omniauth_openid_federation 1.3.0 → 1.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bdb5dbe8832e2837c2970556b8498492c8e32489e8efad28eff176be94af1a1d
-  data.tar.gz: 7addf88091e26b0c603a5bd50fe8c701d8d8cb2c5a5854549a59795b7782a792
+  metadata.gz: 8f8bba8b102bcf8c24fdd775d5d898d92b27c27d8e6df40c63ff23756aee4f8d
+  data.tar.gz: 900a1851f0a9917b5593f6146d965271180a979d312b9ff5fa15c295578172e5
 SHA512:
-  metadata.gz: 31a2b0f6042da80bcb445c0d92e137b06da8d017e58e05835fb0983e35df4215797ccabef024378cc5faa78006037f0f338cb074bc8784c72eea02b349fbc248
-  data.tar.gz: cd47a106c42a20a80caa3db3212dbe4c1748af65a17f88b4a57273f35a01cbc79e814b998f793691b50b368592f5d31ac31ff87c1831880497047b02178569d1
+  metadata.gz: 31a7bcc8b8e1661dc9bcc13604e2e92279d81501e0a1da25b8b48a6f9bf35251489720aa1879b6beeb89de32bd2970d72c086e58b1be43d0f4c125809339fb51
+  data.tar.gz: 5c27ea824e18a49a0fe899f6f6f2ade3c6a10872ade9b2eca3690cada27e06aa5ada813f1cdf34763881bc8c4ee5d1033f0a7ed821a8378602ee72db169150f7

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 # CHANGELOG
 
+## 1.3.2 (2025-12-09)
+
+- Added `TimeHelpers` module for compatibility with non-Rails environments
+- Replaced `Time.zone` usage with `TimeHelpers` to work with or without ActiveSupport
+
+## 1.3.1 (2025-12-09)
+
+- Enhanced SSL configuration for HTTPS requests in tasks_helper.rb
+- Updated federation controller to use ApplicationController
+- Updated routes to have semaphore if it is already loaded
+- Updated gemfiles and workflows for Rails 8 compatibility
+- Improved time handling in integration and mock server classes using Time.zone.now
+
 ## 1.3.0 (2025-11-28)
 
 - Added `prepare_request_object_params` proc option to customize request parameters before signing

data/README.md

@@ -1,6 +1,6 @@
 # omniauth_openid_federation
 
-[![Gem Version](https://badge.fury.io/rb/omniauth_openid_federation.svg?v=1.1.0)](https://badge.fury.io/rb/omniauth_openid_federation) [![Test Status](https://github.com/amkisko/omniauth_openid_federation.rb/actions/workflows/test.yml/badge.svg)](https://github.com/amkisko/omniauth_openid_federation.rb/actions/workflows/test.yml) [![codecov](https://codecov.io/gh/amkisko/omniauth_openid_federation.rb/graph/badge.svg?token=CX3O9M1GIT)](https://codecov.io/gh/amkisko/omniauth_openid_federation.rb/graph/badge.svg)
+[![Gem Version](https://badge.fury.io/rb/omniauth_openid_federation.svg?v=1.1.0)](https://badge.fury.io/rb/omniauth_openid_federation) [![Test Status](https://github.com/amkisko/omniauth_openid_federation.rb/actions/workflows/test.yml/badge.svg)](https://github.com/amkisko/omniauth_openid_federation.rb/actions/workflows/test.yml) [![codecov](https://codecov.io/gh/amkisko/omniauth_openid_federation.rb/graph/badge.svg?token=CX3O9M1GIT)](https://codecov.io/gh/amkisko/omniauth_openid_federation.rb) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=amkisko_omniauth_openid_federation.rb&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=amkisko_omniauth_openid_federation.rb)
 
 OmniAuth strategy for OpenID Federation providers with comprehensive security features, supporting signed request objects, ID token encryption, and full OpenID Federation 1.0 compliance.
 

data/app/controllers/omniauth_openid_federation/federation_controller.rb

@@ -12,7 +12,7 @@
 require "omniauth_openid_federation/cache_adapter"
 
 module OmniauthOpenidFederation
-  class FederationController < ActionController::Base
+  class FederationController < ::ApplicationController
     # Serve the entity statement
     #
     # GET /.well-known/openid-federation

data/config/routes.rb

@@ -1,17 +1,27 @@
 # Routes for OpenID Federation well-known endpoints
 # These routes are mounted at the root level (not namespaced) because
 # OpenID Federation spec requires specific well-known paths
-OmniauthOpenidFederation::Engine.routes.draw do
-  # OpenID Federation 1.0 Section 9: Entity Configuration endpoint
-  # MUST be at /.well-known/openid-federation
-  get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show", as: :openid_federation
+# Guard to prevent double-loading routes (important for test isolation)
+# Use a file-level instance variable that doesn't trigger class loading
+@_omniauth_openid_federation_routes_loaded ||= false
+unless @_omniauth_openid_federation_routes_loaded
+  @_omniauth_openid_federation_routes_loaded = true
+  begin
+    OmniauthOpenidFederation::Engine.routes.draw do
+      # OpenID Federation 1.0 Section 9: Entity Configuration endpoint
+      # MUST be at /.well-known/openid-federation
+      get "/.well-known/openid-federation", to: "omniauth_openid_federation/federation#show", as: :openid_federation
 
-  # Fetch endpoint for Subordinate Statements (Section 6.1)
-  get "/.well-known/openid-federation/fetch", to: "omniauth_openid_federation/federation#fetch", as: :openid_federation_fetch
+      # Fetch endpoint for Subordinate Statements (Section 6.1)
+      get "/.well-known/openid-federation/fetch", to: "omniauth_openid_federation/federation#fetch", as: :openid_federation_fetch
 
-  # Standard JWKS endpoint
-  get "/.well-known/jwks.json", to: "omniauth_openid_federation/federation#jwks", as: :openid_federation_jwks
+      # Standard JWKS endpoint
+      get "/.well-known/jwks.json", to: "omniauth_openid_federation/federation#jwks", as: :openid_federation_jwks
 
-  # Signed JWKS endpoint (OpenID Federation requirement)
-  get "/.well-known/signed-jwks.json", to: "omniauth_openid_federation/federation#signed_jwks", as: :openid_federation_signed_jwks
+      # Signed JWKS endpoint (OpenID Federation requirement)
+      get "/.well-known/signed-jwks.json", to: "omniauth_openid_federation/federation#signed_jwks", as: :openid_federation_signed_jwks
+    end
+  rescue NameError, LoadError
+    # Rails not available or not fully initialized - routes will be loaded when Engine initializes
+  end
 end

data/examples/integration_test_flow.rb

@@ -319,7 +319,7 @@ class IntegrationTestFlow
       attempt = 0
       ready = false
       server_name = url.include?("9292") ? "OP" : "RP"
-      start_time = Time.now
+      start_time = Time.zone.now
 
       while attempt < max_attempts && !ready
         begin
@@ -330,7 +330,7 @@ class IntegrationTestFlow
           response = http.get(uri.path)
 
           if response.code == "200"
-            elapsed = (Time.now - start_time).round(1)
+            elapsed = (Time.zone.now - start_time).round(1)
             puts "  ✓ #{url} is ready (#{elapsed}s)"
             ready = true
           end
@@ -342,7 +342,7 @@ class IntegrationTestFlow
           attempt += 1
           # Show progress every 5 attempts (1 second)
           if attempt % 5 == 0
-            elapsed = (Time.now - start_time).round(1)
+            elapsed = (Time.zone.now - start_time).round(1)
             print "."
           end
           sleep check_interval
@@ -350,7 +350,7 @@ class IntegrationTestFlow
       end
 
