jwt 2.3.0 → 2.5.0

data/lib/jwt/signature.rb

@@ -13,7 +13,8 @@ end
 module JWT
   # Signature logic for JWT
   module Signature
-    extend self
+    module_function
+
     ToSign = Struct.new(:algorithm, :msg, :key)
     ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
 
@@ -23,13 +24,8 @@ module JWT
     end
 
     def verify(algorithm, key, signing_input, signature)
-      return true if algorithm.casecmp('none').zero?
-
-      raise JWT::DecodeError, 'No verification key available' unless key
-
       algo, code = Algos.find(algorithm)
-      verified = algo.verify(ToVerify.new(code, key, signing_input, signature))
-      raise(JWT::VerificationError, 'Signature verification raised') unless verified
+      algo.verify(ToVerify.new(code, key, signing_input, signature))
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'
     ensure

data/lib/jwt/verify.rb

@@ -19,6 +19,7 @@ module JWT
       def verify_claims(payload, options)
         options.each do |key, val|
           next unless key.to_s =~ /verify/
+
           Verify.send(key, payload, options) if val
         end
       end
@@ -53,9 +54,14 @@ module JWT
 
       iss = @payload['iss']
 
-      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
 
-      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      case iss
+      when *options_iss
+        nil
+      else
+        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
+      end
     end
 
     def verify_jti
@@ -77,12 +83,14 @@ module JWT
 
     def verify_sub
       return unless (options_sub = @options[:sub])
+
       sub = @payload['sub']
       raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
 
     def verify_required_claims
       return unless (options_required_claims = @options[:required_claims])
+
       options_required_claims.each do |required_claim|
         raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
       end

data/lib/jwt/version.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 # frozen_string_literal: true
 
 # Moments version builder module
@@ -12,7 +11,7 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 3
+    MINOR = 5
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag
@@ -21,4 +20,9 @@ module JWT
     # Build version string
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
+
+  def self.openssl_3?
+    return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
+    return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
+  end
 end

data/lib/jwt/x5c_key_finder.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'jwt/error'
+
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+
+      @store = build_store(root_certificates, crls)
+    end
+
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+
+        raise(JWT::VerificationError, error)
+      end
+    end
+
+    private
+
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::JWT::Base64.url_decode(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
+require 'jwt/version'
 require 'jwt/base64'
 require 'jwt/json'
 require 'jwt/decode'
-require 'jwt/default_options'
+require 'jwt/configuration'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
@@ -13,7 +14,7 @@ require 'jwt/jwk'
 # Should be up to date with the latest spec:
 # https://tools.ietf.org/html/rfc7519
 module JWT
-  include JWT::DefaultOptions
+  extend ::JWT::Configuration
 
   module_function
 
@@ -24,7 +25,7 @@ module JWT
                headers: header_fields).segments
   end
 
-  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
-    Decode.new(jwt, key, verify, DEFAULT_OPTIONS.merge(options), &keyfinder).decode_segments
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
+    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
   end
 end

data/ruby-jwt.gemspec

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
 
@@ -13,10 +15,10 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '>= 2.1'
+  spec.required_ruby_version = '>= 2.5'
   spec.metadata = {
     'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
-    'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
   }
 
   spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
@@ -27,6 +29,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'reek'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.5.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-03 00:00:00.000000000 Z
+date: 2022-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: reek
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -87,15 +101,19 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".codeclimate.yml"
+- ".github/workflows/coverage.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
+- ".reek.yml"
 - ".rspec"
 - ".rubocop.yml"
-- ".rubocop_todo.yml"
 - ".sourcelevel.yml"
 - AUTHORS
 - Appraisals
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - Gemfile
 - LICENSE
 - README.md
@@ -111,8 +129,11 @@ files:
 - lib/jwt/algos/unsupported.rb
 - lib/jwt/base64.rb
 - lib/jwt/claims_validator.rb
+- lib/jwt/configuration.rb
+- lib/jwt/configuration/container.rb
+- lib/jwt/configuration/decode_configuration.rb
+- lib/jwt/configuration/jwk_configuration.rb
 - lib/jwt/decode.rb
-- lib/jwt/default_options.rb
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
@@ -121,18 +142,21 @@ files:
 - lib/jwt/jwk/hmac.rb
 - lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
+- lib/jwt/jwk/kid_as_key_digest.rb
 - lib/jwt/jwk/rsa.rb
+- lib/jwt/jwk/thumbprint.rb
 - lib/jwt/security_utils.rb
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
+- lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.3.0/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.5.0/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -141,14 +165,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.19
+rubygems_version: 3.3.21
 signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby

data/.rubocop_todo.yml

@@ -1,185 +0,0 @@
-# This configuration was generated by
-# `rubocop --auto-gen-config`
-# on 2020-12-21 23:11:43 +0200 using RuboCop version 0.52.1.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: Include, TreatCommentsAsGroupSeparators.
-# Include: **/*.gemspec
-Gemspec/OrderedDependencies:
-  Exclude:
-    - 'ruby-jwt.gemspec'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Layout/EmptyLines:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: empty_lines, no_empty_lines
-Layout/EmptyLinesAroundBlockBody:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: AllowForAlignment, ForceEqualSignAlignment.
-Layout/ExtraSpacing:
-  Exclude:
-    - 'spec/jwk_spec.rb'
-
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: normal, rails
-Layout/IndentationConsistency:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: Width, IgnoredPatterns.
-Layout/IndentationWidth:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 3
-# Cop supports --auto-correct.
-Layout/SpaceAfterComma:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 2
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces.
-# SupportedStyles: space, no_space
-# SupportedStylesForEmptyBraces: space, no_space
-Layout/SpaceBeforeBlockBraces:
-  Exclude:
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwt/verify_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
-# SupportedStyles: space, no_space
-# SupportedStylesForEmptyBraces: space, no_space
-Layout/SpaceInsideBlockBraces:
-  Exclude:
-    - 'spec/jwt/verify_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: final_newline, final_blank_line
-Layout/TrailingBlankLines:
-  Exclude:
-    - 'bin/console.rb'
-
-# Offense count: 3
-# Cop supports --auto-correct.
-# Configuration parameters: IgnoreEmptyBlocks, AllowUnusedKeywordArguments.
-Lint/UnusedBlockArgument:
-  Exclude:
-    - 'spec/jwk/decode_with_jwk_spec.rb'
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwt/verify_spec.rb'
-
-# Offense count: 2
-Metrics/CyclomaticComplexity:
-  Max: 7
-
-# Offense count: 1
-Metrics/PerceivedComplexity:
-  Max: 8
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: MaxKeyValuePairs.
-Performance/RedundantMerge:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/Encoding:
-  Exclude:
-    - 'lib/jwt/version.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: InverseMethods, InverseBlocks.
-Style/InverseMethods:
-  Exclude:
-    - 'spec/jwk/ec_spec.rb'
-
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/MethodCallWithoutArgsParentheses:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 2
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: module_function, extend_self
-Style/ModuleFunction:
-  Exclude:
-    - 'lib/jwt/algos.rb'
-    - 'lib/jwt/signature.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/MutableConstant:
-  Exclude:
-    - 'lib/jwt/version.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: Strict.
-Style/NumericLiterals:
-  MinDigits: 6
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/ParallelAssignment:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-
-# Offense count: 11
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
-# SupportedStyles: single_quotes, double_quotes
-Style/StringLiterals:
-  Exclude:
-    - 'bin/console.rb'
-    - 'spec/jwk/ec_spec.rb'
-    - 'spec/jwk/rsa_spec.rb'
-    - 'spec/jwk_spec.rb'
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyleForMultiline.
-# SupportedStylesForMultiline: comma, consistent_comma, no_comma
-Style/TrailingCommaInArguments:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/UnlessElse:
-  Exclude:
-    - 'spec/jwt_spec.rb'
-
-# Offense count: 162
-# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
-# URISchemes: http, https
-Metrics/LineLength:
-  Max: 420

data/lib/jwt/default_options.rb

@@ -1,16 +0,0 @@
-module JWT
-  module DefaultOptions
-    DEFAULT_OPTIONS = {
-      verify_expiration: true,
-      verify_not_before: true,
-      verify_iss: false,
-      verify_iat: false,
-      verify_jti: false,
-      verify_aud: false,
-      verify_sub: false,
-      leeway: 0,
-      algorithms: ['HS256'],
-      required_claims: []
-    }.freeze
-  end
-end