RubyGems - jwt - Versions diffs - 2.3.0 → 2.4.0.beta1 - Mend

jwt 2.3.0 → 2.4.0.beta1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

checksums.yaml +4 -4
data/.codeclimate.yml +8 -0
data/.github/workflows/coverage.yml +27 -0
data/.github/workflows/test.yml +2 -10
data/.gitignore +2 -0
data/.rubocop.yml +12 -28
data/.rubocop_todo.yml +9 -172
data/AUTHORS +60 -53
data/Appraisals +3 -0
data/CHANGELOG.md +48 -0
data/CODE_OF_CONDUCT.md +84 -0
data/Gemfile +3 -1
data/README.md +59 -8
data/Rakefile +2 -0
data/lib/jwt/algos/ecdsa.rb +23 -5
data/lib/jwt/algos/eddsa.rb +3 -0
data/lib/jwt/algos/hmac.rb +2 -0
data/lib/jwt/algos/none.rb +2 -0
data/lib/jwt/algos/ps.rb +3 -3
data/lib/jwt/algos/rsa.rb +4 -1
data/lib/jwt/algos/unsupported.rb +2 -0
data/lib/jwt/claims_validator.rb +3 -1
data/lib/jwt/decode.rb +43 -9
data/lib/jwt/default_options.rb +2 -0
data/lib/jwt/encode.rb +6 -6
data/lib/jwt/error.rb +1 -0
data/lib/jwt/jwk/ec.rb +5 -5
data/lib/jwt/jwk/hmac.rb +1 -1
data/lib/jwt/jwk/key_base.rb +1 -0
data/lib/jwt/jwk/rsa.rb +4 -3
data/lib/jwt/jwk.rb +1 -0
data/lib/jwt/security_utils.rb +2 -0
data/lib/jwt/signature.rb +3 -7
data/lib/jwt/verify.rb +10 -2
data/lib/jwt/version.rb +2 -3
data/lib/jwt/x5c_key_finder.rb +55 -0
data/lib/jwt.rb +1 -1
data/ruby-jwt.gemspec +4 -2
metadata +10 -7
data/lib/jwt/base64.rb +0 -19

data/lib/jwt/signature.rb CHANGED Viewed

@@ -13,7 +13,8 @@ end
 module JWT
   # Signature logic for JWT
   module Signature
-    extend self
+    module_function
     ToSign = Struct.new(:algorithm, :msg, :key)
     ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
@@ -23,13 +24,8 @@ module JWT
     end
     def verify(algorithm, key, signing_input, signature)
-      return true if algorithm.casecmp('none').zero?
-      raise JWT::DecodeError, 'No verification key available' unless key
       algo, code = Algos.find(algorithm)
-      verified = algo.verify(ToVerify.new(code, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+      algo.verify(ToVerify.new(code, key, signing_input, signature))
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'
     ensure

data/lib/jwt/verify.rb CHANGED Viewed

@@ -19,6 +19,7 @@ module JWT
       def verify_claims(payload, options)
         options.each do |key, val|
           next unless key.to_s =~ /verify/
           Verify.send(key, payload, options) if val
         end
       end
@@ -53,9 +54,14 @@ module JWT
       iss = @payload['iss']
-      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
-      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      case iss
+      when *options_iss
+        nil
+      else
+        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      end
     end
     def verify_jti
@@ -77,12 +83,14 @@ module JWT
     def verify_sub
       return unless (options_sub = @options[:sub])
       sub = @payload['sub']
       raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
     def verify_required_claims
       return unless (options_required_claims = @options[:required_claims])
       options_required_claims.each do |required_claim|
         raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
       end

data/lib/jwt/version.rb CHANGED Viewed

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # frozen_string_literal: true
 # Moments version builder module
@@ -12,11 +11,11 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 3
+    MINOR = 4
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag
-    PRE   = nil
+    PRE   = 'beta1'
     # Build version string
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/lib/jwt/x5c_key_finder.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+require 'base64'
+require 'jwt/error'
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+      @store = build_store(root_certificates, crls)
+    end
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+        raise(JWT::VerificationError, error)
+      end
+    end
+    private
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::Base64.strict_decode64(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require 'jwt/base64'
+require 'base64'
 require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/default_options'

data/ruby-jwt.gemspec CHANGED Viewed

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
@@ -13,7 +15,7 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '>= 2.1'
+  spec.required_ruby_version = '>= 2.5'
   spec.metadata = {
     'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
     'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.4.0.beta1
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-03 00:00:00.000000000 Z
+date: 2022-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -87,6 +87,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".codeclimate.yml"
+- ".github/workflows/coverage.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
 - ".rspec"
@@ -96,6 +98,7 @@ files:
 - AUTHORS
 - Appraisals
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE
 - README.md
@@ -109,7 +112,6 @@ files:
 - lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
 - lib/jwt/algos/unsupported.rb
-- lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
 - lib/jwt/decode.rb
 - lib/jwt/default_options.rb
@@ -126,13 +128,14 @@ files:
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
+- lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.3.0/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.4.0.beta1/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -141,12 +144,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.2.19
 signing_key:

data/lib/jwt/base64.rb DELETED Viewed

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-require 'base64'
-module JWT
-  # Base64 helpers
-  class Base64
-    class << self
-      def url_encode(str)
-        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
-      end
-      def url_decode(str)
-        str += '=' * (4 - str.length.modulo(4))
-        ::Base64.decode64(str.tr('-_', '+/'))
-      end
-    end
-  end
-end