jwt 2.5.0 → 2.7.1

data/lib/jwt/jwk/set.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'forwardable'
+
+module JWT
+  module JWK
+    class Set
+      include Enumerable
+      extend Forwardable
+
+      attr_reader :keys
+
+      def initialize(jwks = nil, options = {}) # rubocop:disable Metrics/CyclomaticComplexity
+        jwks ||= {}
+
+        @keys = case jwks
+                when JWT::JWK::Set # Simple duplication
+                  jwks.keys
+                when JWT::JWK::KeyBase # Singleton
+                  [jwks]
+                when Hash
+                  jwks = jwks.transform_keys(&:to_sym)
+                  [*jwks[:keys]].map { |k| JWT::JWK.new(k, nil, options) }
+                when Array
+                  jwks.map { |k| JWT::JWK.new(k, nil, options) }
+                else
+                  raise ArgumentError, 'Can only create new JWKS from Hash, Array and JWK'
+        end
+      end
+
+      def export(options = {})
+        { keys: @keys.map { |k| k.export(options) } }
+      end
+
+      def_delegators :@keys, :each, :size, :delete, :dig
+
+      def select!(&block)
+        return @keys.select! unless block
+
+        self if @keys.select!(&block)
+      end
+
+      def reject!(&block)
+        return @keys.reject! unless block
+
+        self if @keys.reject!(&block)
+      end
+
+      def uniq!(&block)
+        self if @keys.uniq!(&block)
+      end
+
+      def merge(enum)
+        @keys += JWT::JWK::Set.new(enum.to_a).keys
+        self
+      end
+
+      def union(enum)
+        dup.merge(enum)
+      end
+
+      def add(key)
+        @keys << JWT::JWK.new(key)
+        self
+      end
+
+      def ==(other)
+        other.is_a?(JWT::JWK::Set) && keys.sort == other.keys.sort
+      end
+
+      alias eql? ==
+      alias filter! select!
+      alias length size
+      # For symbolic manipulation
+      alias | union
+      alias + union
+      alias << add
+    end
+  end
+end

data/lib/jwt/jwk.rb

@@ -1,23 +1,24 @@
 # frozen_string_literal: true
 
 require_relative 'jwk/key_finder'
+require_relative 'jwk/set'
 
 module JWT
   module JWK
     class << self
-      def import(jwk_data)
-        jwk_kty = jwk_data[:kty] || jwk_data['kty']
-        raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_kty
-
-        mappings.fetch(jwk_kty.to_s) do |kty|
-          raise JWT::JWKError, "Key type #{kty} not supported"
-        end.import(jwk_data)
-      end
+      def create_from(key, params = nil, options = {})
+        if key.is_a?(Hash)
+          jwk_kty = key[:kty] || key['kty']
+          raise JWT::JWKError, 'Key type (kty) not provided' unless jwk_kty
+
+          return mappings.fetch(jwk_kty.to_s) do |kty|
+            raise JWT::JWKError, "Key type #{kty} not supported"
+          end.new(key, params, options)
+        end
 
-      def create_from(keypair, kid = nil)
-        mappings.fetch(keypair.class) do |klass|
+        mappings.fetch(key.class) do |klass|
           raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
-        end.new(keypair, kid)
+        end.new(key, params, options)
       end
 
       def classes
@@ -26,6 +27,7 @@ module JWT
       end
 
       alias new create_from
+      alias import create_from
 
       private
 
@@ -50,3 +52,4 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
+require_relative 'jwk/okp_rbnacl' if ::JWT.rbnacl?

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 5
+    MINOR = 7
     # tiny version
-    TINY  = 0
+    TINY  = 1
     # alpha, beta, etc. tag
     PRE   = nil
 
@@ -25,4 +25,20 @@ module JWT
     return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
     return true if OpenSSL::OPENSSL_VERSION_NUMBER >= 3 * 0x10000000
   end
+
+  def self.rbnacl?
+    defined?(::RbNaCl)
+  end
+
+  def self.rbnacl_6_or_greater?
+    rbnacl? && ::Gem::Version.new(::RbNaCl::VERSION) >= ::Gem::Version.new('6.0.0')
+  end
+
+  def self.openssl_3_hmac_empty_key_regression?
+    openssl_3? && openssl_version <= ::Gem::Version.new('3.0.0')
+  end
+
+  def self.openssl_version
+    @openssl_version ||= ::Gem::Version.new(OpenSSL::VERSION)
+  end
 end

data/ruby-jwt.gemspec

@@ -18,18 +18,22 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.5'
   spec.metadata = {
     'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
-    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md",
+    'rubygems_mfa_required' => 'true'
   }
 
-  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(spec|gemfiles|coverage|bin)/}) || # Irrelevant folders
+      f.match(/^\.+/) || # Files and folders starting with .
+      f.match(/^(Appraisals|Gemfile|Rakefile)$/) # Irrelevant files
+  end
+
   spec.executables = []
-  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = %w[lib]
 
