mauth-client 6.2.0 → 6.4.0

data/exe/mauth-proxy

@@ -1,14 +1,14 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 $LOAD_PATH.unshift File.expand_path('../lib', File.dirname(__FILE__))
 
-require 'rubygems'
 require 'mauth/proxy'
 require 'rack'
 
 headers = []
 headers_index = ARGV.find_index('--header')
-while(headers_index) do
+while headers_index
   headers << ARGV[headers_index + 1]
   ARGV.delete_at(headers_index + 1)
   ARGV.delete_at(headers_index)
@@ -16,25 +16,25 @@ while(headers_index) do
 end
 
 authenticate_responses = !ARGV.delete('--no-authenticate')
-browser_proxy = !(ARGV.delete('--browser_proxy').nil?)
+browser_proxy = !ARGV.delete('--browser_proxy').nil?
 
 target_uri = browser_proxy ? ARGV : ARGV.pop
 
 if !target_uri || target_uri.empty?
-  abort("Usage: mauth-proxy [rack options] --browser_proxy [--no-authenticate] <target URI> <target URI> ...\n" +
-    "or: mauth-proxy [rack options] <target URI>")
+  abort("Usage: mauth-proxy [rack options] --browser_proxy [--no-authenticate] <target URI> <target URI> ...\n" \
+        'or: mauth-proxy [rack options] <target URI>')
 end
 
 rack_server_options = Rack::Server::Options.new.parse!(ARGV)
 
-# for security, this rack server will only accept local connections, so override Host 
+# for security, this rack server will only accept local connections, so override Host
 # to 127.0.0.1 (from the default of 0.0.0.0)
 #
-# this means that the '-o' / '--host' option to Rack::Server::Options is ignored. 
-rack_server_options[:Host] = "127.0.0.1"
+# this means that the '-o' / '--host' option to Rack::Server::Options is ignored.
+rack_server_options[:Host] = '127.0.0.1'
 
-rack_server_options[:app] = MAuth::Proxy.new(target_uri, :authenticate_responses => authenticate_responses,
-  :browser_proxy => browser_proxy, :headers => headers)
+rack_server_options[:app] = MAuth::Proxy.new(target_uri, authenticate_responses: authenticate_responses,
+  browser_proxy: browser_proxy, headers: headers)
 
 mauth_proxy_server = Rack::Server.new(rack_server_options)
 mauth_proxy_server.start

data/gemfiles/faraday_2.x.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "faraday", "~> 2.0"
+
+gemspec path: "../"

data/lib/mauth/autoload.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module MAuth
   autoload :Client, 'mauth/client'
   autoload :Middleware, 'mauth/middleware'

data/lib/mauth/client/authenticator_base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # methods common to RemoteRequestAuthenticator and LocalAuthenticator
 
 module MAuth
@@ -21,7 +23,8 @@ module MAuth
       # authenticate with v2 if the environment variable V2_ONLY_AUTHENTICATE
       # is set. Otherwise will fall back to v1 when v2 authentication fails
       def authenticate!(object)
-        if object.protocol_version == 2
+        case object.protocol_version
+        when 2
           begin
             authenticate_v2!(object)
           rescue InauthenticError => e
@@ -33,9 +36,9 @@ module MAuth
 
             log_authentication_request(object)
             authenticate_v1!(object)
-            logger.warn("Completed successful authentication attempt after fallback to v1")
+            logger.warn('Completed successful authentication attempt after fallback to v1')
           end
-        elsif object.protocol_version == 1
+        when 1
           if v2_only_authenticate?
             # If v2 is required but not present and v1 is present we raise MissingV2Error
             msg = 'This service requires mAuth v2 mcc-authentication header but only v1 x-mws-authentication is present'
@@ -54,13 +57,13 @@ module MAuth
 