       unless ready
-        elapsed = (Time.now - start_time).round(1)
+        elapsed = (Time.zone.now - start_time).round(1)
         puts "\n  ✗ #{server_name} server at #{url} did not become ready in time (#{elapsed}s)"
         err_log = File.join(@tmp_dir, "#{server_name.downcase}_server_error.log")
         log_file = File.join(@tmp_dir, "#{server_name.downcase}_server.log")

data/examples/mock_op_server.rb

@@ -111,7 +111,7 @@ class MockOPServer
   end
 
   def self.load_signing_key(key_data)
-    if key_data.nil? || key_data.empty?
+    if key_data.blank?
       # Generate a new key for testing
       OpenSSL::PKey::RSA.new(2048)
     elsif key_data.is_a?(String)
@@ -126,7 +126,7 @@ class MockOPServer
   end
 
   def self.load_encryption_key(key_data)
-    return nil if key_data.nil? || key_data.empty?
+    return nil if key_data.blank?
     load_signing_key(key_data)
   end
 
@@ -478,7 +478,7 @@ class MockOPServer
         redirect_uri: redirect_uri,
         state: state,
         nonce: nonce,
-        created_at: Time.now
+        created_at: Time.zone.now
       }
 
       # Redirect back to RP with authorization code

data/examples/mock_rp_server.rb

@@ -66,7 +66,7 @@ class MockRPServer
   end
 
   def self.load_signing_key(key_data)
-    if key_data.nil? || key_data.empty?
+    if key_data.blank?
       OpenSSL::PKey::RSA.new(2048)
     elsif key_data.is_a?(String)
       if key_data.include?("BEGIN")
@@ -80,7 +80,7 @@ class MockRPServer
   end
 
   def self.load_encryption_key(key_data)
-    return nil if key_data.nil? || key_data.empty?
+    return nil if key_data.blank?
     load_signing_key(key_data)
   end
 
@@ -297,7 +297,7 @@ class MockRPServer
         provider_entity_id: provider_entity_id,
         redirect_uri: redirect_uri,
         nonce: nonce,
-        created_at: Time.now
+        created_at: Time.zone.now
       }
 
       # Step 5: Redirect to provider

data/lib/omniauth_openid_federation/entity_statement_reader.rb

@@ -5,6 +5,7 @@ require_relative "key_extractor"
 require_relative "utils"
 require_relative "configuration"
 require_relative "logger"
+require_relative "string_helpers"
 
 # Entity Statement Reader for OpenID Federation 1.0
 # @see https://openid.net/specs/openid-federation-1_0.html OpenID Federation 1.0 Specification
@@ -30,7 +31,7 @@ module OmniauthOpenidFederation
       # @return [Array<Hash>] Array of JWK hash objects
       def fetch_keys(entity_statement_path: nil)
         entity_statement = load_entity_statement(entity_statement_path)
-        return [] if entity_statement.nil? || entity_statement.empty?
+        return [] if StringHelpers.blank?(entity_statement)
 
         # Decode self-signed entity statement
         # Entity statements are self-signed, so we validate using their own JWKS
@@ -53,7 +54,7 @@ module OmniauthOpenidFederation
       # @return [Hash, nil] Hash with provider metadata or nil if not found
       def parse_metadata(entity_statement_path: nil)
         entity_statement = load_entity_statement(entity_statement_path)
-        return nil if entity_statement.nil? || entity_statement.empty?
+        return nil if StringHelpers.blank?(entity_statement)
 
         # Decode JWT payload
         jwt_parts = entity_statement.split(".")
@@ -93,21 +94,45 @@ module OmniauthOpenidFederation
       def load_entity_statement(entity_statement_path)
         return nil if entity_statement_path.nil? || entity_statement_path.to_s.empty?
 
-        # Determine allowed directories for file path validation
-        config = OmniauthOpenidFederation::Configuration.config
-        allowed_dirs = if defined?(Rails) && Rails.root
-          [Rails.root.join("config").to_s]
-        elsif config.root_path
-          [File.join(config.root_path, "config")]
+        # If path is absolute and exists, allow it (for temp files in tests)
+        # For absolute paths that don't exist, validate path traversal but allow outside allowed_dirs
+        # For relative paths, validate against allowed directories
+        path_str = entity_statement_path.to_s
+        is_absolute = path_str.start_with?("/", "~")
+
+        if is_absolute && File.exist?(entity_statement_path)
+          validated_path = entity_statement_path
+        elsif is_absolute
+          # Absolute path - validate path traversal but allow outside allowed_dirs
+          begin
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: nil  # Allow absolute paths outside config directory
+            )
+          rescue SecurityError
+            return nil
+          end
+        else
+          # Relative path - must be in allowed directories
+          config = OmniauthOpenidFederation::Configuration.config
+          allowed_dirs = if defined?(Rails) && Rails.root
+            [Rails.root.join("config").to_s]
+          elsif config.root_path
+            [File.join(config.root_path, "config")]
+          end
+
+          begin
+            # Validate file path to prevent path traversal attacks
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: allowed_dirs
+            )
+          rescue SecurityError
+            return nil
+          end
         end
 
         begin
-          # Validate file path to prevent path traversal attacks
-          validated_path = Utils.validate_file_path!(
-            entity_statement_path,
-            allowed_dirs: allowed_dirs
-          )
-
           return nil unless File.exist?(validated_path)
 
           File.read(validated_path)

data/lib/omniauth_openid_federation/federation/entity_statement_builder.rb

@@ -4,6 +4,7 @@ require "openssl"
 require "time"
 require_relative "../logger"
 require_relative "../errors"
+require_relative "../string_helpers"
 
 # Entity Statement Builder for OpenID Federation 1.0
 # @see https://openid.net/specs/openid-federation-1_0.html OpenID Federation 1.0 Specification
@@ -82,7 +83,6 @@ module OmniauthOpenidFederation
 
         payload = build_payload
 
-        # Build JWT header
         # Per OpenID Federation 1.0 Section 3.1: typ MUST be "entity-statement+jwt"
         header = {
           alg: "RS256",
@@ -102,13 +102,13 @@ module OmniauthOpenidFederation
       private
 
       def validate_parameters
-        raise ConfigurationError, "Issuer is required" if @issuer.nil? || @issuer.empty?
-        raise ConfigurationError, "Subject is required" if @subject.nil? || @subject.empty?
+        raise ConfigurationError, "Issuer is required" if StringHelpers.blank?(@issuer)
+        raise ConfigurationError, "Subject is required" if StringHelpers.blank?(@subject)
         raise ConfigurationError, "Private key is required" if @private_key.nil?
-        raise ConfigurationError, "JWKS is required" if @jwks.nil? || @jwks.empty?
-        raise ConfigurationError, "Metadata is required" if @metadata.nil? || @metadata.empty?
-        raise ConfigurationError, "JWKS must contain at least one key" if @jwks["keys"].nil? || @jwks["keys"].empty?
-        raise ConfigurationError, "Key ID (kid) is required" if @kid.nil? || @kid.empty?
+        raise ConfigurationError, "JWKS is required" if StringHelpers.blank?(@jwks)
+        raise ConfigurationError, "Metadata is required" if StringHelpers.blank?(@metadata)
+        raise ConfigurationError, "JWKS must contain at least one key" if StringHelpers.blank?(@jwks["keys"])
+        raise ConfigurationError, "Key ID (kid) is required" if StringHelpers.blank?(@kid)
       end
 
       def build_payload
@@ -125,7 +125,6 @@ module OmniauthOpenidFederation
           metadata: @metadata
         }
 
-        # Entity Configuration specific claims
         if is_entity_configuration
           payload[:authority_hints] = @authority_hints if @authority_hints
           payload[:trust_marks] = @trust_marks if @trust_marks
@@ -133,7 +132,6 @@ module OmniauthOpenidFederation
           payload[:trust_mark_owners] = @trust_mark_owners if @trust_mark_owners
         end
 
-        # Subordinate Statement specific claims
         if is_subordinate_statement
           payload[:metadata_policy] = @metadata_policy if @metadata_policy
           payload[:metadata_policy_crit] = @metadata_policy_crit if @metadata_policy_crit
@@ -141,21 +139,17 @@ module OmniauthOpenidFederation
           payload[:source_endpoint] = @source_endpoint if @source_endpoint
         end
 
-        # Common optional claims
         payload[:crit] = @crit if @crit
 
         payload
       end
 
       def normalize_jwks(jwks)
-        # Ensure JWKS is a hash with "keys" array
         if jwks.is_a?(Hash)
-          # If it has :keys or "keys", use as-is
           if jwks.key?(:keys) || jwks.key?("keys")
             keys = jwks[:keys] || jwks["keys"]
             {"keys" => normalize_keys(keys)}
           else
-            # If it's just a hash, wrap it
             {"keys" => [jwks]}
           end
         elsif jwks.is_a?(Array)
@@ -168,7 +162,6 @@ module OmniauthOpenidFederation
       def normalize_keys(keys)
         keys.map do |key|
           if key.is_a?(Hash)
-            # Convert symbol keys to string keys
             key.transform_keys(&:to_s)
           else
             key

data/lib/omniauth_openid_federation/federation/entity_statement_helper.rb

@@ -17,18 +17,47 @@ module OmniauthOpenidFederation
       # @raise [ValidationError] If parsing fails
       def self.parse_for_signed_jwks(entity_statement_path)
         # Determine allowed directories for file path validation
-        config = Configuration.config
-        allowed_dirs = if defined?(Rails) && Rails.root
-          [Rails.root.join("config").to_s]
-        elsif config.root_path
-          [File.join(config.root_path, "config")]
-        end
+        # If path is absolute and exists, allow it (for temp files in tests)
+        # For absolute paths that don't exist, validate path traversal but allow outside allowed_dirs
+        # For relative paths, validate against allowed directories
+        path_str = entity_statement_path.to_s
+        is_absolute = path_str.start_with?("/", "~")
+
+        if is_absolute && File.exist?(entity_statement_path)
+          validated_path = entity_statement_path
+        elsif is_absolute
+          # Absolute path - validate path traversal but allow outside allowed_dirs
+          begin
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: nil  # Allow absolute paths outside config directory
+            )
+          rescue SecurityError => e
+            OmniauthOpenidFederation::Logger.warn("[EntityStatementHelper] Security error: #{e.message}")
+            return nil
+          end
+        else
+          # Relative path - must be in allowed directories
+          config = Configuration.config
+          allowed_dirs = if defined?(Rails) && Rails.root
+            [Rails.root.join("config").to_s]
+          elsif config.root_path
+            [File.join(config.root_path, "config")]
+          end
 
-        # Validate file path to prevent path traversal
-        validated_path = Utils.validate_file_path!(
-          entity_statement_path,
-          allowed_dirs: allowed_dirs
-        )
+          begin
+            # Validate file path to prevent path traversal
+            validated_path = Utils.validate_file_path!(
+              entity_statement_path,
+              allowed_dirs: allowed_dirs
+            )
+          rescue SecurityError => e
+            # For relative paths with path traversal, raise SecurityError instead of returning nil
+            # This is a security violation that should be explicitly handled
+            OmniauthOpenidFederation::Logger.warn("[EntityStatementHelper] Security error: #{e.message}")
+            raise SecurityError, e.message
+          end
+        end
 
         unless File.exist?(validated_path)
           sanitized_path = Utils.sanitize_path(validated_path)