omniauth_openid_federation 1.3.0 → 1.3.2

data/lib/omniauth_openid_federation/rack_endpoint.rb

@@ -116,7 +116,7 @@ module OmniauthOpenidFederation
       subject_entity_id = request.params["sub"]
 
       unless subject_entity_id
-        return error_response(400, {error: "invalid_request", error_description: "Missing required parameter: sub"}.to_json)
+        return error_response(400, {error: "invalid_request", error_description: "Missing required parameter: sub"})
       end
 
       # Security: Validate entity identifier per OpenID Federation 1.0 spec
@@ -125,22 +125,22 @@ module OmniauthOpenidFederation
         # Validate and get trimmed value
         subject_entity_id = OmniauthOpenidFederation::Validators.validate_entity_identifier!(subject_entity_id)
       rescue SecurityError => e
-        return error_response(400, {error: "invalid_request", error_description: "Invalid subject entity ID: #{e.message}"}.to_json)
+        return error_response(400, {error: "invalid_request", error_description: "Invalid subject entity ID: #{e.message}"})
       rescue => e
-        return error_response(400, {error: "invalid_request", error_description: "Subject entity ID validation failed: #{e.message}"}.to_json)
+        return error_response(400, {error: "invalid_request", error_description: "Subject entity ID validation failed: #{e.message}"})
       end
 
       # Validate that subject is not the issuer (invalid request per spec)
       config = OmniauthOpenidFederation::FederationEndpoint.configuration
       if subject_entity_id == config.issuer
-        return error_response(400, {error: "invalid_request", error_description: "Subject cannot be the issuer"}.to_json)
+        return error_response(400, {error: "invalid_request", error_description: "Subject cannot be the issuer"})
       end
 
       # Get Subordinate Statement
       subordinate_statement = OmniauthOpenidFederation::FederationEndpoint.get_subordinate_statement(subject_entity_id)
 
       unless subordinate_statement
-        return error_response(404, {error: "not_found", error_description: "Subordinate Statement not found for subject: #{subject_entity_id}"}.to_json)
+        return error_response(404, {error: "not_found", error_description: "Subordinate Statement not found for subject: #{subject_entity_id}"})
       end
 
       headers = {
@@ -188,11 +188,23 @@ module OmniauthOpenidFederation
     # Return error response
     #
     # @param status [Integer] HTTP status code
-    # @param message [String] Error message
+    # @param message [String, Hash] Error message (string) or error hash (will be converted to JSON)
     # @return [Array] Rack response
     def error_response(status, message)
       content_type = (status == 503) ? "text/plain" : "application/json"
-      body = (status == 503) ? message : {error: message}.to_json
+      body = if status == 503
+        message
+      elsif message.is_a?(Hash)
+        message.to_json
+      else
+        # If message is already JSON string, parse and re-encode to ensure proper format
+        begin
+          parsed = JSON.parse(message)
+          parsed.to_json
+        rescue JSON::ParserError
+          {error: message}.to_json
+        end
+      end
 
       [status, {"Content-Type" => content_type}, [body]]
     end

data/lib/omniauth_openid_federation/tasks_helper.rb

@@ -285,7 +285,19 @@ module OmniauthOpenidFederation
             end
             http = Net::HTTP.new(uri.host, uri.port)
             http.use_ssl = (uri.scheme == "https")
-            http.verify_mode = OpenSSL::SSL::VERIFY_NONE if defined?(Rails) && Rails.respond_to?(:env) && Rails.env.development?
+            if uri.scheme == "https"
+              http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+              # Set ca_file directly - this is the simplest and most reliable approach
+              # Try SSL_CERT_FILE first, then default cert file
+              ca_file = if ENV["SSL_CERT_FILE"] && File.file?(ENV["SSL_CERT_FILE"])
+                ENV["SSL_CERT_FILE"]
+              elsif File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+                OpenSSL::X509::DEFAULT_CERT_FILE
+              end
+
+              http.ca_file = ca_file if ca_file
+            end
 
             request_path = uri.path
             request_path += "?#{uri.query}" if uri.query
@@ -466,6 +478,9 @@ module OmniauthOpenidFederation
       }
 
       # HTTP client helper for custom requests
+      build_http_client = lambda do |connect_timeout: 10, read_timeout: 10|
+        HTTP.timeout(connect: connect_timeout, read: read_timeout)
+      end
 
