      if factory.respond_to?(:generate)
+        # parameter-free cryptosystem e.g. RSA, DSA. Default key length 1024,
+        # which is really too small, but whose signatures are quite large.
+        parameter ||= 1024
+        factory.generate( parameter )
+      else
+        # parameterized family of cryptosystems (e.g. EC). Default curve is
+        # compatible with JSON Web Signature (JWS) ES256 algorithm.
+        parameter ||= 'prime256v1'
+        alg = factory.new(parameter)
+        alg.generate_key
+      end
     rescue NameError => e
       raise ArgumentError, e.message
     end
@@ -106,9 +118,17 @@ module GlobalSession
         end
       elsif File.file?(path)
         name = File.basename(path, '.*')
-        key  = OpenSSL::PKey::RSA.new(File.read(path))
+        pem  = File.read(path)
+
+        # Deal with modern ("BEGIN PUBLIC/PRIVATE KEY") and legacy ("BEGIN RSA PUBLIC KEY") formats
+        if pem =~ /BEGIN RSA/
+          key  = OpenSSL::PKey::RSA.new(pem)
+        else
+          key  = OpenSSL::PKey.read(pem)
+        end
+
         # ignore private keys (which legacy config allowed to coexist with public keys)
-        unless key.private?
+        unless (key.private? rescue nil) || (key.private_key? rescue nil)
           if @public_keys.has_key?(name)
             raise ConfigurationError, "Duplicate public key for authority: #{name}"
           else
@@ -135,8 +155,10 @@ module GlobalSession
       if File.file?(path)
         if @private_key.nil?
           name        = File.basename(path, '.*')
-          private_key = OpenSSL::PKey::RSA.new(File.read(path))
-          raise ConfigurationError, "Expected #{key_file} to contain an RSA private key" unless private_key.private?
+          pem         = File.read(path)
+          private_key = OpenSSL::PKey.read(pem)
+
+          raise ConfigurationError, "Expected #{key_file} to contain an RSA private key" unless (private_key.private? rescue nil) || (private_key.private_key? rescue nil)
           @private_key      = private_key
           @private_key_name = name
         else

data/lib/global_session/rack.rb

@@ -298,7 +298,7 @@ module GlobalSession
           env['rack.logger'].error(msg)
         end
 
-        if e.is_a?(ClientError) || e.is_a?(SecurityError)
+        if e.is_a?(ClientError) || e.is_a?(InvalidSignature)
           env['global_session.error'] = e
           wipe_cookie(env)
         elsif e.is_a? ConfigurationError

data/lib/global_session/session.rb

@@ -7,6 +7,7 @@ require 'global_session/session/abstract'
 require 'global_session/session/v1'
 require 'global_session/session/v2'
 require 'global_session/session/v3'
+require 'global_session/session/v4'
 
 # Ladies and gentlemen: the one and only, star of the show, GLOBAL SESSION!
 #
@@ -32,20 +33,24 @@ module GlobalSession::Session
 
   # Decode a global session cookie. Use a heuristic to determine the version.
   # @raise [GlobalSession::MalformedCookie] if the cookie is not a valid serialized global session
-  def self.new(directory, cookie=nil, valid_signature_digest=nil)
+  def self.new(directory, cookie=nil)
     guess_version(cookie).new(directory, cookie)
   end
 
+  # Figure out the protocol version of a serialized session cookie.
+  #
+  # @param [String] cookie
+  # @return [Class] implementation class that can probably deserialize cookie
   def self.guess_version(cookie)
     case cookie
-    when /^WzM/ # == "[3"
+    when V4::HEADER
+      V4
+    when nil, V3::HEADER
       V3
-    when /^l9/  # == binary msgpack symbol for "beginning of array"
+    when V2::HEADER
       V2
-    when /^eN/  # == zlib-compressed form of "{"
-      V1
     else
-      V1        # due to zlib compression, there might be corner cases with the eN prefix
+      V1 # due to zlib compression, no foolproof way to spot V1 sessoins
     end
   end
 end

data/lib/global_session/session/abstract.rb

@@ -14,7 +14,7 @@ module GlobalSession::Session
     # InvalidSession:: if the session contained in the cookie has been invalidated
     # ExpiredSession:: if the session contained in the cookie has expired
     # MalformedCookie:: if the cookie was corrupt or malformed
-    # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
+    # InvalidSignature:: if signature is invalid or cookie is not signed by a trusted authority
     def initialize(directory, cookie=nil)
       @directory = directory
       @signed = {}
@@ -75,6 +75,80 @@ module GlobalSession::Session
       @cookie.nil?
     end
 
