ibanity 2.3 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 48dd4b01d72e61f94d0f750657abe36e7598ae92cbc4112b1be54bc5385900a6
-  data.tar.gz: e2958c684d2b6e9b41474c372407cd78d2f4cc9d54ce9cb0128c68babc5eb9ce
+  metadata.gz: 319589bf55ec8cd48ca771266da34bc5374f8ebfa9ec4894c6b9b6ef7c8ca1bf
+  data.tar.gz: 5f7c0cc44590541555d51dfc96e1f1e70eabd54b19dbb14b66ffdb40f967a87d
 SHA512:
-  metadata.gz: 36edf303e46ef38ccbd09c2f45b5537f534035d39715163599dbe35c9f74e113e920146bb98fe64fb9fac1ee73ee41e448a60a35a608ed54ea7a6844a444eb9f
-  data.tar.gz: 94fb8e370e15e770fbb2791496ed7fac35ef1e4936ee38f020ce8c0556dedd9e02d572014ac490bb08ff1da0984f439e912bcd4f1a75405b5d74b8c48693ee38
+  metadata.gz: 31ec94ee483bc7926d7a66dbb59a34d8bfcdec5e27daedcd7599a53b54c80611ff4d829a1f634b6d6c3c033592e321ab1faf9638c2e52fa00a7664aeac996250
+  data.tar.gz: 6f8bd1c3ff75e41c7e32178e9f060896de45245ec6fb8261cd406432eae62653071b4babbf5dd93d976978d63d3dab70e51f4bd3ade1afbcfbd22c753a567179

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.3.1
+
+* Migrate from Jose to JWT gem following incompatibly with OpenSSL 3. Only used in webhooks signature validation.
+
 ## 2.3
 
 * [Ponto Connect] Add IntegrationAccount

data/ibanity.gemspec

@@ -19,6 +19,6 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "rest-client", ">= 1.8.0"
-  spec.add_dependency "jose", ">= 1.1.3"
+  spec.add_dependency "jwt", ">= 2.0.0"
   spec.add_development_dependency "rspec", "3.9.0"
 end

data/lib/ibanity/version.rb

@@ -1,3 +1,3 @@
 module Ibanity
-  VERSION = "2.3"
+  VERSION = "2.3.1"
 end

data/lib/ibanity/webhook.rb

@@ -26,66 +26,56 @@ module Ibanity
       #
       # Returns true otherwise
       def self.verify!(payload, signature_header, tolerance)
-        begin
-          key_details = JOSE::JWT.peek_protected(signature_header).to_hash
-          raise unless key_details["alg"] == SIGNING_ALGORITHM && key_details["kid"]
-        rescue
-          raise Ibanity::Error.new("Key details could not be parsed from the header", nil)
-        end
-
-        key = Ibanity.webhook_keys.find { |key| key.kid == key_details["kid"] }
+        jwks_loader = ->(options) do
+          raise Ibanity::Error.new("The key id from the header didn't match an available signing key", nil) if options[:kid_not_found]
 
-        if key.nil?
-          raise Ibanity::Error.new("The key id from the header didn't match an available signing key", nil)
+          keys = Ibanity.webhook_keys.select { |key| key.use == "sig" }
+                                     .map { |key| JWT::JWK.new(key.to_h {|key, value| [key.to_s, value] }) }
+          JWT::JWK::Set.new(keys)
         end
-        signer = JOSE::JWK.from(key.to_h {|key, value| [key.to_s, value] })
-        verified, claims_string, _jws = JOSE::JWT.verify_strict(signer, [SIGNING_ALGORITHM], signature_header)
-
-        raise Ibanity::Error.new("The signature verification failed", nil) unless verified
 
-        jwt = JOSE::JWT.from(claims_string)
+        options = {
+          aud: Ibanity.client.application_id,
+          algorithm: SIGNING_ALGORITHM,
+          exp_leeway: tolerance,
+          iss: Ibanity.client.base_uri,
+          jwks: jwks_loader,
+          verify_aud: true,
+          verify_iss: true
+        }
+        jwts = JWT.decode(signature_header, nil, true, options)
+        jwt = jwts.first
 
         validate_digest!(jwt, payload)
         validate_issued_at!(jwt, tolerance)
-        validate_expiration!(jwt, tolerance)
-        validate_issuer!(jwt)
-        validate_audience!(jwt)
 