       private
 
-      # Note: This log is likely consumed downstream and the contents SHOULD NOT
+      # NOTE: This log is likely consumed downstream and the contents SHOULD NOT
       # be changed without a thorough review of downstream consumers.
       def log_authentication_request(object)
         object_app_uuid = object.signature_app_uuid || '[none provided]'
         object_token = object.signature_token || '[none provided]'
         logger.info(
-          "Mauth-client attempting to authenticate request from app with mauth" \
+          'Mauth-client attempting to authenticate request from app with mauth' \
           " app uuid #{object_app_uuid} to app with mauth app uuid #{client_app_uuid}" \
           " using version #{object_token}."
         )
@@ -71,7 +74,7 @@ module MAuth
       end
 
       def time_within_valid_range!(object, time_signed, now = Time.now)
-        return if  (-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - time_signed)
+        return if (-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - time_signed)
 
         msg = "Time verification failed. #{time_signed} not within #{ALLOWED_DRIFT_SECONDS} of #{now}"
         log_inauthentic(object, msg)

data/lib/mauth/client/local_authenticator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'mauth/client/security_token_cacher'
 require 'mauth/client/signer'
 require 'openssl'
@@ -25,11 +27,13 @@ module MAuth
 
         # do a simple percent reencoding variant of the path
         object.attributes_for_signing[:request_url] = CGI.escape(original_request_uri.to_s)
-        expected_for_percent_reencoding = object.string_to_sign_v1(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
+        expected_for_percent_reencoding = object.string_to_sign_v1(time: object.x_mws_time,
+          app_uuid: object.signature_app_uuid)
 
         # do a moderately complex Euresource-style reencoding of the path
         object.attributes_for_signing[:request_url] = euresource_escape(original_request_uri.to_s)
-        expected_euresource_style_reencoding = object.string_to_sign_v1(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
+        expected_euresource_style_reencoding = object.string_to_sign_v1(time: object.x_mws_time,
+          app_uuid: object.signature_app_uuid)
 
         # reset the object original request_uri, just in case we need it again
         object.attributes_for_signing[:request_url] = original_request_uri
@@ -44,8 +48,8 @@ module MAuth
         end
 
         unless verify_signature_v1!(actual, expected_no_reencoding) ||
-           verify_signature_v1!(actual, expected_euresource_style_reencoding) ||
-           verify_signature_v1!(actual, expected_for_percent_reencoding)
+               verify_signature_v1!(actual, expected_euresource_style_reencoding) ||
+               verify_signature_v1!(actual, expected_for_percent_reencoding)
           msg = "Signature verification failed for #{object.class}"
           log_inauthentic(object, msg)
           raise InauthenticError, msg
@@ -53,7 +57,7 @@ module MAuth
       end
 
       def verify_signature_v1!(actual, expected_str_to_sign)
-        actual == Digest::SHA512.hexdigest(expected_str_to_sign)
+        actual == OpenSSL::Digest::SHA512.hexdigest(expected_str_to_sign)
       end
 
       def signature_valid_v2!(object)
@@ -93,8 +97,8 @@ module MAuth
         actual = Base64.decode64(object.signature)
 
         unless verify_signature_v2!(object, actual, pubkey, expected_no_reencoding) ||
-           verify_signature_v2!(object, actual, pubkey, expected_euresource_style_reencoding) ||
-           verify_signature_v2!(object, actual, pubkey, expected_for_percent_reencoding)
+               verify_signature_v2!(object, actual, pubkey, expected_euresource_style_reencoding) ||
+               verify_signature_v2!(object, actual, pubkey, expected_for_percent_reencoding)
           msg = "Signature inauthentic for #{object.class}"
           log_inauthentic(object, msg)
           raise InauthenticError, msg
@@ -113,7 +117,7 @@ module MAuth
         raise InauthenticError, msg
       end
 
