jwt 1.5.6 → 2.2.2

data/lib/jwt/default_options.rb

@@ -0,0 +1,15 @@
+module JWT
+  module DefaultOptions
+    DEFAULT_OPTIONS = {
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iss: false,
+      verify_iat: false,
+      verify_jti: false,
+      verify_aud: false,
+      verify_sub: false,
+      leeway: 0,
+      algorithms: ['HS256']
+    }.freeze
+  end
+end

data/lib/jwt/encode.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require_relative './claims_validator'
+
+# JWT::Encode module
+module JWT
+  # Encoding logic for JWT
+  class Encode
+    ALG_NONE = 'none'.freeze
+    ALG_KEY  = 'alg'.freeze
+
+    def initialize(options)
+      @payload   = options[:payload]
+      @key       = options[:key]
+      @algorithm = options[:algorithm]
+      @headers   = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
+    end
+
+    def segments
+      @segments ||= combine(encoded_header_and_payload, encoded_signature)
+    end
+
+    private
+
+    def encoded_header
+      @encoded_header ||= encode_header
+    end
+
+    def encoded_payload
+      @encoded_payload ||= encode_payload
+    end
+
+    def encoded_signature
+      @encoded_signature ||= encode_signature
+    end
+
+    def encoded_header_and_payload
+      @encoded_header_and_payload ||= combine(encoded_header, encoded_payload)
+    end
+
+    def encode_header
+      @headers[ALG_KEY] = @algorithm
+      encode(@headers)
+    end
+
+    def encode_payload
+      if @payload && @payload.is_a?(Hash)
+        ClaimsValidator.new(@payload).validate!
+      end
+
+      encode(@payload)
+    end
+
+    def encode_signature
+      return '' if @algorithm == ALG_NONE
+
+      JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
+    end
+
+    def encode(data)
+      JWT::Base64.url_encode(JWT::JSON.generate(data))
+    end
+
+    def combine(*parts)
+      parts.join('.')
+    end
+  end
+end

data/lib/jwt/error.rb

@@ -1,6 +1,10 @@
 # frozen_string_literal: true
+
 module JWT
+  class EncodeError < StandardError; end
   class DecodeError < StandardError; end
+  class RequiredDependencyError < StandardError; end
+
   class VerificationError < DecodeError; end
   class ExpiredSignature < DecodeError; end
   class IncorrectAlgorithm < DecodeError; end
@@ -11,4 +15,6 @@ module JWT
   class InvalidSubError < DecodeError; end
   class InvalidJtiError < DecodeError; end
   class InvalidPayload < DecodeError; end
+
+  class JWKError < DecodeError; end
 end

data/lib/jwt/json.rb

@@ -1,17 +1,18 @@
 # frozen_string_literal: true
+
 require 'json'
 
 module JWT
-  # JSON fallback implementation or ruby 1.8.x
-  module Json
-    def decode_json(encoded)
-      JSON.parse(encoded)
-    rescue JSON::ParserError
-      raise JWT::DecodeError, 'Invalid segment encoding'
-    end
+  # JSON wrapper
+  class JSON
+    class << self
+      def generate(data)
+        ::JSON.generate(data)
+      end
 
-    def encode_json(raw)
-      JSON.generate(raw)
+      def parse(data)
+        ::JSON.parse(data)
+      end
     end
   end
 end

data/lib/jwt/jwk.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_relative 'jwk/rsa'
+require_relative 'jwk/key_finder'
+
+module JWT
+  module JWK
+    MAPPINGS = {
+      'RSA' => ::JWT::JWK::RSA,
+      OpenSSL::PKey::RSA => ::JWT::JWK::RSA
+    }.freeze
+
+    class << self
+      def import(jwk_data)
+        raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_data[:kty]
+
+        MAPPINGS.fetch(jwk_data[:kty].to_s) do |kty|
+          raise JWT::JWKError, "Key type #{kty} not supported"
+        end.import(jwk_data)
+      end
+
+      def create_from(keypair)
+        MAPPINGS.fetch(keypair.class) do |klass|
+          raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
+        end.new(keypair)
+      end
+
+      alias new create_from
+    end
+  end
+end

data/lib/jwt/jwk/key_finder.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class KeyFinder
+      def initialize(options)
+        jwks_or_loader = options[:jwks]
+        @jwks          = jwks_or_loader if jwks_or_loader.is_a?(Hash)
+        @jwk_loader    = jwks_or_loader if jwks_or_loader.respond_to?(:call)
+      end
+
+      def key_for(kid)
+        raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid
+
+        jwk = resolve_key(kid)
+
+        raise ::JWT::DecodeError, "Could not find public key for kid #{kid}" unless jwk
+
+        ::JWT::JWK.import(jwk).keypair
+      end
+
+      private
+
+      def resolve_key(kid)
+        jwk = find_key(kid)
+
+        return jwk if jwk
+
+        if reloadable?
+          load_keys(invalidate: true)
+          return find_key(kid)
+        end
+
+        nil
+      end
+
+      def jwks
+        return @jwks if @jwks
+
+        load_keys
+        @jwks
+      end
+
+      def load_keys(opts = {})
+        @jwks = @jwk_loader.call(opts)
+      end
+
+      def find_key(kid)
+        Array(jwks[:keys]).find { |key| key[:kid] == kid }
+      end
+
+      def reloadable?
+        @jwk_loader
+      end
+    end
+  end
+end

data/lib/jwt/jwk/rsa.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module JWT
+  module JWK
+    class RSA
+      attr_reader :keypair
+
+      BINARY = 2
+      KTY    = 'RSA'.freeze
+
+      def initialize(keypair)
+        raise ArgumentError, 'keypair must be of type OpenSSL::PKey::RSA' unless keypair.is_a?(OpenSSL::PKey::RSA)
+
+        @keypair = keypair
+      end
+
+      def private?
+        keypair.private?
+      end
+
+      def public_key
+        keypair.public_key
+      end
+
+      def kid
+        sequence = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(public_key.n),
+                                            OpenSSL::ASN1::Integer.new(public_key.e)])
+        OpenSSL::Digest::SHA256.hexdigest(sequence.to_der)
+      end
+
+      def export
+        {
+          kty: KTY,
+          n: ::Base64.urlsafe_encode64(public_key.n.to_s(BINARY), padding: false),
+          e: ::Base64.urlsafe_encode64(public_key.e.to_s(BINARY), padding: false),
+          kid: kid
+        }
+      end
+
+      def self.import(jwk_data)
+        imported_key = OpenSSL::PKey::RSA.new
+        if imported_key.respond_to?(:set_key)
+          imported_key.set_key(OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY),
+            OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY),
+            nil)
+        else
+          imported_key.n = OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:n]), BINARY)
+          imported_key.e = OpenSSL::BN.new(::Base64.urlsafe_decode64(jwk_data[:e]), BINARY)
+        end
+        self.new(imported_key)
+      end
+    end
+  end
+end

data/lib/jwt/security_utils.rb

@@ -0,0 +1,57 @@
+module JWT
+  # Collection of security methods
+  #
+  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
+  module SecurityUtils
+    module_function
+
+    def secure_compare(left, right)
+      left_bytesize = left.bytesize
+
+      return false unless left_bytesize == right.bytesize
+
+      unpacked_left = left.unpack "C#{left_bytesize}"
+      result = 0
+      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
+      result.zero?
+    end
+
+    def verify_rsa(algorithm, public_key, signing_input, signature)
+      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+    end
+
+    def verify_ps(algorithm, public_key, signing_input, signature)
+      formatted_algorithm = algorithm.sub('PS', 'sha')
+
+      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
+    end
+
+    def asn1_to_raw(signature, public_key)
+      byte_size = (public_key.group.degree + 7) / 8
+      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+    end
+
+    def raw_to_asn1(signature, private_key)
+      byte_size = (private_key.group.degree + 7) / 8
+      sig_bytes = signature[0..(byte_size - 1)]
+      sig_char = signature[byte_size..-1] || ''
+      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+    end
+
+    def rbnacl_fixup(algorithm, key)
+      algorithm = algorithm.sub('HS', 'SHA').to_sym
+
+      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
+
+      authenticator = RbNaCl::HMAC.const_get(algorithm)
+
+      # Fall back to OpenSSL for keys larger than 32 bytes.
+      return [] if key.bytesize > authenticator.key_bytes
+
+      [
+        authenticator,
+        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
+      ]
+    end
+  end
+end

data/lib/jwt/signature.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'jwt/security_utils'
+require 'openssl'
+require 'jwt/algos/hmac'
+require 'jwt/algos/eddsa'
+require 'jwt/algos/ecdsa'
+require 'jwt/algos/rsa'
+require 'jwt/algos/ps'
+require 'jwt/algos/unsupported'
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+
+# JWT::Signature module
+module JWT
+  # Signature logic for JWT
+  module Signature
+    extend self
+    ALGOS = [
+      Algos::Hmac,
+      Algos::Ecdsa,
+      Algos::Rsa,
+      Algos::Eddsa,
+      Algos::Ps,
+      Algos::Unsupported
+    ].freeze
+    ToSign = Struct.new(:algorithm, :msg, :key)
+    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
+
+    def sign(algorithm, msg, key)
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
+      end
+      algo.sign ToSign.new(algorithm, msg, key)
+    end
+
+    def verify(algorithm, key, signing_input, signature)
+      raise JWT::DecodeError, 'No verification key available' unless key
+
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
+      end
+      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
+      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+    rescue OpenSSL::PKey::PKeyError
+      raise JWT::VerificationError, 'Signature verification raised'
+    ensure
+      OpenSSL.errors.clear
+    end
+  end
+end

data/lib/jwt/verify.rb

@@ -1,106 +1,98 @@
 # frozen_string_literal: true
+
 require 'jwt/error'
 
 module JWT
   # JWT verify methods
   class Verify
+    DEFAULTS = {
+      leeway: 0
+    }.freeze
+
     class << self
-      %w(verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub).each do |method_name|
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
         define_method method_name do |payload, options|
           new(payload, options).send(method_name)
         end
       end
+
+      def verify_claims(payload, options)
+        options.each do |key, val|
+          next unless key.to_s =~ /verify/
+          Verify.send(key, payload, options) if val
+        end
+      end
     end
 
     def initialize(payload, options)
       @payload = payload
-      @options = options
+      @options = DEFAULTS.merge(options)
     end
 
     def verify_aud
-      return unless (options_aud = extract_option(:aud))
-
-      if @payload['aud'].is_a?(Array)
-        verify_aud_array(@payload['aud'], options_aud)
-      else
-        raise(
-          JWT::InvalidAudError,
-          "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}"
-        ) unless @payload['aud'].to_s == options_aud.to_s
-      end
-    end
+      return unless (options_aud = @options[:aud])
 
-    def verify_aud_array(audience, options_aud)
-      if options_aud.is_a?(Array)
-        options_aud.each do |aud|
-          raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(aud.to_s)
-        end
-      else
-        raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(options_aud.to_s)
-      end
+      aud = @payload['aud']
+      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}") if ([*aud] & [*options_aud]).empty?
     end
 
     def verify_expiration
       return unless @payload.include?('exp')
-
-      if @payload['exp'].to_i <= (Time.now.to_i - leeway)
-        raise(JWT::ExpiredSignature, 'Signature has expired')
-      end
+      raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
     end
 
     def verify_iat
       return unless @payload.include?('iat')
 
-      if !@payload['iat'].is_a?(Numeric) || @payload['iat'].to_f > (Time.now.to_f + leeway)
-        raise(JWT::InvalidIatError, 'Invalid iat')
-      end
+      iat = @payload['iat']
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
     end
 
     def verify_iss
-      return unless (options_iss = extract_option(:iss))
+      return unless (options_iss = @options[:iss])
 
-      if @payload['iss'].to_s != options_iss.to_s
-        raise(
-          JWT::InvalidIssuerError,
-          "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}"
-        )
-      end
+      iss = @payload['iss']
+
+      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+
+      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
     end
 
     def verify_jti
-      options_verify_jti = extract_option(:verify_jti)
+      options_verify_jti = @options[:verify_jti]
+      jti = @payload['jti']
+
       if options_verify_jti.respond_to?(:call)
-        raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti'])
-      else
-        raise(JWT::InvalidJtiError, 'Missing jti') if @payload['jti'].to_s.strip.empty?
+        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
+        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+      elsif jti.to_s.strip.empty?
+        raise(JWT::InvalidJtiError, 'Missing jti')
       end
     end
 
     def verify_not_before
       return unless @payload.include?('nbf')
-
-      if @payload['nbf'].to_i > (Time.now.to_i + leeway)
-        raise(JWT::ImmatureSignature, 'Signature nbf has not been reached')
-      end
+      raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
     end
 
     def verify_sub
-      return unless (options_sub = extract_option(:sub))
-
-      raise(
-        JWT::InvalidSubError,
-        "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}"
-      ) unless @payload['sub'].to_s == options_sub.to_s
+      return unless (options_sub = @options[:sub])
+      sub = @payload['sub']
+      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
 
     private
 
-    def extract_option(key)
-      @options.values_at(key.to_sym, key.to_s).compact.first
+    def global_leeway
+      @options[:leeway]
+    end
+
+    def exp_leeway
+      @options[:exp_leeway] || global_leeway
     end
 
-    def leeway
-      extract_option :leeway
+    def nbf_leeway
+      @options[:nbf_leeway] || global_leeway
     end
   end
 end