         true
+      rescue JWT::ExpiredSignature
+        raise_invalid_signature_error!("exp")
+      rescue JWT::IncorrectAlgorithm
+        raise Ibanity::Error.new("Incorrect algorithm for signature", nil)
+      rescue JWT::InvalidAudError
+        raise_invalid_signature_error!("aud")
+      rescue JWT::InvalidIssuerError
+        raise_invalid_signature_error!("iss")
+      rescue JWT::DecodeError
+        raise Ibanity::Error.new("The signature verification failed", nil)
       end
 
       private
 
       def self.validate_digest!(jwt, payload)
-        unless Digest::SHA512.base64digest(payload) == jwt.fields["digest"]
+        unless Digest::SHA512.base64digest(payload) == jwt["digest"]
           raise_invalid_signature_error!("digest")
         end
       end
 
       def self.validate_issued_at!(jwt, tolerance)
-        unless jwt.fields["iat"] <= Time.now.to_i + tolerance
+        unless jwt["iat"] <= Time.now.to_i + tolerance
           raise_invalid_signature_error!("iat")
         end
       end
 
-      def self.validate_expiration!(jwt, tolerance)
-        unless jwt.fields["exp"] >= Time.now.to_i - tolerance
-          raise_invalid_signature_error!("exp")
-        end
-      end
-
-      def self.validate_issuer!(jwt)
-        unless jwt.fields["iss"] == Ibanity.client.base_uri
-          raise_invalid_signature_error!("iss")
-        end
-      end
-
-      def self.validate_audience!(jwt)
-        unless jwt.fields["aud"] == Ibanity.client.application_id
-          raise_invalid_signature_error!("aud")
-        end
-      end
-
       def self.raise_invalid_signature_error!(field)
         raise Ibanity::Error.new("The signature #{field} is invalid", nil)
       end

data/lib/ibanity.rb

@@ -4,7 +4,7 @@ require "uri"
 require "rest_client"
 require "json"
 require "securerandom"
-require "jose"
+require "jwt"
 
 require_relative "ibanity/util"
 require_relative "ibanity/error"

data/spec/lib/ibanity/webhook_signature_spec.rb

@@ -0,0 +1,75 @@
+require 'ibanity'
+
+RSpec.describe Ibanity::Webhook::Signature do
+  subject(:signature_module) { described_class }
+
+  let(:client) { instance_double("Ibanity::Client") }
+
+  before do
+    allow(Ibanity).to receive(:client).and_return(client)
+    allow(Ibanity).to receive(:webhook_keys).and_return(
+      [
+        Ibanity::Webhooks::Key.new(
+          alg: "RS512",
+          e: "AQAB",
+          kid: "sandbox_events_signature_1",
+          kty: "RSA",
+          n: "v9qVZmotpil47Pw2NOmP11bpE5B_GtG6ICfqtm13Uusa4asf4FWedclr-kQTV2Ly5rSItq2f3RGRNyove_4TiTIbx21rwM5HP0iFhlVaqHjkr1iSmKzCFojOnTM4UwKQNROhDVDC6TWIzSafZkBacUrCX5l0PLSh2aEK8aiopu5ajYpOr8Ipjw_mbKXxBfcxtjgskbXPyEcf6xlB_Dygl9-btAvRTKiuie4qAWANTdVAgSnddjZMJxFnndZMCH1h-z4ISwphBYbwG2aZrZ7RfHnoIROxsdmKeostYtHy3gMR4_poufzFRR8lpvODd3m7lzdXKBTCvzlQYBNpmf6gmG9p08laE-h67F1GoqvuqspcvRlVpGZEzEwRIbPMAaS4_omCSj4HFZyo58PLUsAp--AD8GGFfVMyBdFhTEkr2235O5AP4UMdHuvyP-NPFCsqibqKK1GIl_Hy0UXnqg7-MCGqs4jX1k4IZZ3wDwza30f1O6tUtaOT8YXzZ2ZWnVWyMLcNx6gep8t3A7gTzEXcselrJgO6SLFRhYA0QmtIRtTwnl-8OmjEi5AJVzO0e-yiRj7g_JLEmgG3pDwmvbiXzEqkY5mPqJMB9G5qcd0SWgvvZs02_1tRRhvw0D5BTKfcEcLW9PKm8Nts1_BGSXKOhTSeQgxuw4iC63ST3dtpl-0=",
+          status: "ACTIVE",
+          use: "sig"
+        )
+      ]
+    )
+    allow(client).to receive(:application_id).and_return("e643b5be-ccb1-4a38-b7b6-36689853bef5")
+    allow(client).to receive(:base_uri).and_return("https://api.ibanity.com")
+  end
+
+  describe ".verify!" do
+    let(:payload) { Fixture.load_unparsed_json("webhooks/example_payload.json") }
+    let(:signature) { Fixture.load_signature("webhooks/example_signature.sig") }
+    let(:tolerance) { Time.now.to_i + 10 - 1691670985 }
+
+    it "returns true for a correct signature" do
+      expect(signature_module.verify!(payload, signature, tolerance)).to be_truthy
+    end
+
+    it "raises an error if the contents are altered" do
+      expect do
+        signature_module.verify!(payload + "altered", signature, tolerance)
+      end.to raise_error(Ibanity::Error, /The signature digest is invalid/)
+    end
+
+    it "raises an error if the signature is expired" do
+      expect do
+        signature_module.verify!(payload, signature, 0)
+      end.to raise_error(Ibanity::Error, /The signature exp is invalid/)
+    end
+
+    it "raises an error if the audience is invalid" do
+      allow(client).to receive(:application_id).and_return("invalid")
+      expect do
+        signature_module.verify!(payload, signature, tolerance)
+      end.to raise_error(Ibanity::Error, /The signature aud is invalid/)
+    end
+
+    it "raises an error if the issuer is invalid" do
+      allow(client).to receive(:base_uri).and_return("invalid")
+      expect do
+        signature_module.verify!(payload, signature, tolerance)
+      end.to raise_error(Ibanity::Error, /The signature iss is invalid/)
+    end
+
+    it "raises an error if the signing key is unavailable" do
+      allow(Ibanity).to receive(:webhook_keys).and_return([])
+      expect do
+        signature_module.verify!(payload, signature, tolerance)
+      end.to raise_error(Ibanity::Error, /The key id from the header didn't match an available signing key/)
+    end
+
+    it "raises an error if the signature is altered" do
+      expect do
+        signature_module.verify!(payload, signature + "altered", tolerance)
+      end.to raise_error(Ibanity::Error, /The signature verification failed/)
+    end
+  end
+end