-      # Note: RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) reserves the forward slash "/"
+      # NOTE: RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) reserves the forward slash "/"
       #   and number sign "#" as component delimiters. Since these are valid URI components,
       #   they are decoded back into characters here to avoid signature invalidation
       def euresource_escape(str)
@@ -139,7 +143,6 @@ module MAuth
       def security_token_cacher
         @security_token_cacher ||= SecurityTokenCacher.new(self)
       end
-
     end
   end
 end

data/lib/mauth/client/remote_authenticator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # methods for remotely authenticating a request by sending it to the mauth service
 
 module MAuth
@@ -8,7 +10,11 @@ module MAuth
       # takes an incoming request object (no support for responses currently), and errors if the
       # object is not authentic according to its signature
       def signature_valid_v1!(object)
-        raise ArgumentError, "Remote Authenticator can only authenticate requests; received #{object.inspect}" unless object.is_a?(MAuth::Request)
+        unless object.is_a?(MAuth::Request)
+          raise ArgumentError,
+            "Remote Authenticator can only authenticate requests; received #{object.inspect}"
+        end
+
         authentication_ticket = {
           'verb' => object.attributes_for_signing[:verb],
           'app_uuid' => object.signature_app_uuid,
@@ -41,15 +47,17 @@ module MAuth
 
       def make_mauth_request(authentication_ticket)
         begin
-          response = mauth_connection.post("/mauth/#{mauth_api_version}/authentication_tickets.json", 'authentication_ticket' => authentication_ticket)
+          request_body = JSON.generate(authentication_ticket: authentication_ticket)
+          response = mauth_connection.post("/mauth/#{mauth_api_version}/authentication_tickets.json", request_body)
         rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
           msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
           logger.error("Unable to authenticate with MAuth. Exception #{msg}")
           raise UnableToAuthenticateError, msg
         end
-        if (200..299).cover?(response.status)
+        case response.status
+        when 200..299
           nil
-        elsif response.status == 412 || response.status == 404
+        when 412, 404
           # the mAuth service responds with 412 when the given request is not authentically signed.
           # older versions of the mAuth service respond with 404 when the given app_uuid
           # does not exist, which is also considered to not be authentically signed. newer
@@ -62,12 +70,14 @@ module MAuth
       end
 
       def mauth_connection
-        require 'faraday'
-        require 'faraday_middleware'
-        @mauth_connection ||= ::Faraday.new(mauth_baseurl, faraday_options) do |builder|
-          builder.use MAuth::Faraday::MAuthClientUserAgent
-          builder.use FaradayMiddleware::EncodeJson
-          builder.adapter ::Faraday.default_adapter
+        @mauth_connection ||= begin
+          require 'faraday'
+
+          ::Faraday.new(mauth_baseurl,
+            faraday_options.merge(headers: { 'Content-Type' => 'application/json' })) do |builder|
+            builder.use MAuth::Faraday::MAuthClientUserAgent
+            builder.adapter ::Faraday.default_adapter
+          end
         end
       end
     end

data/lib/mauth/client/security_token_cacher.rb

@@ -1,44 +1,40 @@
+# frozen_string_literal: true
+
 require 'faraday-http-cache'
-require 'oj'
+require 'mauth/faraday'
 
 module MAuth
   class Client
     module LocalAuthenticator
       class SecurityTokenCacher
-
         def initialize(mauth_client)
           @mauth_client = mauth_client
           # TODO: should this be UnableToSignError?
-          @mauth_client.assert_private_key(UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!"))
-          @cache = {}
-          require 'thread'
-          @cache_write_lock = Mutex.new
+          @mauth_client.assert_private_key(
+            UnableToAuthenticateError.new('Cannot fetch public keys from mAuth service without a private key!')
+          )
         end
 
