omniauth-doximity-oauth2 1.0.0 → 1.2.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5f4f596bfdb48f1bdf6ae160dc0297a15182a24257857308a1b5180e70040275
-  data.tar.gz: 60bce2624b9fe8acdc7c9b8dfe2fc8889906993fc2a20aae9fdf92631d73b85d
+  metadata.gz: 7a115db51c6901227e768b5d4e6b3936cece507e74e95c56e863df69ea8df6a9
+  data.tar.gz: d271503b99bac24d5c48f2671f50d2fee7f2d76f154a6964910e567af76f8f5c
 SHA512:
-  metadata.gz: 12e5e02958b71ed1d541b83194127b63a62b22b144cd34a968cd7bece8f55246d8365412f6cbe6574c1237dcfa92639a6269d98f109a64538cc98cf0143cd24e
-  data.tar.gz: 839a8ccdbfac1ceceb754398f42274220a2a171aca2bc611d11492931a492a43fb6dbc4353e796f343806597e7ada24295418a6013f47333137e72e7880e321a
+  metadata.gz: d3e64fd03c57ced3f0b77ebb95a0ef3b8d32e6907ad16d3b65da5fc314f1a4085ed7c7b0b2d6b89dadfc67a641d5693bfa71ff9b8348d3b292cb03e55ad5f04b
+  data.tar.gz: '0208112352a8904c69b7a54c602c10f3e017881efc73f6e5e257bf9bca130288fd3438aa35bdac7f2dcd697004f077bd0fc5fc9833a1e290ba5c8d3794ab894e'

data/.github/CODEOWNERS

@@ -1,2 +1,5 @@
 # Back-end team
 * @doximity/mofo_backend
+
+# Infra Automation
+/.circleci @doximity/infra_automation_reviewers

data/CHANGELOG.md

@@ -1,6 +1,13 @@
 Changelog
 =========
 
+## 1.2.0.pre - 05/05/2023
+  * Update mechanism for verifying RSA public keys to work on OpenSSL 3
+  * Ensure state persists between initial call and on callback
+
+## 1.1.0 - 06/13/2022
+  * Add "prompt" parameter to be persisted on request, allowing for silent authentication (among other things)
+
 ## 1.0.0 - 05/02/2022
   * Gem now publishes to RubyGems
 

data/CONTRIBUTING.md

@@ -1,31 +1,30 @@
-# Contributing
+# Contributing to Doximity
 
 We welcome contributions to this repository. Feel free to submit issues for bugs you encounter and pull requests for code and documentation contributions.
+In order to prevent licensing issues, Doximity Inc. (“Doximity”, “we”, “us”) requires all contributors to agree to an Individual Contributor License Agreement (“CLA”), which is reproduced below.  By submitting your contributions to us, you agree that you have read and are bound by the CLA.  If you do not agree with the CLA, you may not submit contributions.
 
-In order to prevent licensing issues, we require all contributors to sign an individual contributor license agreement, which is reproduced below:
+## Doximity Individual Contributor License Agreement
 
-## Individual Contributor License Agreement
+This license is for your protection as a Contributor as well as the protection of Doximity; it does not change your rights to use your own Contributions for any other purpose.
 
-In order to clarify the intellectual property license granted with Contributions from any person or entity, Doximity Inc. ("Doximity") must have a Contributor License Agreement ("CLA") on file that has been signed by each Contributor, indicating agreement to the license terms below. This license is for your protection as a Contributor as well as the protection of Doximity; it does not change your rights to use your own Contributions for any other purpose.
-
-You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Doximity. Except for the license granted herein to Doximity and recipients of software distributed by Doximity, You reserve all right, title, and interest in and to Your Contributions.
+You accept and agree to the following terms and conditions for Your present and future Contributions submitted to Doximity. Except for the license granted herein to Doximity and recipients of software distributed by Doximity, You reserve all right, titles, and interests in and to Your Contributions.
 
 ### Definitions
 
-"You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with Doximity. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
+"You" (or "Your" or the “Contributor”) shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with Doximity. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
 
-1. "Contribution" shall mean any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Doximity for inclusion in, or documentation of, any of the products owned or managed by Doximity (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Doximity or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Doximity for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
+1. "Contribution" shall mean the code, documentation, or any original work of authorship, including any modifications or additions to an existing work, that is intentionally submitted by You to Doximity for inclusion in, or documentation of, any of the products owned or managed by Doximity (the "Work"). For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to Doximity or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, Doximity for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by You as "Not a Contribution."
 
 2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Doximity and to recipients of software distributed by Doximity a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contributions and such derivative works.
 
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Doximity and to recipients of software distributed by Doximity a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
+3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Doximity and to recipients of software distributed by Doximity a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by a combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have contributed, constitutes a direct or contributory patent infringement, then any patent licenses granted to that entity under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
 
-4. You represent that you are legally entitled to grant the above license. If your employer(s) has rights to intellectual property that you create that includes your Contributions, you represent that you have received permission to make Contributions on behalf of that employer, that your employer has waived such rights for your Contributions to Doximity, or that your employer has executed a separate Corporate CLA with Doximity.
+4. You represent that You are legally entitled to grant the above license. If your employer(s) has rights to intellectual property that you create that includes your Contributions, you represent that you have received permission to make Contributions on behalf of that employer, that your employer has waived such rights for your Contributions to Doximity, or that your employer has executed a separate Corporate CLA with Doximity.
 