       # Step 1: Fetch login page for CSRF token and cookies
       results[:steps_completed] << "fetch_csrf_token"
@@ -476,7 +491,8 @@ module OmniauthOpenidFederation
       cookies = []
 
       begin
-        login_response = build_http_client(connect_timeout: 10, read_timeout: 10).get(login_page_url)
+        http_client = build_http_client.call(connect_timeout: 10, read_timeout: 10)
+        login_response = http_client.get(login_page_url)
 
         unless login_response.status.success?
           raise "Failed to fetch login page: #{login_response.status.code} #{login_response.status.reason}"
@@ -578,7 +594,8 @@ module OmniauthOpenidFederation
             common_paths.each do |path|
               test_url = URI.join(base_url, path).to_s
               begin
-                test_response = build_http_client(connect_timeout: 5, read_timeout: 5).get(test_url)
+                http_client = build_http_client.call(connect_timeout: 5, read_timeout: 5)
+                test_response = http_client.get(test_url)
                 if test_response.status.code >= 300 && test_response.status.code < 400
                   auth_endpoint = test_url
                   break
@@ -613,7 +630,8 @@ module OmniauthOpenidFederation
         # Include acr_values if provided (must be configured in request_object_params to be included in JWT)
         form_data[:acr_values] = provider_acr if StringHelpers.present?(provider_acr)
 
-        auth_response = build_http_client(connect_timeout: 10, read_timeout: 10)
+        http_client = build_http_client.call(connect_timeout: 10, read_timeout: 10)
+        auth_response = http_client
           .headers(headers)
           .post(auth_endpoint, form: form_data)
 
@@ -692,7 +710,7 @@ module OmniauthOpenidFederation
       require "cgi"
       require "json"
       require "base64"
-      require_relative "../strategy"
+      require_relative "strategy"
 
       results = {
         steps_completed: [],

data/lib/omniauth_openid_federation/time_helpers.rb

@@ -0,0 +1,60 @@
+# Time helper utilities for compatibility with ActiveSupport
+# Provides time methods that work with or without Time.zone
+module OmniauthOpenidFederation
+  module TimeHelpers
+    # Get current time, using Time.zone if available, otherwise Time
+    #
+    # @return [Time] Current time
+    def self.now
+      if time_zone_available?
+        Time.zone.now
+      else
+        # rubocop:disable Rails/TimeZone
+        Time.now
+        # rubocop:enable Rails/TimeZone
+      end
+    end
+
+    # Convert a timestamp to Time, using Time.zone if available, otherwise Time
+    #
+    # @param timestamp [Integer, Float] Unix timestamp
+    # @return [Time] Time object representing the timestamp
+    def self.at(timestamp)
+      if time_zone_available?
+        Time.zone.at(timestamp)
+      else
+        # rubocop:disable Rails/TimeZone
+        Time.at(timestamp)
+        # rubocop:enable Rails/TimeZone
+      end
+    end
+
+    # Parse a time string, using Time.zone if available, otherwise Time
+    #
+    # @param time_string [String] Time string to parse
+    # @return [Time] Parsed time object
+    def self.parse(time_string)
+      if time_zone_available?
+        Time.zone.parse(time_string)
+      else
+        # rubocop:disable Rails/TimeZone
+        Time.parse(time_string)
+        # rubocop:enable Rails/TimeZone
+      end
+    end
+
+    # Check if Time.zone is available and configured
+    #
+    # @return [Boolean] true if Time.zone is available and not nil
+    def self.time_zone_available?
+      return false unless defined?(ActiveSupport)
+      return false unless Time.respond_to?(:zone)
+
+      begin
+        !Time.zone.nil?
+      rescue
+        false
+      end
+    end
+  end
+end

data/lib/omniauth_openid_federation/utils.rb

@@ -1,4 +1,6 @@
 # Utility functions for omniauth_openid_federation
+require_relative "string_helpers"
+
 module OmniauthOpenidFederation
   module Utils
     # Convert hash to HashWithIndifferentAccess if available
@@ -18,7 +20,7 @@ module OmniauthOpenidFederation
     # @param path [String, nil] The file path
     # @return [String] Sanitized path (filename only)
     def self.sanitize_path(path)
-      return "[REDACTED]" if path.nil? || path.empty?
+      return "[REDACTED]" if StringHelpers.blank?(path)
       File.basename(path)
     end
 