         def get(app_uuid)
-          if !@cache[app_uuid]
-            # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
-            # app_uuid - probably not exploitable, but this is the right way to do it anyway.
-            url_encoded_app_uuid = CGI.escape(app_uuid)
-            begin
-              response = signed_mauth_connection.get("/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json")
-            rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
-              msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
-              @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
-              raise UnableToAuthenticateError, msg
-            end
-            if response.status == 200
-              @cache_write_lock.synchronize do
-                @cache[app_uuid] = security_token_from(response.body)
-              end
-            elsif response.status == 404
-              # signing with a key mAuth doesn't know about is considered inauthentic
-              raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
-            else
-              @mauth_client.send(:mauth_service_response_error, response)
-            end
+          # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
+          # app_uuid - probably not exploitable, but this is the right way to do it anyway.
+          url_encoded_app_uuid = CGI.escape(app_uuid)
+          path = "/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json"
+          response = signed_mauth_connection.get(path)
+
+          case response.status
+          when 200
+            security_token_from(response.body)
+          when 404
+            # signing with a key mAuth doesn't know about is considered inauthentic
+            raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
+          else
+            @mauth_client.send(:mauth_service_response_error, response)
           end
-          @cache[app_uuid]
+        rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
+          msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
+          @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          raise UnableToAuthenticateError, msg
         end
 
         private
@@ -46,20 +42,23 @@ module MAuth
         def security_token_from(response_body)
           JSON.parse response_body
         rescue JSON::ParserError => e
-          msg =  "mAuth service responded with unparseable json: #{response_body}\n#{e.class}: #{e.message}"
+          msg = "mAuth service responded with unparseable json: #{response_body}\n#{e.class}: #{e.message}"
           @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
           raise UnableToAuthenticateError, msg
         end
 
         def signed_mauth_connection
-          require 'faraday'
-          require 'mauth/faraday'
-          @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path } if @mauth_client.ssl_certs_path
-          @signed_mauth_connection ||= ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
-            builder.use MAuth::Faraday::MAuthClientUserAgent
-            builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
-            builder.use :http_cache, serializer: Oj, logger: MAuth::Client.new.logger, shared_cache: false
-            builder.adapter ::Faraday.default_adapter
+          @signed_mauth_connection ||= begin
+            if @mauth_client.ssl_certs_path
+              @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path }
+            end
+
+            ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
+              builder.use MAuth::Faraday::MAuthClientUserAgent
+              builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
+              builder.use :http_cache, logger: MAuth::Client.new.logger, shared_cache: false
+              builder.adapter ::Faraday.default_adapter
+            end
           end
         end
       end

data/lib/mauth/client/signer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'openssl'
 require 'mauth/errors'
 
@@ -5,7 +7,7 @@ require 'mauth/errors'
 
 module MAuth
   class Client
-    SIGNING_DIGEST = OpenSSL::Digest::SHA512.new
+    SIGNING_DIGEST = OpenSSL::Digest.new('SHA512')
 
     module Signer
       UNABLE_TO_SIGN_ERR = UnableToSignError.new('mAuth client cannot sign without a private key!')
@@ -40,14 +42,14 @@ module MAuth
       def signed_headers_v1(object, attributes = {})
         attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
         string_to_sign = object.string_to_sign_v1(attributes)
-        signature = self.signature_v1(string_to_sign)
+        signature = signature_v1(string_to_sign)
         { 'X-MWS-Authentication' => "#{MWS_TOKEN} #{client_app_uuid}:#{signature}", 'X-MWS-Time' => attributes[:time] }
       end
 
       def signed_headers_v2(object, attributes = {})
         attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
         string_to_sign = object.string_to_sign_v2(attributes)
-        signature = self.signature_v2(string_to_sign)
+        signature = signature_v2(string_to_sign)
         {
           'MCC-Authentication' => "#{MWSV2_TOKEN} #{client_app_uuid}:#{signature}#{AUTH_HEADER_DELIMITER}",
           'MCC-Time' => attributes[:time]
@@ -56,7 +58,7 @@ module MAuth
 
       def signature_v1(string_to_sign)
         assert_private_key(UNABLE_TO_SIGN_ERR)
-        hashed_string_to_sign = Digest::SHA512.hexdigest(string_to_sign)
+        hashed_string_to_sign = OpenSSL::Digest::SHA512.hexdigest(string_to_sign)
         Base64.encode64(private_key.private_encrypt(hashed_string_to_sign)).delete("\n")
       end
 

