mauth-client 7.0.0 → 7.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2bba0c6eb1611b4662a09c82bb2a0493ccdf10ad18519ca6cdfec4436da12fed
-  data.tar.gz: ea9cc4c97792777115f3e612a2baa1b7135c43f7b34302e66150a962f8dfd422
+  metadata.gz: 13c58b1677a77952cf139df370154dbbe079aeb4aa3be211520796edf3ff5a02
+  data.tar.gz: cf39996376710d65d3e6fdecda46248788641028783d98b42f02e747a1ac1e74
 SHA512:
-  metadata.gz: 7cd8843becf3ad4eb6595fd2de37fe17d459178c0ee2648794e117fa4cb13283fa359a3d154031fc466a4448a796616d4727e3f1e4cae725f797ec33a8a540b8
-  data.tar.gz: d43181445129e3a8fa350547d29bb10e8b02ef9762d35ff85b4fb87a6f26c47c08a2a1c227ff7618f07544dd6deebb8c6fe60ddfe2ebeda6fa12f3fd89a74807
+  metadata.gz: daee87957cb651a32d8a7f5b07004a90c7ac3f690fa5d59069f5b8a73ca22d5afcdb014ea8113b96661da59790e0fa190f16ef01264336c951ccdab20980f2d8
+  data.tar.gz: '0774058a011e491316dc0e264fd56c301028fc9f5e450499021d6a1e5736e476b49104c44b0a05d785f1b855feb88fa528b1d5fb4c03398676dc54b16da7e728'

data/.travis.yml

@@ -12,17 +12,7 @@ env:
   global:
     - BUNDLE_JOBS=4
 
-jobs:
-  exclude:
-    - rvm: 3.0
-      gemfile: gemfiles/faraday_0.x.gemfile # Faraday v0.x does not officially support Ruby 3 (see: https://github.com/lostisland/faraday/releases/tag/v1.3.0)
-    - rvm: 3.1
-      gemfile: gemfiles/faraday_0.x.gemfile # Faraday v0.x does not officially support Ruby 3 (see: https://github.com/lostisland/faraday/releases/tag/v1.3.0)
-    - rvm: 3.2
-      gemfile: gemfiles/faraday_0.x.gemfile # Faraday v0.x does not officially support Ruby 3 (see: https://github.com/lostisland/faraday/releases/tag/v1.3.0)
-
 gemfile:
-  - gemfiles/faraday_0.x.gemfile
   - gemfiles/faraday_1.x.gemfile
   - gemfiles/faraday_2.x.gemfile
 

data/Appraisals

@@ -1,11 +1,7 @@
 # frozen_string_literal: true
 
-appraise 'faraday_0.x' do
-  gem 'faraday', '~> 0.9'
-end
-
 appraise 'faraday_1.x' do
-  gem 'faraday', '~> 1.0'
+  gem 'faraday', '~> 1.9'
 end
 
 appraise 'faraday_2.x' do

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## v7.1.0
+- Add MAuth::PrivateKeyHelper.load method to process RSA private keys.
+- Update Faraday configuration in SecurityTokenCacher:
+  - Add the `MAUTH_USE_RAILS_CACHE` environment variable to make `Rails.cache` usable to cache public keys.
+  - Shorten timeout for connection, add retries, and use persistent HTTP connections.
+- Drop support for Faraday < 1.9.
+
 ## v7.0.0
 - Remove dice_bag and set configuration through environment variables directly.
 - Rename the `V2_ONLY_SIGN_REQUESTS`, `V2_ONLY_AUTHENTICATE`, `DISABLE_FALLBACK_TO_V1_ON_V2_FAILURE` and `V1_ONLY_SIGN_REQUESTS` environment variables.

data/README.md

@@ -30,7 +30,7 @@ $ gem install mauth-client
 Configuration is set through environment variables:
 
 - `MAUTH_PRIVATE_KEY`
-  - Required for signing and for authenticating responses.
+  - Required for signing and for authentication.
 
 - `MAUTH_PRIVATE_KEY_FILE`
   - May be used instead of `MAUTH_PRIVATE_KEY`, mauth-client will load the file instead.
@@ -56,6 +56,8 @@ Configuration is set through environment variables:
 - `MAUTH_V1_ONLY_SIGN_REQUESTS`
   - If true, all outgoing requests will be signed with only the V1 protocol. Defaults to true. Note, cannot be `true` if `MAUTH_V2_ONLY_SIGN_REQUESTS` is also `true`.
 
+- `MAUTH_USE_RAILS_CACHE`
+  - If true, `Rails.cache` is used to cache public keys for authentication.
 