@@ -27,7 +29,7 @@ module OmniauthOpenidFederation
     # @param uri [String, nil] The URI
     # @return [String] Sanitized URI
     def self.sanitize_uri(uri)
-      return "[REDACTED]" if uri.nil? || uri.empty?
+      return "[REDACTED]" if StringHelpers.blank?(uri)
       begin
         parsed = URI.parse(uri)
         "#{parsed.scheme}://#{parsed.host}/[REDACTED]"
@@ -70,16 +72,13 @@ module OmniauthOpenidFederation
     def self.validate_file_path!(path, allowed_dirs: nil)
       raise SecurityError, "File path cannot be nil" if path.nil?
 
-      # Convert Pathname to string if needed
       path_str = path.to_s
       raise SecurityError, "File path cannot be empty" if path_str.empty?
 
-      # Check for path traversal attempts
       if path_str.include?("..") || path_str.include?("~")
         raise SecurityError, "Path traversal detected in: #{sanitize_path(path_str)}"
       end
 
-      # Resolve to absolute path
       resolved = File.expand_path(path_str)
 
       # Validate it's within allowed directories if specified
@@ -120,7 +119,6 @@ module OmniauthOpenidFederation
       n = Base64.urlsafe_encode64(key.n.to_s(2), padding: false)
       e = Base64.urlsafe_encode64(key.e.to_s(2), padding: false)
 
-      # Generate kid (key ID) from public key
       public_key_pem = key.public_key.to_pem
       kid = Digest::SHA256.hexdigest(public_key_pem)[0, 16]
 
@@ -131,7 +129,6 @@ module OmniauthOpenidFederation
         e: e
       }
 
-      # Add use field if specified
       jwk[:use] = use if use
 
       jwk

data/lib/omniauth_openid_federation/validators.rb

@@ -1,6 +1,7 @@
 # Input validation utilities for omniauth_openid_federation
 require_relative "constants"
 require_relative "configuration"
+require_relative "string_helpers"
 
 module OmniauthOpenidFederation
   module Validators
@@ -13,7 +14,6 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "Private key is required for signed request objects"
       end
 
-      # Try to parse if it's a string
       if private_key.is_a?(String)
         begin
           OpenSSL::PKey::RSA.new(private_key)
@@ -82,10 +82,8 @@ module OmniauthOpenidFederation
     def self.validate_client_options!(client_options)
       client_options ||= {}
 
-      # Normalize hash keys to symbols
       normalized = normalize_hash(client_options)
 
-      # Validate required fields (structure validation, not security)
       if StringHelpers.blank?(normalized[:identifier])
         raise ConfigurationError, "Client identifier is required"
       end
@@ -94,8 +92,6 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "Redirect URI is required"
       end
 
-      # Basic format check for redirect URI (config validation, not security)
-      # Note: Config values are trusted, we only check format to catch config errors
       begin
         parsed = URI.parse(normalized[:redirect_uri].to_s)
         unless parsed.is_a?(URI::HTTP) || parsed.is_a?(URI::HTTPS)
@@ -105,10 +101,8 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "Invalid redirect URI format: #{e.message}"
       end
 
-      # Validate private key (required for security)
       validate_private_key!(normalized[:private_key])
 
-      # Basic format check for endpoints (config validation, not security)
       %i[authorization_endpoint token_endpoint jwks_uri].each do |endpoint|
         if normalized.key?(endpoint) && !StringHelpers.blank?(normalized[endpoint])
           # Endpoints can be paths or full URLs
@@ -145,7 +139,6 @@ module OmniauthOpenidFederation
       str = value.to_s.strip
       return nil if str.length > max_length
 
-      # Only allow printable ASCII (whitelist approach)
       unless allow_control_chars
         str = str.gsub(/[^\x20-\x7E]/, "")
       end
@@ -159,15 +152,16 @@ module OmniauthOpenidFederation
       max_length ||= ::OmniauthOpenidFederation::Configuration.config.max_string_length
       raise SecurityError, "URI cannot be nil" if uri_str.nil?
 