+    # Return the keys that are currently present in the global session.
+    #
+    # === Return
+    # keys(Array):: List of keys contained in the global session
+    def keys
+      @signed.keys + @insecure.keys
+    end
+
+    # Return the values that are currently present in the global session.
+    #
+    # === Return
+    # values(Array):: List of values contained in the global session
+    def values
+      @signed.values + @insecure.values
+    end
+
+    # Iterate over each key/value pair
+    #
+    # === Block
+    # An iterator which will be called with each key/value pair
+    #
+    # === Return
+    # Returns the value of the last expression evaluated by the block
+    def each_pair(&block) # :yields: |key, value|
+      @signed.each_pair(&block)
+      @insecure.each_pair(&block)
+    end
+
+    # Lookup a value by its key.
+    #
+    # === Parameters
+    # key(String):: the key
+    #
+    # === Return
+    # value(Object):: The value associated with +key+, or nil if +key+ is not present
+    def [](key)
+      key = key.to_s #take care of symbol-style keys
+      @signed[key] || @insecure[key]
+    end
+
+    # Set a value in the global session hash. If the supplied key is denoted as
+    # secure by the global session schema, causes a new signature to be computed
+    # when the session is next serialized.
+    #
+    # === Parameters
+    # key(String):: The key to set
+    # value(Object):: The value to set
+    #
+    # === Return
+    # value(Object):: Always returns the value that was set
+    #
+    # ===Raise
+    # InvalidSession:: if the session has been invalidated (and therefore can't be written to)
+    # ArgumentError:: if the configuration doesn't define the specified key as part of the global session
+    # NoAuthority:: if the specified key is secure and the local node is not an authority
+    # UnserializableType:: if the specified value can't be serialized as JSON
+    def []=(key, value)
+      key = key.to_s #take care of symbol-style keys
+      raise GlobalSession::InvalidSession unless valid?
+
+      if @schema_signed.include?(key)
+        authority_check
+        @signed[key] = value
+        @dirty_secure = true
+      elsif @schema_insecure.include?(key)
+        @insecure[key] = value
+        @dirty_insecure = true
+      else
+        raise ArgumentError, "Attribute '#{key}' is not specified in global session configuration"
+      end
+
+      return value
+    end
+
     # Determine whether the session is valid. This method simply delegates to the
     # directory associated with this session.
     #
@@ -88,7 +162,7 @@ module GlobalSession::Session
     #
     # @return [Boolean] true if something has changed
     def dirty?
-      !!(new_record? || @dirty_timestamps)
+      !!(new_record? || @dirty_timestamps || @dirty_secure || @dirty_insecure)
     end
 
     # Determine whether the global session schema allows a given key to be placed
@@ -116,6 +190,34 @@ module GlobalSession::Session
 
     alias key? has_key?
 
+    # Delete a key from the global session attributes. If the key exists,
+    # mark the global session dirty
+    #
+    # @param [String] the key to delete
+    # @return [Object] the value of the key deleted, or nil if not found
+    def delete(key)
+      key = key.to_s #take care of symbol-style keys
+      raise GlobalSession::InvalidSession unless valid?
+
+      if @schema_signed.include?(key)
+        authority_check
+
+        # Only mark dirty if the key actually exists
+        @dirty_secure = true if @signed.keys.include? key
+        value = @signed.delete(key)
+      elsif @schema_insecure.include?(key)
+
+        # Only mark dirty if the key actually exists
+        @dirty_insecure = true if @insecure.keys.include? key
+        value = @insecure.delete(key)
+      else
+        raise ArgumentError, "Attribute '#{key}' is not specified in global session configuration"
+      end
+
+      return value
+    end
+
+
     # Invalidate this session by reporting its UUID to the Directory.
     #
     # === Return
@@ -140,6 +242,10 @@ module GlobalSession::Session
 
     private
 
+    def generate_id
+      RightSupport::Data::Base64URL.encode(SecureRandom.random_bytes(8))
+    end
+
     def authority_check # :nodoc:
       unless @directory.local_authority_name
         raise GlobalSession::NoAuthority, 'Cannot change secure session attributes; we are not an authority'
@@ -155,7 +261,20 @@ module GlobalSession::Session
     end
 
     def create_invalid
-      raise NotImplementedError, "Subclass responsibility"
+      @id = nil
+      @created_at = Time.now.utc
+      @expired_at = created_at
+      @signed = {}
+      @insecure = {}
+      @authority = nil
+    end
+
+    # This is called by Object#clone and is used to augment our "shallow clone"
+    # behavior so that we don't share state hashes between clones.
+    def initialize_copy(source)
+      super
+      @signed = ::RightSupport::Data::HashTools.deep_clone2(@signed)
+      @insecure = ::RightSupport::Data::HashTools.deep_clone2(@insecure)
     end
   end
-end
+end