RubyGems - jwt - Versions diffs - 2.3.0 → 2.4.1 - Mend

jwt 2.3.0 → 2.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml +4 -4
data/.codeclimate.yml +8 -0
data/.github/workflows/coverage.yml +27 -0
data/.github/workflows/test.yml +2 -10
data/.gitignore +2 -0
data/.reek.yml +22 -0
data/.rubocop.yml +17 -47
data/.sourcelevel.yml +3 -4
data/AUTHORS +60 -53
data/Appraisals +3 -0
data/CHANGELOG.md +28 -0
data/CODE_OF_CONDUCT.md +84 -0
data/CONTRIBUTING.md +99 -0
data/Gemfile +3 -1
data/README.md +68 -27
data/Rakefile +2 -0
data/lib/jwt/algos/ecdsa.rb +37 -8
data/lib/jwt/algos/eddsa.rb +3 -0
data/lib/jwt/algos/hmac.rb +2 -0
data/lib/jwt/algos/none.rb +2 -0
data/lib/jwt/algos/ps.rb +3 -3
data/lib/jwt/algos/rsa.rb +4 -1
data/lib/jwt/algos/unsupported.rb +2 -0
data/lib/jwt/claims_validator.rb +3 -1
data/lib/jwt/decode.rb +45 -9
data/lib/jwt/default_options.rb +2 -0
data/lib/jwt/encode.rb +6 -6
data/lib/jwt/error.rb +1 -0
data/lib/jwt/jwk/ec.rb +9 -5
data/lib/jwt/jwk/hmac.rb +2 -2
data/lib/jwt/jwk/key_base.rb +1 -0
data/lib/jwt/jwk/rsa.rb +5 -4
data/lib/jwt/jwk.rb +1 -0
data/lib/jwt/security_utils.rb +2 -0
data/lib/jwt/signature.rb +3 -7
data/lib/jwt/verify.rb +10 -2
data/lib/jwt/version.rb +2 -3
data/lib/jwt/x5c_key_finder.rb +55 -0
data/lib/jwt.rb +2 -2
data/ruby-jwt.gemspec +6 -3
metadata +25 -7
data/.rubocop_todo.yml +0 -185
data/lib/jwt/base64.rb +0 -19

data/lib/jwt/signature.rb CHANGED Viewed

@@ -13,7 +13,8 @@ end
 module JWT
   # Signature logic for JWT
   module Signature
-    extend self
+    module_function
     ToSign = Struct.new(:algorithm, :msg, :key)
     ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
@@ -23,13 +24,8 @@ module JWT
     end
     def verify(algorithm, key, signing_input, signature)
-      return true if algorithm.casecmp('none').zero?
-      raise JWT::DecodeError, 'No verification key available' unless key
       algo, code = Algos.find(algorithm)
-      verified = algo.verify(ToVerify.new(code, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+      algo.verify(ToVerify.new(code, key, signing_input, signature))
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'
     ensure

data/lib/jwt/verify.rb CHANGED Viewed

@@ -19,6 +19,7 @@ module JWT
       def verify_claims(payload, options)
         options.each do |key, val|
           next unless key.to_s =~ /verify/
           Verify.send(key, payload, options) if val
         end
       end
@@ -53,9 +54,14 @@ module JWT
       iss = @payload['iss']
-      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
-      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      case iss
+      when *options_iss
+        nil
+      else
+        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      end
     end
     def verify_jti
@@ -77,12 +83,14 @@ module JWT
     def verify_sub
       return unless (options_sub = @options[:sub])
       sub = @payload['sub']
       raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
     def verify_required_claims
       return unless (options_required_claims = @options[:required_claims])
       options_required_claims.each do |required_claim|
         raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
       end

data/lib/jwt/version.rb CHANGED Viewed

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # frozen_string_literal: true
 # Moments version builder module
@@ -12,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 3
+    MINOR = 4
     # tiny version
-    TINY  = 0
+    TINY  = 1
     # alpha, beta, etc. tag
     PRE   = nil

data/lib/jwt/x5c_key_finder.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+require 'base64'
+require 'jwt/error'
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+      @store = build_store(root_certificates, crls)
+    end
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+        raise(JWT::VerificationError, error)
+      end
+    end
+    private
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::Base64.strict_decode64(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-require 'jwt/base64'
+require 'base64'
 require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/default_options'
@@ -24,7 +24,7 @@ module JWT
                headers: header_fields).segments
   end
-  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
     Decode.new(jwt, key, verify, DEFAULT_OPTIONS.merge(options), &keyfinder).decode_segments
   end
 end

data/ruby-jwt.gemspec CHANGED Viewed

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
@@ -13,10 +15,10 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '>= 2.1'
+  spec.required_ruby_version = '>= 2.5'
   spec.metadata = {
     'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
-    'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
   }
   spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
@@ -27,6 +29,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'reek'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.4.1
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-03 00:00:00.000000000 Z
+date: 2022-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: reek
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -87,15 +101,19 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".codeclimate.yml"
+- ".github/workflows/coverage.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
+- ".reek.yml"
 - ".rspec"
 - ".rubocop.yml"
-- ".rubocop_todo.yml"
 - ".sourcelevel.yml"
 - AUTHORS
 - Appraisals
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - LICENSE
 - README.md
@@ -109,7 +127,6 @@ files:
 - lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
 - lib/jwt/algos/unsupported.rb
-- lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
 - lib/jwt/decode.rb
 - lib/jwt/default_options.rb
@@ -126,13 +143,14 @@ files:
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
+- lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.3.0/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.4.1/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -141,14 +159,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.19
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby

data/.rubocop_todo.yml DELETED Viewed

@@ -1,185 +0,0 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2020-12-21 23:11:43 +0200 using RuboCop version 0.52.1.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: Include, TreatCommentsAsGroupSeparators.
-# Include: **/*.gemspec
-Gemspec/OrderedDependencies:
-  Exclude:
-    - 'ruby-jwt.gemspec'
-# Offense count: 1
-# Cop supports --auto-correct.
-Layout/EmptyLines:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: empty_lines, no_empty_lines
-Layout/EmptyLinesAroundBlockBody:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: AllowForAlignment, ForceEqualSignAlignment.
-Layout/ExtraSpacing:
-  Exclude:
-    - 'spec/jwk_spec.rb'
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: normal, rails
-Layout/IndentationConsistency:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: Width, IgnoredPatterns.
-Layout/IndentationWidth:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 3
-# Cop supports --auto-correct.
-Layout/SpaceAfterComma:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces.
-# SupportedStyles: space, no_space
-# SupportedStylesForEmptyBraces: space, no_space
-Layout/SpaceBeforeBlockBraces:
-  Exclude:
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwt/verify_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
-# SupportedStyles: space, no_space
-# SupportedStylesForEmptyBraces: space, no_space
-Layout/SpaceInsideBlockBraces:
-  Exclude:
-    - 'spec/jwt/verify_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: final_newline, final_blank_line
-Layout/TrailingBlankLines:
-  Exclude:
-    - 'bin/console.rb'
-# Offense count: 3
-# Cop supports --auto-correct.
-# Configuration parameters: IgnoreEmptyBlocks, AllowUnusedKeywordArguments.
-Lint/UnusedBlockArgument:
-  Exclude:
-    - 'spec/jwk/decode_with_jwk_spec.rb'
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwt/verify_spec.rb'
-# Offense count: 2
-Metrics/CyclomaticComplexity:
-  Max: 7
-# Offense count: 1
-Metrics/PerceivedComplexity:
-  Max: 8
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: MaxKeyValuePairs.
-Performance/RedundantMerge:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/Encoding:
-  Exclude:
-    - 'lib/jwt/version.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: InverseMethods, InverseBlocks.
-Style/InverseMethods:
-  Exclude:
-    - 'spec/jwk/ec_spec.rb'
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/MethodCallWithoutArgsParentheses:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 2
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: module_function, extend_self
-Style/ModuleFunction:
-  Exclude:
-    - 'lib/jwt/algos.rb'
-    - 'lib/jwt/signature.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/MutableConstant:
-  Exclude:
-    - 'lib/jwt/version.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: Strict.
-Style/NumericLiterals:
-  MinDigits: 6
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/ParallelAssignment:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-# Offense count: 11
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
-# SupportedStyles: single_quotes, double_quotes
-Style/StringLiterals:
-  Exclude:
-    - 'bin/console.rb'
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwk/rsa_spec.rb'
-    - 'spec/jwk_spec.rb'
-    - 'spec/jwt_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyleForMultiline.
-# SupportedStylesForMultiline: comma, consistent_comma, no_comma
-Style/TrailingCommaInArguments:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/UnlessElse:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-# Offense count: 162
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
-# URISchemes: http, https
-Metrics/LineLength:
-  Max: 420

data/lib/jwt/base64.rb DELETED Viewed

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-require 'base64'
-module JWT
-  # Base64 helpers
-  class Base64
-    class << self
-      def url_encode(str)
-        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
-      end
-      def url_decode(str)
-        str += '=' * (4 - str.length.modulo(4))
-        ::Base64.decode64(str.tr('-_', '+/'))
-      end
-    end
-  end
-end