omniauth-cloudiap 1.0.0 → 1.1.0

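--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 4dd63aa4dba59ff3b4251103f4dc8202f9dfbe39753e967f47133a7cd7b4c907
- data.tar.gz: e8aaf738e50bdb425c8cd6a57ac3bc5a3b9a7945323187e46b1498f2cc89225e
+ metadata.gz: 71d630cae4e35a08c26c0605fb042a9e9f290a2f5598432521581af23555ff04
+ data.tar.gz: 479bc4020c0106fc46361906ff26e83a105a0507453d37f2252e4825f5f71957
  SHA512:
- metadata.gz: 69b1f7761fd89ff7bcb3974ac08d3b836271020fb50dd324bb1226359a15d71a92c0aeb28d27c1f330eae27f406c8a1868f125666c3d5bf2fb0185a1c1d26b5b
- data.tar.gz: 2270c3f8e4865b62f81825633b88b2fcdb35beb2fec1cbad77c45937f976e2acb1a6c3926f1adfe4e918d984a364011d7f7d78fcedd742d725d9aaea26cc9160
+ metadata.gz: d79d2795cca365f18c65155776790bd1783c6f0fe55e6f93b50fec117407a6129b6b58223ab7e21dab30caa75cb63ea2777aeac2315a5e05278f0ea6c859e5db
+ data.tar.gz: 6c3275328d58b65a8806add7d93c6f6bceada32c43ac93c457653eec5b462ca420bebee0c8a9cb152d1fd29fbab4454b8a691c8e8dd6ffd5c2e25a3d20b55f1b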
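--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -0,0 +1,45 @@
+
+ AllCops:
+ TargetRubyVersion: 3.0
+ NewCops: enable
+ Exclude:
+ - 'omniauth-cloudiap.gemspec'
+
+ Metrics/AbcSize:
+ Max: 28
+
+ Metrics/MethodLength:
+ Enabled: false
+
+ Style/NumericLiterals:
+ MinDigits: 11
+
+ Style/FrozenStringLiteralComment:
+ Enabled: false
+
+ Style/StringLiterals:
+ EnforcedStyle: double_quotes
+
+ Style/TrailingCommaInHashLiteral:
+ EnforcedStyleForMultiline: consistent_comma
+
+ Style/TrailingCommaInArguments:
+ EnforcedStyleForMultiline: consistent_comma
+
+ Style/Documentation:
+ Enabled: false
+
+ Style/IfUnlessModifier:
+ Enabled: false
+
+ Style/GuardClause:
+ Enabled: false
+
+ Style/SignalException:
+ EnforcedStyle: semantic
+
+ Style/RescueStandardError:
+ EnforcedStyle: implicit
+
+ Layout/FirstHashElementIndentation:
+ EnforcedStyle: consistent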
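--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,8 +1,9 @@
  Changelog
  ===========
 
+ ## 1.1.0 - 2024-06-04
+ - Change validation method to use ruby-jwt to avoid openssl3 error
 
- 1.0.0 - 2018-11-21
- --------------------
+ ## 1.0.0 - 2018-11-21
 
  - First release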
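--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,6 +1,6 @@
  source "https://rubygems.org"
 
- git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
  # Specify your gem's dependencies in omniauth-cloudiap.gemspec
  gemspec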
data/Gemfile.lock CHANGED
@@ -1,40 +1,81 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- omniauth-cloudiap (0.1.0)
4
+ omniauth-cloudiap (1.1.0)
5
5
  jwt
6
6
  omniauth
7
7
 
8
8
  GEM
9
9
  remote: https://rubygems.org/
10
10
  specs:
11
- hashie (3.5.7)
12
- jwt (2.1.0)
13
- minitest (5.11.3)
14
- minitest-power_assert (0.3.0)
11
+ ast (2.4.2)
12
+ base64 (0.2.0)
13
+ hashie (5.0.0)
14
+ json (2.7.2)
15
+ jwt (2.8.1)
16
+ base64
17
+ language_server-protocol (3.17.0.3)
18
+ minitest (5.23.1)
19
+ minitest-power_assert (0.3.1)
15
20
  minitest
16
21
  power_assert (>= 1.1)
17
- omniauth (1.8.1)
18
- hashie (>= 3.4.6, < 3.6.0)
19
- rack (>= 1.6.2, < 3)
20
- power_assert (1.1.3)
21
- rack (2.0.6)
22
- rack-test (1.1.0)
23
- rack (>= 1.0, < 3)
24
- rake (10.5.0)
25
- timecop (0.9.1)
22
+ minitest-stub_any_instance (1.0.3)
23
+ omniauth (2.1.2)
24
+ hashie (>= 3.4.6)
25
+ rack (>= 2.2.3)
26
+ rack-protection
27
+ parallel (1.24.0)
28
+ parser (3.3.2.0)
29
+ ast (~> 2.4.1)
30
+ racc
31
+ power_assert (2.0.3)
32
+ racc (1.8.0)
33
+ rack (3.0.11)
34
+ rack-protection (4.0.0)
35
+ base64 (>= 0.1.0)
36
+ rack (>= 3.0.0, < 4)
37
+ rack-session (2.0.0)
38
+ rack (>= 3.0.0)
39
+ rack-test (2.1.0)
40
+ rack (>= 1.3)
41
+ rainbow (3.1.1)
42
+ rake (13.2.1)
43
+ regexp_parser (2.9.2)
44
+ rexml (3.2.8)
45
+ strscan (>= 3.0.9)
46
+ rubocop (1.64.1)
47
+ json (~> 2.3)
48
+ language_server-protocol (>= 3.17.0)
49
+ parallel (~> 1.10)
50
+ parser (>= 3.3.0.2)
51
+ rainbow (>= 2.2.2, < 4.0)
52
+ regexp_parser (>= 1.8, < 3.0)
53
+ rexml (>= 3.2.5, < 4.0)
54
+ rubocop-ast (>= 1.31.1, < 2.0)
55
+ ruby-progressbar (~> 1.7)
56
+ unicode-display_width (>= 2.4.0, < 3.0)
57
+ rubocop-ast (1.31.3)
58
+ parser (>= 3.3.1.0)
59
+ ruby-progressbar (1.13.0)
60
+ strscan (3.1.0)
61
+ timecop (0.9.9)
62
+ unicode-display_width (2.5.0)
26
63
 
27
64
  PLATFORMS
65
+ arm64-darwin-22
28
66
  ruby
29
67
 
30
68
  DEPENDENCIES
31
- bundler (~> 1.17)
32
- minitest (~> 5.0)
69
+ bundler
70
+ minitest
33
71
  minitest-power_assert
72
+ minitest-stub_any_instance
34
73
  omniauth-cloudiap!
74
+ rack-session
35
75
  rack-test
36
- rake (~> 10.0)
76
+ rake
77
+ rubocop
37
78
  timecop
38
79
 
39
80
  BUNDLED WITH
40
- 1.17.1
81
+ 2.5.11
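--- a/data/Rakefile
+++ b/data/Rakefile
@@ -7,4 +7,4 @@ Rake::TestTask.new(:test) do |t|
  t.test_files = FileList["test/**/*_test.rb"]
  end
 
- task :default => :test
+ task default: :test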
@@ -1,11 +1,10 @@
1
- require 'jwt'
2
- require 'open-uri'
3
- require 'json'
1
+ require "jwt"
2
+ require "open-uri"
3
+ require "json"
4
4
 
5
5
  module OmniAuth
6
6
  module Cloudiap
7
7
  class IAPJWT
8
-
9
8
  class InvalidAudError < Error; end
10
9
 
11
10
  def initialize(aud: nil)
@@ -13,56 +12,51 @@ module OmniAuth
13
12
  end
14
13
 
15
14
  def decode_with_validate(token)
16
- payload, header = validate(token)
15
+ payload, = validate(token)
17
16
  { identifier: payload["sub"], email: payload["email"] }
18
17
  end
19
18
 
20
19
  def parse(token)
21
- JWT.decode token, nil, false
20
+ JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)
22
21
  end
23
22
 
24
23
  def jwk_keys
25
- @jwk_keys ||= begin
26
- url = "https://www.gstatic.com/iap/verify/public_key-jwk"
27
- open(url) { |f| JSON.parse(f.read) }
28
- end
24
+ url = "https://www.gstatic.com/iap/verify/public_key-jwk"
25
+ URI.open(url) { |f| JSON.parse(f.read) } # rubocop:disable Security/Open
29
26
  end
30
27
 
31
- def jwk_key(token)
32
- _, header = parse(token)
33
- jwk = jwk_keys["keys"].find{|k| k["kid"] == header["kid"] }
34
- curve_name = \
35
- case jwk["crv"]
36
- when "P-256"
37
- "prime256v1"
38
- when "P-384"
39
- "secp384r1"
40
- when "P-521"
41
- "secp521r1"
42
- else
43
- raise AugumentError, "Unknown crv: #{jwk["crv"]}"
44
- end
45
- x = Base64.urlsafe_decode64(jwk["x"])
46
- y = Base64.urlsafe_decode64(jwk["y"])
47
-
48
- key = OpenSSL::PKey::EC.new(curve_name)
49
- group = OpenSSL::PKey::EC::Group.new(curve_name)
50
- bn = OpenSSL::BN.new(["04" + x.unpack("H*").first + y.unpack("H*").first].pack("H*"), 2)
51
- key.public_key = OpenSSL::PKey::EC::Point.new(group, bn)
52
- key
28
+ def jwks_loader(options)
29
+ if options[:kid_not_found] && @cache_last_update < Time.now.to_i - 300
30
+ logger.info("Invalidating JWK cache. #{options[:kid]} not found from previous cache")
31
+ @cached_keys = nil
32
+ end
33
+ @cached_keys ||= begin # rubocop:disable Naming/MemoizedInstanceVariableName
34
+ @cache_last_update = Time.now.to_i
35
+ jwks = JWT::JWK::Set.new(jwk_keys)
36
+ jwks.select! { |key| key[:use] == "sig" } # Signing Keys only
37
+ jwks
38
+ end
53
39
  end
54
40
 
55
- def validate(token)
56
- iss = "https://cloud.google.com/iap"
57
- options = {
58
- algorithm: "ES256",
41
+ def default_jwt_decode_options
42
+ {
59
43
  verify_expiration: true,
60
44
  verify_iat: true,
61
45
  verify_aud: true,
62
46
  verify_iss: true,
63
- iss: iss,
64
47
  }
65
- payload, header = JWT.decode(token, jwk_key(token), true, options)
48
+ end
49
+
50
+ def validate(token)
51
+ iss = "https://cloud.google.com/iap"
52
+ options = default_jwt_decode_options.merge(
53
+ iss: iss,
54
+ algorithm: "ES256",
55
+ jwks: method(:jwks_loader),
56
+ )
57
+
58
+ payload, header = JWT.decode(token, nil, true, options)
59
+
66
60
  if @required_aud
67
61
  validate_aud(@required_aud, payload["aud"])
68
62
  else
@@ -81,7 +75,7 @@ module OmniAuth
81
75
 
82
76
  def validate_aud_format(aud)
83
77
  case aud
84
- when %r|/projects/\d+/apps/\d+|, %r|/projects/\d+/global/backendServices/\d+|
78
+ when %r{/projects/\d+/apps/\d+}, %r{/projects/\d+/global/backendServices/\d+}
85
79
  # do nothing
86
80
  else
87
81
  fail InvalidAudError, aud
@@ -90,4 +84,3 @@ module OmniAuth
90
84
  end
91
85
  end
92
86
  end
93
-
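Review bot: `jwks_loader` keeps `@cached_keys` and `@cache_last_update` on the instance, but the strategy's `userinfo_from_jwt` builds a fresh `IAPJWT.new(aud: options[:aud])` for each validation, so every validation appears to fetch the key set from gstatic again and the five-minute refresh branch can hardly be reached. Authentication then depends on an outbound request that `jwk_keys` makes with no explicit timeout or error handling; holding the cache at class level behind a Mutex (or reusing one `IAPJWT` instance) would address the first part, and `URI.open(url, open_timeout: 5, read_timeout: 5)` bounds the fetch (the values are illustrative). The refresh branch also calls `logger`, and `parse` now passes `algorithms` and `jwks`; none of these three names is defined in the lines visible here, so confirm they exist elsewhere or those paths raise `NameError`. Separately, `verify_aud: true` without an `aud:` option is, as far as I know, a no-op in ruby-jwt, so the audience check rests entirely on `validate_aud` / `validate_aud_format`, and the latter's patterns are unanchored.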
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Cloudiap
3
- VERSION = "1.0.0"
3
+ VERSION = "1.1.0".freeze
4
4
  end
5
5
  end
@@ -7,4 +7,3 @@ module OmniAuth
7
7
  end
8
8
 
9
9
  require "omniauth/strategies/cloudiap"
10
-
@@ -51,11 +51,11 @@ module OmniAuth
51
51
  end
52
52
 
53
53
  def userinfo_from_jwt
54
- if token = env["HTTP_X_GOOG_IAP_JWT_ASSERTION"]
55
- payload, header = ::OmniAuth::Cloudiap::IAPJWT.new(aud: options[:aud]).validate(token)
54
+ if (token = env["HTTP_X_GOOG_IAP_JWT_ASSERTION"])
55
+ payload, = ::OmniAuth::Cloudiap::IAPJWT.new(aud: options[:aud]).validate(token)
56
56
  uid = payload["sub"].sub(/^accounts.google.com:/, "")
57
57
  email = payload["email"]
58
- result = {
58
+ {
59
59
  uid: uid,
60
60
  email: email,
61
61
  name: username_from_email(email),
@@ -70,7 +70,7 @@ module OmniAuth
70
70
  uid = env["HTTP_X_GOOG_AUTHENTICATED_USER_ID"].sub(/^accounts.google.com:/, "")
71
71
  email = env["HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"].sub(/^accounts.google.com:/, "")
72
72
 
73
- result = {
73
+ {
74
74
  uid: uid,
75
75
  email: email,
76
76
  name: username_from_email(email),
@@ -78,7 +78,7 @@ module OmniAuth
78
78
  end
79
79
 
80
80
  def username_from_email(email)
81
- if options[:username_callback] && options[:username_callback].respond_to?(:[])
81
+ if options[:username_callback].respond_to?(:[])
82
82
  options[:username_callback][email]
83
83
  else
84
84
  email
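Review bot: The context lines at 70–71 of this file still build `uid` and `email` from `HTTP_X_GOOG_AUTHENTICATED_USER_ID` and `HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL`, which, unlike `HTTP_X_GOOG_IAP_JWT_ASSERTION`, carry no signature, so their values are only as trustworthy as the guarantee that every request reaches the app through IAP. The method containing those lines starts outside the hunk, so it is not visible whether it runs only when the JWT is absent; if it does, consider making that path opt-in and documenting it with a comment such as `# Unsigned headers: trust only when the app is reachable exclusively through IAP.` The prefix patterns would also be stricter as `/\Aaccounts\.google\.com:/`, since `^` matches at any line start and the dots are unescaped.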
@@ -35,13 +35,17 @@ Gem::Specification.new do |spec|
35
35
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
36
36
  spec.require_paths = ["lib"]
37
37
 
38
- spec.add_development_dependency "bundler", "~> 1.17"
39
- spec.add_development_dependency "rake", "~> 10.0"
40
- spec.add_development_dependency "minitest", "~> 5.0"
38
+ spec.add_development_dependency "bundler"
39
+ spec.add_development_dependency "minitest"
41
40
  spec.add_development_dependency "minitest-power_assert"
41
+ spec.add_development_dependency "minitest-stub_any_instance"
42
+ spec.add_development_dependency "rack-session"
42
43
  spec.add_development_dependency "rack-test"
44
+ spec.add_development_dependency "rake"
45
+ spec.add_development_dependency "rubocop"
43
46
  spec.add_development_dependency "timecop"
44
47
 
48
+
45
49
  spec.add_dependency "omniauth"
46
50
  spec.add_dependency "jwt"
47
51
  end
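Review bot: `spec.add_dependency "jwt"` stays unconstrained although 1.1.0 now relies on `JWT::JWK::Set` and the `jwks:` loader option, which older ruby-jwt releases (the previous lockfile resolved 2.1.0) do not provide, as far as I know. On such an install token validation would raise instead of verifying, so declare the floor the code was tested against, for example `spec.add_dependency "jwt", ">= 2.8"` (the lockfile in this release resolves 2.8.1). The `Gem::Specification` block begins outside the hunk.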
metadata CHANGED
@@ -1,59 +1,73 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-cloudiap
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - HORII Keima
8
- autorequire:
8
+ autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-11-21 00:00:00.000000000 Z
11
+ date: 2024-06-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - "~>"
17
+ - - ">="
18
18
  - !ruby/object:Gem::Version
19
- version: '1.17'
19
+ version: '0'
20
20
  type: :development
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - "~>"
24
+ - - ">="
25
25
  - !ruby/object:Gem::Version
26
- version: '1.17'
26
+ version: '0'
27
27
  - !ruby/object:Gem::Dependency
28
- name: rake
28
+ name: minitest
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - "~>"
31
+ - - ">="
32
32
  - !ruby/object:Gem::Version
33
- version: '10.0'
33
+ version: '0'
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - "~>"
38
+ - - ">="
39
39
  - !ruby/object:Gem::Version
40
- version: '10.0'
40
+ version: '0'
41
41
  - !ruby/object:Gem::Dependency
42
- name: minitest
42
+ name: minitest-power_assert
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - "~>"
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
- version: '5.0'
47
+ version: '0'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - "~>"
52
+ - - ">="
53
53
  - !ruby/object:Gem::Version
54
- version: '5.0'
54
+ version: '0'
55
55
  - !ruby/object:Gem::Dependency
56
- name: minitest-power_assert
56
+ name: minitest-stub_any_instance
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: rack-session
57
71
  requirement: !ruby/object:Gem::Requirement
58
72
  requirements:
59
73
  - - ">="
@@ -80,6 +94,34 @@ dependencies:
80
94
  - - ">="
81
95
  - !ruby/object:Gem::Version
82
96
  version: '0'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rake
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ - !ruby/object:Gem::Dependency
112
+ name: rubocop
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - ">="
123
+ - !ruby/object:Gem::Version
124
+ version: '0'
83
125
  - !ruby/object:Gem::Dependency
84
126
  name: timecop
85
127
  requirement: !ruby/object:Gem::Requirement
@@ -130,6 +172,7 @@ extensions: []
130
172
  extra_rdoc_files: []
131
173
  files:
132
174
  - ".gitignore"
175
+ - ".rubocop.yml"
133
176
  - CHANGELOG.md
134
177
  - Gemfile
135
178
  - Gemfile.lock
@@ -150,7 +193,7 @@ metadata:
150
193
  allowed_push_host: https://rubygems.org
151
194
  homepage_uri: https://github.com/holysugar/omniauth-cloudiap
152
195
  source_code_uri: https://github.com/holysugar/omniauth-cloudiap
153
- post_install_message:
196
+ post_install_message:
154
197
  rdoc_options: []
155
198
  require_paths:
156
199
  - lib
@@ -165,9 +208,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
165
208
  - !ruby/object:Gem::Version
166
209
  version: '0'
167
210
  requirements: []
168
- rubyforge_project:
169
- rubygems_version: 2.7.6
170
- signing_key:
211
+ rubygems_version: 3.5.9
212
+ signing_key:
171
213
  specification_version: 4
172
214
  summary: omniauth strategy using Google Cloud IAP
173
215
  test_files: []