jwt 2.1.0 → 2.2.0.pre.beta.0

data/lib/jwt.rb

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
-require 'base64'
+require 'jwt/base64'
+require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/default_options'
 require 'jwt/encode'
 require 'jwt/error'
-require 'jwt/signature'
-require 'jwt/verify'
+require 'jwt/jwk'
 
 # JSON Web Token implementation
 #
@@ -18,46 +18,13 @@ module JWT
   module_function
 
   def encode(payload, key, algorithm = 'HS256', header_fields = {})
-    encoder = Encode.new payload, key, algorithm, header_fields
-    encoder.segments
+    Encode.new(payload: payload,
+               key: key,
+               algorithm: algorithm,
+               headers: header_fields).segments
   end
 
-  def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
-    raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
-
-    merged_options = DEFAULT_OPTIONS.merge(custom_options)
-
-    decoder = Decode.new jwt, verify
-    header, payload, signature, signing_input = decoder.decode_segments
-    decode_verify_signature(key, header, payload, signature, signing_input, merged_options, &keyfinder) if verify
-
-    Verify.verify_claims(payload, merged_options) if verify
-
-    raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
-
-    [payload, header]
-  end
-
-  def decode_verify_signature(key, header, payload, signature, signing_input, options, &keyfinder)
-    algo, key = signature_algorithm_and_key(header, payload, key, &keyfinder)
-
-    raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms(options).empty?
-    raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless allowed_algorithms(options).include?(algo)
-
-    Signature.verify(algo, key, signing_input, signature)
-  end
-
-  def signature_algorithm_and_key(header, payload, key, &keyfinder)
-    key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header)) if keyfinder
-    raise JWT::DecodeError, 'No verification key available' unless key
-    [header['alg'], key]
-  end
-
-  def allowed_algorithms(options)
-    if options.key?(:algorithm)
-      [options[:algorithm]]
-    else
-      options[:algorithms] || []
-    end
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
+    Decode.new(jwt, key, verify, DEFAULT_OPTIONS.merge(options), &keyfinder).decode_segments
   end
 end

data/lib/jwt/algos/ecdsa.rb

@@ -3,7 +3,7 @@ module JWT
     module Ecdsa
       module_function
 
-      SUPPORTED = %(ES256 ES384 ES512).freeze
+      SUPPORTED = %w[ES256 ES384 ES512].freeze
       NAMED_CURVES = {
         'prime256v1' => 'ES256',
         'secp384r1' => 'ES384',

data/lib/jwt/algos/ps.rb

@@ -0,0 +1,43 @@
+module JWT
+  module Algos
+    module Ps
+      # RSASSA-PSS signing algorithms
+
+      module_function
+
+      SUPPORTED = %w[PS256 PS384 PS512].freeze
+
+      def sign(to_sign)
+        require_openssl!
+
+        algorithm, msg, key = to_sign.values
+
+        key_class = key.class
+
+        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
+
+        translated_algorithm = algorithm.sub('PS', 'sha')
+
+        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
+      end
+
+      def verify(to_verify)
+        require_openssl!
+
+        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+      end
+
+      def require_openssl!
+        if Object.const_defined?('OpenSSL')
+          major, minor = OpenSSL::VERSION.split('.').first(2)
+
+          unless major.to_i >= 2 && minor.to_i >= 1
+            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
+          end
+        else
+          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
+        end
+      end
+    end
+  end
+end

data/lib/jwt/base64.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module JWT
+  # Base64 helpers
+  class Base64
+    class << self
+      def url_encode(str)
+        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+      end
+
+      def url_decode(str)
+        str += '=' * (4 - str.length.modulo(4))
+        ::Base64.decode64(str.tr('-_', '+/'))
+      end
+    end
+  end
+end

data/lib/jwt/claims_validator.rb

@@ -0,0 +1,33 @@
+require_relative './error'
+
+module JWT
+  class ClaimsValidator
+    INTEGER_CLAIMS = %i[
+      exp
+      iat
+      nbf
+    ].freeze
+
+    def initialize(payload)
+      @payload = payload.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
+    end
+
+    def validate!
+      validate_int_claims
+
+      true
+    end
+
+    private
+
+    def validate_int_claims
+      INTEGER_CLAIMS.each do |claim|
+        validate_is_int(claim) if @payload.key?(claim)
+      end
+    end
+
+    def validate_is_int(claim)
+      raise InvalidPayload, "#{claim} claim must be an Integer but it is a #{@payload[claim].class}" unless @payload[claim].is_a?(Integer)
+    end
+  end
+end

data/lib/jwt/decode.rb

@@ -2,47 +2,98 @@
 
 require 'json'
 
+require 'jwt/signature'
+require 'jwt/verify'
 # JWT::Decode module
 module JWT
   # Decoding logic for JWT
   class Decode
-    attr_reader :header, :payload, :signature
-
-    def self.base64url_decode(str)
-      str += '=' * (4 - str.length.modulo(4))
-      Base64.decode64(str.tr('-_', '+/'))
-    end
-
-    def initialize(jwt, verify)
+    def initialize(jwt, key, verify, options, &keyfinder)
+      raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
       @jwt = jwt
+      @key = key
+      @options = options
+      @segments = jwt.split('.')
       @verify = verify
-      @header = ''
-      @payload = ''
       @signature = ''
+      @keyfinder = keyfinder
     end
 
     def decode_segments
-      header_segment, payload_segment, crypto_segment = raw_segments
-      @header, @payload = decode_header_and_payload(header_segment, payload_segment)
-      @signature = Decode.base64url_decode(crypto_segment.to_s) if @verify
-      signing_input = [header_segment, payload_segment].join('.')
-      [@header, @payload, @signature, signing_input]
+      validate_segment_count!
+      if @verify
+        decode_crypto
+        verify_signature
+        verify_claims
+      end
+      raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+      [payload, header]
     end
 
     private
 
-    def raw_segments
-      segments = @jwt.split('.')
-      required_num_segments = @verify ? [3] : [2, 3]
-      raise(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
-      segments
+    def verify_signature
+      @key = find_key(&@keyfinder) if @keyfinder
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+
+      raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
+      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+
+      Signature.verify(header['alg'], @key, signing_input, @signature)
+    end
+
+    def options_includes_algo_in_header?
+      allowed_algorithms.include? header['alg']
+    end
+
+    def allowed_algorithms
+      if @options.key?(:algorithm)
+        [@options[:algorithm]]
+      else
+        @options[:algorithms] || []
+      end
+    end
+
+    def find_key(&keyfinder)
+      key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
+      raise JWT::DecodeError, 'No verification key available' unless key
+      key
+    end
+
+    def verify_claims
+      Verify.verify_claims(payload, @options)
+    end
+
+    def validate_segment_count!
+      return if segment_length == 3
+      return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
+
+      raise(JWT::DecodeError, 'Not enough or too many segments')
+    end
+
+    def segment_length
+      @segments.count
+    end
+
+    def decode_crypto
+      @signature = JWT::Base64.url_decode(@segments[2])
+    end
+
+    def header
+      @header ||= parse_and_decode @segments[0]
+    end
+
+    def payload
+      @payload ||= parse_and_decode @segments[1]
+    end
+
+    def signing_input
+      @segments.first(2).join('.')
     end
 
-    def decode_header_and_payload(header_segment, payload_segment)
-      header = JSON.parse(Decode.base64url_decode(header_segment))
-      payload = JSON.parse(Decode.base64url_decode(payload_segment))
-      [header, payload]
-    rescue JSON::ParserError
+    def parse_and_decode(segment)
+      JWT::JSON.parse(JWT::Base64.url_decode(segment))
+    rescue ::JSON::ParserError
       raise JWT::DecodeError, 'Invalid segment encoding'
     end
   end

data/lib/jwt/encode.rb

@@ -1,51 +1,68 @@
 # frozen_string_literal: true
 
-require 'json'
+require_relative './claims_validator'
 
 # JWT::Encode module
 module JWT
   # Encoding logic for JWT
   class Encode
-    attr_reader :payload, :key, :algorithm, :header_fields, :segments
+    ALG_NONE = 'none'.freeze
+    ALG_KEY  = 'alg'.freeze
 
-    def self.base64url_encode(str)
-      Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+    def initialize(options)
+      @payload   = options[:payload]
+      @key       = options[:key]
+      @algorithm = options[:algorithm]
+      @headers   = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
     end
 
-    def initialize(payload, key, algorithm, header_fields)
-      @payload = payload
-      @key = key
-      @algorithm = algorithm
-      @header_fields = header_fields
-      @segments = encode_segments
+    def segments
+      @segments ||= combine(encoded_header_and_payload, encoded_signature)
     end
 
     private
 
     def encoded_header
-      header = { 'alg' => @algorithm }.merge(@header_fields)
-      Encode.base64url_encode(JSON.generate(header))
+      @encoded_header ||= encode_header
     end
 
     def encoded_payload
-      raise InvalidPayload, 'exp claim must be an integer' if @payload && @payload.is_a?(Hash) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer)
-      Encode.base64url_encode(JSON.generate(@payload))
+      @encoded_payload ||= encode_payload
     end
 
-    def encoded_signature(signing_input)
-      if @algorithm == 'none'
-        ''
-      else
-        signature = JWT::Signature.sign(@algorithm, signing_input, @key)
-        Encode.base64url_encode(signature)
+    def encoded_signature
+      @encoded_signature ||= encode_signature
+    end
+
+    def encoded_header_and_payload
+      @encoded_header_and_payload ||= combine(encoded_header, encoded_payload)
+    end
+
+    def encode_header
+      @headers[ALG_KEY] = @algorithm
+      encode(@headers)
+    end
+
+    def encode_payload
+      if @payload && @payload.is_a?(Hash)
+        ClaimsValidator.new(@payload).validate!
       end
+
+      encode(@payload)
+    end
+
+    def encode_signature
+      return '' if @algorithm == ALG_NONE
+
+      JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
+    end
+
+    def encode(data)
+      JWT::Base64.url_encode(JWT::JSON.generate(data))
     end
 
-    def encode_segments
-      header = encoded_header
-      payload = encoded_payload
-      signature = encoded_signature([header, payload].join('.'))
-      [header, payload, signature].join('.')
+    def combine(*parts)
+      parts.join('.')
     end
   end
 end

data/lib/jwt/error.rb

@@ -1,16 +1,20 @@
 # frozen_string_literal: true
 
 module JWT
-  class EncodeError < StandardError; end
-  class DecodeError < StandardError; end
-  class VerificationError < DecodeError; end
-  class ExpiredSignature < DecodeError; end
-  class IncorrectAlgorithm < DecodeError; end
-  class ImmatureSignature < DecodeError; end
-  class InvalidIssuerError < DecodeError; end
-  class InvalidIatError < DecodeError; end
-  class InvalidAudError < DecodeError; end
-  class InvalidSubError < DecodeError; end
-  class InvalidJtiError < DecodeError; end
-  class InvalidPayload < DecodeError; end
+  EncodeError             = Class.new(StandardError)
+  DecodeError             = Class.new(StandardError)
+  RequiredDependencyError = Class.new(StandardError)
+
+  VerificationError  = Class.new(DecodeError)
+  ExpiredSignature   = Class.new(DecodeError)
+  IncorrectAlgorithm = Class.new(DecodeError)
+  ImmatureSignature  = Class.new(DecodeError)
+  InvalidIssuerError = Class.new(DecodeError)
+  InvalidIatError    = Class.new(DecodeError)
+  InvalidAudError    = Class.new(DecodeError)
+  InvalidSubError    = Class.new(DecodeError)
+  InvalidJtiError    = Class.new(DecodeError)
+  InvalidPayload     = Class.new(DecodeError)
+
+  JWKError           = Class.new(DecodeError)
 end

data/lib/jwt/json.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module JWT
+  # JSON wrapper
+  class JSON
+    class << self
+      def generate(data)
+        ::JSON.generate(data)
+      end
+
+      def parse(data)
+        ::JSON.parse(data)
+      end
+    end
+  end
+end