jwt-authorizer 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 574e87e13f93a85345b4ed43bcb8263cd043c3eca38be8091ad36b8914fab552
-  data.tar.gz: 896da83de80dbb5f670b096b5a7e7fcbf66fc1958eeaab44ca163c02e5c901c4
+  metadata.gz: c254092f30d5fb5f9d152e33ae49e915eb102cb831258ba231312e9204d36f24
+  data.tar.gz: 4ac378bd9ece18fc5cfd4243415b0e820d2c82a48180da5b012120499c60346d
 SHA512:
-  metadata.gz: 75a902f8ebc415dae716e4cf83cc90b03df82de6e50b70941720222995c9d70eedb68e904863972f19df551f43073c383d4d79ec69b6e63bc62da6316da12609
-  data.tar.gz: 0cadbcb705af0e7ef9e13ced3902f01bbbfeecf20792b06c7e2d5d449701c8d6f906ca9c99e7273f82b44d46dccf42969c723ff7cfc6b2655200630119ec8702
+  metadata.gz: '05694a5caddeef86498257f5768d4f57be2ccc6a41e638c93a5ec8ec7bc202a2d5ba7fa940e326ccaf360f9758f28bfa037d5ed402c820e6ec24c872cca71197'
+  data.tar.gz: f7689a3b2c287c79e2294eacbbd39a6dcb245272853065b0f3c3264b2d6105dc60cc4849005b7be488cce95cd5658683835d4126f8434131eee12f31a91d692b

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## 2.0.0
+- Change the way public and private keys are configured, allowing checking JWT signatures against multiple public keys in RSA and ECDSA strategies
+
 ## 1.0.0
 
 - First release :fireworks:

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    jwt-authorizer (1.0.0)
+    jwt-authorizer (2.0.0)
       jwt (~> 2.1)
 
 GEM
@@ -10,20 +10,21 @@ GEM
     ast (2.4.0)
     coderay (1.1.2)
     diff-lcs (1.3)
-    docile (1.1.5)
+    docile (1.3.1)
+    jaro_winkler (1.5.1)
     json (2.1.0)
     jwt (2.1.0)
     method_source (0.9.0)
     parallel (1.12.1)
-    parser (2.5.0.2)
+    parser (2.5.1.0)
       ast (~> 2.4.0)
-    powerpack (0.1.1)
+    powerpack (0.1.2)
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    rack (2.0.4)
+    rack (2.0.5)
     rainbow (3.0.0)
-    rake (12.3.0)
+    rake (12.3.1)
     rspec (3.7.0)
       rspec-core (~> 3.7.0)
       rspec-expectations (~> 3.7.0)
@@ -37,7 +38,8 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.7.0)
     rspec-support (3.7.1)
-    rubocop (0.53.0)
+    rubocop (0.57.2)
+      jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.5)
       powerpack (~> 0.1)
@@ -45,13 +47,13 @@ GEM
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.0, >= 1.0.1)
     ruby-progressbar (1.9.0)
-    simplecov (0.15.1)
-      docile (~> 1.1.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     timecop (0.9.1)
-    unicode-display_width (1.3.0)
+    unicode-display_width (1.4.0)
 
 PLATFORMS
   ruby

data/README.md

@@ -32,14 +32,18 @@ JWT::Token.configuration
 JWT::Token.configure do |config|
   config.expiry = 12 * 60 * 60
   config.algorithm = "RS256"
-  config.secret = { private_key: nil, public_key: ENV["SECRET_KEY"] }
+  config.rsa.authorized_keys = [OpenSSL::PKey::RSA.new(ENV["SECRET_KEY"])]
 end
 ```
 
 `JWT::Token` have following options available:
 
 * `algorithm` - determines algorithm used on signing and verifying JWT tokens. Defaults to `"HS256"`.
-* `secret` - for [`HMAC`](https://en.wikipedia.org/wiki/HMAC) algorithms it accepts simple `String` with symmetric key, for [`RSA`](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) and [`ECDSA`](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) it requires hash with `:private_key` and `:public_key` keys.
+* `hmac` - [`HMAC`](https://en.wikipedia.org/wiki/HMAC) configuration:
+   - `hmac.key` - symmetric key used by HMAC algorithm
+* `rsa` | `ecdsa` - [`RSA`](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) and [`ECDSA`](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) configuration:
+   - `rsa.authorized_keys` | `ecdsa.authorized_keys` - `Array` of `OpenSSL::PKey::PKey` objects with allowed public keys
+   - `rsa.authorized_keys_file` | `ecdsa.authorized_keys_file` - path to file containing authorized public keys in PEM format
 * `expiry` - sets default expiry for generated tokens. Defaults to 1 hour. It can be set to `nil` in order to not include `exp` claim in the token
 * `issuer` - sets `iss` claim in the token. Defaults to `nil`.
 * `allowed_issuers` - array of issuers that will be allowed on token verification. Defaults to empty array, tokens with any value in `iss` claim (and without this claim) will be valid. If array contains any elements, *only* listed issuers will be valid.

data/lib/jwt/authorizer/version.rb

@@ -2,6 +2,6 @@
 
 module JWT
   module Authorizer
-    VERSION = "1.0.0"
+    VERSION = "2.0.0"
   end
 end

data/lib/jwt/authorizer.rb

@@ -3,7 +3,10 @@
 require "jwt/authorizer/version"
 require "jwt"
 
+require "jwt/token/asymmetric_key_configuration"
 require "jwt/token/builder"
+require "jwt/token/hmac_configuration"
+require "jwt/token/configuration"
 require "jwt/token/configuration"
 require "jwt/token/configurable"
 require "jwt/token/verifier"

data/lib/jwt/token/asymmetric_key_configuration.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module JWT
+  class Token
+    class AsymmetricKeyConfiguration
+      class PublicKeySet
+        def initialize(keys)
+          @keys = keys
+        end
+
+        def verify(digest, signature, data)
+          @keys.any? { |key| key.verify(digest, signature, data) }
+        end
+      end
+
+      attr_accessor :authorized_keys, :private_key
+
+      def initialize(key_class)
+        @key_class = key_class
+      end
+
+      def authorized_keys_file=(file_path)
+        self.authorized_keys =
+          File.read(file_path)
+              .each_line("-----END PUBLIC KEY-----\n")
+              .map { |pem| @key_class.new(pem) }
+      end
+
+      def public_key
+        PublicKeySet.new(authorized_keys) if authorized_keys
+      end
+
+      def freeze
+        super
+        authorized_keys&.freeze
+        authorized_keys&.map(&:freeze)
+      end
+
+      def dup
+        super.tap do |new_config|
+          new_config.instance_variable_set("@private_key", private_key.dup)
+          new_config.instance_variable_set("@authorized_keys", authorized_keys&.map(&:dup))
+        end
+      end
+    end
+  end
+end

data/lib/jwt/token/builder.rb

@@ -8,7 +8,7 @@ module JWT
       end
 
       def to_jwt
-        JWT.encode claims.compact, secret[:private], algorithm
+        JWT.encode claims.compact, private_key, algorithm
       end; alias to_s to_jwt
     end
   end

data/lib/jwt/token/configurable.rb

@@ -6,7 +6,7 @@ module JWT
       def self.included(base)
         base.extend(ClassMethods)
         base.extend(Forwardable)
-        base.delegate %i[algorithm secret allowed_issuers] => "self.class.configuration"
+        base.delegate %i[algorithm private_key allowed_issuers] => "self.class.configuration"
       end
 
       module ClassMethods

data/lib/jwt/token/configuration.rb

@@ -3,7 +3,7 @@
 module JWT
   class Token
     class Configuration
-      ATTRIBUTES = %i[algorithm secret expiry issuer allowed_issuers].freeze
+      ATTRIBUTES = %i[algorithm hmac rsa ecdsa expiry issuer allowed_issuers allowed_algorithms].freeze
 
       ALGORITHMS = {
         "HS256" => :hmac, "HS512256" => :hmac, "HS384" => :hmac, "HS512" => :hmac,
@@ -15,29 +15,28 @@ module JWT
         @algorithm = "HS256"
         @expiry = 60 * 60
         @allowed_issuers = []
+        @allowed_algorithms = ["HS256"]
+        @hmac = HMACConfiguration.new
+        @rsa = AsymmetricKeyConfiguration.new(OpenSSL::PKey::RSA)
+        @ecdsa = AsymmetricKeyConfiguration.new(OpenSSL::PKey::EC)
       end
 
-      attr_accessor :expiry, :allowed_issuers, :issuer
-      attr_reader :secret, :algorithm
+      attr_accessor :expiry, :allowed_issuers, :allowed_algorithms, :issuer
+      attr_reader :algorithm, :hmac, :rsa, :ecdsa
 
       def algorithm=(value)
         assert_algorithm_valid(value)
         @algorithm = value.to_s
       end
 
-      def secret=(hmac_key = nil, private_key: nil, public_key: nil)
-        @secret = case algorithm_type
-                  when :hmac
-                    { private: hmac_key, public: hmac_key }
-                  else
-                    { private: private_key, public: public_key }
-                  end
-      end
-
       def algorithm_type
         ALGORITHMS[algorithm]
       end
 
+      def private_key
+        send(algorithm_type).private_key
+      end
+
       def to_h
         ATTRIBUTES.each_with_object({}) { |attribute, hash| hash[attribute] = send(attribute) }
       end
@@ -47,7 +46,11 @@ module JWT
         raise ArgumentError, "Unpermitted options: #{unpermitted_options.join(', ')}" if unpermitted_options.any?
 
         options.each do |key, value|
-          send("#{key}=", value)
+          if value.is_a?(Hash)
+            send(key).tap { |option| value.each { |suboption, subvalue| option.send("#{suboption}=", subvalue) } }
+          else
+            send("#{key}=", value)
+          end
         end
 
         self
@@ -55,15 +58,15 @@ module JWT
 
       def dup
         super.tap do |new_config|
-          new_config.instance_variable_set("@allowed_issuers", allowed_issuers.dup)
-          new_config.instance_variable_set("@secret", secret.dup)
+          %i[allowed_issuers allowed_algorithms hmac rsa ecdsa].each do |option|
+            new_config.instance_variable_set("@#{option}", send(option).dup)
+          end
         end
       end
 
       def freeze
         super
-        allowed_issuers.freeze
-        secret.freeze
+        [allowed_issuers, allowed_algorithms, hmac, rsa, ecdsa].each(&:freeze)
       end
 
       private

data/lib/jwt/token/hmac_configuration.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module JWT
+  class Token
+    class HMACConfiguration
+      attr_accessor :key
+      alias public_key key
+      alias private_key key
+
+      def dup
+        super.tap do |new_config|
+          new_config.instance_variable_set("@key", key.dup)
+        end
+      end
+    end
+  end
+end

data/lib/jwt/token/verifier.rb

@@ -10,7 +10,10 @@ module JWT
 
       module ClassMethods
         def verify(jwt_token, context = nil)
-          decoded = JWT.decode(jwt_token, configuration.secret[:public], true, decode_options)
+          decoded = JWT.decode(jwt_token, nil, true, decode_options) do |header|
+            algorithm_type = JWT::Token::Configuration::ALGORITHMS[header["alg"]]
+            configuration.send(algorithm_type).public_key if algorithm_type
+          end
 
           new(decoded[0]).tap do |token|
             claims.each do |claim|
@@ -22,12 +25,8 @@ module JWT
         private
 
         def decode_options
-          {}.tap do |result|
-            if configuration.allowed_issuers.any?
-              result[:iss] = configuration.allowed_issuers
-              result[:verify_iss] = true
-            end
-            result[:algorithm] = configuration.algorithm
+          { algorithms: configuration.allowed_algorithms }.tap do |result|
+            result.merge!(iss: configuration.allowed_issuers, verify_iss: true) if configuration.allowed_issuers.any?
           end
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt-authorizer
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Michał Begejowicz
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-08 00:00:00.000000000 Z
+date: 2018-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -162,12 +162,14 @@ files:
 - lib/jwt/authorizer/version.rb
 - lib/jwt/endpoint_token.rb
 - lib/jwt/token.rb
+- lib/jwt/token/asymmetric_key_configuration.rb
 - lib/jwt/token/builder.rb
 - lib/jwt/token/claim.rb
 - lib/jwt/token/claim_builder.rb
 - lib/jwt/token/configurable.rb
 - lib/jwt/token/configuration.rb
 - lib/jwt/token/default_claims.rb
+- lib/jwt/token/hmac_configuration.rb
 - lib/jwt/token/verifier.rb
 homepage: https://github.com/codesthq/jwt-authorizer
 licenses:
@@ -189,7 +191,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Authorization of requests for microservices based on JWT