 This is simply loaded and passed to either middleware or directly to a MAuth::Client instance.
 See the documentation for [MAuth::Client#initialize](lib/mauth/client.rb) for more details of what it accepts. Usually you will want:
@@ -67,10 +69,10 @@ MAUTH_CONF = MAuth::Client.default_config
 The `.default_config` method takes a number of options to tweak its expectations regarding defaults. See the
 documentation for [MAuth::Client.default_config](lib/mauth/client.rb) for details.
 
-The `private_key` and `app_uuid` enable local authentication (see section [Local Authentication](#local-authentication) below).
+The `private_key` and `app_uuid` are required for signing and for authentication.
 They’ll only work if the `app_uuid` has been stored in MAuth with a public key corresponding to the `private_key`.
 
-The `mauth_baseurl` and `mauth_api_version` are required.
+The `mauth_baseurl` and `mauth_api_version` are required for authentication.
 These tell the MAuth-Client where and how to communicate with the MAuth service.
 
 The `v2_only_sign_requests` and `v2_only_authenticate` flags were added to facilitate conversion from the MAuth V1 protocol to the MAuth
@@ -248,9 +250,7 @@ Only use the `MAuth::Faraday::ResponseAuthenticator` middleware if you are expec
 `MAUTH_CONF` is the same as in Rack middleware, and as with the Rack middleware is used to initialize a `MAuth::Client` instance.
 Also as with the Rack middleware, you can pass in a `MAuth::Client` instance you are using yourself on the `:mauth_client` key, and omit any other configuration.
 
-Behavior is likewise similar to rack: if a `private_key` and `app_uuid` are specified, then ResponseAuthenticator will authenticate locally (see [Local Authentication](#local-authentication) below); if not, then it will go to the
-mauth service to authenticate.
-`MAuth::Faraday::RequestSigner` cannot be used without a `private_key` and `app_uuid`.
+Both `MAuth::Faraday::ResponseAuthenticator` and `MAuth::Faraday::RequestSigner` cannot be used without a `private_key` and `app_uuid`.
 
 If a response which does not appear to be authentic is received by the `MAuth::Faraday::ResponseAuthenticator` middleware, a `MAuth::InauthenticError` will be raised.
 
