keypairs 0.1.0 → 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/db/migrate/20201116144600_add_validity_to_keypairs.rb +29 -0
- data/lib/keypair.rb +61 -8
- data/lib/keypairs.rb +1 -0
- data/lib/keypairs/public_keys_controller.rb +3 -1
- data/lib/keypairs/version.rb +1 -1
- metadata +17 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b147b6ede46b3ddb570fcf22a695d6cf4cb1b9d1ccba3f5b7f8afdd9419e0747
|
|
4
|
+
data.tar.gz: ebe56e66f398850c478b73ec5ee7cab7ff37ed660df886b5e01d43f2f154bf4e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7a8c50b775aeb0786f43489f1ddc9fc9196071ce7f87d36fff7db7bc9eba63b08ea3b5c1ef97798904b3205bc3e7f9b511fed322e84227a98a5712cd863be797
|
|
7
|
+
data.tar.gz: b0b30cc23347d5a4c0d0add46ac6944cb1881a75aebd2577db470742e81b72613b6808bd63d36385897e4a304c328adbafe7ef196cb495fdab919defc1626410
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
class AddValidityToKeypairs < ActiveRecord::Migration[6.0]
|
|
4
|
+
class Keypair < ActiveRecord::Base; end
|
|
5
|
+
|
|
6
|
+
def change # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
7
|
+
change_table :keypairs, bulk: true do |t|
|
|
8
|
+
t.datetime :not_before, precision: 6
|
|
9
|
+
t.datetime :not_after, precision: 6
|
|
10
|
+
t.datetime :expires_at, precision: 6
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
reversible do |dir|
|
|
14
|
+
dir.up do
|
|
15
|
+
Keypair.find_each do |keypair|
|
|
16
|
+
keypair.update!(
|
|
17
|
+
not_before: keypair.created_at,
|
|
18
|
+
not_after: keypair.created_at + 1.month,
|
|
19
|
+
expires_at: keypair.created_at + 2.months
|
|
20
|
+
)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
change_column_null :keypairs, :not_before, false
|
|
26
|
+
change_column_null :keypairs, :not_after, false
|
|
27
|
+
change_column_null :keypairs, :expires_at, false
|
|
28
|
+
end
|
|
29
|
+
end
|
data/lib/keypair.rb
CHANGED
|
@@ -6,8 +6,18 @@ require 'jwt'
|
|
|
6
6
|
# This class contains functionality needed for signing messages
|
|
7
7
|
# and publishing JWK[s].
|
|
8
8
|
#
|
|
9
|
-
#
|
|
10
|
-
#
|
|
9
|
+
# Keypairs are considered valid based on their {#not_before}, {#not_after} and {#expires_at} attributes.
|
|
10
|
+
#
|
|
11
|
+
# A keypair can be used for signing if:
|
|
12
|
+
# - The current time is greater than or equal to {#not_before}
|
|
13
|
+
# - The current time is less than or equal to {#not_after}
|
|
14
|
+
#
|
|
15
|
+
# A keypair can be used for validation if:
|
|
16
|
+
# - The current time is less than {#expires_at}.
|
|
17
|
+
#
|
|
18
|
+
# By default, this means that when a key is created, it can be used for signing for 1 month and can still be used
|
|
19
|
+
# for signature validation 1 month after it is not used for signing (i.e. for 2 months since it started being used
|
|
20
|
+
# for signing).
|
|
11
21
|
#
|
|
12
22
|
# If you need to sign messages, use the {Keypair.current} keypair for this. This method
|
|
13
23
|
# performs the rotation of the keypairs if required.
|
|
@@ -21,6 +31,9 @@ require 'jwt'
|
|
|
21
31
|
# decoded = Keypair.jwt_decode(id_token)
|
|
22
32
|
#
|
|
23
33
|
# @attr [String] jwk_kid The public external id of the key used to find the associated key on decoding.
|
|
34
|
+
# @attr [Time] not_before The time before which no payloads may be signed using the keypair.
|
|
35
|
+
# @attr [Time] not_after The time after which no payloads may be signed using the keypair.
|
|
36
|
+
# @attr [Time] expires_at The time after which the keypair may not be used for signature validation.
|
|
24
37
|
class Keypair < ActiveRecord::Base
|
|
25
38
|
ALGORITHM = 'RS256'
|
|
26
39
|
ROTATION_INTERVAL = 1.month
|
|
@@ -29,18 +42,22 @@ class Keypair < ActiveRecord::Base
|
|
|
29
42
|
|
|
30
43
|
validates :_keypair, presence: true
|
|
31
44
|
validates :jwk_kid, presence: true
|
|
45
|
+
validates :not_before, :expires_at, presence: true
|
|
46
|
+
|
|
47
|
+
validate :not_after_after_not_before
|
|
48
|
+
validate :expires_at_after_not_after
|
|
32
49
|
|
|
33
50
|
after_initialize :set_keypair
|
|
51
|
+
after_initialize :set_validity
|
|
34
52
|
|
|
35
53
|
# @!method valid
|
|
36
54
|
# @!scope class
|
|
37
|
-
#
|
|
38
|
-
|
|
39
|
-
scope :valid, -> { where(id: unscoped.order(created_at: :desc).limit(3)) }
|
|
55
|
+
# Non-expired keypairs are considered valid and can be used to validate signatures and export public jwks.
|
|
56
|
+
scope :valid, -> { where(arel_table[:expires_at].gt(Time.zone.now)) }
|
|
40
57
|
|
|
41
|
-
# @return [Keypair] the keypair used to sign messages and autorotates if it
|
|
58
|
+
# @return [Keypair] the keypair used to sign messages and autorotates if it has expired.
|
|
42
59
|
def self.current
|
|
43
|
-
order(:
|
|
60
|
+
order(not_before: :asc).where(arel_table[:not_before].lteq(Time.zone.now)).where(arel_table[:not_after].gteq(Time.zone.now)).last || create!
