RubyGems - jwt - Versions diffs - 2.8.2 → 2.9.0 - Mend

jwt 2.8.2 → 2.9.0

Files changed (32) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +14 -0
data/README.md +19 -11
data/lib/jwt/claims/audience.rb +20 -0
data/lib/jwt/claims/expiration.rb +22 -0
data/lib/jwt/claims/issued_at.rb +15 -0
data/lib/jwt/claims/issuer.rb +24 -0
data/lib/jwt/claims/jwt_id.rb +25 -0
data/lib/jwt/claims/not_before.rb +22 -0
data/lib/jwt/claims/numeric.rb +43 -0
data/lib/jwt/claims/required.rb +23 -0
data/lib/jwt/claims/subject.rb +20 -0
data/lib/jwt/claims.rb +38 -0
data/lib/jwt/decode.rb +2 -5
data/lib/jwt/encode.rb +3 -7
data/lib/jwt/jwa/ecdsa.rb +38 -25
data/lib/jwt/jwa/eddsa.rb +19 -27
data/lib/jwt/jwa/hmac.rb +22 -18
data/lib/jwt/jwa/hmac_rbnacl.rb +38 -43
data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +35 -39
data/lib/jwt/jwa/none.rb +7 -3
data/lib/jwt/jwa/ps.rb +20 -14
data/lib/jwt/jwa/rsa.rb +20 -9
data/lib/jwt/jwa/signing_algorithm.rb +59 -0
data/lib/jwt/jwa/unsupported.rb +8 -8
data/lib/jwt/jwa/wrapper.rb +26 -9
data/lib/jwt/jwa.rb +21 -38
data/lib/jwt/version.rb +2 -2
data/lib/jwt.rb +1 -0
metadata +18 -9
data/lib/jwt/claims_validator.rb +0 -37
data/lib/jwt/verify.rb +0 -117

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5fc1b13d678680a3d1b23e06cad091deb0f3ffff77783a99cd1d1f7231938563
-  data.tar.gz: f7d3f5294cb3b6ba57c2772a58c50ee2d55cf6412db6b707a38c74b381662777
+  metadata.gz: 0f3d3ea752a6b4dee8f1b020a3e0af95e003f74a8c40f730faab73b616fc9e98
+  data.tar.gz: 8dcdb470771f56931485824c32739bfcec1ce310b7096d6cd28c656d0f8c21fd
 SHA512:
-  metadata.gz: 5f4602ed313d982db0a2e469c2fc3b58aa0de226f85e332501628d9f7b59ed8a84e78691b57f14ddf153c4be028e9b3caa13d9b3231996c798e9e63f69f4d10a
-  data.tar.gz: a3ed20caccfe2c2979426b41a6e0bbeeabe67157643c4571836642f48ccf76ba8f58bb3270501eeefcbd53e1d027de1b558310a083360ca644157934ce3c06bf
+  metadata.gz: c68cccb66154a824751df6e7cd4d0b9d31372c0bada498097770feb8992ac3c7a462cd11eb759171d096e8d957b2a67b088fb35dc79fe7b4dd6eac6b25140d63
+  data.tar.gz: 03fe234584cce6458fb1a0f64cb399f81bc3c7aee40e25c011f0c27484ede3c6c6a6d950a9c5f3f13e4d66db5a76de98f2801942762df514097b2f663bf79247

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # Changelog
+## [v2.9.0](https://github.com/jwt/ruby-jwt/tree/v2.9.0) (NEXT)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.2...v2.9.0)
+**Features:**
+- Build and push gem using a GH action [#612](https://github.com/jwt/ruby-jwt/pull/612) ([@anakinj](https://github.com/anakinj))
+**Fixes and enhancements:**
+- Refactor claim validators into their own classes [#605](https://github.com/jwt/ruby-jwt/pull/605) ([@anakinj](https://github.com/anakinj), [@MatteoPierro](https://github.com/MatteoPierro))
+- Allow extending available algorithms [#607](https://github.com/jwt/ruby-jwt/pull/607) ([@anakinj](https://github.com/anakinj))
+- Do not include the EdDSA algorithm if rbnacl not available [#613](https://github.com/jwt/ruby-jwt/pull/613) ([@anakinj](https://github.com/anakinj))
 ## [v2.8.2](https://github.com/jwt/ruby-jwt/tree/v2.8.2) (2024-06-18)
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.1...v2.8.2)

data/README.md CHANGED Viewed

@@ -223,18 +223,22 @@ puts decoded_token
 ### **Custom algorithms**
-An object implementing custom signing or verification behaviour can be passed in the `algorithm` option when encoding and decoding. The given object needs to implement the method `valid_alg?` and `verify` and/or `alg` and `sign`, depending if object is used for encoding or decoding.
+When encoding or decoding a token, you can pass in a custom object through the `algorithm` option to handle signing or verification. This custom object must include or extend the `JWT::JWA::SigningAlgorithm` module and implement certain methods:
+- For decoding/verifying: The object must implement the methods `alg` and `verify`.
+- For encoding/signing: The object must implement the methods `alg` and `sign`.
+For customization options check the details from `JWT::JWA::SigningAlgorithm`.
 ```ruby
 module CustomHS512Algorithm
+  extend JWT::JWA::SigningAlgorithm
   def self.alg
     'HS512'
   end
-  def self.valid_alg?(alg_to_validate)
-    alg_to_validate == alg
-  end
   def self.sign(data:, signing_key:)
     OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), data, signing_key)
   end
@@ -690,21 +694,25 @@ jwk_hash = jwk.export
 thumbprint_as_the_kid = jwk_hash[:kid]
 ```
-# Development and Tests
+# Development and testing
-We depend on [Bundler](http://rubygems.org/gems/bundler) for defining gemspec and performing releases to rubygems.org, which can be done with
+The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
 ```bash
-rake release
+bundle install
+bundle exec appraisal rake test
 ```
-The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
+# Releasing
+To cut a new release adjust the [version.rb](lib/jwt/version.rb) and [CHANGELOG](CHANGELOG.md) with desired version numbers and dates and commit the changes. Tag the release with the version number using the following command:
 ```bash
-bundle install
-bundle exec appraisal rake test
+rake release:source_control_push
 ```
+This will tag a new version an trigger a [GitHub action](.github/workflows/push_gem.yml) that eventually will push the gem to rubygems.org.
 ## How to contribute
 See [CONTRIBUTING](CONTRIBUTING.md).

data/lib/jwt/claims/audience.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Audience
+      def initialize(expected_audience:)
+        @expected_audience = expected_audience
+      end
+      def verify!(context:, **_args)
+        aud = context.payload['aud']
+        raise JWT::InvalidAudError, "Invalid audience. Expected #{expected_audience}, received #{aud || '<none>'}" if ([*aud] & [*expected_audience]).empty?
+      end
+      private
+      attr_reader :expected_audience
+    end
+  end
+end

data/lib/jwt/claims/expiration.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Expiration
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('exp')
+        raise JWT::ExpiredSignature, 'Signature has expired' if context.payload['exp'].to_i <= (Time.now.to_i - leeway)
+      end
+      private
+      attr_reader :leeway
+    end
+  end
+end

data/lib/jwt/claims/issued_at.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class IssuedAt
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('iat')
+        iat = context.payload['iat']
+        raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(::Numeric) || iat.to_f > Time.now.to_f
+      end
+    end
+  end
+end

data/lib/jwt/claims/issuer.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Issuer
+      def initialize(issuers:)
+        @issuers = Array(issuers).map { |item| item.is_a?(Symbol) ? item.to_s : item }
+      end
+      def verify!(context:, **_args)
+        case (iss = context.payload['iss'])
+        when *issuers
+          nil
+        else
+          raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{issuers}, received #{iss || '<none>'}"
+        end
+      end
+      private
+      attr_reader :issuers
+    end
+  end
+end