-      str = uri_str.to_s.strip
+      original_str = uri_str.to_s
+      sanitized = original_str.gsub(/[^\x20-\x7E]/, "")
+      raise SecurityError, "URI contains invalid characters (only printable ASCII allowed)" if sanitized != original_str
+
+      str = sanitized.strip
       raise SecurityError, "URI cannot be empty" if str.empty?
       raise SecurityError, "URI exceeds maximum length of #{max_length} characters" if str.length > max_length
 
-      sanitized = str.gsub(/[^\x20-\x7E]/, "")
-      raise SecurityError, "URI contains invalid characters (only printable ASCII allowed)" if sanitized != str
-
       begin
-        parsed = URI.parse(sanitized)
+        parsed = URI.parse(str)
       rescue URI::InvalidURIError => e
         raise SecurityError, "Invalid URI format: #{e.message}"
       end
@@ -180,7 +174,7 @@ module OmniauthOpenidFederation
         raise SecurityError, "URI must be HTTP or HTTPS"
       end
 
-      raise SecurityError, "URI host cannot be empty" if parsed.host.nil? || parsed.host.empty?
+      raise SecurityError, "URI host cannot be empty" if StringHelpers.blank?(parsed.host)
 
       parsed
     end
@@ -199,22 +193,16 @@ module OmniauthOpenidFederation
 
       case acr_values
       when Array
-        # Filter out blanks (arrays may already be sanitized)
         values = acr_values.map(&:to_s).map(&:strip).reject { |v| StringHelpers.blank?(v) }
       when String
-        # Trim and split by whitespace and validate each value using allowed characters
-        # Security: Use simple space split (no regexp to avoid ReDoS)
         trimmed = acr_values.strip
         values = trimmed.split(" ").map(&:strip).reject { |v| StringHelpers.blank?(v) }
       else
-        # Convert to string, trim and split
         str = acr_values.to_s.strip
         return nil if str.length > max_length
-        # Security: Use simple space split (no regexp to avoid ReDoS)
         values = str.split(" ").map(&:strip).reject { |v| StringHelpers.blank?(v) }
       end
 
-      # Sanitize each value unless already sanitized
       unless skip_sanitization
         values = values.map { |v| sanitize_request_param(v) }.compact
       end
@@ -243,9 +231,8 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "client_id cannot be empty after trimming"
       end
 
-      # Sanitize using allowed characters (printable ASCII only)
       sanitized = sanitize_request_param(str)
-      if sanitized.nil? || sanitized.empty?
+      if StringHelpers.blank?(sanitized)
         raise ConfigurationError, "client_id contains invalid characters"
       end
 
@@ -268,7 +255,6 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "redirect_uri cannot be empty after trimming"
       end
 
-      # Validate as URI (includes allowed characters validation)
       validated = validate_uri_safe!(str, allowed_schemes: ["http", "https"])
       validated.to_s
     end
@@ -289,7 +275,6 @@ module OmniauthOpenidFederation
         return nil
       end
 
-      # Normalize to array
       scopes = case scope
       when Array
         scope.map(&:to_s).map(&:strip).reject { |s| StringHelpers.blank?(s) }
@@ -299,14 +284,12 @@ module OmniauthOpenidFederation
         scope.to_s.strip.split(" ").map(&:strip).reject { |s| StringHelpers.blank?(s) }
       end
 
-      # Validate each scope value (allowed: printable ASCII)
       scopes = scopes.map { |s| sanitize_request_param(s) }.compact
 
       if scopes.empty?
         raise ConfigurationError, "scope cannot be empty after validation"
       end
 
-      # Check for "openid" scope if required
       if require_openid && !scopes.include?("openid")
         raise ConfigurationError, "scope MUST include 'openid' per OIDC Core 1.0 spec"
       end
@@ -336,9 +319,8 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "state cannot be empty after trimming"
       end
 
-      # Sanitize using allowed characters (printable ASCII only)
       sanitized = sanitize_request_param(str)
-      if sanitized.nil? || sanitized.empty?
+      if StringHelpers.blank?(sanitized)
         raise ConfigurationError, "state contains invalid characters"
       end
 
@@ -363,10 +345,8 @@ module OmniauthOpenidFederation
         return nil
       end
 
-      # Sanitize using allowed characters (printable ASCII only)
-      # OIDC Core 1.0: nonce value is a case-sensitive string
       sanitized = sanitize_request_param(str)
-      if sanitized.nil? || sanitized.empty?
+      if StringHelpers.blank?(sanitized)
         if required
           raise ConfigurationError, "nonce contains invalid characters"
         end
@@ -392,13 +372,11 @@ module OmniauthOpenidFederation
         raise ConfigurationError, "response_type cannot be empty after trimming"
       end
 
