inst_access 0.4.1 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3725e7d832fcddd123708c45dadc6541942fbd9dd01828a5b263aa76f9f048ef
-  data.tar.gz: aa296914f1621d6b2f54829b3659b8ede1c719a89ea6357b9c65a8b4ce825990
+  metadata.gz: a559457afcb20a5ef4814c6320932e837a2c40713956ca89c72dbae487e41a47
+  data.tar.gz: a075d8e49d0244b3a2a36b7246500f4bbd833cdacc954b5320e066164824a822
 SHA512:
-  metadata.gz: 3fb2fbe2884970be8de2a6a82b6a8b7011631f1243ab3accb9b547396591ada3a6f2741644ee4d1e2bf2cd598a434b2e978ec5ce93998ef0ff35ee69f5f2dabd
-  data.tar.gz: 8d64e7490c1a4ae99216a94c6cd4b18227daec66d96111ba4497713ab8fb3300ee176318f24eb3dd18eab89efe8afef67949a35facca09103e9cd36c8c6d1f31
+  metadata.gz: d0de198d5e310d3262dbe9bb558b2fee295dba2977e50b83cfdd4cb5e54d8582f8de9d209e2c0c3d590a84456c367a40b030e574cf0ccbcd5ee99a7572a33322
+  data.tar.gz: 97d977d4b0a4f83b93702d3b71635629ba710046f23dcd71f3f7ff333c15ed5eca5263dfccd667adc2f2397fb35e95e0cc7d25482276870d2fda6d87899d3ec3

data/lib/inst_access/config.rb

@@ -22,14 +22,16 @@ require 'openssl'
 
 module InstAccess
   class Config
-    attr_reader :signing_key
+    attr_reader :signing_key, :issuers, :service_jwks
 
-    def initialize(raw_signing_key, raw_encryption_key = nil)
+    def initialize(raw_signing_key, raw_encryption_key = nil, issuers: nil, service_jwks: [])
       @signing_key = OpenSSL::PKey::RSA.new(raw_signing_key)
       if raw_encryption_key
         @encryption_key = OpenSSL::PKey::RSA.new(raw_encryption_key)
         raise ArgumentError, 'the encryption key should be a public RSA key' if @encryption_key.private?
       end
+      @issuers = issuers
+      @service_jwks = service_jwks
     rescue OpenSSL::PKey::RSAError => e
       raise ArgumentError, e
     end

data/lib/inst_access/token.rb

@@ -62,6 +62,10 @@ module InstAccess
       jwt_payload[:instructure_service] == true
     end
 
+    def canvas_shard_id
+      jwt_payload[:canvas_shard_id]
+    end
+
     def jti
       jwt_payload[:jti]
     end
@@ -101,14 +105,16 @@ module InstAccess
         real_user_global_id: nil,
         region: nil,
         client_id: nil,
-        instructure_service: nil
+        instructure_service: nil,
+        canvas_shard_id: nil,
+        issuer: nil
       )
         raise ArgumentError, 'Must provide user uuid and account uuid' if user_uuid.blank? || account_uuid.blank?
 
         now = Time.now.to_i
 
         payload = {
-          iss: ISSUER,
+          iss: issuer || ISSUER,
           jti: SecureRandom.uuid,
           iat: now,
           exp: now + 1.hour.to_i,
@@ -121,7 +127,8 @@ module InstAccess
           debug_masq_global_id: real_user_global_id&.to_s,
           region: region,
           client_id: client_id,
-          instructure_service: instructure_service
+          instructure_service: instructure_service,
+          canvas_shard_id: canvas_shard_id
         }.compact
 
         new(payload)
@@ -130,8 +137,17 @@ module InstAccess
 
       # Takes an unencrypted (but signed) token string
       def from_token_string(jws)
+        service_jwks = InstAccess.config.service_jwks
+        jwt = if service_jwks.present?
+          begin
+            JSON::JWT.decode(jws, service_jwks)
+          rescue StandardError
+            nil
+          end
+        end
+
         sig_key = InstAccess.config.signing_key
-        jwt = begin
+        jwt ||= begin
           JSON::JWT.decode(jws, sig_key)
         rescue StandardError => e
           raise InvalidToken, e
@@ -143,7 +159,8 @@ module InstAccess
 
       def token?(string)
         jwt = JSON::JWT.decode(string, :skip_verification)
-        jwt[:iss] == ISSUER
+        issuers = InstAccess.configured? && (issuers = InstAccess.config.issuers)
+        issuers ? issuers.include?(jwt[:iss]) : jwt[:iss] == ISSUER
       rescue StandardError
         false
       end

data/lib/inst_access/version.rb

@@ -19,5 +19,5 @@
 #
 
 module InstAccess
-  VERSION = '0.4.1'
+  VERSION = '0.4.3'
 end

data/lib/inst_access.rb

@@ -32,15 +32,15 @@ module InstAccess
     # consuming tokens, it can be the RSA public key corresponding to the
     # private key that signed them.
     # encryption_key is only required if you are going to be producing tokens.
-    def configure(signing_key:, encryption_key: nil)
-      @config = Config.new(signing_key, encryption_key)
+    def configure(signing_key:, encryption_key: nil, issuers: nil, service_jwks: nil)
+      @config = Config.new(signing_key, encryption_key, issuers: issuers, service_jwks: service_jwks)
     end
 