data/lib/mauth/client.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'uri'
 require 'openssl'
 require 'base64'
@@ -24,9 +26,9 @@ module MAuth
   # that the object responds to the methods of MAuth::Signable and/or MAuth::Signed (as
   # appropriate)
   class Client
-    MWS_TOKEN = 'MWS'.freeze
-    MWSV2_TOKEN = 'MWSV2'.freeze
-    AUTH_HEADER_DELIMITER = ';'.freeze
+    MWS_TOKEN = 'MWS'
+    MWSV2_TOKEN = 'MWSV2'
+    AUTH_HEADER_DELIMITER = ';'
 
     include AuthenticatorBase
     include Signer
@@ -53,7 +55,7 @@ module MAuth
       # find the app_root (relative to which we look for yaml files). note that this
       # is different than MAuth::Client.root, the root of the mauth-client library.
       app_root = options['root'] || begin
-        if Object.const_defined?('Rails') && ::Rails.respond_to?(:root) && ::Rails.root
+        if Object.const_defined?(:Rails) && ::Rails.respond_to?(:root) && ::Rails.root
           Rails.root
         else
           ENV['RAILS_ROOT'] || ENV['RACK_ROOT'] || ENV['APP_ROOT'] || '.'
@@ -62,7 +64,7 @@ module MAuth
 
       # find the environment (with which yaml files are keyed)
       env = options['environment'] || begin
-        if Object.const_defined?('Rails') && ::Rails.respond_to?(:environment)
+        if Object.const_defined?(:Rails) && ::Rails.respond_to?(:environment)
           Rails.environment
         else
           ENV['RAILS_ENV'] || ENV['RACK_ENV'] || 'development'
@@ -82,16 +84,17 @@ module MAuth
           errmessage = "#{mauth_config_yml} config has no key #{env} - it has keys #{whole_config.keys.inspect}"
           whole_config[env] || raise(MAuth::Client::ConfigurationError, errmessage)
         else
-          raise MAuth::Client::ConfigurationError, "could not find mauth config yaml file. this file may be " \
+          raise MAuth::Client::ConfigurationError,
+            'could not find mauth config yaml file. this file may be ' \
             "placed in #{default_loc}, specified with the mauth_config_yml option, or specified with the " \
-            "MAUTH_CONFIG_YML environment variable."
+            'MAUTH_CONFIG_YML environment variable.'
         end
       end
 