-      # Sanitize using allowed characters (printable ASCII only)
       sanitized = sanitize_request_param(str)
-      if sanitized.nil? || sanitized.empty?
+      if StringHelpers.blank?(sanitized)
         raise ConfigurationError, "response_type contains invalid characters"
       end
 
-      # Validate it's a known response type (space-separated list)
       valid_types = ["code", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"]
       types = sanitized.split(" ").map(&:strip)
       unless types.all? { |t| valid_types.include?(t) || t.match?(/^[a-z_]+$/) }
@@ -426,10 +404,8 @@ module OmniauthOpenidFederation
         raise SecurityError, "Entity identifier cannot be empty after trimming"
       end
 
-      # Validate as URI (includes allowed characters and length validation)
       validate_uri_safe!(str, max_length: max_length, allowed_schemes: ["http", "https"])
 
-      # Return trimmed and validated value
       str
     end
   end

data/lib/omniauth_openid_federation/version.rb

@@ -1,3 +1,3 @@
 module OmniauthOpenidFederation
-  VERSION = "1.3.0".freeze
+  VERSION = "1.3.2".freeze
 end

data/lib/omniauth_openid_federation.rb

@@ -28,6 +28,7 @@ end
 
 require_relative "omniauth_openid_federation/version"
 require_relative "omniauth_openid_federation/string_helpers"
+require_relative "omniauth_openid_federation/time_helpers"
 require_relative "omniauth_openid_federation/logger"
 require_relative "omniauth_openid_federation/configuration"
 require_relative "omniauth_openid_federation/errors"

data/lib/tasks/omniauth_openid_federation.rake

@@ -1,5 +1,6 @@
 # Rake tasks for OmniAuth OpenID Federation
 # Thin wrappers around TasksHelper for CLI interface
+require_relative "../omniauth_openid_federation/time_helpers"
 
 namespace :openid_federation do
   desc "Fetch entity statement from OpenID Federation provider"
@@ -262,8 +263,8 @@ namespace :openid_federation do
       end
       puts "   Issuer: #{metadata[:issuer]}"
       puts "   Subject: #{metadata[:sub]}"
-      puts "   Expires: #{Time.at(metadata[:exp])}" if metadata[:exp]
-      puts "   Issued At: #{Time.at(metadata[:iat])}" if metadata[:iat]
+      puts "   Expires: #{OmniauthOpenidFederation::TimeHelpers.at(metadata[:exp])}" if metadata[:exp]
+      puts "   Issued At: #{OmniauthOpenidFederation::TimeHelpers.at(metadata[:iat])}" if metadata[:iat]
       puts
 
       # Key status information
@@ -594,7 +595,7 @@ namespace :openid_federation do
           if value
             if [:exp, :iat, :auth_time].include?(key)
               time_value = begin
-                Time.at(value)
+                OmniauthOpenidFederation::TimeHelpers.at(value)
               rescue
                 value
               end

data/sig/omniauth_openid_federation.rbs

@@ -183,6 +183,12 @@ module OmniauthOpenidFederation
     def self.blank?: (untyped value) -> bool
   end
 
+  module TimeHelpers
+    def self.now: () -> Time
+    def self.at: (Integer | Float timestamp) -> Time
+    def self.parse: (String time_string) -> Time
+  end
+
   module Validators
     def self.validate_private_key!: (untyped private_key) -> void
     def self.normalize_hash: (untyped hash) -> Hash[Symbol, untyped]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth_openid_federation
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.2
 platform: ruby
 authors:
 - Andrei Makarov
@@ -197,6 +197,104 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.52'
+- !ruby/object:Gem::Dependency
+  name: standard-custom
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: standard-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: standard-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: standard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.33'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.33'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rubocop-thread_safety
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -323,6 +421,7 @@ files:
 - lib/omniauth_openid_federation/strategy.rb
 - lib/omniauth_openid_federation/string_helpers.rb
 - lib/omniauth_openid_federation/tasks_helper.rb
+- lib/omniauth_openid_federation/time_helpers.rb
 - lib/omniauth_openid_federation/utils.rb
 - lib/omniauth_openid_federation/validators.rb
 - lib/omniauth_openid_federation/version.rb