|
|
44
61
|
end
|
|
45
62
|
|
|
46
63
|
# The JWK Set of our valid keypairs.
|
|
@@ -66,11 +83,26 @@ class Keypair < ActiveRecord::Base
|
|
|
66
83
|
#
|
|
67
84
|
# @see https://www.imsglobal.org/spec/security/v1p0/#h_key-set-url
|
|
68
85
|
def self.keyset
|
|
86
|
+
valid_keys = valid.order(expires_at: :asc).to_a
|
|
87
|
+
# If we don't have any keys or if we don't have a future key (i.e. the last key is the current key)
|
|
88
|
+
if valid_keys.last.nil? || valid_keys.last.not_before <= Time.zone.now
|
|
89
|
+
# There is an automatic fallback to Time.zone.now if not_before is not set
|
|
90
|
+
valid_keys << create!(not_before: valid_keys.last&.not_after)
|
|
91
|
+
end
|
|
92
|
+
|
|
69
93
|
{
|
|
70
|
-
keys:
|
|
94
|
+
keys: valid_keys.map(&:public_jwk_export)
|
|
71
95
|
}
|
|
72
96
|
end
|
|
73
97
|
|
|
98
|
+
# @return [Hash] a cached version of the keyset
|
|
99
|
+
# @see #keyset
|
|
100
|
+
def self.cached_keyset
|
|
101
|
+
Rails.cache.fetch('keypairs/Keypair/keyset', expires_in: 12.hours) do
|
|
102
|
+
keyset
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
|
|
74
106
|
# Encodes the payload with the current keypair.
|
|
75
107
|
# It forewards the call to the instance method {Keypair#jwt_encode}.
|
|
76
108
|
# @return [String] Encoded JWT token with security credentials.
|
|
@@ -173,4 +205,25 @@ class Keypair < ActiveRecord::Base
|
|
|
173
205
|
self._keypair ||= OpenSSL::PKey::RSA.new(2048).to_pem
|
|
174
206
|
self.jwk_kid = public_jwk.kid
|
|
175
207
|
end
|
|
208
|
+
|
|
209
|
+
# Set the validity timestamps based on the rotation interval.
|
|
210
|
+
def set_validity
|
|
211
|
+
self.not_before ||= created_at || Time.zone.now
|
|
212
|
+
self.not_after ||= not_before + ROTATION_INTERVAL
|
|
213
|
+
self.expires_at ||= not_after + ROTATION_INTERVAL
|
|
214
|
+
end
|
|
215
|
+
|
|
216
|
+
def not_after_after_not_before
|
|
217
|
+
return if not_before.nil? || not_after.nil?
|
|
218
|
+
return if not_after > not_before
|
|
219
|
+
|
|
220
|
+
errors.add(:not_after, 'must be after not before')
|
|
221
|
+
end
|
|
222
|
+
|
|
223
|
+
def expires_at_after_not_after
|
|
224
|
+
return if not_after.nil? || expires_at.nil?
|
|
225
|
+
return if expires_at > not_after
|
|
226
|
+
|
|
227
|
+
errors.add(:expires_at, 'must be after not after')
|
|
228
|
+
end
|
|
176
229
|
end
|
data/lib/keypairs.rb
CHANGED
|
@@ -18,7 +18,9 @@ module Keypairs
|
|
|
18
18
|
# }
|
|
19
19
|
class PublicKeysController < ActionController::API
|
|
20
20
|
def index
|
|
21
|
-
|
|
21
|
+
# Always cache for 1 week, our rotation interval is much more than a week
|
|
22
|
+
expires_in 1.week, public: true
|
|
23
|
+
render json: Keypair.cached_keyset
|
|
22
24
|
end
|
|
23
25
|
end
|
|
24
26
|
end
|
data/lib/keypairs/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: keypairs
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Stef Schenkelaars
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-11-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: actionpack
|
|
@@ -206,6 +206,20 @@ dependencies:
|
|
|
206
206
|
- - ">="
|
|
207
207
|
- !ruby/object:Gem::Version
|
|
208
208
|
version: '0'
|
|
209
|
+
- !ruby/object:Gem::Dependency
|
|
210
|
+
name: timecop
|
|
211
|
+
requirement: !ruby/object:Gem::Requirement
|
|
212
|
+
requirements:
|
|
213
|
+
- - ">="
|
|
214
|
+
- !ruby/object:Gem::Version
|
|
215
|
+
version: '0'
|
|
216
|
+
type: :development
|
|
217
|
+
prerelease: false
|
|
218
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
219
|
+
requirements:
|
|
220
|
+
- - ">="
|
|
221
|
+
- !ruby/object:Gem::Version
|
|
222
|
+
version: '0'
|
|
209
223
|
description: Manage application level keypairs with automatic rotation and JWT support
|
|
210
224
|
email:
|
|
211
225
|
- stef.schenkelaars@gmail.com
|
|
@@ -216,6 +230,7 @@ files:
|
|
|
216
230
|
- LICENSE
|
|
217
231
|
- README.md
|
|
218
232
|
- db/migrate/20201024100500_create_keypairs.rb
|
|
233
|
+
- db/migrate/20201116144600_add_validity_to_keypairs.rb
|
|
219
234
|
- lib/keypair.rb
|
|
220
235
|
- lib/keypairs.rb
|
|
221
236
|
- lib/keypairs/engine.rb
|