     # set a configuration only for the duration of the given block, then revert
     # it.  useful for testing.
-    def with_config(signing_key:, encryption_key: nil)
+    def with_config(signing_key:, encryption_key: nil, issuers: nil, service_jwks: nil)
       old_config = @config
-      configure(signing_key: signing_key, encryption_key: encryption_key)
+      configure(signing_key: signing_key, encryption_key: encryption_key, issuers: issuers, service_jwks: service_jwks)
       yield
     ensure
       @config = old_config
@@ -49,5 +49,9 @@ module InstAccess
     def config
       @config || raise(ConfigError, 'InstAccess is not configured!')
     end
+
+    def configured?
+      @config.present?
+    end
   end
 end

data/spec/inst_access/inst_access_spec.rb

@@ -44,4 +44,16 @@ describe InstAccess do
       end.to raise_error(ArgumentError)
     end
   end
+
+  describe '.configured?' do
+    it 'returns false if not configured' do
+      expect(described_class.configured?).to eq(false)
+    end
+
+    it 'returns true if configured' do
+      InstAccess.with_config(signing_key: signing_priv_key) do
+        expect(described_class.configured?).to eq(true)
+      end
+    end
+  end
 end

data/spec/inst_access/token_spec.rb

@@ -28,10 +28,12 @@ describe InstAccess::Token do
   let(:signing_pub_key) { signing_keypair.public_key.to_s }
   let(:encryption_priv_key) { encryption_keypair.to_s }
   let(:encryption_pub_key) { encryption_keypair.public_key.to_s }
+  let(:issuers) {}
+  let(:issuer) {}
 
-  let(:a_token) { described_class.for_user(user_uuid: 'user-uuid', account_uuid: 'acct-uuid') }
+  let(:a_token) { described_class.for_user(user_uuid: 'user-uuid', account_uuid: 'acct-uuid', issuer: issuer) }
   let(:unencrypted_token) do
-    InstAccess.with_config(signing_key: signing_priv_key) do
+    InstAccess.with_config(signing_key: signing_priv_key, issuers: issuers) do
       a_token.to_unencrypted_token_string
     end
   end
@@ -41,7 +43,7 @@ describe InstAccess::Token do
       expect(described_class.token?('asdf1234stuff')).to eq(false)
     end
 
-    it 'returns false for JWTs from a different issuer' do
+    it 'returns false for JWTs from an issuer not in the list' do
       jwt = JSON::JWT.new(iss: 'bridge').to_s
       expect(described_class.token?(jwt)).to eq(false)
     end
@@ -50,6 +52,19 @@ describe InstAccess::Token do
       expect(described_class.token?(unencrypted_token)).to eq(true)
     end
 
+    context 'with issuers configured' do
+      let(:issuers) { ['token_from_other_service'] }
+      let(:issuer) { 'token_from_other_service' }
+
+      it 'returns true for JWTs from an issuer in the list' do
+        jwt = JSON::JWT.decode(unencrypted_token, :skip_verification)
+        expect(jwt[:iss]).to eq('token_from_other_service')
+        InstAccess.with_config(signing_key: signing_priv_key, issuers: issuers) do
+          expect(described_class.token?(unencrypted_token)).to eq(true)
+        end
+      end
+    end
+
     it 'returns true for an expired InstAccess token' do
       token = unencrypted_token # instantiate it to set the expiration
       Timecop.travel(3601) do
@@ -87,7 +102,8 @@ describe InstAccess::Token do
         real_user_shard_id: 5,
         region: 'us-west-2',
         client_id: 'client-id',
-        instructure_service: true
+        instructure_service: true,
+        canvas_shard_id: 3
       )
       expect(id.canvas_domain).to eq('z.instructure.com')
       expect(id.masquerading_user_uuid).to eq('masq-id')
@@ -95,6 +111,7 @@ describe InstAccess::Token do
       expect(id.region).to eq('us-west-2')
       expect(id.client_id).to eq('client-id')
       expect(id.instructure_service?).to eq true
+      expect(id.canvas_shard_id).to eq(3)
     end
 
     it 'generates a unique jti' do
@@ -110,7 +127,8 @@ describe InstAccess::Token do
         real_user_shard_id: 5,
         region: 'us-west-2',
         client_id: 'client-id',
-        instructure_service: true
+        instructure_service: true,
+        canvas_shard_id: 3
       )
 
       expect(id.jti).to eq uuid
@@ -186,6 +204,17 @@ describe InstAccess::Token do
         end.to raise_error(InstAccess::InvalidToken)
       end
     end
+
+    it '.from_token_string decodes a token signed by a key in a configured JSON::JWK::Set' do
+      jwk = JSON::JWK.new(kid: 'token_from_other_service/file_authorization', k: 'hmac_secret', kty: 'oct')
+      payload = { sub: 'user-uuid', account_uuid: 'acct-uuid', issuer: 'other_service', exp: 5.minutes.from_now }
+      jws = JSON::JWT.new(payload).sign(jwk).to_s
+      jwk_set = JSON::JWK::Set.new([jwk])
+      InstAccess.with_config(signing_key: signing_priv_key, issuers: ['other_service'], service_jwks: jwk_set) do
+        token = described_class.from_token_string(jws)
+        expect(token.user_uuid).to eq('user-uuid')
+      end
+    end
   end
 
   context 'when configured for token generation' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inst_access
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.3
 platform: ruby
 authors:
 - Michael Ziwisky
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-09-06 00:00:00.000000000 Z
+date: 2024-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport