jwt 2.3.0 → 2.10.1

data/.rubocop_todo.yml

@@ -1,185 +0,0 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2020-12-21 23:11:43 +0200 using RuboCop version 0.52.1.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: Include, TreatCommentsAsGroupSeparators.
-# Include: **/*.gemspec
-Gemspec/OrderedDependencies:
-  Exclude:
-    - 'ruby-jwt.gemspec'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Layout/EmptyLines:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: empty_lines, no_empty_lines
-Layout/EmptyLinesAroundBlockBody:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: AllowForAlignment, ForceEqualSignAlignment.
-Layout/ExtraSpacing:
-  Exclude:
-    - 'spec/jwk_spec.rb'
-
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: normal, rails
-Layout/IndentationConsistency:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: Width, IgnoredPatterns.
-Layout/IndentationWidth:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 3
-# Cop supports --auto-correct.
-Layout/SpaceAfterComma:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces.
-# SupportedStyles: space, no_space
-# SupportedStylesForEmptyBraces: space, no_space
-Layout/SpaceBeforeBlockBraces:
-  Exclude:
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwt/verify_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
-# SupportedStyles: space, no_space
-# SupportedStylesForEmptyBraces: space, no_space
-Layout/SpaceInsideBlockBraces:
-  Exclude:
-    - 'spec/jwt/verify_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: final_newline, final_blank_line
-Layout/TrailingBlankLines:
-  Exclude:
-    - 'bin/console.rb'
-
-# Offense count: 3
-# Cop supports --auto-correct.
-# Configuration parameters: IgnoreEmptyBlocks, AllowUnusedKeywordArguments.
-Lint/UnusedBlockArgument:
-  Exclude:
-    - 'spec/jwk/decode_with_jwk_spec.rb'
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwt/verify_spec.rb'
-
-# Offense count: 2
-Metrics/CyclomaticComplexity:
-  Max: 7
-
-# Offense count: 1
-Metrics/PerceivedComplexity:
-  Max: 8
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: MaxKeyValuePairs.
-Performance/RedundantMerge:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/Encoding:
-  Exclude:
-    - 'lib/jwt/version.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: InverseMethods, InverseBlocks.
-Style/InverseMethods:
-  Exclude:
-    - 'spec/jwk/ec_spec.rb'
-
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/MethodCallWithoutArgsParentheses:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 2
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: module_function, extend_self
-Style/ModuleFunction:
-  Exclude:
-    - 'lib/jwt/algos.rb'
-    - 'lib/jwt/signature.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/MutableConstant:
-  Exclude:
-    - 'lib/jwt/version.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: Strict.
-Style/NumericLiterals:
-  MinDigits: 6
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/ParallelAssignment:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-
-# Offense count: 11
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
-# SupportedStyles: single_quotes, double_quotes
-Style/StringLiterals:
-  Exclude:
-    - 'bin/console.rb'
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwk/rsa_spec.rb'
-    - 'spec/jwk_spec.rb'
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyleForMultiline.
-# SupportedStylesForMultiline: comma, consistent_comma, no_comma
-Style/TrailingCommaInArguments:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/UnlessElse:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 162
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
-# URISchemes: http, https
-Metrics/LineLength:
-  Max: 420

data/.sourcelevel.yml

@@ -1,18 +0,0 @@
-styleguide: excpt/linters
-engines:
-  reek:
-    enabled: true
-  fixme:
-    enabled: true
-  rubocop:
-    enabled: true
-    channel: rubocop-0-52
-  duplication:
-    config:
-      languages:
-      - ruby
-    enabled: true
-  remark-lint:
-    enabled: true
-exclude_paths:
-- spec

data/Appraisals

@@ -1,10 +0,0 @@
-appraise 'standalone' do
-end
-
-appraise 'openssl' do
-  gem 'openssl', '~> 2.1'
-end
-
-appraise 'rbnacl' do
-  gem 'rbnacl'
-end

data/Gemfile

@@ -1,5 +0,0 @@
-source 'https://rubygems.org'
-
-gemspec
-
-gem 'rubocop', '~> 0.52.0' # Same as codeclimate default

data/Rakefile

@@ -1,14 +0,0 @@
-require 'bundler/setup'
-require 'bundler/gem_tasks'
-
-begin
-  require 'rspec/core/rake_task'
-  require 'rubocop/rake_task'
-
-  RSpec::Core::RakeTask.new(:test)
-  RuboCop::RakeTask.new(:rubocop)
-
-  task default: %i[rubocop test]
-rescue LoadError
-  puts 'RSpec rake tasks not available. Please run "bundle install" to install missing dependencies.'
-end

data/lib/jwt/algos/ecdsa.rb

@@ -1,35 +0,0 @@
-module JWT
-  module Algos
-    module Ecdsa
-      module_function
-
-      SUPPORTED = %w[ES256 ES384 ES512].freeze
-      NAMED_CURVES = {
-        'prime256v1' => 'ES256',
-        'secp384r1' => 'ES384',
-        'secp521r1' => 'ES512'
-      }.freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        key_algorithm = NAMED_CURVES[key.group.curve_name]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-        end
-
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        key_algorithm = NAMED_CURVES[public_key.group.curve_name]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
-      end
-    end
-  end
-end

data/lib/jwt/algos/eddsa.rb

@@ -1,30 +0,0 @@
-module JWT
-  module Algos
-    module Eddsa
-      module_function
-
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-        end
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-
-        key.sign(msg)
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
-        end
-        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
-        public_key.verify(signature, signing_input)
-      end
-    end
-  end
-end

data/lib/jwt/algos/hmac.rb

@@ -1,34 +0,0 @@
-module JWT
-  module Algos
-    module Hmac
-      module_function
-
-      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        key ||= ''
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-        if authenticator && padded_key
-          authenticator.auth(padded_key, msg.encode('binary'))
-        else
-          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-        end
-      end
-
-      def verify(to_verify)
-        algorithm, public_key, signing_input, signature = to_verify.values
-        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-        if authenticator && padded_key
-          begin
-            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-          rescue RbNaCl::BadAuthenticatorError
-            false
-          end
-        else
-          SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/none.rb

@@ -1,15 +0,0 @@
-module JWT
-  module Algos
-    module None
-      module_function
-
-      SUPPORTED = %w[none].freeze
-
-      def sign(*); end
-
-      def verify(*)
-        true
-      end
-    end
-  end
-end

data/lib/jwt/algos/ps.rb

@@ -1,43 +0,0 @@
-module JWT
-  module Algos
-    module Ps
-      # RSASSA-PSS signing algorithms
-
-      module_function
-
-      SUPPORTED = %w[PS256 PS384 PS512].freeze
-
-      def sign(to_sign)
-        require_openssl!
-
-        algorithm, msg, key = to_sign.values
-
-        key_class = key.class
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
-
-        translated_algorithm = algorithm.sub('PS', 'sha')
-
-        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
-      end
-
-      def verify(to_verify)
-        require_openssl!
-
-        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
-      end
-
-      def require_openssl!
-        if Object.const_defined?('OpenSSL')
-          major, minor = OpenSSL::VERSION.split('.').first(2)
-
-          unless major.to_i >= 2 && minor.to_i >= 1
-            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
-          end
-        else
-          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/rsa.rb

@@ -1,19 +0,0 @@
-module JWT
-  module Algos
-    module Rsa
-      module_function
-
-      SUPPORTED = %w[RS256 RS384 RS512].freeze
-
-      def sign(to_sign)
-        algorithm, msg, key = to_sign.values
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
-        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-      end
-
-      def verify(to_verify)
-        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
-      end
-    end
-  end
-end

data/lib/jwt/algos/unsupported.rb

@@ -1,17 +0,0 @@
-module JWT
-  module Algos
-    module Unsupported
-      module_function
-
-      SUPPORTED = [].freeze
-
-      def sign(*)
-        raise NotImplementedError, 'Unsupported signing method'
-      end
-
-      def verify(*)
-        raise JWT::VerificationError, 'Algorithm not supported'
-      end
-    end
-  end
-end

data/lib/jwt/algos.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/none'
-require 'jwt/algos/unsupported'
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Algos
-    extend self
-
-    ALGOS = [
-      Algos::Hmac,
-      Algos::Ecdsa,
-      Algos::Rsa,
-      Algos::Eddsa,
-      Algos::Ps,
-      Algos::None,
-      Algos::Unsupported
-    ].freeze
-
-    def find(algorithm)
-      indexed[algorithm && algorithm.downcase]
-    end
-
-    private
-
-    def indexed
-      @indexed ||= begin
-        fallback = [Algos::Unsupported, nil]
-        ALGOS.each_with_object(Hash.new(fallback)) do |alg, hash|
-          alg.const_get(:SUPPORTED).each do |code|
-            hash[code.downcase] = [alg, code]
-          end
-        end
-      end
-    end
-  end
-end

data/lib/jwt/default_options.rb

@@ -1,16 +0,0 @@
-module JWT
-  module DefaultOptions
-    DEFAULT_OPTIONS = {
-      verify_expiration: true,
-      verify_not_before: true,
-      verify_iss: false,
-      verify_iat: false,
-      verify_jti: false,
-      verify_aud: false,
-      verify_sub: false,
-      leeway: 0,
-      algorithms: ['HS256'],
-      required_claims: []
-    }.freeze
-  end
-end

data/lib/jwt/security_utils.rb

@@ -1,57 +0,0 @@
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def secure_compare(left, right)
-      left_bytesize = left.bytesize
-
-      return false unless left_bytesize == right.bytesize
-
-      unpacked_left = left.unpack "C#{left_bytesize}"
-      result = 0
-      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
-      result.zero?
-    end
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-
-    def rbnacl_fixup(algorithm, key)
-      algorithm = algorithm.sub('HS', 'SHA').to_sym
-
-      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
-
-      authenticator = RbNaCl::HMAC.const_get(algorithm)
-
-      # Fall back to OpenSSL for keys larger than 32 bytes.
-      return [] if key.bytesize > authenticator.key_bytes
-
-      [
-        authenticator,
-        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
-      ]
-    end
-  end
-end

data/lib/jwt/signature.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/security_utils'
-require 'openssl'
-require 'jwt/algos'
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Signature
-    extend self
-    ToSign = Struct.new(:algorithm, :msg, :key)
-    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
-
-    def sign(algorithm, msg, key)
-      algo, code = Algos.find(algorithm)
-      algo.sign ToSign.new(code, msg, key)
-    end
-
-    def verify(algorithm, key, signing_input, signature)
-      return true if algorithm.casecmp('none').zero?
-
-      raise JWT::DecodeError, 'No verification key available' unless key
-
-      algo, code = Algos.find(algorithm)
-      verified = algo.verify(ToVerify.new(code, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
-    rescue OpenSSL::PKey::PKeyError
-      raise JWT::VerificationError, 'Signature verification raised'
-    ensure
-      OpenSSL.errors.clear
-    end
-  end
-end