data/lib/jwt/claims/jwt_id.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class JwtId
+      def initialize(validator:)
+        @validator = validator
+      end
+      def verify!(context:, **_args)
+        jti = context.payload['jti']
+        if validator.respond_to?(:call)
+          verified = validator.arity == 2 ? validator.call(jti, context.payload) : validator.call(jti)
+          raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+        elsif jti.to_s.strip.empty?
+          raise(JWT::InvalidJtiError, 'Missing jti')
+        end
+      end
+      private
+      attr_reader :validator
+    end
+  end
+end

data/lib/jwt/claims/not_before.rb ADDED Viewed

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class NotBefore
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('nbf')
+        raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if context.payload['nbf'].to_i > (Time.now.to_i + leeway)
+      end
+      private
+      attr_reader :leeway
+    end
+  end
+end

data/lib/jwt/claims/numeric.rb ADDED Viewed

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Numeric
+      def self.verify!(payload:, **_args)
+        return unless payload.is_a?(Hash)
+        new(payload).verify!
+      end
+      NUMERIC_CLAIMS = %i[
+        exp
+        iat
+        nbf
+      ].freeze
+      def initialize(payload)
+        @payload = payload.transform_keys(&:to_sym)
+      end
+      def verify!
+        validate_numeric_claims
+        true
+      end
+      private
+      def validate_numeric_claims
+        NUMERIC_CLAIMS.each do |claim|
+          validate_is_numeric(claim) if @payload.key?(claim)
+        end
+      end
+      def validate_is_numeric(claim)
+        return if @payload[claim].is_a?(::Numeric)
+        raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
+      end
+    end
+  end
+end

data/lib/jwt/claims/required.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Required
+      def initialize(required_claims:)
+        @required_claims = required_claims
+      end
+      def verify!(context:, **_args)
+        required_claims.each do |required_claim|
+          next if context.payload.is_a?(Hash) && context.payload.key?(required_claim)
+          raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}"
+        end
+      end
+      private
+      attr_reader :required_claims
+    end
+  end
+end

data/lib/jwt/claims/subject.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module JWT
+  module Claims
+    class Subject
+      def initialize(expected_subject:)
+        @expected_subject = expected_subject.to_s
+      end
+      def verify!(context:, **_args)
+        sub = context.payload['sub']
+        raise(JWT::InvalidSubError, "Invalid subject. Expected #{expected_subject}, received #{sub || '<none>'}") unless sub.to_s == expected_subject
+      end
+      private
+      attr_reader :expected_subject
+    end
+  end
+end

data/lib/jwt/claims.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require_relative 'claims/audience'
+require_relative 'claims/expiration'
+require_relative 'claims/issued_at'
+require_relative 'claims/issuer'
+require_relative 'claims/jwt_id'
+require_relative 'claims/not_before'
+require_relative 'claims/numeric'
+require_relative 'claims/required'
+require_relative 'claims/subject'
+module JWT
+  module Claims
+    VerificationContext = Struct.new(:payload, keyword_init: true)
+    VERIFIERS = {
+      verify_expiration: ->(options) { Claims::Expiration.new(leeway: options[:exp_leeway] || options[:leeway]) },
+      verify_not_before: ->(options) { Claims::NotBefore.new(leeway: options[:nbf_leeway] || options[:leeway]) },
+      verify_iss: ->(options) { Claims::Issuer.new(issuers: options[:iss]) },
+      verify_iat: ->(*) { Claims::IssuedAt.new },
+      verify_jti: ->(options) { Claims::JwtId.new(validator: options[:verify_jti]) },
+      verify_aud: ->(options) { Claims::Audience.new(expected_audience: options[:aud]) },
+      verify_sub: ->(options) { options[:sub] && Claims::Subject.new(expected_subject: options[:sub]) },
+      required_claims: ->(options) { Claims::Required.new(required_claims: options[:required_claims]) }
+    }.freeze
+    class << self
+      def verify!(payload, options)
+        VERIFIERS.each do |key, verifier_builder|
+          next unless options[key]
+          verifier_builder&.call(options)&.verify!(context: VerificationContext.new(payload: payload))
+        end
+      end
+    end
+  end
+end

