omniauth-jwt2 0.1.0

data/gemfiles/coverage.gemfile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+source "https://rubygems.org"
+
+# Gemfile is only for local development.
+# On CI we only need the gemspecs' dependencies (including development dependencies).
+# Exceptions, if any, will be found in gemfiles/*
+
+# Coverage
+eval_gemfile "contexts/coverage.gemfile"
+
+# Testing
+eval_gemfile "contexts/testing.gemfile"
+
+# Debugging
+eval_gemfile "contexts/debug.gemfile"
+
+gemspec path: "../"

data/gemfiles/legacy.gemfile

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+source "https://rubygems.org"
+
+# Gemfile is only for local development.
+# On CI we only need the gemspecs' dependencies (including development dependencies).
+# Exceptions, if any, will be found in gemfiles/*
+
+# Testing
+gem "rspec", "~> 3.12"                        # ruby *
+gem "rack-test", "~> 2.1"                     # ruby 2.0
+gem "rack"                                    # ruby 2.4
+gem "rack-session", "< 2", github: "pboling/rack-session", branch: "fix-missing-rack-session"                     # ruby < 2.4
+gem "json"                                    # ruby 2.3
+gem "openssl"                                 # ruby 2.3
+gem "openssl-signature_algorithm"             # ruby 2.4
+gem "ed25519"                                 # ruby 2.4
+
+# Debugging
+eval_gemfile "contexts/debug.gemfile"
+
+gemspec path: "../"
+
+gem "omniauth", "< 2"

data/gemfiles/style.gemfile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+source "https://rubygems.org"
+
+# Gemfile is only for local development.
+# On CI we only need the gemspecs' dependencies (including development dependencies).
+# Exceptions, if any, will be found in gemfiles/*
+
+# Coverage
+eval_gemfile "contexts/coverage.gemfile"
+
+# Style
+eval_gemfile "contexts/style.gemfile"
+
+# Debugging
+eval_gemfile "contexts/debug.gemfile"
+
+gemspec path: "../"

data/gemfiles/vanilla.gemfile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+source "https://rubygems.org"
+
+# Gemfile is only for local development.
+# On CI we only need the gemspecs' dependencies (including development dependencies).
+# Exceptions, if any, will be found in gemfiles/*
+
+# Coverage
+eval_gemfile "contexts/coverage.gemfile"
+
+# Testing
+eval_gemfile "contexts/testing.gemfile"
+
+# Debugging
+eval_gemfile "contexts/debug.gemfile"
+
+gemspec path: "../"

data/lib/omniauth/jwt/version.rb

@@ -0,0 +1,7 @@
+module Omniauth
+  module JWT
+    module Version
+      VERSION = "0.1.0"
+    end
+  end
+end

data/lib/omniauth/jwt.rb

@@ -0,0 +1,10 @@
+# External gems
+require "version_gem"
+
+# This gem
+require "omniauth/jwt/version"
+require "omniauth/strategies/jwt"
+
+Omniauth::JWT::Version.class_eval do
+  extend VersionGem::Basic
+end