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'reek'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'simplecov'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.7.1
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-25 00:00:00.000000000 Z
+date: 2023-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -52,20 +52,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: reek
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -101,28 +87,20 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".codeclimate.yml"
-- ".github/workflows/coverage.yml"
-- ".github/workflows/test.yml"
-- ".gitignore"
-- ".reek.yml"
-- ".rspec"
-- ".rubocop.yml"
-- ".sourcelevel.yml"
 - AUTHORS
-- Appraisals
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
-- Gemfile
 - LICENSE
 - README.md
-- Rakefile
 - lib/jwt.rb
 - lib/jwt/algos.rb
+- lib/jwt/algos/algo_wrapper.rb
 - lib/jwt/algos/ecdsa.rb
 - lib/jwt/algos/eddsa.rb
 - lib/jwt/algos/hmac.rb
+- lib/jwt/algos/hmac_rbnacl.rb
+- lib/jwt/algos/hmac_rbnacl_fixed.rb
 - lib/jwt/algos/none.rb
 - lib/jwt/algos/ps.rb
 - lib/jwt/algos/rsa.rb
@@ -143,10 +121,10 @@ files:
 - lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
 - lib/jwt/jwk/kid_as_key_digest.rb
+- lib/jwt/jwk/okp_rbnacl.rb
 - lib/jwt/jwk/rsa.rb
+- lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
-- lib/jwt/security_utils.rb
-- lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
@@ -156,7 +134,8 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.5.0/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.7.1/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -172,7 +151,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.21
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby

data/.codeclimate.yml

@@ -1,8 +0,0 @@
-plugins:
-  fixme:
-    enabled: true
-  shellcheck:
-    enabled: true
-  rubocop:
-    enabled: true
-    channel: rubocop-1-23-0

data/.github/workflows/coverage.yml

@@ -1,27 +0,0 @@
----
-name: coverage
-on:
-  push:
-    branches:
-      - "master"
-jobs:
- coverage:
-    name: coverage
-    runs-on: ubuntu-20.04
-    env:
-      BUNDLE_GEMFILE: 'gemfiles/rbnacl.gemfile'
-      CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
-    steps:
-      - uses: actions/checkout@v2
-      - name: Install libsodium
-        run: |
-          sudo apt-get update -q
-          sudo apt-get install libsodium-dev -y
-      - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: "2.7"
-          bundler-cache: true
-      - uses: paambaati/codeclimate-action@v3.0.0
-        with:
-          coverageCommand: bundle exec rspec

data/.github/workflows/test.yml

@@ -1,67 +0,0 @@
----
-name: test
-on:
-  push:
-    branches:
-      - "*"
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  lint:
-    name: RuboCop
-    timeout-minutes: 30
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: "3.0"
-        bundler-cache: true
-    - name: Run RuboCop
-      run: bundle exec rubocop
-  test:
-    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - ubuntu-20.04
-        ruby:
-          - "2.5"
-          - "2.6"
-          - "2.7"
-          - "3.0"
-          - "3.1"
-        gemfile:
-          - gemfiles/standalone.gemfile
-          - gemfiles/openssl.gemfile
-          - gemfiles/rbnacl.gemfile
-        experimental: [false]
-        include:
-          - { os: ubuntu-20.04, ruby: "2.7", gemfile: 'gemfiles/rbnacl.gemfile', experimental: false }
-          - { os: ubuntu-22.04, ruby: "3.1", experimental: false }
-          - { os: ubuntu-20.04, ruby: "truffleruby-head", experimental: true }
-          - { os: ubuntu-22.04, ruby: "head", experimental: true }
-    continue-on-error: ${{ matrix.experimental }}
-    env:
-      BUNDLE_GEMFILE: ${{ matrix.gemfile }}
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - name: Install libsodium
-      run: |
-        sudo apt-get update -q
-        sudo apt-get install libsodium-dev -y
-
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby }}
-        bundler-cache: true
-
-    - name: Run tests
-      run: bundle exec rspec

data/.gitignore

@@ -1,13 +0,0 @@
-.idea/
-jwt.gemspec
-pkg
-Gemfile.lock
-coverage/
-.DS_Store
-.rbenv-gemsets
-.ruby-version
-.vscode/
-.bundle
-*gemfile.lock
-.byebug_history
-*.gem

data/.reek.yml

@@ -1,22 +0,0 @@
----
-detectors:
-  TooManyStatements:
-    max_statements: 10
-  UtilityFunction:
-    enabled: false
-  LongParameterList:
-    enabled: false
-  DuplicateMethodCall:
-    max_calls: 2
-  IrresponsibleModule:
-    enabled: false
-  NestedIterators:
-    max_allowed_nesting: 2
-  UnusedParameters:
-    enabled: false
-  FeatureEnvy:
-    enabled: false
-  ControlParameter:
-    enabled: false
-  UnusedPrivateMethod:
-    enabled: false