       unless mauth_config.key?('logger')
         # the logger. Rails.logger if it exists, otherwise, no logger
         mauth_config['logger'] = options['logger'] || begin
-          if Object.const_defined?('Rails') && ::Rails.respond_to?(:logger)
+          if Object.const_defined?(:Rails) && ::Rails.respond_to?(:logger)
             Rails.logger
           end
         end
@@ -122,22 +125,24 @@ module MAuth
       if given_config['private_key_file'] && !given_config['private_key']
         given_config['private_key'] = File.read(given_config['private_key_file'])
       end
-      @config['private_key'] = case given_config['private_key']
-       when nil
-         nil
-       when String
-         OpenSSL::PKey::RSA.new(given_config['private_key'])
-       when OpenSSL::PKey::RSA
-         given_config['private_key']
-       else
-         raise MAuth::Client::ConfigurationError, "unrecognized value given for 'private_key' - this may be a " \
-           "String, a OpenSSL::PKey::RSA, or omitted; instead got: #{given_config['private_key'].inspect}"
-      end
+      @config['private_key'] =
+        case given_config['private_key']
+        when nil
+          nil
+        when String
+          OpenSSL::PKey::RSA.new(given_config['private_key'])
+        when OpenSSL::PKey::RSA
+          given_config['private_key']
+        else
+          raise MAuth::Client::ConfigurationError,
+            "unrecognized value given for 'private_key' - this may be a " \
+            "String, a OpenSSL::PKey::RSA, or omitted; instead got: #{given_config['private_key'].inspect}"
+        end
       @config['app_uuid'] = given_config['app_uuid']
       @config['mauth_baseurl'] = given_config['mauth_baseurl']
       @config['mauth_api_version'] = given_config['mauth_api_version']
       @config['logger'] = given_config['logger'] || begin
-        if Object.const_defined?('Rails') && Rails.logger
+        if Object.const_defined?(:Rails) && Rails.logger
           Rails.logger
         else
           require 'logger'
@@ -151,26 +156,25 @@ module MAuth
       request_config.merge!(symbolize_keys(given_config['faraday_options'])) if given_config['faraday_options']
       @config['faraday_options'] = { request: request_config } || {}
       @config['ssl_certs_path'] = given_config['ssl_certs_path'] if given_config['ssl_certs_path']
-      @config['v2_only_authenticate'] = given_config['v2_only_authenticate'].to_s.downcase == 'true'
-      @config['v2_only_sign_requests'] = given_config['v2_only_sign_requests'].to_s.downcase == 'true'
-      @config['disable_fallback_to_v1_on_v2_failure'] = given_config['disable_fallback_to_v1_on_v2_failure'].to_s.downcase == 'true'
-      @config['v1_only_sign_requests'] = given_config['v1_only_sign_requests'].to_s.downcase == 'true'
+      @config['v2_only_authenticate'] = given_config['v2_only_authenticate'].to_s.casecmp('true').zero?
+      @config['v2_only_sign_requests'] = given_config['v2_only_sign_requests'].to_s.casecmp('true').zero?
+      @config['disable_fallback_to_v1_on_v2_failure'] =
+        given_config['disable_fallback_to_v1_on_v2_failure'].to_s.casecmp('true').zero?
+      @config['v1_only_sign_requests'] = given_config['v1_only_sign_requests'].to_s.casecmp('true').zero?
 
       if @config['v2_only_sign_requests'] && @config['v1_only_sign_requests']
-        raise MAuth::Client::ConfigurationError, "v2_only_sign_requests and v1_only_sign_requests may not both be true"
+        raise MAuth::Client::ConfigurationError, 'v2_only_sign_requests and v1_only_sign_requests may not both be true'
       end
 
       # if 'authenticator' was given, don't override that - including if it was given as nil / false
       if given_config.key?('authenticator')
         @config['authenticator'] = given_config['authenticator']
+      elsif client_app_uuid && private_key
+        @config['authenticator'] = LocalAuthenticator
+      # MAuth::Client can authenticate locally if it's provided a client_app_uuid and private_key
       else
-        if client_app_uuid && private_key
-          # MAuth::Client can authenticate locally if it's provided a client_app_uuid and private_key
-          @config['authenticator'] = LocalAuthenticator
-        else
-          # otherwise, it will authenticate remotely (requests only)
-          @config['authenticator'] = RemoteRequestAuthenticator
-        end
+        # otherwise, it will authenticate remotely (requests only)
+        @config['authenticator'] = RemoteRequestAuthenticator
       end
       extend @config['authenticator'] if @config['authenticator']
     end
@@ -184,11 +188,11 @@ module MAuth
     end
 
     def mauth_baseurl
-      @config['mauth_baseurl'] || raise(MAuth::Client::ConfigurationError, "no configured mauth_baseurl!")
+      @config['mauth_baseurl'] || raise(MAuth::Client::ConfigurationError, 'no configured mauth_baseurl!')
     end
 
     def mauth_api_version
-      @config['mauth_api_version'] || raise(MAuth::Client::ConfigurationError, "no configured mauth_api_version!")
+      @config['mauth_api_version'] || raise(MAuth::Client::ConfigurationError, 'no configured mauth_api_version!')
     end
 