data/lib/omniauth/strategies/jwt.rb

@@ -0,0 +1,97 @@
+require "omniauth"
+require "jwt"
+
+module OmniAuth
+  module Strategies
+    class JWT
+      class ClaimInvalid < StandardError; end
+
+      class BadJwt < StandardError; end
+
+      include OmniAuth::Strategy
+
+      args [:secret]
+
+      option :secret, nil
+      option :decode_options, {}
+      option :jwks_loader
+      option :algorithm, "HS256" # overridden by options.decode_options[:algorithms]
+      option :decode_options, {}
+      option :uid_claim, "email"
+      option :required_claims, %w(name email)
+      option :info_map, {name: "name", email: "email"}
+      option :auth_url, nil
+      option :valid_within, nil
+
+      def request_phase
+        redirect(options.auth_url)
+      end
+
+      def decoded
+        begin
+          secret = if defined?(OpenSSL)
+            case options.algorithm
+            when "RS256", "RS384", "RS512"
+              OpenSSL::PKey::RSA.new(options.secret).public_key
+            when "ES256", "ES384", "ES512"
+              OpenSSL::PKey::EC.new(options.secret)
+            when "HS256", "HS384", "HS512"
+              options.secret
+            else
+              raise NotImplementedError, "Unsupported algorithm: #{options.algorithm}"
+            end
+          else
+            options.secret
+          end
+
+          # JWT.decode can handle either algorithms or algorithm, but not both.
+          default_algos = options.decode_options.key?(:algorithms) ? options.decode_options[:algorithms] : [options.algorithm]
+          @decoded ||= ::JWT.decode(
+            request.params["jwt"],
+            secret,
+            true,
+            options.decode_options.merge(
+              {
+                algorithms: default_algos,
+                jwks: options.jwks_loader,
+              }.delete_if { |_, v| v.nil? },
+            ),
+          )[0]
+        rescue Exception => e
+          raise BadJwt.new("#{e.class}: #{e.message}")
+        end
+        (options.required_claims || []).each do |field|
+          raise ClaimInvalid.new("Missing required '#{field}' claim.") if !@decoded.key?(field.to_s)
+        end
+        raise ClaimInvalid.new("Missing required 'iat' claim.") if options.valid_within && !@decoded["iat"]
+        if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within.to_i
+          raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
+        end
+
+        @decoded
+      end
+
+      def callback_phase
+        super
+      rescue BadJwt => e
+        fail!("bad_jwt", e)
+      rescue ClaimInvalid => e
+        fail!(:claim_invalid, e)
+      end
+
+      uid { decoded[options.uid_claim] }
+
+      extra do
+        {raw_info: decoded}
+      end
+
+      info do
+        options.info_map.each_with_object({}) do |(k, v), h|
+          h[k.to_s] = decoded[v.to_s]
+        end
+      end
+    end
+
+    class Jwt < JWT; end
+  end
+end

data/omniauth-jwt2.gemspec

@@ -0,0 +1,41 @@
+# Get the GEMFILE_VERSION without *require* "my_gem/version", for code coverage accuracy
+# See: https://github.com/simplecov-ruby/simplecov/issues/557#issuecomment-825171399
+load "lib/omniauth/jwt/version.rb"
+gem_version = Omniauth::JWT::Version::VERSION
+Omniauth::JWT::Version.send(:remove_const, :VERSION)
+
+Gem::Specification.new do |spec|
+  spec.name = "omniauth-jwt2"
+  spec.version = gem_version
+  spec.authors = ["Michael Bleigh", "Robin Ward", "Peter Boling"]
+  spec.email = ["mbleigh@mbleigh.com", "robin.ward@gmail.com", "peter.boling@gmail.com"]
+  spec.description = "An OmniAuth strategy to accept JWT-based single sign-on."
+  spec.summary = "An OmniAuth strategy to accept JWT-based single sign-on."
+  spec.homepage = "http://github.com/pboling/omniauth-jwt2"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.2"
+
+  spec.files = %x(git ls-files).split($/)
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # TODO: Since this gem supports Ruby >= 2.2 we need to ensure no gems are
+  #       added here that require a newer version. Once this gem progresses to
+  #       only support non-EOL Rubies, all dependencies can be listed in this
+  #       gemspec, and the gemfiles/* pattern can be dispensed with.
+  spec.add_dependency("jwt", "~> 2.2", ">= 2.2.1")                           # ruby 2.1
+  spec.add_dependency("omniauth", ">= 1.1")                                  # ruby 2.2
+
+  # Utilities
+  spec.add_dependency("version_gem", "~> 1.1", ">= 1.1.3")                   # ruby 2.2
+  spec.add_development_dependency("rake", "~> 13.0")                         # ruby 2.2, v13.1 is >= 2.3
+
+  # Hot reload
+  spec.add_development_dependency("guard", "~> 2.18", ">= 2.18.1")           # ruby 1.9.3
+  spec.add_development_dependency("guard-rspec", "~> 4.7", ">= 4.7.3")       # ruby *
+
+  # Testing
+  spec.add_development_dependency("rack-test", "~> 2.1")                     # ruby 2.0
+  spec.add_development_dependency("rspec", "~> 3.12")                        # ruby *
+  spec.add_development_dependency("rspec-pending_for", "~> 0.1")             # ruby *
+end

data/spec/lib/omniauth/strategies/jwt_spec.rb

@@ -0,0 +1,213 @@
+require "spec_helper"
+
+describe OmniAuth::Strategies::JWT do
+  let(:response_json) { JSON.parse(last_response.body) }
+  let(:rand_secret) { SecureRandom.hex(10) }
+  let(:args) { [rand_secret, {auth_url: "http://example.com/login"}] }
+
+  let(:app) {
+    the_args = args
+    Rack::Builder.new do |b|
+      b.use Rack::Session::Cookie, secret: SecureRandom.hex(32)
+      b.use OmniAuth::Strategies::JWT, *the_args
+      b.run lambda { |env|
+        [200, {}, [(env["omniauth.auth"] || {}).to_json]]
+      }
+    end
+  }
+
+  context "request phase" do
+    it "redirects to the configured login url" do
+      # TODO: Figure out how to write this test without using the deprecated
+      #       and unsafe, "get" method for the request phase.
+      get "/auth/jwt"
+      expect(last_response.status).to eq(302)
+      expect(last_response.headers["Location"]).to eq("http://example.com/login")
+    end
+  end
+
+  context "callback phase" do
+    it "decodes the response" do
+      encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret)
+      get "/auth/jwt/callback?jwt=" + encoded
+      expect(response_json["info"]["email"]).to eq("steve@example.com")
+    end
+
+    it "does not work without required fields" do
+      encoded = JWT.encode({name: "Steve"}, rand_secret)
+      get "/auth/jwt/callback?jwt=" + encoded
+      expect(last_response.status).to eq(302)
+    end
+
+    it "assigns the uid" do
+      encoded = JWT.encode({name: "Steve", email: "dude@awesome.com"}, rand_secret)
+      get "/auth/jwt/callback?jwt=" + encoded
+      expect(response_json["uid"]).to eq("dude@awesome.com")
+    end
+
+    context "with a non-default encoding algorithm" do
+      let(:args) { [rand_secret, {auth_url: "http://example.com/login", decode_options: {algorithms: ["HS512", "HS256"]}}] }
+
+      it "decodes the response with an allowed algorithm" do
+        encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret, "HS512")
+        get "/auth/jwt/callback?jwt=" + encoded
+        expect(JSON.parse(last_response.body)["info"]["email"]).to eq("steve@example.com")
+
+        encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret, "HS256")
+        get "/auth/jwt/callback?jwt=" + encoded
+        expect(JSON.parse(last_response.body)["info"]["email"]).to eq("steve@example.com")
+      end
+
+      it "fails decoding the response with a different algorithm" do
+        encoded = JWT.encode({name: "Bob", email: "steve@example.com"}, rand_secret, "HS384")
+        get "/auth/jwt/callback?jwt=" + encoded
+        expect(last_response.headers["Location"]).to include("/auth/failure")
+      end
+    end
+
+    context "with a :valid_within option set" do
+      let(:args) { [rand_secret, {auth_url: "http://example.com/login", valid_within: 300}] }
+
+      it "works if the iat key is within the time window" do
+        encoded = JWT.encode({name: "Ted", email: "ted@example.com", iat: Time.now.to_i}, rand_secret)
+        get "/auth/jwt/callback?jwt=" + encoded
+        expect(last_response.status).to eq(200)
+      end
+
+      it "does not work if the iat key is outside the time window" do
+        encoded = JWT.encode({name: "Ted", email: "ted@example.com", iat: Time.now.to_i + 500}, rand_secret)
+        get "/auth/jwt/callback?jwt=" + encoded
+        expect(last_response.status).to eq(302)
+      end
+
+      it "does not work if the iat key is missing" do
+        encoded = JWT.encode({name: "Ted", email: "ted@example.com"}, rand_secret)
+        get "/auth/jwt/callback?jwt=" + encoded
+        expect(last_response.status).to eq(302)
+      end
+    end
+  end
+
+  describe "#decoded" do
+    subject { described_class.new({}) }
+
+    let(:timestamp) { Time.now.to_i }
+    let(:claims) do
+      {
+        id: 123,
+        name: "user_example",
+        email: "user@example.com",
+        iat: timestamp,
+      }
+    end
+
+    let(:algorithm) { "HS256" }
+    let(:secret) { rand_secret }
+    let(:private_key) { secret }
+    let(:payload) { JWT.encode(claims, private_key, algorithm) }
+
+    before do
+      subject.options[:secret] = secret
+      subject.options[:algorithm] = algorithm
+
+      # We use Rack::Request instead of ActionDispatch::Request because
+      # Rack::Test::Methods enables testing of this module.