data/.rspec

@@ -1,2 +0,0 @@
---require spec_helper
---color

data/.rubocop.yml

@@ -1,67 +0,0 @@
-AllCops:
-  TargetRubyVersion: 2.5
-  NewCops: enable
-  SuggestExtensions: false
-  Exclude:
-    - 'gemfiles/*.gemfile'
-    - 'vendor/**/*'
-
-Style/Documentation:
-  Enabled: false
-
-Style/BlockDelimiters:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Style/GuardClause:
-  Enabled: false
-
-Style/IfUnlessModifier:
-  Enabled: false
-
-Style/Lambda:
-  Enabled: false
-
-Style/RaiseArgs:
-  Enabled: false
-
-Metrics/AbcSize:
-  Max: 25
-
-Metrics/ClassLength:
-  Max: 112
-
-Metrics/ModuleLength:
-  Max: 100
-
-Metrics/MethodLength:
-  Max: 20
-
-Metrics/BlockLength:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Layout/LineLength:
-  Enabled: false
-
-Layout/EndAlignment:
-  EnforcedStyleAlignWith: variable
-
-Layout/EmptyLineBetweenDefs:
-  Enabled: true
-  AllowAdjacentOneLineDefs: true
-
-Style/FormatString:
-  Enabled: false
-
-Layout/MultilineMethodCallIndentation:
-  EnforcedStyle: indented
-
-Layout/MultilineOperationIndentation:
-  EnforcedStyle: indented
-
-Style/WordArray:
-  Enabled: false
-
-Gemspec/RequireMFA:
-  Enabled: false

data/.sourcelevel.yml

@@ -1,17 +0,0 @@
-engines:
-  reek:
-    enabled: true
-  fixme:
-    enabled: true
-  rubocop:
-    enabled: true
-    channel: latest
-  duplication:
-    config:
-      languages:
-      - ruby
-    enabled: true
-  remark-lint:
-    enabled: false
-exclude_paths:
-  - spec

data/Appraisals

@@ -1,13 +0,0 @@
-# frozen_string_literal: true
-
-appraise 'standalone' do
-  # No additions
-end
-
-appraise 'openssl' do
-  gem 'openssl', '~> 2.1'
-end
-
-appraise 'rbnacl' do
-  gem 'rbnacl'
-end

data/Gemfile

@@ -1,7 +0,0 @@
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
-
-gemspec
-
-gem 'rubocop', '~> 1.23.0' # Keep .codeclimate.yml channel in sync with this one

data/Rakefile

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-require 'bundler/setup'
-require 'bundler/gem_tasks'
-
-begin
-  require 'rspec/core/rake_task'
-  require 'rubocop/rake_task'
-
-  RSpec::Core::RakeTask.new(:test)
-  RuboCop::RakeTask.new(:rubocop)
-
-  task default: %i[rubocop test]
-rescue LoadError
-  puts 'RSpec rake tasks not available. Please run "bundle install" to install missing dependencies.'
-end

data/lib/jwt/security_utils.rb

@@ -1,59 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  # Collection of security methods
-  #
-  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
-  module SecurityUtils
-    module_function
-
-    def secure_compare(left, right)
-      left_bytesize = left.bytesize
-
-      return false unless left_bytesize == right.bytesize
-
-      unpacked_left = left.unpack "C#{left_bytesize}"
-      result = 0
-      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
-      result.zero?
-    end
-
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
-    def verify_ps(algorithm, public_key, signing_input, signature)
-      formatted_algorithm = algorithm.sub('PS', 'sha')
-
-      public_key.verify_pss(formatted_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: formatted_algorithm)
-    end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      sig_bytes = signature[0..(byte_size - 1)]
-      sig_char = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-
-    def rbnacl_fixup(algorithm, key)
-      algorithm = algorithm.sub('HS', 'SHA').to_sym
-
-      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
-
-      authenticator = RbNaCl::HMAC.const_get(algorithm)
-
-      # Fall back to OpenSSL for keys larger than 32 bytes.
-      return [] if key.bytesize > authenticator.key_bytes
-
-      [
-        authenticator,
-        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
-      ]
-    end
-  end
-end

data/lib/jwt/signature.rb

@@ -1,35 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/security_utils'
-require 'openssl'
-require 'jwt/algos'
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-# JWT::Signature module
-module JWT
-  # Signature logic for JWT
-  module Signature
-    module_function
-
-    ToSign = Struct.new(:algorithm, :msg, :key)
-    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
-
-    def sign(algorithm, msg, key)
-      algo, code = Algos.find(algorithm)
-      algo.sign ToSign.new(code, msg, key)
-    end
-
-    def verify(algorithm, key, signing_input, signature)
-      algo, code = Algos.find(algorithm)
-      algo.verify(ToVerify.new(code, key, signing_input, signature))
-    rescue OpenSSL::PKey::PKeyError
-      raise JWT::VerificationError, 'Signature verification raised'
-    ensure
-      OpenSSL.errors.clear
-    end
-  end
-end