data/spec/support/fixture.rb

@@ -5,4 +5,14 @@ module Fixture
     path = Pathname([File.dirname(__FILE__ ), "fixtures", "json", filename].join("/"))
     JSON.parse(File.read(path))
   end
+
+  def self.load_unparsed_json(filename)
+    path = Pathname([File.dirname(__FILE__ ), "fixtures", "json", filename].join("/"))
+    File.read(path)
+  end
+
+  def self.load_signature(filename)
+    path = Pathname([File.dirname(__FILE__ ), "fixtures", "signature", filename].join("/"))
+    File.read(path)
+  end
 end

data/spec/support/fixtures/json/webhooks/example_payload.json

@@ -0,0 +1 @@
+{"data":{"attributes":{"createdAt":"2023-08-10T12:24:42.224Z","synchronizationSubtype":"accountTransactions"},"id":"3465fd2f-6c9a-484e-971e-56bf44c9181a","relationships":{"account":{"data":{"id":"1d89d411-e310-4802-bbb7-aad7d98371e7","type":"account"}},"organization":{"data":{"id":"9315d6b3-129a-481a-9604-e2a95e0f967d","type":"organization"}},"synchronization":{"data":{"id":"178b59a6-679f-43d4-b5ad-28caea0bc08b","type":"synchronization"}}},"type":"pontoConnect.synchronization.succeededWithoutChange"}}

data/spec/support/fixtures/signature/webhooks/example_signature.sig

@@ -0,0 +1 @@
+eyJhbGciOiJSUzUxMiIsImtpZCI6InNhbmRib3hfZXZlbnRzX3NpZ25hdHVyZV8xIn0.eyJhdWQiOiJlNjQzYjViZS1jY2IxLTRhMzgtYjdiNi0zNjY4OTg1M2JlZjUiLCJkaWdlc3QiOiJDZEJPWGwzMGsyM0lsVVdkM2JPL1FtazhXek5lN1NERjVCV3FUQnIyVzQ0VjlqRnhjZW4wSEFHVGsra0Nka0NjWVZsRW9PYmtZM0JCc2lPRnNFV0hIUT09IiwiZXhwIjoxNjkxNjcwOTg1LCJpYXQiOjE2OTE2NzA5MjUsImlzcyI6Imh0dHBzOi8vYXBpLmliYW5pdHkuY29tIiwianRpIjoiMWMyOTNkNTYtOTk1Yi00NDg5LTlhODMtMDEzZTg2ZTk4NjQ2In0.ooEZQDTfGmfYr5DmD7wVxdIN_0YXDBiwwL1_fFwSlTiIcr8vehAbDtcsyf3XrycySkUbWvtZYbhYXJw1BH4eDKdhCd2MnrxNX8BzxEjbAKzsGTT4l1YnrbBEIfcL_Z3qCzxJOzWErkSAgIi1XbiNFbw1YTU0c_Y0bBwxY6EEZgQVpG0-OXbzxhT7GRnsdSmYCAEkbLUzhRDj37fOz0oTfuimn04ANqVNJbTrOnQ2md_lOIS1XWl_WaDrk8pExUQ5JQii7dIxnzaHLB5J6U8zAOUchNLYJW1tcJmpVE_3baO_W6MvsWfEG9wY5Jud55WsnSHOOA4ak0KQJx3owqXt3uzlKH0MjPe6UeuJagZo1nXPW8IV6QCyvqtJ6TMwXqN67GHzh2YTS-Ct7qFxgHKFutlSfBfV4PaTTRd0ywqgTIVXY9P_hQmTSL_J0WiTg_2Di0ty10ehCau9rF1Bmpf2ZnSMK2Rr4JRPIMnFQsU-W5jZbZNF_tDaECzzkDoZgMDRrQT1TsdfSWU-XWG2f0ytiHKVcFJE9mMd25b2SJ6rx2e-TZaQwb5jO61uL1Q8zjvPWqofWZ5emiby9FWNFS-0fqF0UUJdlb7XU1fo_cQi0q4pYGgN2_2sgNETXr99zcTT2vpCf9x9RZGUzXne_WhZP_gp49m0kTX1W0s8O_2g2Do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ibanity
 version: !ruby/object:Gem::Version
-  version: '2.3'
+  version: 2.3.1
 platform: ruby
 authors:
 - Ibanity
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-20 00:00:00.000000000 Z
+date: 2023-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -25,19 +25,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.8.0
 - !ruby/object:Gem::Dependency
-  name: jose
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -136,6 +136,7 @@ files:
 - spec/lib/ibanity/base_resource_spec.rb
 - spec/lib/ibanity/http_signature_spec.rb
 - spec/lib/ibanity/util_spec.rb
+- spec/lib/ibanity/webhook_signature_spec.rb
 - spec/spec_helper.rb
 - spec/support/crypto_helper.rb
 - spec/support/fixture.rb
@@ -143,9 +144,11 @@ files:
 - spec/support/fixtures/json/relationships/data_without_type.json
 - spec/support/fixtures/json/relationships/meta_with_type.json
 - spec/support/fixtures/json/relationships/no_links_related.json
+- spec/support/fixtures/json/webhooks/example_payload.json
 - spec/support/fixtures/signature/test-certificate.pem
 - spec/support/fixtures/signature/test-private_key.pem
 - spec/support/fixtures/signature/test-public_key.pem
+- spec/support/fixtures/signature/webhooks/example_signature.sig
 homepage: https://documentation.ibanity.com/api/ruby
 licenses:
 - MIT
@@ -173,6 +176,7 @@ test_files:
 - spec/lib/ibanity/base_resource_spec.rb
 - spec/lib/ibanity/http_signature_spec.rb
 - spec/lib/ibanity/util_spec.rb
+- spec/lib/ibanity/webhook_signature_spec.rb
 - spec/spec_helper.rb
 - spec/support/crypto_helper.rb
 - spec/support/fixture.rb
@@ -180,6 +184,8 @@ test_files:
 - spec/support/fixtures/json/relationships/data_without_type.json
 - spec/support/fixtures/json/relationships/meta_with_type.json
 - spec/support/fixtures/json/relationships/no_links_related.json
+- spec/support/fixtures/json/webhooks/example_payload.json
 - spec/support/fixtures/signature/test-certificate.pem
 - spec/support/fixtures/signature/test-private_key.pem
 - spec/support/fixtures/signature/test-public_key.pem
+- spec/support/fixtures/signature/webhooks/example_signature.sig