json-jwt 1.13.0 → 1.15.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e18796342211bf21448b9bb5b43749894717bc0a270ae7e1679efbbaa387fc4b
-  data.tar.gz: 19b56b26f69a78d2b3ac842865571b973426006b371674ebb6f19cfaf9156385
+  metadata.gz: 0bc8f7f5b23b61360c4b6a72c253b52beb5f7226ebf441d6a6561729155ea55d
+  data.tar.gz: 7175e7ea9121d74d633bb32ce6f88e2d50ddbc3b0109426c562508e40a119727
 SHA512:
-  metadata.gz: 90e611ff8e6f87f4b4008c15839008b0eaea3abf498e1d40dcfb875c99c7212d558d38ea5e93f74e3dcbfb4c0f05d29d712b8e64152179ccd02602b6ec79c8ca
-  data.tar.gz: 82eb46ca549465d81027f9953f2cde953a582a7912e534a828b1114c78e1f469c9e03c9ebfb6b6609bddf11e1686defe10134fe287ed2b5768e05b8a3b53babf
+  metadata.gz: f169ddb8eafd2b66e84c8fd32328793e040477a376ab7dfedef29990d330afa667f5f563bc540a0479b095cc2c16cb38b6bb7a7a6c9842656ea41425e63c87b7
+  data.tar.gz: 53e010725185c4acab07988025b1dd70d7def52f27c285ed502a21f1d8e8ad1eedca780db14378824ff7891fbd852265b06a2256281c5a07d40545487ad9241c

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: nov

data/.github/workflows/test_ruby.yml

@@ -0,0 +1,30 @@
+name: Test Ruby
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        os: ['ubuntu-20.04']
+        ruby-version: ['2.6', '2.7', '3.0', '3.1']
+        # ubuntu 22.04 only supports ssl 3 and thus only ruby 3.1
+        include:
+        - os: 'ubuntu-22.04'
+          ruby-version: '3.1'
+    runs-on: ${{ matrix.os }}
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    - name: Run tests
+      run: bundle exec rake

data/.gitmodules

@@ -1,3 +1,3 @@
 [submodule "spec/helpers/json-jwt-nimbus"]
 	path = spec/helpers/json-jwt-nimbus
-	url = git://github.com/nov/json-jwt-nimbus.git
+	url = https://github.com/nov/json-jwt-nimbus.git

data/.travis.yml

@@ -3,9 +3,10 @@ before_install:
   - git submodule update --init --recursive
 
 rvm:
-  - 2.5.8
-  - 2.6.6
-  - 2.7.1
+  - 2.6.10
+  - 2.7.6
+  - 3.0.4
+  - 3.1.2
 