data/lib/jwt/decode.rb CHANGED Viewed

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 require 'json'
-require 'jwt/verify'
 require 'jwt/x5c_key_finder'
 # JWT::Decode module
@@ -92,7 +90,7 @@ module JWT
     end
     def resolve_allowed_algorithms
-      algs = given_algorithms.map { |alg| JWA.create(alg) }
+      algs = given_algorithms.map { |alg| JWA.resolve(alg) }
       sort_by_alg_header(algs)
     end
@@ -113,8 +111,7 @@ module JWT
     end
     def verify_claims
-      Verify.verify_claims(payload, @options)
-      Verify.verify_required_claims(payload, @options)
+      Claims.verify!(payload, @options)
     end
     def validate_segment_count!

data/lib/jwt/encode.rb CHANGED Viewed

@@ -1,20 +1,16 @@
 # frozen_string_literal: true
 require_relative 'jwa'
-require_relative 'claims_validator'
 # JWT::Encode module
 module JWT
   # Encoding logic for JWT
   class Encode
-    ALG_KEY = 'alg'
     def initialize(options)
       @payload          = options[:payload]
       @key              = options[:key]
-      @algorithm        = JWA.create(options[:algorithm])
+      @algorithm        = JWA.resolve(options[:algorithm])
       @headers          = options[:headers].transform_keys(&:to_s)
-      @headers[ALG_KEY] = @algorithm.alg
     end
     def segments
@@ -41,7 +37,7 @@ module JWT
     end
     def encode_header
-      encode_data(@headers)
+      encode_data(@headers.merge(@algorithm.header(signing_key: @key)))
     end
     def encode_payload
@@ -55,7 +51,7 @@ module JWT
     def validate_claims!
       return unless @payload.is_a?(Hash)
-      ClaimsValidator.new(@payload).validate!
+      Claims::Numeric.new(@payload).verify!
     end
     def encode_signature

data/lib/jwt/jwa/ecdsa.rb CHANGED Viewed

@@ -2,8 +2,35 @@
 module JWT
   module JWA
-    module Ecdsa
-      module_function
+    class Ecdsa
+      include JWT::JWA::SigningAlgorithm
+      def initialize(alg, digest)
+        @alg = alg
+        @digest = OpenSSL::Digest.new(digest)
+      end
+      def sign(data:, signing_key:)
+        curve_definition = curve_by_name(signing_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        if alg != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} signing key was provided"
+        end
+        asn1_to_raw(signing_key.dsa_sign_asn1(digest.digest(data)), signing_key)
+      end
+      def verify(data:, signature:, verification_key:)
+        curve_definition = curve_by_name(verification_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        if alg != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} verification key was provided"
+        end
+        verification_key.dsa_verify_asn1(digest.digest(data), raw_to_asn1(signature, verification_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
       NAMED_CURVES = {
         'prime256v1' => {
@@ -28,36 +55,22 @@ module JWT
         }
       }.freeze
-      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
+      NAMED_CURVES.each_value do |v|
+        register_algorithm(new(v[:algorithm], v[:digest]))
+      end
-      def sign(algorithm, msg, key)
-        curve_definition = curve_by_name(key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
+      def self.curve_by_name(name)
+        NAMED_CURVES.fetch(name) do
+          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
-      def verify(algorithm, public_key, signing_input, signature)
-        curve_definition = curve_by_name(public_key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
+      private
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
-      rescue OpenSSL::PKey::PKeyError
-        raise JWT::VerificationError, 'Signature verification raised'
-      end
+      attr_reader :digest
       def curve_by_name(name)
-        NAMED_CURVES.fetch(name) do
-          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
-        end
+        self.class.curve_by_name(name)
       end
       def raw_to_asn1(signature, private_key)

