RubyGems - jwt - Versions diffs - 2.8.2 → 2.9.0 - Mend

jwt 2.8.2 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -0
data/README.md +19 -11
data/lib/jwt/claims/audience.rb +20 -0
data/lib/jwt/claims/expiration.rb +22 -0
data/lib/jwt/claims/issued_at.rb +15 -0
data/lib/jwt/claims/issuer.rb +24 -0
data/lib/jwt/claims/jwt_id.rb +25 -0
data/lib/jwt/claims/not_before.rb +22 -0
data/lib/jwt/claims/numeric.rb +43 -0
data/lib/jwt/claims/required.rb +23 -0
data/lib/jwt/claims/subject.rb +20 -0
data/lib/jwt/claims.rb +38 -0
data/lib/jwt/decode.rb +2 -5
data/lib/jwt/encode.rb +3 -7
data/lib/jwt/jwa/ecdsa.rb +38 -25
data/lib/jwt/jwa/eddsa.rb +19 -27
data/lib/jwt/jwa/hmac.rb +22 -18
data/lib/jwt/jwa/hmac_rbnacl.rb +38 -43
data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +35 -39
data/lib/jwt/jwa/none.rb +7 -3
data/lib/jwt/jwa/ps.rb +20 -14
data/lib/jwt/jwa/rsa.rb +20 -9
data/lib/jwt/jwa/signing_algorithm.rb +59 -0
data/lib/jwt/jwa/unsupported.rb +8 -8
data/lib/jwt/jwa/wrapper.rb +26 -9
data/lib/jwt/jwa.rb +21 -38
data/lib/jwt/version.rb +2 -2
data/lib/jwt.rb +1 -0
metadata +18 -9
data/lib/jwt/claims_validator.rb +0 -37
data/lib/jwt/verify.rb +0 -117

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5fc1b13d678680a3d1b23e06cad091deb0f3ffff77783a99cd1d1f7231938563
-  data.tar.gz: f7d3f5294cb3b6ba57c2772a58c50ee2d55cf6412db6b707a38c74b381662777
+  metadata.gz: 0f3d3ea752a6b4dee8f1b020a3e0af95e003f74a8c40f730faab73b616fc9e98
+  data.tar.gz: 8dcdb470771f56931485824c32739bfcec1ce310b7096d6cd28c656d0f8c21fd
 SHA512:
-  metadata.gz: 5f4602ed313d982db0a2e469c2fc3b58aa0de226f85e332501628d9f7b59ed8a84e78691b57f14ddf153c4be028e9b3caa13d9b3231996c798e9e63f69f4d10a
-  data.tar.gz: a3ed20caccfe2c2979426b41a6e0bbeeabe67157643c4571836642f48ccf76ba8f58bb3270501eeefcbd53e1d027de1b558310a083360ca644157934ce3c06bf
+  metadata.gz: c68cccb66154a824751df6e7cd4d0b9d31372c0bada498097770feb8992ac3c7a462cd11eb759171d096e8d957b2a67b088fb35dc79fe7b4dd6eac6b25140d63
+  data.tar.gz: 03fe234584cce6458fb1a0f64cb399f81bc3c7aee40e25c011f0c27484ede3c6c6a6d950a9c5f3f13e4d66db5a76de98f2801942762df514097b2f663bf79247

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # Changelog
+## [v2.9.0](https://github.com/jwt/ruby-jwt/tree/v2.9.0) (NEXT)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.2...v2.9.0)
+**Features:**
+- Build and push gem using a GH action [#612](https://github.com/jwt/ruby-jwt/pull/612) ([@anakinj](https://github.com/anakinj))
+**Fixes and enhancements:**
+- Refactor claim validators into their own classes [#605](https://github.com/jwt/ruby-jwt/pull/605) ([@anakinj](https://github.com/anakinj), [@MatteoPierro](https://github.com/MatteoPierro))
+- Allow extending available algorithms [#607](https://github.com/jwt/ruby-jwt/pull/607) ([@anakinj](https://github.com/anakinj))
+- Do not include the EdDSA algorithm if rbnacl not available [#613](https://github.com/jwt/ruby-jwt/pull/613) ([@anakinj](https://github.com/anakinj))
 ## [v2.8.2](https://github.com/jwt/ruby-jwt/tree/v2.8.2) (2024-06-18)
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.1...v2.8.2)

data/README.md CHANGED Viewed

@@ -223,18 +223,22 @@ puts decoded_token
 ### **Custom algorithms**
-An object implementing custom signing or verification behaviour can be passed in the `algorithm` option when encoding and decoding. The given object needs to implement the method `valid_alg?` and `verify` and/or `alg` and `sign`, depending if object is used for encoding or decoding.
+When encoding or decoding a token, you can pass in a custom object through the `algorithm` option to handle signing or verification. This custom object must include or extend the `JWT::JWA::SigningAlgorithm` module and implement certain methods:
+- For decoding/verifying: The object must implement the methods `alg` and `verify`.
+- For encoding/signing: The object must implement the methods `alg` and `sign`.
+For customization options check the details from `JWT::JWA::SigningAlgorithm`.
 ```ruby
 module CustomHS512Algorithm
+  extend JWT::JWA::SigningAlgorithm
   def self.alg
     'HS512'
   end
-  def self.valid_alg?(alg_to_validate)
-    alg_to_validate == alg
-  end
   def self.sign(data:, signing_key:)
     OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), data, signing_key)
   end
@@ -690,21 +694,25 @@ jwk_hash = jwk.export
 thumbprint_as_the_kid = jwk_hash[:kid]
 ```
-# Development and Tests
+# Development and testing
-We depend on [Bundler](http://rubygems.org/gems/bundler) for defining gemspec and performing releases to rubygems.org, which can be done with
+The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
 ```bash
-rake release
+bundle install
+bundle exec appraisal rake test
 ```
-The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
+# Releasing
+To cut a new release adjust the [version.rb](lib/jwt/version.rb) and [CHANGELOG](CHANGELOG.md) with desired version numbers and dates and commit the changes. Tag the release with the version number using the following command:
 ```bash
-bundle install
-bundle exec appraisal rake test
+rake release:source_control_push
 ```
+This will tag a new version an trigger a [GitHub action](.github/workflows/push_gem.yml) that eventually will push the gem to rubygems.org.
 ## How to contribute
 See [CONTRIBUTING](CONTRIBUTING.md).

data/lib/jwt/claims/audience.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Audience
+      def initialize(expected_audience:)
+        @expected_audience = expected_audience
+      end
+      def verify!(context:, **_args)
+        aud = context.payload['aud']
+        raise JWT::InvalidAudError, "Invalid audience. Expected #{expected_audience}, received #{aud || '<none>'}" if ([*aud] & [*expected_audience]).empty?
+      end
+      private
+      attr_reader :expected_audience
+    end
+  end
+end

data/lib/jwt/claims/expiration.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Expiration
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('exp')
+        raise JWT::ExpiredSignature, 'Signature has expired' if context.payload['exp'].to_i <= (Time.now.to_i - leeway)
+      end
+      private
+      attr_reader :leeway
+    end
+  end
+end

data/lib/jwt/claims/issued_at.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class IssuedAt
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('iat')
+        iat = context.payload['iat']
+        raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(::Numeric) || iat.to_f > Time.now.to_f
+      end
+    end
+  end
+end

data/lib/jwt/claims/issuer.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Issuer
+      def initialize(issuers:)
+        @issuers = Array(issuers).map { |item| item.is_a?(Symbol) ? item.to_s : item }
+      end
+      def verify!(context:, **_args)
+        case (iss = context.payload['iss'])
+        when *issuers
+          nil
+        else
+          raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{issuers}, received #{iss || '<none>'}"
+        end
+      end
+      private
+      attr_reader :issuers
+    end
+  end
+end

data/lib/jwt/claims/jwt_id.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class JwtId
+      def initialize(validator:)
+        @validator = validator
+      end
+      def verify!(context:, **_args)
+        jti = context.payload['jti']
+        if validator.respond_to?(:call)
+          verified = validator.arity == 2 ? validator.call(jti, context.payload) : validator.call(jti)
+          raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+        elsif jti.to_s.strip.empty?
+          raise(JWT::InvalidJtiError, 'Missing jti')
+        end
+      end
+      private
+      attr_reader :validator
+    end
+  end
+end

data/lib/jwt/claims/not_before.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class NotBefore
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('nbf')
+        raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if context.payload['nbf'].to_i > (Time.now.to_i + leeway)
+      end
+      private
+      attr_reader :leeway
+    end
+  end
+end

data/lib/jwt/claims/numeric.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Numeric
+      def self.verify!(payload:, **_args)
+        return unless payload.is_a?(Hash)
+        new(payload).verify!
+      end
+      NUMERIC_CLAIMS = %i[
+        exp
+        iat
+        nbf
+      ].freeze
+      def initialize(payload)
+        @payload = payload.transform_keys(&:to_sym)
+      end
+      def verify!
+        validate_numeric_claims
+        true
+      end
+      private
+      def validate_numeric_claims
+        NUMERIC_CLAIMS.each do |claim|
+          validate_is_numeric(claim) if @payload.key?(claim)
+        end
+      end
+      def validate_is_numeric(claim)
+        return if @payload[claim].is_a?(::Numeric)
+        raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
+      end
+    end
+  end
+end