+      expect_next_instance_of(Rack::Request) do |rack_request|
+        expect(rack_request).to receive(:params).and_return("jwt" => payload)
+      end
+    end
+
+    ecdsa_named_curves = {
+      "ES256" => "prime256v1",
+      "ES384" => "secp384r1",
+      "ES512" => "secp521r1",
+    }.freeze
+
+    algos = {
+      OpenSSL::PKey::RSA => %w[RS256 RS384 RS512],
+      String => %w[HS256 HS384 HS512],
+    }
+    algos.merge!(OpenSSL::PKey::EC => %w[ES256 ES384 ES512]) unless ["2.2.10", "2.3.8"].include?(RubyVersion.to_s)
+    algos.each do |private_key_class, algorithms|
+      algorithms.each do |algorithm|
+        context "when the #{algorithm} algorithm is used" do
+          let(:algorithm) { algorithm }
+          let(:secret) do
+            # rubocop:disable Style/CaseLikeIf
+            if private_key_class == OpenSSL::PKey::RSA
+              private_key_class.generate(2048)
+                .to_pem
+            elsif private_key_class == OpenSSL::PKey::EC
+              private_key_class.generate(ecdsa_named_curves[algorithm])
+                .to_pem
+            else
+              private_key_class.new(rand_secret)
+            end
+            # rubocop:enable Style/CaseLikeIf
+          end
+
+          let(:private_key) { private_key_class ? private_key_class.new(secret) : secret }
+
+          it "decodes the user information" do
+            result = subject.decoded
+
+            expect(result).to eq(claims.stringify_keys)
+          end
+        end
+      end
+    end
+
+    context "required claims is missing" do
+      let(:claims) do
+        {
+          id: 123,
+          email: "user@example.com",
+          iat: timestamp,
+        }
+      end
+
+      it "raises error" do
+        expect { subject.decoded }.to raise_error(OmniAuth::Strategies::Jwt::ClaimInvalid)
+      end
+    end
+
+    context "when valid_within is specified but iat attribute is missing in response" do
+      let(:claims) do
+        {
+          id: 123,
+          name: "user_example",
+          email: "user@example.com",
+        }
+      end
+
+      before do
+        # Omniauth config values are always strings!
+        subject.options[:valid_within] = (60 * 60 * 24 * 2).to_s # 2 days
+      end
+
+      it "raises error" do
+        expect { subject.decoded }.to raise_error(OmniAuth::Strategies::Jwt::ClaimInvalid)
+      end
+    end
+
+    context "when timestamp claim is too skewed from present" do
+      let(:claims) do
+        {
+          id: 123,
+          name: "user_example",
+          email: "user@example.com",
+          iat: timestamp - (60 * 60 * 10), # minus ten minutes
+        }
+      end
+
+      before do
+        # Omniauth config values are always strings!
+        subject.options[:valid_within] = "2" # 2 seconds
+      end
+
+      it "raises error" do
+        expect { subject.decoded }.to raise_error(OmniAuth::Strategies::Jwt::ClaimInvalid)
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,64 @@
+# Std Lib
+require "securerandom"
+
+# 3rd party gems
+require "rspec/pending_for"
+begin
+  require "rack/session"
+rescue LoadError
+  nil # File won't exist in old rack for Ruby 2.2 & 2.3
+end
+require "rack/test"
+require "json"
+require "omniauth"
+begin
+  require "openssl"
+  require "openssl/signature_algorithm"
+  require "ed25519"
+rescue LoadError
+  nil # Gem doesn't exist for ancient Rubies 2.2 & 2.3
+end
+
+require "byebug" if ENV["DEBUG"] == "true"
+# This does not require "simplecov",
+#   because that has a side-effect of running `.simplecov`
+begin
+  require "kettle-soup-cover"
+rescue LoadError
+  puts "Not analyzing test coverage"
+end
+
+require "support/hash"
+require "support/next_instance_of"
+
+OmniAuth.config.logger = Logger.new("/dev/null")
+require "omniauth/version"
+puts "OMNIAUTH VERSION: #{OmniAuth::VERSION}"
+if Gem::Version.new(OmniAuth::VERSION) > Gem::Version.new("2.0")
+  OmniAuth.config.silence_get_warning = true
+  OmniAuth.config.allowed_request_methods |= [:get, :post]
+end
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  include Rack::Test::Methods
+  include NextInstanceOf
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = "random"
+end
+
+# Last thing before loading this library, load simplecov:
+require "simplecov" if defined?(Kettle::Soup::Cover) && Kettle::Soup::Cover::DO_COV
+
+require "omniauth/jwt"

data/spec/support/hash.rb

@@ -0,0 +1,9 @@
+class Hash
+  def self.stringify_keys(h)
+    h.is_a?(Hash) ? h.collect { |k, v| [k.to_s, stringify_keys(v)] }.to_h : h
+  end
+
+  def stringify_keys
+    self.class.stringify_keys(self)
+  end
+end

data/spec/support/next_instance_of.rb

@@ -0,0 +1,43 @@
+# From: https://github.com/gitlabhq/gitlabhq/blob/master/gems/gitlab-rspec/lib/gitlab/rspec/next_instance_of.rb#L4
+module NextInstanceOf
+  def expect_next_instance_of(klass, *new_args, &blk)
+    stub_new(expect(klass), nil, false, *new_args, &blk)
+  end
+
+  def expect_next_instances_of(klass, number, ordered = false, *new_args, &blk)
+    stub_new(expect(klass), number, ordered, *new_args, &blk)
+  end
+
+  def allow_next_instance_of(klass, *new_args, &blk)
+    stub_new(allow(klass), nil, false, *new_args, &blk)
+  end
+
+  def allow_next_instances_of(klass, number, ordered = false, *new_args, &blk)
+    stub_new(allow(klass), number, ordered, *new_args, &blk)
+  end
+
+  private
+
+  def stub_new(target, number, ordered = false, *new_args, &blk)
+    receive_new = receive(:new)
+    receive_new.ordered if ordered
+    receive_new.with(*new_args) if !(new_args.empty? || new_args.blank?)
+
+    if number.is_a?(Range)
+      receive_new.at_least(number.begin).times if number.begin
+      receive_new.at_most(number.end).times if number.end
+    elsif number
+      receive_new.exactly(number).times
+    end
+
+    target.to receive_new.and_wrap_original do |*original_args, **original_kwargs|
+      method, *original_args = original_args
+      begin
+        method.call(*original_args, **original_kwargs).tap(&blk)
+      rescue ArgumentError
+        # Kludge for old ruby < 2.7
+        method.call(*original_args).tap(&blk)
+      end
+    end
+  end
+end