data/lib/jwt/jwa/eddsa.rb CHANGED Viewed

@@ -2,41 +2,33 @@
 module JWT
   module JWA
-    module Eddsa
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-      SUPPORTED_DOWNCASED = SUPPORTED.map(&:downcase).freeze
+    class Eddsa
+      include JWT::JWA::SigningAlgorithm
-      class << self
-        def sign(algorithm, msg, key)
-          unless key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-            raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-          end
-          validate_algorithm!(algorithm)
+      def initialize(alg)
+        @alg = alg
+      end
-          key.sign(msg)
+      def sign(data:, signing_key:)
+        unless signing_key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
+          raise_encode_error!("Key given is a #{signing_key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey")
         end
-        def verify(algorithm, public_key, signing_input, signature)
-          unless public_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-            raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey"
-          end
-          validate_algorithm!(algorithm)
+        signing_key.sign(data)
+      end
-          public_key.verify(signature, signing_input)
-        rescue RbNaCl::CryptoError
-          false
+      def verify(data:, signature:, verification_key:)
+        unless verification_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
+          raise_decode_error!("key given is a #{verification_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey")
         end
-        private
-        def validate_algorithm!(algorithm)
-          return if SUPPORTED_DOWNCASED.include?(algorithm.downcase)
-          raise IncorrectAlgorithm, "Algorithm #{algorithm} not supported. Supported algoritms are #{SUPPORTED.join(', ')}"
-        end
+        verification_key.verify(signature, data)
+      rescue RbNaCl::CryptoError
+        false
       end
+      register_algorithm(new('ED25519'))
+      register_algorithm(new('EdDSA'))
     end
   end
 end

data/lib/jwt/jwa/hmac.rb CHANGED Viewed

@@ -2,35 +2,39 @@
 module JWT
   module JWA
-    module Hmac
-      module_function
+    class Hmac
+      include JWT::JWA::SigningAlgorithm
-      MAPPING = {
-        'HS256' => OpenSSL::Digest::SHA256,
-        'HS384' => OpenSSL::Digest::SHA384,
-        'HS512' => OpenSSL::Digest::SHA512
-      }.freeze
-      SUPPORTED = MAPPING.keys
-      def sign(algorithm, msg, key)
-        key ||= ''
+      def initialize(alg, digest)
+        @alg = alg
+        @digest = digest
+      end
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
+      def sign(data:, signing_key:)
+        signing_key ||= ''
+        raise_verify_error!('HMAC key expected to be a String') unless signing_key.is_a?(String)
-        OpenSSL::HMAC.digest(MAPPING[algorithm].new, key, msg)
+        OpenSSL::HMAC.digest(digest.new, signing_key, data)
       rescue OpenSSL::HMACError => e
-        if key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
-          raise JWT::DecodeError, 'OpenSSL 3.0 does not support nil or empty hmac_secret'
+        if signing_key == '' && e.message == 'EVP_PKEY_new_mac_key: malloc failure'
+          raise_verify_error!('OpenSSL 3.0 does not support nil or empty hmac_secret')
         end
         raise e
       end
-      def verify(algorithm, key, signing_input, signature)
-        SecurityUtils.secure_compare(signature, sign(algorithm, signing_input, key))
+      def verify(data:, signature:, verification_key:)
+        SecurityUtils.secure_compare(signature, sign(data: data, signing_key: verification_key))
       end
+      register_algorithm(new('HS256', OpenSSL::Digest::SHA256))
+      register_algorithm(new('HS384', OpenSSL::Digest::SHA384))
+      register_algorithm(new('HS512', OpenSSL::Digest::SHA512))
+      private
+      attr_reader :digest
       # Copy of https://github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb
       # rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
       module SecurityUtils