 jdk:
   - openjdk11

data/README.md

@@ -49,6 +49,17 @@ input = "jwt_header.jwt_claims.jwt_signature"
 JSON::JWT.decode(input, public_key)
 ```
 
+If you need to get a JWK from `jwks_uri` of OpenID Connect IdP, you can use `JSON::JWK::Set::Fetcher` to fetch (& optionally cache) it.
+
+```ruby
+# JWK Set Fetching & Caching
+# NOTE: Optionally by setting cache instance, JWKs are cached by kid.
+JSON::JWK::Set::Fetcher.cache = Rails.cache
+
+JSON::JWK::Set::Fetcher.fetch(jwks_uri, kid: kid)
+# => returns JSON::JWK instance or raise JSON::JWK::Set::KidNotFound
+```
+
 For more details, read [Documentation Wiki](https://github.com/nov/json-jwt/wiki).
 
 ## Note on Patches/Pull Requests

data/VERSION

@@ -1 +1 @@
-1.13.0
+1.15.3

data/json-jwt.gemspec

@@ -16,8 +16,10 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'activesupport', '>= 4.2'
   gem.add_runtime_dependency 'bindata'
   gem.add_runtime_dependency 'aes_key_wrap'
+  gem.add_runtime_dependency 'httpclient'
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'webmock'
   gem.add_development_dependency 'rspec'
   gem.add_development_dependency 'rspec-its'
 end

data/lib/json/jose.rb

@@ -26,9 +26,7 @@ module JSON
       when JSON::JWK
         key.to_key
       when JSON::JWK::Set
-        key.detect do |jwk|
-          jwk[:kid] && jwk[:kid] == kid
-        end&.to_key or raise JWK::Set::KidNotFound
+        key[kid]&.to_key or raise JWK::Set::KidNotFound
       else
         key
       end

data/lib/json/jwk/set/fetcher/debugger/request_filter.rb

@@ -0,0 +1,34 @@
+module JSON
+  class JWK
+    class Set
+      module Fetcher
+        module Debugger
+          class RequestFilter
+            # Callback called in HTTPClient (before sending a request)
+            # request:: HTTP::Message
+            def filter_request(request)
+              started = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST STARTED ======="
+              log started, request.dump
+            end
+
+            # Callback called in HTTPClient (after received a response)
+            # request::  HTTP::Message
+            # response:: HTTP::Message
+            def filter_response(request, response)
+              finished = "======= [JSON::JWK::Set::Fetcher] HTTP REQUEST FINISHED ======="
+              log '-' * 50, response.dump, finished
+            end
+
+            private
+
+            def log(*outputs)
+              outputs.each do |output|
+                JSON::JWK::Set::Fetcher.logger.info output
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/json/jwk/set/fetcher.rb

@@ -0,0 +1,87 @@
+module JSON
+  class JWK
+    class Set
+      module Fetcher
+        class Cache
+          def fetch(cache_key, options = {})
+            yield
+          end
+        end
+
+        def self.logger
+          @@logger
+        end
+        def self.logger=(logger)
+          @@logger = logger
+        end
+        self.logger = Logger.new(STDOUT)
+        self.logger.progname = 'JSON::JWK::Set::Fetcher'
+
+        def self.debugging?
+          @@debugging
+        end
+        def self.debugging=(boolean)
+          @@debugging = boolean
+        end
+        def self.debug!
+          self.debugging = true
+        end
+        def self.debug(&block)
+          original = self.debugging?
+          debug!
+          yield
+        ensure
+          self.debugging = original
+        end
+        self.debugging = false
+
+        def self.http_client
+          _http_client_ = HTTPClient.new(
+            agent_name: "JSON::JWK::Set::Fetcher (#{JSON::JWT::VERSION})"
+          )
+
+          # NOTE: httpclient gem seems stopped maintaining root certtificate set, use OS default.
+          _http_client_.ssl_config.clear_cert_store
+          _http_client_.ssl_config.cert_store.set_default_paths
+
+          _http_client_.request_filter << Debugger::RequestFilter.new if debugging?
+          http_config.try(:call, _http_client_)
+          _http_client_
+        end
+        def self.http_config(&block)
+          @@http_config ||= block
+        end
+
+        def self.cache=(cache)
+          @@cache = cache
+        end
+        def self.cache
+          @@cache
+        end
+        self.cache = Cache.new
+
+        def self.fetch(jwks_uri, kid:, auto_detect: true, **options)
+          cache_key = [
+            'json:jwk:set',
+            OpenSSL::Digest::MD5.hexdigest(jwks_uri),
+            kid
+          ].collect(&:to_s).join(':')
+
+          jwks = Set.new(
+            JSON.parse(
+              cache.fetch(cache_key, options) do
+                http_client.get_content(jwks_uri)
+              end
+            )
+          )
+
+          if auto_detect
+            jwks[kid] or raise KidNotFound
+          else
+            jwks
+          end
+        end
+      end
+    end
+  end
+end

data/lib/json/jwk/set.rb

@@ -19,6 +19,12 @@ module JSON
         'application/jwk-set+json'
       end
 
+      def [](kid)
+        detect do |jwk|
+          jwk[:kid] && jwk[:kid] == kid
+        end
+      end
+
       def as_json(options = {})
         # NOTE: Array.new wrapper is requied to avoid CircularReferenceError
         {keys: Array.new(self)}

data/lib/json/jwk.rb

@@ -101,22 +101,29 @@ module JSON
           OpenSSL::BN.new Base64.urlsafe_decode64(self[key]), 2
         end
       end
-      key = OpenSSL::PKey::RSA.new
-      if key.respond_to? :set_key
-        key.set_key n, e, d
-        key.set_factors p, q if p && q
-        key.set_crt_params dp, dq, qi if dp && dq && qi
-      else
-        key.e = e
-        key.n = n
-        key.d = d if d
-        key.p = p if p
-        key.q = q if q
-        key.dmp1 = dp if dp
-        key.dmq1 = dq if dq
-        key.iqmp = qi if qi
+
+      # Public key
+      data_sequence = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(n),
+        OpenSSL::ASN1::Integer(e),
+      ])
+
+      if d && p && q && dp && dq && qi
+        data_sequence = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(0),
+          OpenSSL::ASN1::Integer(n),
+          OpenSSL::ASN1::Integer(e),
+          OpenSSL::ASN1::Integer(d),
+          OpenSSL::ASN1::Integer(p),
+          OpenSSL::ASN1::Integer(q),
+          OpenSSL::ASN1::Integer(dp),
+          OpenSSL::ASN1::Integer(dq),
+          OpenSSL::ASN1::Integer(qi),
+        ])
       end
-      key
+
+      asn1 = OpenSSL::ASN1::Sequence(data_sequence)
+      OpenSSL::PKey::RSA.new(asn1.to_der)
     end
 
     def to_ec_key
@@ -137,13 +144,32 @@ module JSON
           Base64.urlsafe_decode64(self[key])
         end
       end
-      key = OpenSSL::PKey::EC.new curve_name
-      key.private_key = OpenSSL::BN.new(d, 2) if d
-      key.public_key = OpenSSL::PKey::EC::Point.new(
+
+      point = OpenSSL::PKey::EC::Point.new(
         OpenSSL::PKey::EC::Group.new(curve_name),
         OpenSSL::BN.new(['04' + x.unpack('H*').first + y.unpack('H*').first].pack('H*'), 2)
       )
-      key
+
+      # Public key
+      data_sequence = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+          OpenSSL::ASN1::ObjectId(curve_name)
+        ]),
+        OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+      ])
+
+      if d
+        # Private key
+        data_sequence = OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(1),
+          OpenSSL::ASN1::OctetString(OpenSSL::BN.new(d, 2).to_s(2)),
+          OpenSSL::ASN1::ObjectId(curve_name, 0, :EXPLICIT),
+          OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+        ])
+      end
+
+      OpenSSL::PKey::EC.new(data_sequence.to_der)
     end
   end
 end

data/lib/json/jws.rb

@@ -156,8 +156,8 @@ module JSON
       when 512
         :secp521r1
       end
-      key.group = OpenSSL::PKey::EC::Group.new group_name.to_s
-      key.check_key
+      newkey = OpenSSL::PKey::EC.generate(group_name.to_s)
+      newkey.check_key
     end
 
     def raw_to_asn1(signature, public_key)

data/lib/json/jwt.rb

@@ -1,11 +1,16 @@
 require 'openssl'
 require 'base64'
+require 'httpclient'
 require 'active_support'
 require 'active_support/core_ext'
 require 'json/jose'
 
 module JSON
   class JWT < ActiveSupport::HashWithIndifferentAccess
+    VERSION = ::File.read(
+      ::File.join(::File.dirname(__FILE__), '../../VERSION')
+    ).chomp
+
     attr_accessor :blank_payload
     attr_accessor :signature
 
@@ -132,3 +137,5 @@ require 'json/jwe'
 require 'json/jwk'
 require 'json/jwk/jwkizable'
 require 'json/jwk/set'
+require 'json/jwk/set/fetcher'
+require 'json/jwk/set/fetcher/debugger/request_filter'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.15.3
 platform: ruby
 authors:
 - nov matake
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-31 00:00:00.000000000 Z
+date: 2022-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: httpclient
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -116,6 +144,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/test_ruby.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
@@ -131,13 +161,15 @@ files:
 - lib/json/jwk.rb
 - lib/json/jwk/jwkizable.rb
 - lib/json/jwk/set.rb
+- lib/json/jwk/set/fetcher.rb
+- lib/json/jwk/set/fetcher/debugger/request_filter.rb
 - lib/json/jws.rb
 - lib/json/jwt.rb
 homepage: https://github.com/nov/json-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -152,8 +184,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.6
+signing_key:
 specification_version: 4
 summary: JSON Web Token and its family (JSON Web Signature, JSON Web Encryption and
   JSON Web Key) in Ruby