omniauth-cloudiap 1.0.0 → 1.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4dd63aa4dba59ff3b4251103f4dc8202f9dfbe39753e967f47133a7cd7b4c907
4
- data.tar.gz: e8aaf738e50bdb425c8cd6a57ac3bc5a3b9a7945323187e46b1498f2cc89225e
3
+ metadata.gz: 71d630cae4e35a08c26c0605fb042a9e9f290a2f5598432521581af23555ff04
4
+ data.tar.gz: 479bc4020c0106fc46361906ff26e83a105a0507453d37f2252e4825f5f71957
5
5
  SHA512:
6
- metadata.gz: 69b1f7761fd89ff7bcb3974ac08d3b836271020fb50dd324bb1226359a15d71a92c0aeb28d27c1f330eae27f406c8a1868f125666c3d5bf2fb0185a1c1d26b5b
7
- data.tar.gz: 2270c3f8e4865b62f81825633b88b2fcdb35beb2fec1cbad77c45937f976e2acb1a6c3926f1adfe4e918d984a364011d7f7d78fcedd742d725d9aaea26cc9160
6
+ metadata.gz: d79d2795cca365f18c65155776790bd1783c6f0fe55e6f93b50fec117407a6129b6b58223ab7e21dab30caa75cb63ea2777aeac2315a5e05278f0ea6c859e5db
7
+ data.tar.gz: 6c3275328d58b65a8806add7d93c6f6bceada32c43ac93c457653eec5b462ca420bebee0c8a9cb152d1fd29fbab4454b8a691c8e8dd6ffd5c2e25a3d20b55f1b
data/.rubocop.yml ADDED
@@ -0,0 +1,45 @@
1
+
2
+ AllCops:
3
+ TargetRubyVersion: 3.0
4
+ NewCops: enable
5
+ Exclude:
6
+ - 'omniauth-cloudiap.gemspec'
7
+
8
+ Metrics/AbcSize:
9
+ Max: 28
10
+
11
+ Metrics/MethodLength:
12
+ Enabled: false
13
+
14
+ Style/NumericLiterals:
15
+ MinDigits: 11
16
+
17
+ Style/FrozenStringLiteralComment:
18
+ Enabled: false
19
+
20
+ Style/StringLiterals:
21
+ EnforcedStyle: double_quotes
22
+
23
+ Style/TrailingCommaInHashLiteral:
24
+ EnforcedStyleForMultiline: consistent_comma
25
+
26
+ Style/TrailingCommaInArguments:
27
+ EnforcedStyleForMultiline: consistent_comma
28
+
29
+ Style/Documentation:
30
+ Enabled: false
31
+
32
+ Style/IfUnlessModifier:
33
+ Enabled: false
34
+
35
+ Style/GuardClause:
36
+ Enabled: false
37
+
38
+ Style/SignalException:
39
+ EnforcedStyle: semantic
40
+
41
+ Style/RescueStandardError:
42
+ EnforcedStyle: implicit
43
+
44
+ Layout/FirstHashElementIndentation:
45
+ EnforcedStyle: consistent
data/CHANGELOG.md CHANGED
@@ -1,8 +1,9 @@
1
1
  Changelog
2
2
  ===========
3
3
 
4
+ ## 1.1.0 - 2024-06-04
5
+ - Change validation method to use ruby-jwt to avoid openssl3 error
4
6
 
5
- 1.0.0 - 2018-11-21
6
- --------------------
7
+ ## 1.0.0 - 2018-11-21
7
8
 
8
9
  - First release
data/Gemfile CHANGED
@@ -1,6 +1,6 @@
1
1
  source "https://rubygems.org"
2
2
 
3
- git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
3
+ git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
4
4
 
5
5
  # Specify your gem's dependencies in omniauth-cloudiap.gemspec
6
6
  gemspec
data/Gemfile.lock CHANGED
@@ -1,40 +1,81 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- omniauth-cloudiap (0.1.0)
4
+ omniauth-cloudiap (1.1.0)
5
5
  jwt
6
6
  omniauth
7
7
 
8
8
  GEM
9
9
  remote: https://rubygems.org/
10
10
  specs:
11
- hashie (3.5.7)
12
- jwt (2.1.0)
13
- minitest (5.11.3)
14
- minitest-power_assert (0.3.0)
11
+ ast (2.4.2)
12
+ base64 (0.2.0)
13
+ hashie (5.0.0)
14
+ json (2.7.2)
15
+ jwt (2.8.1)
16
+ base64
17
+ language_server-protocol (3.17.0.3)
18
+ minitest (5.23.1)
19
+ minitest-power_assert (0.3.1)
15
20
  minitest
16
21
  power_assert (>= 1.1)
17
- omniauth (1.8.1)
18
- hashie (>= 3.4.6, < 3.6.0)
19
- rack (>= 1.6.2, < 3)
20
- power_assert (1.1.3)
21
- rack (2.0.6)
22
- rack-test (1.1.0)
23
- rack (>= 1.0, < 3)
24
- rake (10.5.0)
25
- timecop (0.9.1)
22
+ minitest-stub_any_instance (1.0.3)
23
+ omniauth (2.1.2)
24
+ hashie (>= 3.4.6)
25
+ rack (>= 2.2.3)
26
+ rack-protection
27
+ parallel (1.24.0)
28
+ parser (3.3.2.0)
29
+ ast (~> 2.4.1)
30
+ racc
31
+ power_assert (2.0.3)
32
+ racc (1.8.0)
33
+ rack (3.0.11)
34
+ rack-protection (4.0.0)
35
+ base64 (>= 0.1.0)
36
+ rack (>= 3.0.0, < 4)
37
+ rack-session (2.0.0)
38
+ rack (>= 3.0.0)
39
+ rack-test (2.1.0)
40
+ rack (>= 1.3)
41
+ rainbow (3.1.1)
42
+ rake (13.2.1)
43
+ regexp_parser (2.9.2)
44
+ rexml (3.2.8)
45
+ strscan (>= 3.0.9)
46
+ rubocop (1.64.1)
47
+ json (~> 2.3)
48
+ language_server-protocol (>= 3.17.0)
49
+ parallel (~> 1.10)
50
+ parser (>= 3.3.0.2)
51
+ rainbow (>= 2.2.2, < 4.0)
52
+ regexp_parser (>= 1.8, < 3.0)
53
+ rexml (>= 3.2.5, < 4.0)
54
+ rubocop-ast (>= 1.31.1, < 2.0)
55
+ ruby-progressbar (~> 1.7)
56
+ unicode-display_width (>= 2.4.0, < 3.0)
57
+ rubocop-ast (1.31.3)
58
+ parser (>= 3.3.1.0)
59
+ ruby-progressbar (1.13.0)
60
+ strscan (3.1.0)
61
+ timecop (0.9.9)
62
+ unicode-display_width (2.5.0)
26
63
 
27
64
  PLATFORMS
65
+ arm64-darwin-22
28
66
  ruby
29
67
 
30
68
  DEPENDENCIES
31
- bundler (~> 1.17)
32
- minitest (~> 5.0)
69
+ bundler
70
+ minitest
33
71
  minitest-power_assert
72
+ minitest-stub_any_instance
34
73
  omniauth-cloudiap!
74
+ rack-session
35
75
  rack-test
36
- rake (~> 10.0)
76
+ rake
77
+ rubocop
37
78
  timecop
38
79
 
39
80
  BUNDLED WITH
40
- 1.17.1
81
+ 2.5.11
data/Rakefile CHANGED
@@ -7,4 +7,4 @@ Rake::TestTask.new(:test) do |t|
7
7
  t.test_files = FileList["test/**/*_test.rb"]
8
8
  end
9
9
 
10
- task :default => :test
10
+ task default: :test
@@ -1,11 +1,10 @@
1
- require 'jwt'
2
- require 'open-uri'
3
- require 'json'
1
+ require "jwt"
2
+ require "open-uri"
3
+ require "json"
4
4
 
5
5
  module OmniAuth
6
6
  module Cloudiap
7
7
  class IAPJWT
8
-
9
8
  class InvalidAudError < Error; end
10
9
 
11
10
  def initialize(aud: nil)
@@ -13,56 +12,51 @@ module OmniAuth
13
12
  end
14
13
 
15
14
  def decode_with_validate(token)
16
- payload, header = validate(token)
15
+ payload, = validate(token)
17
16
  { identifier: payload["sub"], email: payload["email"] }
18
17
  end
19
18
 
20
19
  def parse(token)
21
- JWT.decode token, nil, false
20
+ JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)
22
21
  end
23
22
 
24
23
  def jwk_keys
25
- @jwk_keys ||= begin
26
- url = "https://www.gstatic.com/iap/verify/public_key-jwk"
27
- open(url) { |f| JSON.parse(f.read) }
28
- end
24
+ url = "https://www.gstatic.com/iap/verify/public_key-jwk"
25
+ URI.open(url) { |f| JSON.parse(f.read) } # rubocop:disable Security/Open
29
26
  end
30
27
 
31
- def jwk_key(token)
32
- _, header = parse(token)
33
- jwk = jwk_keys["keys"].find{|k| k["kid"] == header["kid"] }
34
- curve_name = \
35
- case jwk["crv"]
36
- when "P-256"
37
- "prime256v1"
38
- when "P-384"
39
- "secp384r1"
40
- when "P-521"
41
- "secp521r1"
42
- else
43
- raise AugumentError, "Unknown crv: #{jwk["crv"]}"
44
- end
45
- x = Base64.urlsafe_decode64(jwk["x"])
46
- y = Base64.urlsafe_decode64(jwk["y"])
47
-
48
- key = OpenSSL::PKey::EC.new(curve_name)
49
- group = OpenSSL::PKey::EC::Group.new(curve_name)
50
- bn = OpenSSL::BN.new(["04" + x.unpack("H*").first + y.unpack("H*").first].pack("H*"), 2)
51
- key.public_key = OpenSSL::PKey::EC::Point.new(group, bn)
52
- key
28
+ def jwks_loader(options)
29
+ if options[:kid_not_found] && @cache_last_update < Time.now.to_i - 300
30
+ logger.info("Invalidating JWK cache. #{options[:kid]} not found from previous cache")
31
+ @cached_keys = nil
32
+ end
33
+ @cached_keys ||= begin # rubocop:disable Naming/MemoizedInstanceVariableName
34
+ @cache_last_update = Time.now.to_i
35
+ jwks = JWT::JWK::Set.new(jwk_keys)
36
+ jwks.select! { |key| key[:use] == "sig" } # Signing Keys only
37
+ jwks
38
+ end
53
39
  end
54
40
 
55
- def validate(token)
56
- iss = "https://cloud.google.com/iap"
57
- options = {
58
- algorithm: "ES256",
41
+ def default_jwt_decode_options
42
+ {
59
43
  verify_expiration: true,
60
44
  verify_iat: true,
61
45
  verify_aud: true,
62
46
  verify_iss: true,
63
- iss: iss,
64
47
  }
65
- payload, header = JWT.decode(token, jwk_key(token), true, options)
48
+ end
49
+
50
+ def validate(token)
51
+ iss = "https://cloud.google.com/iap"
52
+ options = default_jwt_decode_options.merge(
53
+ iss: iss,
54
+ algorithm: "ES256",
55
+ jwks: method(:jwks_loader),
56
+ )
57
+
58
+ payload, header = JWT.decode(token, nil, true, options)
59
+
66
60
  if @required_aud
67
61
  validate_aud(@required_aud, payload["aud"])
68
62
  else
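Review bot: `parse` on the new side (`JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)`) calls `algorithms` and `jwks`, neither of which is defined anywhere visible in the diff, and its only former caller `jwk_key` is deleted in this same hunk, so unless those methods exist outside the hunk the method raises NameError on first use; either drop it or have it reuse the verified path, e.g. `JWT.decode(token, nil, true, default_jwt_decode_options.merge(algorithm: "ES256", jwks: method(:jwks_loader)))`. In `jwks_loader` the info log interpolates `options[:kid]`, a value copied from the token header before the signature has been checked, so it should be emitted as `#{options[:kid].inspect}` to keep line breaks and control characters out of the log. `default_jwt_decode_options` sets `verify_aud: true` but `validate` never passes an `aud:` option, so ruby-jwt's own audience check is a no-op and enforcement rests entirely on the `@required_aud` branch at the bottom of the hunk; a comment such as `# aud is enforced by validate_aud/validate_aud_format below, not by ruby-jwt` would stop a reader from assuming the library does it. Note also that `@cached_keys` and `@cache_last_update` live on an IAPJWT instance that the strategy appears to create per request (`IAPJWT.new(aud: options[:aud])` in `userinfo_from_jwt`), so the JWK set is presumably re-fetched from gstatic on every request unless the instance is reused; `initialize` and the tail of `validate` lie outside this hunk.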
@@ -81,7 +75,7 @@ module OmniAuth
81
75
 
82
76
  def validate_aud_format(aud)
83
77
  case aud
84
- when %r|/projects/\d+/apps/\d+|, %r|/projects/\d+/global/backendServices/\d+|
78
+ when %r{/projects/\d+/apps/\d+}, %r{/projects/\d+/global/backendServices/\d+}
85
79
  # do nothing
86
80
  else
87
81
  fail InvalidAudError, aud
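Review bot: The patterns on the new `when` line, `%r{/projects/\d+/apps/\d+}` and `%r{/projects/\d+/global/backendServices/\d+}`, are unanchored, so `case aud` accepts any audience string that merely contains one of those paths rather than one that has exactly that shape. Anchoring them, `%r{\A/projects/\d+/apps/\d+\z}` and `%r{\A/projects/\d+/global/backendServices/\d+\z}`, makes the format check mean what its name says. This only matters when no `aud:` option is configured, since `validate_aud(@required_aud, ...)` presumably handles the exact-match case; `validate_aud_format` continues past the end of the hunk.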
@@ -90,4 +84,3 @@ module OmniAuth
90
84
  end
91
85
  end
92
86
  end
93
-
@@ -1,5 +1,5 @@
1
1
  module OmniAuth
2
2
  module Cloudiap
3
- VERSION = "1.0.0"
3
+ VERSION = "1.1.0".freeze
4
4
  end
5
5
  end
@@ -7,4 +7,3 @@ module OmniAuth
7
7
  end
8
8
 
9
9
  require "omniauth/strategies/cloudiap"
10
-
@@ -51,11 +51,11 @@ module OmniAuth
51
51
  end
52
52
 
53
53
  def userinfo_from_jwt
54
- if token = env["HTTP_X_GOOG_IAP_JWT_ASSERTION"]
55
- payload, header = ::OmniAuth::Cloudiap::IAPJWT.new(aud: options[:aud]).validate(token)
54
+ if (token = env["HTTP_X_GOOG_IAP_JWT_ASSERTION"])
55
+ payload, = ::OmniAuth::Cloudiap::IAPJWT.new(aud: options[:aud]).validate(token)
56
56
  uid = payload["sub"].sub(/^accounts.google.com:/, "")
57
57
  email = payload["email"]
58
- result = {
58
+ {
59
59
  uid: uid,
60
60
  email: email,
61
61
  name: username_from_email(email),
@@ -70,7 +70,7 @@ module OmniAuth
70
70
  uid = env["HTTP_X_GOOG_AUTHENTICATED_USER_ID"].sub(/^accounts.google.com:/, "")
71
71
  email = env["HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"].sub(/^accounts.google.com:/, "")
72
72
 
73
- result = {
73
+ {
74
74
  uid: uid,
75
75
  email: email,
76
76
  name: username_from_email(email),
@@ -78,7 +78,7 @@ module OmniAuth
78
78
  end
79
79
 
80
80
  def username_from_email(email)
81
- if options[:username_callback] && options[:username_callback].respond_to?(:[])
81
+ if options[:username_callback].respond_to?(:[])
82
82
  options[:username_callback][email]
83
83
  else
84
84
  email
@@ -35,13 +35,17 @@ Gem::Specification.new do |spec|
35
35
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
36
36
  spec.require_paths = ["lib"]
37
37
 
38
- spec.add_development_dependency "bundler", "~> 1.17"
39
- spec.add_development_dependency "rake", "~> 10.0"
40
- spec.add_development_dependency "minitest", "~> 5.0"
38
+ spec.add_development_dependency "bundler"
39
+ spec.add_development_dependency "minitest"
41
40
  spec.add_development_dependency "minitest-power_assert"
41
+ spec.add_development_dependency "minitest-stub_any_instance"
42
+ spec.add_development_dependency "rack-session"
42
43
  spec.add_development_dependency "rack-test"
44
+ spec.add_development_dependency "rake"
45
+ spec.add_development_dependency "rubocop"
43
46
  spec.add_development_dependency "timecop"
44
47
 
48
+
45
49
  spec.add_dependency "omniauth"
46
50
  spec.add_dependency "jwt"
47
51
  end
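Review bot: The runtime `spec.add_dependency "jwt"` line at the end of the hunk still carries no version constraint, yet the accompanying `IAPJWT` change now relies on `JWT::JWK::Set` and the `jwks:` loader callback, which older jwt releases do not provide; a consumer whose bundle resolves an older jwt would get a NameError at verification time instead of a resolver error. Adding a lower bound in line with what the lockfile now resolves (jwt 2.8.1), e.g. `spec.add_dependency "jwt", ">= 2.8"`, makes that requirement explicit. The development dependencies were loosened to unconstrained in the same hunk, which is fine for dev tooling but should not be mirrored for the runtime deps.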
metadata CHANGED
@@ -1,59 +1,73 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-cloudiap
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - HORII Keima
8
- autorequire:
8
+ autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-11-21 00:00:00.000000000 Z
11
+ date: 2024-06-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - "~>"
17
+ - - ">="
18
18
  - !ruby/object:Gem::Version
19
- version: '1.17'
19
+ version: '0'
20
20
  type: :development
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
- - - "~>"
24
+ - - ">="
25
25
  - !ruby/object:Gem::Version
26
- version: '1.17'
26
+ version: '0'
27
27
  - !ruby/object:Gem::Dependency
28
- name: rake
28
+ name: minitest
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - "~>"
31
+ - - ">="
32
32
  - !ruby/object:Gem::Version
33
- version: '10.0'
33
+ version: '0'
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - "~>"
38
+ - - ">="
39
39
  - !ruby/object:Gem::Version
40
- version: '10.0'
40
+ version: '0'
41
41
  - !ruby/object:Gem::Dependency
42
- name: minitest
42
+ name: minitest-power_assert
43
43
  requirement: !ruby/object:Gem::Requirement
44
44
  requirements:
45
- - - "~>"
45
+ - - ">="
46
46
  - !ruby/object:Gem::Version
47
- version: '5.0'
47
+ version: '0'
48
48
  type: :development
49
49
  prerelease: false
50
50
  version_requirements: !ruby/object:Gem::Requirement
51
51
  requirements:
52
- - - "~>"
52
+ - - ">="
53
53
  - !ruby/object:Gem::Version
54
- version: '5.0'
54
+ version: '0'
55
55
  - !ruby/object:Gem::Dependency
56
- name: minitest-power_assert
56
+ name: minitest-stub_any_instance
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
69
+ - !ruby/object:Gem::Dependency
70
+ name: rack-session
57
71
  requirement: !ruby/object:Gem::Requirement
58
72
  requirements:
59
73
  - - ">="
@@ -80,6 +94,34 @@ dependencies:
80
94
  - - ">="
81
95
  - !ruby/object:Gem::Version
82
96
  version: '0'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rake
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ - !ruby/object:Gem::Dependency
112
+ name: rubocop
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - ">="
116
+ - !ruby/object:Gem::Version
117
+ version: '0'
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - ">="
123
+ - !ruby/object:Gem::Version
124
+ version: '0'
83
125
  - !ruby/object:Gem::Dependency
84
126
  name: timecop
85
127
  requirement: !ruby/object:Gem::Requirement
@@ -130,6 +172,7 @@ extensions: []
130
172
  extra_rdoc_files: []
131
173
  files:
132
174
  - ".gitignore"
175
+ - ".rubocop.yml"
133
176
  - CHANGELOG.md
134
177
  - Gemfile
135
178
  - Gemfile.lock
@@ -150,7 +193,7 @@ metadata:
150
193
  allowed_push_host: https://rubygems.org
151
194
  homepage_uri: https://github.com/holysugar/omniauth-cloudiap
152
195
  source_code_uri: https://github.com/holysugar/omniauth-cloudiap
153
- post_install_message:
196
+ post_install_message:
154
197
  rdoc_options: []
155
198
  require_paths:
156
199
  - lib
@@ -165,9 +208,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
165
208
  - !ruby/object:Gem::Version
166
209
  version: '0'
167
210
  requirements: []
168
- rubyforge_project:
169
- rubygems_version: 2.7.6
170
- signing_key:
211
+ rubygems_version: 3.5.9
212
+ signing_key:
171
213
  specification_version: 4
172
214
  summary: omniauth strategy using Google Cloud IAP
173
215
  test_files: []