data/lib/jwt/claims/required.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Required
+      def initialize(required_claims:)
+        @required_claims = required_claims
+      end
+      def verify!(context:, **_args)
+        required_claims.each do |required_claim|
+          next if context.payload.is_a?(Hash) && context.payload.key?(required_claim)
+          raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}"
+        end
+      end
+      private
+      attr_reader :required_claims
+    end
+  end
+end

data/lib/jwt/claims/subject.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Subject
+      def initialize(expected_subject:)
+        @expected_subject = expected_subject.to_s
+      end
+      def verify!(context:, **_args)
+        sub = context.payload['sub']
+        raise(JWT::InvalidSubError, "Invalid subject. Expected #{expected_subject}, received #{sub || '<none>'}") unless sub.to_s == expected_subject
+      end
+      private
+      attr_reader :expected_subject
+    end
+  end
+end

data/lib/jwt/claims.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require_relative 'claims/audience'
+require_relative 'claims/expiration'
+require_relative 'claims/issued_at'
+require_relative 'claims/issuer'
+require_relative 'claims/jwt_id'
+require_relative 'claims/not_before'
+require_relative 'claims/numeric'
+require_relative 'claims/required'
+require_relative 'claims/subject'
+module JWT
+  module Claims
+    VerificationContext = Struct.new(:payload, keyword_init: true)
+    VERIFIERS = {
+      verify_expiration: ->(options) { Claims::Expiration.new(leeway: options[:exp_leeway] || options[:leeway]) },
+      verify_not_before: ->(options) { Claims::NotBefore.new(leeway: options[:nbf_leeway] || options[:leeway]) },
+      verify_iss: ->(options) { Claims::Issuer.new(issuers: options[:iss]) },
+      verify_iat: ->(*) { Claims::IssuedAt.new },
+      verify_jti: ->(options) { Claims::JwtId.new(validator: options[:verify_jti]) },
+      verify_aud: ->(options) { Claims::Audience.new(expected_audience: options[:aud]) },
+      verify_sub: ->(options) { options[:sub] && Claims::Subject.new(expected_subject: options[:sub]) },
+      required_claims: ->(options) { Claims::Required.new(required_claims: options[:required_claims]) }
+    }.freeze
+    class << self
+      def verify!(payload, options)
+        VERIFIERS.each do |key, verifier_builder|
+          next unless options[key]
+          verifier_builder&.call(options)&.verify!(context: VerificationContext.new(payload: payload))
+        end
+      end
+    end
+  end
+end

data/lib/jwt/decode.rb CHANGED Viewed

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 require 'json'
-require 'jwt/verify'
 require 'jwt/x5c_key_finder'
 # JWT::Decode module
@@ -92,7 +90,7 @@ module JWT
     end
     def resolve_allowed_algorithms
-      algs = given_algorithms.map { |alg| JWA.create(alg) }
+      algs = given_algorithms.map { |alg| JWA.resolve(alg) }
       sort_by_alg_header(algs)
     end
@@ -113,8 +111,7 @@ module JWT
     end
     def verify_claims
-      Verify.verify_claims(payload, @options)
-      Verify.verify_required_claims(payload, @options)
+      Claims.verify!(payload, @options)
     end
     def validate_segment_count!

data/lib/jwt/encode.rb CHANGED Viewed

@@ -1,20 +1,16 @@
 # frozen_string_literal: true
 require_relative 'jwa'
-require_relative 'claims_validator'
 # JWT::Encode module
 module JWT
   # Encoding logic for JWT
   class Encode
-    ALG_KEY = 'alg'
     def initialize(options)
       @payload          = options[:payload]
       @key              = options[:key]
-      @algorithm        = JWA.create(options[:algorithm])
+      @algorithm        = JWA.resolve(options[:algorithm])
       @headers          = options[:headers].transform_keys(&:to_s)
-      @headers[ALG_KEY] = @algorithm.alg
     end
     def segments
@@ -41,7 +37,7 @@ module JWT
     end
     def encode_header
-      encode_data(@headers)
+      encode_data(@headers.merge(@algorithm.header(signing_key: @key)))
     end
     def encode_payload
@@ -55,7 +51,7 @@ module JWT
     def validate_claims!
       return unless @payload.is_a?(Hash)
-      ClaimsValidator.new(@payload).validate!
+      Claims::Numeric.new(@payload).verify!
     end
     def encode_signature

data/lib/jwt/jwa/ecdsa.rb CHANGED Viewed

@@ -2,8 +2,35 @@
 module JWT
   module JWA
-    module Ecdsa
-      module_function
+    class Ecdsa
+      include JWT::JWA::SigningAlgorithm
+      def initialize(alg, digest)
+        @alg = alg
+        @digest = OpenSSL::Digest.new(digest)
+      end
+      def sign(data:, signing_key:)
+        curve_definition = curve_by_name(signing_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        if alg != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} signing key was provided"
+        end
+        asn1_to_raw(signing_key.dsa_sign_asn1(digest.digest(data)), signing_key)
+      end
+      def verify(data:, signature:, verification_key:)
+        curve_definition = curve_by_name(verification_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        if alg != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} verification key was provided"
+        end
+        verification_key.dsa_verify_asn1(digest.digest(data), raw_to_asn1(signature, verification_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
       NAMED_CURVES = {
         'prime256v1' => {
@@ -28,36 +55,22 @@ module JWT
         }
       }.freeze
-      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
+      NAMED_CURVES.each_value do |v|
+        register_algorithm(new(v[:algorithm], v[:digest]))
+      end
-      def sign(algorithm, msg, key)
-        curve_definition = curve_by_name(key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
+      def self.curve_by_name(name)
+        NAMED_CURVES.fetch(name) do
+          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
-      def verify(algorithm, public_key, signing_input, signature)
-        curve_definition = curve_by_name(public_key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
+      private
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
-      rescue OpenSSL::PKey::PKeyError
-        raise JWT::VerificationError, 'Signature verification raised'
-      end
+      attr_reader :digest
       def curve_by_name(name)
-        NAMED_CURVES.fetch(name) do
-          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
-        end
+        self.class.curve_by_name(name)
       end
       def raw_to_asn1(signature, private_key)

data/lib/jwt/jwa/eddsa.rb CHANGED Viewed

@@ -2,41 +2,33 @@
 module JWT
   module JWA
-    module Eddsa
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-      SUPPORTED_DOWNCASED = SUPPORTED.map(&:downcase).freeze
+    class Eddsa
+      include JWT::JWA::SigningAlgorithm
-      class << self
-        def sign(algorithm, msg, key)
-          unless key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-            raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-          end
-          validate_algorithm!(algorithm)
+      def initialize(alg)
+        @alg = alg
+      end
-          key.sign(msg)
+      def sign(data:, signing_key:)
+        unless signing_key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
+          raise_encode_error!("Key given is a #{signing_key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey")
         end
-        def verify(algorithm, public_key, signing_input, signature)
-          unless public_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-            raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey"
-          end
-          validate_algorithm!(algorithm)
+        signing_key.sign(data)
+      end
-          public_key.verify(signature, signing_input)
-        rescue RbNaCl::CryptoError
-          false
+      def verify(data:, signature:, verification_key:)
+        unless verification_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
+          raise_decode_error!("key given is a #{verification_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey")
         end
-        private
-        def validate_algorithm!(algorithm)
-          return if SUPPORTED_DOWNCASED.include?(algorithm.downcase)
-          raise IncorrectAlgorithm, "Algorithm #{algorithm} not supported. Supported algoritms are #{SUPPORTED.join(', ')}"
-        end
+        verification_key.verify(signature, data)
+      rescue RbNaCl::CryptoError
+        false
       end
+      register_algorithm(new('ED25519'))
+      register_algorithm(new('EdDSA'))
     end
   end
 end

data/lib/jwt/jwa/hmac.rb CHANGED Viewed

@@ -2,35 +2,39 @@
 module JWT
   module JWA
-    module Hmac
-      module_function
+    class Hmac
+      include JWT::JWA::SigningAlgorithm
-      MAPPING = {
-        'HS256' => OpenSSL::Digest::SHA256,
-        'HS384' => OpenSSL::Digest::SHA384,
-        'HS512' => OpenSSL::Digest::SHA512
-      }.freeze
-      SUPPORTED = MAPPING.keys
-      def sign(algorithm, msg, key)
-        key ||= ''
+      def initialize(alg, digest)
+        @alg = alg
+        @digest = digest
+      end
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+      def sign(data:, signing_key:)
+        signing_key ||= ''
+        raise_verify_error!('HMAC key expected to be a String') unless signing_key.is_a?(String)
-        OpenSSL::HMAC.digest(MAPPING[algorithm].new, key, msg)
+        OpenSSL::HMAC.digest(digest.new, signing_key, data)
       rescue OpenSSL::HMACError => e
-        if key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
-          raise JWT::DecodeError, 'OpenSSL 3.0 does not support nil or empty hmac_secret'
+        if signing_key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
+          raise_verify_error!('OpenSSL 3.0 does not support nil or empty hmac_secret')
         end
         raise e
       end
-      def verify(algorithm, key, signing_input, signature)
-        SecurityUtils.secure_compare(signature, sign(algorithm, signing_input, key))
+      def verify(data:, signature:, verification_key:)
+        SecurityUtils.secure_compare(signature, sign(data: data, signing_key: verification_key))
       end
+      register_algorithm(new('HS256', OpenSSL::Digest::SHA256))
+      register_algorithm(new('HS384', OpenSSL::Digest::SHA384))
+      register_algorithm(new('HS512', OpenSSL::Digest::SHA512))
+      private
+      attr_reader :digest
       # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
       # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
       module SecurityUtils