     def private_key
@@ -235,7 +239,7 @@ module MAuth
 
     # Changes all keys in the top level of the hash to symbols.  Does not affect nested hashes inside this one.
     def symbolize_keys(hash)
-      hash.keys.each do |key|
+      hash.keys.each do |key| # rubocop:disable Style/HashEachMethods
         hash[(key.to_sym rescue key) || key] = hash.delete(key)
       end
       hash
@@ -243,7 +247,7 @@ module MAuth
   end
 
   module ConfigFile
-    GITHUB_URL = 'https://github.com/mdsol/mauth-client-ruby'.freeze
+    GITHUB_URL = 'https://github.com/mdsol/mauth-client-ruby'
     @config = {}
 
     def self.load(path)
@@ -251,12 +255,17 @@ module MAuth
         raise "File #{path} not found. Please visit #{GITHUB_URL} for details."
       end
 
-      @config[path] ||= YAML.load_file(path)
+      @config[path] ||= yaml_safe_load_file(path)
       unless @config[path]
         raise "File #{path} does not contain proper YAML information. Visit #{GITHUB_URL} for details."
       end
 
       @config[path]
     end
+
+    def self.yaml_safe_load_file(path)
+      yml_data = File.read(path)
+      YAML.safe_load(yml_data, aliases: true)
+    end
   end
 end

data/lib/mauth/core_ext.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Hash
   # like stringify_keys, but does not attempt to stringify anything other than Symbols.
   # other keys are left alone.

data/lib/mauth/dice_bag/mauth_templates.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'dice_bag'
 
 class MauthTemplate < DiceBag::AvailableTemplates
@@ -14,6 +16,6 @@ class MauthInitializerTemplate < DiceBag::AvailableTemplates
   end
 
   def templates
-    [File.join(File.dirname(__FILE__), 'mauth.rb.dice')] if Object.const_defined?('Rails')
+    [File.join(File.dirname(__FILE__), 'mauth.rb.dice')] if Object.const_defined?(:Rails)
   end
 end

data/lib/mauth/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module MAuth
   # mAuth client was unable to verify the authenticity of a signed object (this does NOT mean the
   # object is inauthentic). typically due to a failure communicating with the mAuth service, in

data/lib/mauth/fake/rack.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'mauth/rack'
 
 module MAuth
@@ -14,30 +16,32 @@ module MAuth
     # (rather than switching to this fake one), as all this does is add those keys to the request env.
     class RequestAuthenticationFaker < MAuth::Rack::RequestAuthenticator
       class << self
-        def is_authentic?
+        def is_authentic? # rubocop:disable Naming/PredicateName
           @is_authentic.nil? ? true : @is_authentic
         end
 
-        def authentic=(is_auth = true)
+        def authentic=(is_auth = true) # rubocop:disable Style/OptionalBooleanParameter
           @is_authentic = is_auth
         end
       end
 
       def call(env)
         retval = if should_authenticate?(env)
-          mauth_request = MAuth::Rack::Request.new(env)
-          env['mauth.protocol_version'] = mauth_request.protocol_version
+                   mauth_request = MAuth::Rack::Request.new(env)
+                   env['mauth.protocol_version'] = mauth_request.protocol_version
 
-          if self.class.is_authentic?
-            @app.call(env.merge!('mauth.app_uuid' => mauth_request.signature_app_uuid, 'mauth.authentic' => true))
-          else
-            response_for_inauthentic_request(env)
-          end
-        else
-          @app.call(env)
-        end
+                   if self.class.is_authentic?
+                     @app.call(env.merge!('mauth.app_uuid' => mauth_request.signature_app_uuid,
+                       'mauth.authentic' => true))
+                   else
+                     response_for_inauthentic_request(env)
+                   end
+                 else
+                   @app.call(env)
+                 end
 
-        # ensure that the next request is marked authenic unless the consumer of this middleware explicitly deems otherwise
+        # ensure that the next request is marked authenic unless the consumer of this middleware explicitly deems
+        # otherwise
         self.class.authentic = true
 
         retval