@@ -272,18 +272,6 @@ request = MAuth::Request.new(verb: my_verb, request_url: my_request_url, body: m
 ```
 `mauth_client.signed_headers(request)` will then return mauth headers which you can apply to your request.
 
-## Local Authentication
-
-When doing local authentication, the MAuth-Client will periodically fetch and cache public keys from MAuth.
-Each public key will be cached locally for 60 seconds.
-Applications which connect frequently to the app will benefit most from this caching strategy.
-When fetching public keys from MAuth, the following rules apply:
-
-1. If MAuth returns the public key for a given `app_uuid`, MAuth-Client will refresh its local cache with this new public key.
-2. If MAuth cannot find the public key for a given `app_uuid` (i.e. returns a 404 status code), MAuth-Client will remove the corresponding public key from its local cache and authentication of any message from the application with this public key will fail as a consequence.
-3. If the request to MAuth times out or MAuth returns a 500 status code, the requested public key will not be removed from local MAuth-Client cache (if it exists there in the first place).
-   The cached version will continue to be used for local authentication until MAuth::Client is able to again communicate with MAuth.
-
 ## Warning
 
 During development classes are typically not cached in Rails applications.

data/gemfiles/faraday_1.x.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "faraday", "~> 1.0"
+gem "faraday", "~> 1.9"
 
 group :development do
   gem "appraisal", "~> 2.4"

data/lib/mauth/client/security_token_cacher.rb

@@ -1,16 +1,24 @@
 # frozen_string_literal: true
 
 require 'faraday-http-cache'
+require 'faraday/retry'
+if Gem::Version.new(Faraday::VERSION) >= Gem::Version.new('2.0')
+  require 'faraday/net_http_persistent'
+else
+  require 'net/http/persistent'
+end
 require 'mauth/faraday'
 
 module MAuth
   class Client
     module Authenticator
       class SecurityTokenCacher
+        attr_reader :mauth_client
+
         def initialize(mauth_client)
           @mauth_client = mauth_client
           # TODO: should this be UnableToSignError?
-          @mauth_client.assert_private_key(
+          mauth_client.assert_private_key(
             UnableToAuthenticateError.new('Cannot fetch public keys from mAuth service without a private key!')
           )
         end
@@ -19,7 +27,7 @@ module MAuth
           # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
           # app_uuid - probably not exploitable, but this is the right way to do it anyway.
           url_encoded_app_uuid = CGI.escape(app_uuid)
-          path = "/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json"
+          path = "/mauth/#{mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json"
           response = signed_mauth_connection.get(path)
 
           case response.status
@@ -29,11 +37,11 @@ module MAuth
             # signing with a key mAuth doesn't know about is considered inauthentic
             raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
           else
-            @mauth_client.send(:mauth_service_response_error, response)
+            mauth_client.send(:mauth_service_response_error, response)
           end
         rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
           msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
-          @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
           raise UnableToAuthenticateError, msg
         end
 
@@ -43,21 +51,20 @@ module MAuth
           JSON.parse response_body
         rescue JSON::ParserError => e
           msg = "mAuth service responded with unparseable json: #{response_body}\n#{e.class}: #{e.message}"
-          @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
           raise UnableToAuthenticateError, msg
         end
 
         def signed_mauth_connection
           @signed_mauth_connection ||= begin
-            if @mauth_client.ssl_certs_path
-              @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path }
-            end
+            mauth_client.faraday_options[:ssl] = { ca_path: mauth_client.ssl_certs_path } if mauth_client.ssl_certs_path
 
-            ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
+            ::Faraday.new(mauth_client.mauth_baseurl, mauth_client.faraday_options) do |builder|
               builder.use MAuth::Faraday::MAuthClientUserAgent
-              builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
-              builder.use :http_cache, logger: MAuth::Client.new.logger, shared_cache: false
-              builder.adapter ::Faraday.default_adapter
+              builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => mauth_client
+              builder.use :http_cache, store: mauth_client.cache_store, logger: mauth_client.logger, shared_cache: false
+              builder.request :retry, max: 2
+              builder.adapter :net_http_persistent
             end
           end
         end

data/lib/mauth/client.rb

@@ -12,6 +12,7 @@ require 'mauth/client/authenticator'
 require 'mauth/client/signer'
 require 'mauth/config_env'
 require 'mauth/errors'
+require 'mauth/private_key_helper'
 
 module MAuth
   # does operations which require a private key and corresponding app uuid. this is primarily:
@@ -60,7 +61,7 @@ module MAuth
 
     # new client with the given App UUID and public key. config may include the following (all
     # config keys may be strings or symbols):
-    # - private_key - required for signing and for authenticating responses.
+    # - private_key - required for signing and for authentication.
     #   may be given as a string or a OpenSSL::PKey::RSA instance.
     # - app_uuid - required in the same circumstances where a private_key is required
     # - mauth_baseurl - required. needed to retrieve public keys.
@@ -80,7 +81,7 @@ module MAuth
         when nil
           nil
         when String
-          OpenSSL::PKey::RSA.new(given_config['private_key'])
+          PrivateKeyHelper.load(given_config['private_key'])
         when OpenSSL::PKey::RSA
           given_config['private_key']
         else
@@ -102,7 +103,7 @@ module MAuth
         end