 5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of others). You represent that Your Contribution submissions include complete details of any third-party license or other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware and which are associated with any part of Your Contributions.
 
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
+6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support. You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
 
-7. Should You wish to submit work that is not Your original creation, You may submit it to Doximity separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [[]named here]".
+7. Should You wish to submit work that is not Your original creation, You may submit it to Doximity separately from any Contribution, identifying the complete details of its source and of any license or other restriction (including, but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
 
 8. You agree to notify Doximity of any facts or circumstances of which you become aware that would make these representations inaccurate in any respect.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    omniauth-doximity-oauth2 (1.0.0)
+    omniauth-doximity-oauth2 (1.2.0.pre)
       activesupport
       faraday
       jwt

data/README.md

@@ -131,12 +131,12 @@ Here's an example of an authentication hash available in the callback by accessi
 
 ## Contributing
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
-6. Sign the CLA if you haven't yet. See [CONTRIBUTING.md](./CONTRIBUTING.md)
+1. See [CONTRIBUTING.md](./CONTRIBUTING.md)
+2. Fork it
+3. Create your feature branch (`git checkout -b my-new-feature`)
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create a new Pull Request
 
 ## License
 

data/lib/omniauth/strategies/doximity_oauth2.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "omniauth/strategies/oauth2"
+require "omniauth-doximity-oauth2/crypto"
 require "omniauth-doximity-oauth2/errors"
 require "active_support/core_ext/hash/indifferent_access"
 require "uri"
@@ -19,7 +20,7 @@ module OmniAuth
 
       option :pkce, true
 
-      option :authorize_options, [:scope]
+      option :authorize_options, %i[scope prompt]
 
       option :client_options, {
         site: "https://auth.doximity.com",
@@ -74,13 +75,16 @@ module OmniAuth
         @raw_credential_info ||= access_token.to_hash.with_indifferent_access
       end
 
-      def authorize_params
+      def authorize_params # rubocop:disable Metrics/AbcSize
         super.tap do |params|
           options[:authorize_options].each do |v|
-            params[v.to_sym] = request.params[v] if request.params[v]
+            params[v.to_sym] = request.params[v.to_s] if request.params[v.to_s]
           end
 
           params[:scope] = get_scope(params)
+
+          # Ensure state is persisted
+          session['omniauth.state'] = params[:state] if params[:state]
         end
       end
 
@@ -98,7 +102,7 @@ module OmniAuth
         keys = request_keys
 
         public_key_params = keys.find { |key| key["kid"] == header["kid"] }
-        rsa_key = create_rsa_key(public_key_params["n"], public_key_params["e"])
+        rsa_key = Crypto.create_rsa_key(public_key_params["n"], public_key_params["e"])
 
         body, = JWT.decode(token, rsa_key.public_key, true, { algorithm: header["alg"] })
         body
@@ -125,11 +129,6 @@ module OmniAuth
 
         MultiJson.load(response.body)["keys"]
       end
-
-      def create_rsa_key(n, e)
-        key = OpenSSL::PKey::RSA.new
-        key.set_key(OpenSSL::BN.new(Base64.urlsafe_decode64(n), 2), OpenSSL::BN.new(Base64.urlsafe_decode64(e), 2), nil)
-      end
     end
   end
 end

data/lib/omniauth-doximity-oauth2/crypto.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Omniauth
+  module DoximityOauth2
+    # Static crypto methods
+    class Crypto
+      def self.create_rsa_key(n, e)
+        data_sequence = OpenSSL::ASN1::Sequence([
+                                                  OpenSSL::ASN1::Integer(base64_to_long(n)),
+                                                  OpenSSL::ASN1::Integer(base64_to_long(e))
+                                                ])
+        asn1 = OpenSSL::ASN1::Sequence(data_sequence)
+        OpenSSL::PKey::RSA.new(asn1.to_der)
+      end
+
+      private
+
+      def base64_to_long(data)
+        decoded_with_padding = Base64.urlsafe_decode64(data) + Base64.decode64("==")
+        decoded_with_padding.to_s.unpack("C*").map do |byte|
+          byte_to_hex(byte)
+        end.join.to_i(16)
+      end
+
+      def byte_to_hex(int)
+        int < 16 ? "0#{int.to_s(16)}" : int.to_s(16)
+      end
+    end
+  end
+end

data/lib/omniauth-doximity-oauth2/version.rb

@@ -2,6 +2,6 @@
 
 module Omniauth
   module DoximityOauth2
-    VERSION = "1.0.0"
+    VERSION = "1.2.0.pre"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-doximity-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.2.0.pre
 platform: ruby
 authors:
 - William Harvey
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-03 00:00:00.000000000 Z
+date: 2023-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -199,6 +199,7 @@ files:
 - README.md
 - Rakefile
 - lib/omniauth-doximity-oauth2.rb
+- lib/omniauth-doximity-oauth2/crypto.rb
 - lib/omniauth-doximity-oauth2/errors.rb
 - lib/omniauth-doximity-oauth2/version.rb
 - lib/omniauth/strategies/doximity_oauth2.rb
@@ -264,9 +265,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.3.11
 signing_key: