RubyGems - omniauth_openid_federation - Versions diffs - 1.3.0 → 1.3.2 - Mend

omniauth_openid_federation 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +13 -0
data/README.md +1 -1
data/app/controllers/omniauth_openid_federation/federation_controller.rb +1 -1
data/config/routes.rb +20 -10
data/examples/integration_test_flow.rb +4 -4
data/examples/mock_op_server.rb +3 -3
data/examples/mock_rp_server.rb +3 -3
data/lib/omniauth_openid_federation/entity_statement_reader.rb +39 -14
data/lib/omniauth_openid_federation/federation/entity_statement_builder.rb +7 -14
data/lib/omniauth_openid_federation/federation/entity_statement_helper.rb +40 -11
data/lib/omniauth_openid_federation/federation/entity_statement_validator.rb +6 -87
data/lib/omniauth_openid_federation/federation/trust_chain_resolver.rb +3 -15
data/lib/omniauth_openid_federation/federation_endpoint.rb +39 -171
data/lib/omniauth_openid_federation/jwks/rotate.rb +45 -20
data/lib/omniauth_openid_federation/jws.rb +2 -1
data/lib/omniauth_openid_federation/rack_endpoint.rb +19 -7
data/lib/omniauth_openid_federation/tasks_helper.rb +23 -5
data/lib/omniauth_openid_federation/time_helpers.rb +60 -0
data/lib/omniauth_openid_federation/utils.rb +4 -7
data/lib/omniauth_openid_federation/validators.rb +12 -36
data/lib/omniauth_openid_federation/version.rb +1 -1
data/lib/omniauth_openid_federation.rb +1 -0
data/lib/tasks/omniauth_openid_federation.rake +4 -3
data/sig/omniauth_openid_federation.rbs +6 -0
metadata +100 -1

data/lib/omniauth_openid_federation/federation/entity_statement_validator.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "json"
 require_relative "../logger"
 require_relative "../errors"
 require_relative "../configuration"
+require_relative "../string_helpers"
 # Entity Statement Validator for OpenID Federation 1.0
 # @see https://openid.net/specs/openid-federation-1_0.html#section-3.2.1 Section 3.2.1: Entity Statement Validation
@@ -53,70 +54,27 @@ module OmniauthOpenidFederation
       # @return [Hash] Validated entity statement with header and claims
       # @raise [ValidationError] If validation fails at any step
       def validate!
-        # Step 1: Entity Statement MUST be a signed JWT
         validate_jwt_format
-        # Step 2: Validate typ header (MUST be "entity-statement+jwt")
         validate_typ_header
-        # Step 3: Validate alg header (MUST be present and not "none")
         validate_alg_header
-        # Step 4: Validate sub claim matches Entity Identifier
         validate_sub_claim
-        # Step 5: Validate iss claim is valid Entity Identifier
         validate_iss_claim
-        # Step 6: Determine Entity Configuration vs Subordinate Statement
         determine_statement_type
-        # Step 7: Validate authority_hints for Subordinate Statements
         validate_authority_hints if @is_subordinate_statement
-        # Step 8: Validate iat claim (issued at time)
         validate_iat_claim
-        # Step 9: Validate exp claim (expiration time)
         validate_exp_claim
-        # Step 10: Validate jwks claim (MUST be present and valid)
         validate_jwks_claim
-        # Step 11: Validate kid header (MUST be non-zero length string)
         validate_kid_header
-        # Step 12: Validate kid matches key in issuer's JWKS
         validate_kid_matching
-        # Step 13: Validate signature (if issuer configuration provided)
         validate_signature if @issuer_entity_configuration || @is_entity_configuration
-        # Step 14: Validate crit claim (if present)
         validate_crit_claim
-        # Step 15: Validate authority_hints syntax (if present)
         validate_authority_hints_syntax if @header && @payload && @is_entity_configuration
-        # Step 16: Validate metadata syntax (if present)
         validate_metadata_syntax
-        # Step 17: Validate metadata_policy (if present, MUST be Subordinate Statement)
         validate_metadata_policy_presence
-        # Step 18: Validate metadata_policy_crit (if present, MUST be Subordinate Statement)
         validate_metadata_policy_crit_presence
-        # Step 19: Validate constraints (if present, MUST be Subordinate Statement)
         validate_constraints_presence
-        # Step 20: Validate trust_marks (if present, MUST be Entity Configuration)
         validate_trust_marks_presence
-        # Step 21: Validate trust_mark_issuers (if present, MUST be Entity Configuration)
         validate_trust_mark_issuers_presence
-        # Step 22: Validate trust_mark_owners (if present, MUST be Entity Configuration)
         validate_trust_mark_owners_presence
         {
@@ -129,14 +87,12 @@ module OmniauthOpenidFederation
       private
-      # Step 1: Entity Statement MUST be a signed JWT
       def validate_jwt_format
         jwt_parts = @jwt_string.split(".")
         if jwt_parts.length != JWT_PARTS_COUNT
           raise ValidationError, "Invalid JWT format: expected #{JWT_PARTS_COUNT} parts (header.payload.signature), got #{jwt_parts.length}"
         end
-        # Decode header and payload
         begin
           @header = JSON.parse(Base64.urlsafe_decode64(jwt_parts[0]))
           @payload = JSON.parse(Base64.urlsafe_decode64(jwt_parts[1]))
@@ -147,7 +103,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 2: Entity Statement MUST have typ header with value "entity-statement+jwt"
       def validate_typ_header
         typ = @header["typ"] || @header[:typ]
         unless typ == REQUIRED_TYP
@@ -155,10 +110,9 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 3: Entity Statement MUST have alg header that is present and not "none"
       def validate_alg_header
         alg = @header["alg"] || @header[:alg]
-        if alg.nil? || alg.empty?
+        if StringHelpers.blank?(alg)
           raise ValidationError, "Entity statement MUST have an alg (algorithm) header parameter"
         end
         if alg == "none"
@@ -170,33 +124,28 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 4: Entity Identifier MUST match sub claim
       # Note: This is a structural check. The actual Entity Identifier validation
       # would require knowing the expected Entity Identifier, which is context-dependent.
       def validate_sub_claim
         sub = @payload["sub"]
-        if sub.nil? || sub.empty?
+        if StringHelpers.blank?(sub)
           raise ValidationError, "Entity statement MUST have a sub (subject) claim with a valid Entity Identifier"
         end
-        # Basic Entity Identifier format validation (should be a URI)
         unless sub.is_a?(String) && sub.start_with?("http://", "https://")
           raise ValidationError, "Entity statement sub claim MUST be a valid Entity Identifier (URI)"
         end
       end
-      # Step 5: Entity Statement MUST have iss claim with valid Entity Identifier
       def validate_iss_claim
         iss = @payload["iss"]
-        if iss.nil? || iss.empty?
+        if StringHelpers.blank?(iss)
           raise ValidationError, "Entity statement MUST have an iss (issuer) claim with a valid Entity Identifier"
         end
-        # Basic Entity Identifier format validation (should be a URI)
         unless iss.is_a?(String) && iss.start_with?("http://", "https://")
           raise ValidationError, "Entity statement iss claim MUST be a valid Entity Identifier (URI)"
         end
       end
-      # Step 6: Determine Entity Configuration vs Subordinate Statement
       def determine_statement_type
         iss = @payload["iss"]
         sub = @payload["sub"]
@@ -213,7 +162,6 @@ module OmniauthOpenidFederation
           return
         end
-        # Extract authority_hints from issuer's Entity Configuration
         issuer_config = if @issuer_entity_configuration.is_a?(Hash)
           @issuer_entity_configuration
         elsif @issuer_entity_configuration.respond_to?(:parse)
@@ -231,7 +179,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 8: Validate iat claim (issued at time)
       def validate_iat_claim
         iat = @payload["iat"]
         if iat.nil?
@@ -243,13 +190,11 @@ module OmniauthOpenidFederation
         end
         current_time = Time.now.to_i
-        # Allow clock skew: iat can be slightly in the future
         if iat > (current_time + @clock_skew_tolerance)
           raise ValidationError, "Entity statement iat (issued at) claim is too far in the future. Current time: #{current_time}, iat: #{iat}, tolerance: #{@clock_skew_tolerance}s"
         end
       end
-      # Step 9: Validate exp claim (expiration time)
       def validate_exp_claim
         exp = @payload["exp"]
         if exp.nil?
@@ -261,19 +206,16 @@ module OmniauthOpenidFederation
         end
         current_time = Time.now.to_i
-        # Allow clock skew: exp can be slightly in the past
         if exp < (current_time - @clock_skew_tolerance)
           raise ValidationError, "Entity statement has expired. Current time: #{current_time}, exp: #{exp}, tolerance: #{@clock_skew_tolerance}s"
         end
       end
-      # Step 10: Validate jwks claim (MUST be present and valid)
       def validate_jwks_claim
         jwks = @payload["jwks"]
         if jwks.nil?
           # jwks is OPTIONAL only for Entity Statement returned from OP during Explicit Registration
           # For all other cases, it is REQUIRED
-          # We'll be strict and require it unless we have context that this is an Explicit Registration response
           raise ValidationError, "Entity statement MUST have a jwks (JWK Set) claim"
         end
@@ -286,14 +228,12 @@ module OmniauthOpenidFederation
           raise ValidationError, "Entity statement jwks claim MUST contain a 'keys' array"
         end
-        # Validate that each key has a unique kid
         kids = keys.map { |key| key["kid"] || key[:kid] }.compact
         if kids.length != kids.uniq.length
           raise ValidationError, "Entity statement jwks keys MUST have unique kid (Key ID) values"
         end
       end
-      # Step 11: Validate kid header (MUST be non-zero length string)
       def validate_kid_header
         kid = @header["kid"] || @header[:kid]
         if kid.nil?
@@ -307,17 +247,13 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 12: Validate kid matches key in issuer's JWKS
       def validate_kid_matching
         kid = @header["kid"] || @header[:kid]
         jwks = @payload["jwks"] || {}
-        # Get issuer's JWKS
         issuer_jwks = if @is_entity_configuration
-          # For Entity Configuration, use its own JWKS
           jwks
         elsif @issuer_entity_configuration
-          # For Subordinate Statement, use issuer's Entity Configuration JWKS
           issuer_config = if @issuer_entity_configuration.is_a?(Hash)
             @issuer_entity_configuration
           elsif @issuer_entity_configuration.respond_to?(:parse)
@@ -328,7 +264,6 @@ module OmniauthOpenidFederation
           issuer_config[:jwks] || issuer_config["jwks"] || issuer_config[:claims]&.fetch("jwks", {}) || issuer_config["claims"]&.fetch("jwks", {})
         else
-          # Cannot validate kid matching without issuer configuration
           OmniauthOpenidFederation::Logger.warn("[EntityStatementValidator] Cannot validate kid matching: issuer entity configuration not provided")
           return
         end
@@ -341,12 +276,9 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 13: Validate signature
+      # Signature validation is typically done separately using JWT.decode
+      # This step validates that we have the necessary information to validate the signature
       def validate_signature
-        # Signature validation is typically done separately using JWT.decode
-        # This step is a placeholder - actual signature validation should be done
-        # by the caller using the issuer's public key
-        # We validate that we have the necessary information to validate the signature
         kid = @header["kid"] || @header[:kid]
         jwks = @payload["jwks"] || {}
@@ -372,12 +304,8 @@ module OmniauthOpenidFederation
         unless matching_key
           raise ValidationError, "Cannot validate signature: signing key with kid '#{kid}' not found in issuer's JWKS"
         end
-        # Note: Actual cryptographic signature verification should be done by the caller
-        # using JWT.decode with the matching key
       end
-      # Step 14: Validate crit claim (if present)
       def validate_crit_claim
         crit = @payload["crit"] || @payload[:crit]
         return unless crit
@@ -398,7 +326,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 15: Validate authority_hints syntax (if present)
       def validate_authority_hints_syntax
         authority_hints = @payload["authority_hints"] || @payload[:authority_hints]
         return unless authority_hints
@@ -418,7 +345,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 16: Validate metadata syntax (if present)
       def validate_metadata_syntax
         metadata = @payload["metadata"] || @payload[:metadata]
         return unless metadata
@@ -427,7 +353,6 @@ module OmniauthOpenidFederation
           raise ValidationError, "Entity statement metadata claim MUST be a JSON object"
         end
-        # Validate that metadata values are not null
         metadata.each do |entity_type, entity_metadata|
           if entity_metadata.nil?
             raise ValidationError, "Entity statement metadata claim MUST NOT use null as metadata values"
@@ -438,7 +363,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 17: Validate metadata_policy presence (MUST be Subordinate Statement)
       def validate_metadata_policy_presence
         metadata_policy = @payload["metadata_policy"] || @payload[:metadata_policy]
         return unless metadata_policy
@@ -448,7 +372,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 18: Validate metadata_policy_crit presence (MUST be Subordinate Statement)
       def validate_metadata_policy_crit_presence
         metadata_policy_crit = @payload["metadata_policy_crit"] || @payload[:metadata_policy_crit]
         return unless metadata_policy_crit
@@ -458,7 +381,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 19: Validate constraints presence (MUST be Subordinate Statement)
       def validate_constraints_presence
         constraints = @payload["constraints"] || @payload[:constraints]
         return unless constraints
@@ -468,7 +390,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 20: Validate trust_marks presence (MUST be Entity Configuration)
       def validate_trust_marks_presence
         trust_marks = @payload["trust_marks"] || @payload[:trust_marks]
         return unless trust_marks
@@ -478,7 +399,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 21: Validate trust_mark_issuers presence (MUST be Entity Configuration)
       def validate_trust_mark_issuers_presence
         trust_mark_issuers = @payload["trust_mark_issuers"] || @payload[:trust_mark_issuers]
         return unless trust_mark_issuers
@@ -488,7 +408,6 @@ module OmniauthOpenidFederation
         end
       end
-      # Step 22: Validate trust_mark_owners presence (MUST be Entity Configuration)
       def validate_trust_mark_owners_presence
         trust_mark_owners = @payload["trust_mark_owners"] || @payload[:trust_mark_owners]
         return unless trust_mark_owners

data/lib/omniauth_openid_federation/federation/trust_chain_resolver.rb CHANGED Viewed

@@ -4,7 +4,7 @@ require_relative "../http_client"
 require_relative "../logger"
 require_relative "../errors"
 require_relative "../utils"
-require "set"
+require_relative "../string_helpers"
 require "cgi"
 # Trust Chain Resolver for OpenID Federation 1.0
@@ -59,24 +59,21 @@ module OmniauthOpenidFederation
       def resolve!
         OmniauthOpenidFederation::Logger.debug("[TrustChainResolver] Starting trust chain resolution for: #{@leaf_entity_id}")
-        # Step 1: Fetch Leaf Entity's Entity Configuration
         leaf_config = fetch_entity_configuration(@leaf_entity_id)
-        validate_entity_statement(leaf_config, nil) # No issuer for Entity Configuration
+        validate_entity_statement(leaf_config, nil)
         @resolved_statements << leaf_config
         @visited_entities.add(@leaf_entity_id)
-        # Step 2: Follow authority_hints to build the chain
         current_entity_id = @leaf_entity_id
         current_config = leaf_config
         while current_config && !is_trust_anchor?(current_config)
           authority_hints = extract_authority_hints(current_config)
-          if authority_hints.nil? || authority_hints.empty?
+          if StringHelpers.blank?(authority_hints)
             raise ValidationError, "Entity #{current_entity_id} has no authority_hints and is not a Trust Anchor"
           end
-          # Try each authority hint until we find a valid chain
           found_next = false
           authority_hints.each do |authority_id|
             next if @visited_entities.include?(authority_id)
@@ -86,28 +83,23 @@ module OmniauthOpenidFederation
             end
             begin
-              # Fetch Subordinate Statement from authority
               subordinate_statement = fetch_subordinate_statement(
                 issuer: authority_id,
                 subject: current_entity_id
               )
-              # Validate Subordinate Statement
               issuer_config = fetch_entity_configuration(authority_id)
               validate_entity_statement(subordinate_statement, issuer_config)
-              # Add to chain
               @resolved_statements << subordinate_statement
               @visited_entities.add(authority_id)
-              # Continue with issuer as next entity
               current_entity_id = authority_id
               current_config = issuer_config
               found_next = true
               break
             rescue ValidationError, FetchError => e
               OmniauthOpenidFederation::Logger.warn("[TrustChainResolver] Failed to resolve via #{authority_id}: #{e.message}")
-              # Instrument trust chain validation failure
               OmniauthOpenidFederation::Instrumentation.notify_trust_chain_validation_failed(
                 entity_id: current_entity_id,
                 trust_anchor: authority_id,
@@ -124,10 +116,8 @@ module OmniauthOpenidFederation
           end
         end
-        # Step 3: Verify we reached a Trust Anchor
         unless is_trust_anchor?(current_config)
           error_msg = "Trust chain did not terminate at a configured Trust Anchor"
-          # Instrument trust chain validation failure
           OmniauthOpenidFederation::Instrumentation.notify_trust_chain_validation_failed(
             entity_id: @leaf_entity_id,
             trust_anchor: current_entity_id,
@@ -164,7 +154,6 @@ module OmniauthOpenidFederation
       end
       def fetch_subordinate_statement(issuer:, subject:)
-        # Try to get fetch endpoint from issuer's Entity Configuration
         issuer_config = fetch_entity_configuration(issuer)
         fetch_endpoint = extract_fetch_endpoint(issuer_config)
@@ -172,7 +161,6 @@ module OmniauthOpenidFederation
           raise FetchError, "Issuer #{issuer} does not provide a fetch endpoint"
         end
-        # Build fetch URL with iss and sub parameters
         fetch_url = "#{fetch_endpoint}?iss=#{CGI.escape(issuer)}&sub=#{CGI.escape(subject)}"
         OmniauthOpenidFederation::Logger.debug("[TrustChainResolver] Fetching Subordinate Statement from: #{fetch_url}")