       end
 
-      request_config = { timeout: 10, open_timeout: 10 }
+      request_config = { timeout: 10, open_timeout: 3 }
       request_config.merge!(symbolize_keys(given_config['faraday_options'])) if given_config['faraday_options']
       @config['faraday_options'] = { request: request_config } || {}
       @config['ssl_certs_path'] = given_config['ssl_certs_path'] if given_config['ssl_certs_path']
@@ -115,6 +116,7 @@ module MAuth
 
       @config['disable_fallback_to_v1_on_v2_failure'] =
         given_config['disable_fallback_to_v1_on_v2_failure'].to_s.casecmp('true').zero?
+      @config['use_rails_cache'] = given_config['use_rails_cache']
     end
 
     def logger
@@ -165,6 +167,10 @@ module MAuth
       raise err unless private_key
     end
 
+    def cache_store
+      Rails.cache if @config['use_rails_cache'] && Object.const_defined?(:Rails) && ::Rails.respond_to?(:cache)
+    end
+
     private
 
     def mauth_service_response_error(response)

data/lib/mauth/config_env.rb

@@ -13,7 +13,8 @@ module MAuth
       'MAUTH_V2_ONLY_AUTHENTICATE' => false,
       'MAUTH_V2_ONLY_SIGN_REQUESTS' => false,
       'MAUTH_DISABLE_FALLBACK_TO_V1_ON_V2_FAILURE' => false,
-      'MAUTH_V1_ONLY_SIGN_REQUESTS' => true
+      'MAUTH_V1_ONLY_SIGN_REQUESTS' => true,
+      'MAUTH_USE_RAILS_CACHE' => false
     }.freeze
 
     class << self
@@ -24,11 +25,12 @@ module MAuth
           'mauth_baseurl' => env[:mauth_url] || 'http://localhost:7000',
           'mauth_api_version' => env[:mauth_api_version],
           'app_uuid' => env[:mauth_app_uuid] || 'fb17460e-9868-11e1-8399-0090f5ccb4d3',
-          'private_key' => private_key || generate_private_key,
+          'private_key' => private_key || PrivateKeyHelper.generate.to_s,
           'v2_only_authenticate' => env[:mauth_v2_only_authenticate],
           'v2_only_sign_requests' => env[:mauth_v2_only_sign_requests],
           'disable_fallback_to_v1_on_v2_failure' => env[:mauth_disable_fallback_to_v1_on_v2_failure],
-          'v1_only_sign_requests' => env[:mauth_v1_only_sign_requests]
+          'v1_only_sign_requests' => env[:mauth_v1_only_sign_requests],
+          'use_rails_cache' => env[:mauth_use_rails_cache]
         }
       end
 
@@ -74,11 +76,6 @@ module MAuth
 
         File.read(env[:mauth_private_key_file])
       end
-
-      def generate_private_key
-        require 'openssl'
-        OpenSSL::PKey::RSA.generate(2048).to_s
-      end
     end
   end
 end

data/lib/mauth/private_key_helper.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module MAuth
+  module PrivateKeyHelper
+    HEADER = '-----BEGIN RSA PRIVATE KEY-----'
+    FOOTER = '-----END RSA PRIVATE KEY-----'
+
+    module_function
+
+    def generate
+      OpenSSL::PKey::RSA.generate(2048)
+    end
+
+    def load(key)
+      OpenSSL::PKey::RSA.new(to_rsa_format(key))
+    rescue OpenSSL::PKey::RSAError
+      raise 'The private key provided is invalid'
+    end
+
+    def to_rsa_format(key)
+      return key if key.include?("\n")
+
+      body = key.strip.delete_prefix(HEADER).delete_suffix(FOOTER).strip
+      body = body.include?("\s") ? body.tr("\s", "\n") : body.scan(/.{1,64}/).join("\n")
+      "#{HEADER}\n#{body}\n#{FOOTER}"
+    end
+  end
+end

data/lib/mauth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MAuth
-  VERSION = '7.0.0'
+  VERSION = '7.1.0'
 end

data/mauth-client.gemspec

@@ -23,8 +23,11 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'addressable', '~> 2.0'
   spec.add_dependency 'coderay', '~> 1.0'
-  spec.add_dependency 'faraday', '>= 0.9', '< 3.0'
+  spec.add_dependency 'faraday', '>= 1.9', '< 3.0'
   spec.add_dependency 'faraday-http-cache', '>= 2.0', '< 3.0'
+  spec.add_dependency 'faraday-net_http_persistent'
+  spec.add_dependency 'faraday-retry'
+  spec.add_dependency 'net-http-persistent', '>= 3.1'
   spec.add_dependency 'rack', '> 2.2.3'
   spec.add_dependency 'term-ansicolor', '~> 1.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mauth-client
 version: !ruby/object:Gem::Version
-  version: 7.0.0
+  version: 7.1.0
 platform: ruby
 authors:
 - Matthew Szenher
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-05-24 00:00:00.000000000 Z
+date: 2023-06-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -47,7 +47,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '1.9'
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
@@ -57,7 +57,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '1.9'
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
@@ -81,6 +81,48 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-net_http_persistent
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: faraday-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-http-persistent
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -120,7 +162,6 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".fossa.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
@@ -145,7 +186,6 @@ files:
 - examples/mauth_key
 - exe/mauth-client
 - exe/mauth-proxy
-- gemfiles/faraday_0.x.gemfile
 - gemfiles/faraday_1.x.gemfile
 - gemfiles/faraday_2.x.gemfile
 - lib/mauth-client.rb
@@ -160,6 +200,7 @@ files:
 - lib/mauth/fake/rack.rb
 - lib/mauth/faraday.rb
 - lib/mauth/middleware.rb
+- lib/mauth/private_key_helper.rb
 - lib/mauth/proxy.rb
 - lib/mauth/rack.rb
 - lib/mauth/request_and_response.rb

data/.fossa.yml

@@ -1,14 +0,0 @@
-# Generated by FOSSA CLI (https://github.com/fossas/fossa-cli)
-# Visit https://fossa.io to learn more
-
-version: 1
-cli:
-  server: https://app.fossa.io
-  fetcher: custom
-  project: mauth-client-ruby
-analyze:
-  modules:
-  - name: Gemfile
-    type: gem
-    target: .
-    path: .

data/gemfiles/faraday_0.x.gemfile

@@ -1,23 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "faraday", "~> 0.9"
-
-group :development do
-  gem "appraisal", "~> 2.4"
-  gem "benchmark-ips", "~> 2.7"
-  gem "bundler", ">= 1.17"
-  gem "byebug", "~> 11.1"
-  gem "rack-test", "~> 1.1"
-  gem "rake", "~> 12.0"
-  gem "rspec", "~> 3.8"
-  gem "rubocop", "~> 1.25"
-  gem "rubocop-mdsol", "~> 0.1"
-  gem "rubocop-performance", "~> 1.13"
-  gem "simplecov", "~> 0.16"
-  gem "timecop", "~> 0.9"
-  gem "webmock", "~> 3.0"
-end
-
-gemspec path: "../"