openid_connect 0.9.2 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0c8f7a65bb459955b2c3b48c95136b767d2299db
-  data.tar.gz: b425f0dd8c76e63749920ab0079a3ba60218721b
+  metadata.gz: 96670a029138c10be710eeb8b123c9e3b173c3ee
+  data.tar.gz: 02bf038dac7a8acaef22d285d0fbfc433443bd62
 SHA512:
-  metadata.gz: 8fe38d6c1f68b1c0d1b15762ea42c9c3dffb17334490766d088e31c3c1ff1b98915bbe56d4884f146b3d2ec1565f622155e7d47bea199a5b3f484640b031a42c
-  data.tar.gz: c07ffac0ba172baa94dbf46efb4bfcb921ec29fc541ce0385aca6494e34601de05ad789943f1144fd6ed2f07ac23fe691a346b798e93d3f1f24181f412c9c683
+  metadata.gz: 1f59f7cc3af3259e70dd8f40e8790c854a2ca7b487e0cdb09850e161460d07a9b7031b983da851563aa5f136c188b4ce698664597572911c36a5588b0d767557
+  data.tar.gz: 9bb50877162d933fcbaa8c82e2a2f344e3e81a3a30059f116716c5fb94db3586b946dac3ff350216ff84ef7077001af677fb533c97eea3d340f9aae0b767d384

data/.travis.yml

@@ -1,3 +1,8 @@
+before_install:
+  - gem install bundler
+
 rvm:
-  - 1.9.3
-  - 2.0.0
+  - 2.0
+  - 2.1
+  - 2.2
+  - 2.3.0

data/VERSION

@@ -1 +1 @@
-0.9.2
+0.10.0

data/lib/openid_connect/discovery/provider/config.rb

@@ -4,8 +4,10 @@ module OpenIDConnect
       class Config
         def self.discover!(identifier, cache_options = {})
           uri = URI.parse(identifier)
-          Resource.new(uri).discover!(cache_options)
-        rescue SWD::Exception => e
+          Resource.new(uri).discover!(cache_options).tap do |response|
+            response.validate! identifier
+          end
+        rescue SWD::Exception, ValidationFailed => e
           raise DiscoveryFailed.new(e.message)
         end
       end

data/lib/openid_connect/discovery/provider/config/resource.rb

@@ -23,7 +23,7 @@ module OpenIDConnect
           private
 
           def to_response_object(hash)
-            Response.new hash
+            Response.new(hash)
           end
 
           def cache_key

data/lib/openid_connect/discovery/provider/config/response.rb

@@ -10,10 +10,10 @@ module OpenIDConnect
           uri_attributes = {
             required: [
               :issuer,
+              :authorization_endpoint,
               :jwks_uri
             ],
             optional: [
-              :authorization_endpoint,
               :token_endpoint,
               :userinfo_endpoint,
               :registration_endpoint,
@@ -72,8 +72,10 @@ module OpenIDConnect
             end
           end
 
-          def validate!
-            valid? or raise ValidationFailed.new(self)
+          def validate!(expected_issuer = nil)
+            valid? && (
+              expected_issuer.blank? || issuer == expected_issuer
+            ) or raise ValidationFailed.new(self)
           end
 
           def jwks

data/lib/openid_connect/request_object.rb

@@ -13,11 +13,9 @@ module OpenIDConnect
       @userinfo = UserInfo.new(attributes) if attributes.present?
     end
 
-    def as_json_with_mixed_keys(options = {})
-      hash = as_json_without_mixed_keys options
-      hash.with_indifferent_access
+    def as_json(options = {})
+      super.with_indifferent_access
     end
-    alias_method_chain :as_json, :mixed_keys
 
     class << self
       def decode(jwt_string, key = nil)

data/lib/openid_connect/request_object/claimable.rb

@@ -3,12 +3,10 @@ module OpenIDConnect
     module Claimable
       def self.included(klass)
         klass.send :attr_optional, :claims
-        klass.send :alias_method_chain, :initialize, :claims
-        klass.send :alias_method_chain, :as_json, :keep_blank
       end
 
-      def initialize_with_claims(attributes = {})
-        initialize_without_claims attributes
+      def initialize(attributes = {})
+        super
         if claims.present?
           _claims_ = {}
           claims.each do |key, value|
@@ -29,9 +27,9 @@ module OpenIDConnect
         end
       end
 
-      def as_json_with_keep_blank(options = {})
+      def as_json(options = {})
         keys = claims.try(:keys)
-        hash = as_json_without_keep_blank options
+        hash = super
         Array(keys).each do |key|
           hash[:claims][key] ||= nil
         end

data/lib/openid_connect/response_object/id_token.rb

@@ -27,7 +27,7 @@ module OpenIDConnect
       end
 
       include JWTnizable
-      def to_jwt_with_at_hash_and_c_hash(key, algorithm = :RS256, &block)
+      def to_jwt(key, algorithm = :RS256, &block)
         hash_length = algorithm.to_s[2, 3].to_i
         if access_token
           token = case access_token
@@ -41,9 +41,8 @@ module OpenIDConnect
         if code
           self.c_hash = left_half_hash_of code, hash_length
         end
-        to_jwt_without_at_hash_and_c_hash key, algorithm, &block
+        super
       end
-      alias_method_chain :to_jwt, :at_hash_and_c_hash
 
       private
 

data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb

@@ -2,22 +2,20 @@ class Rack::OAuth2::Server::Authorize
   module RequestWithConnectParams
     CONNECT_EXT_PARAMS = [:nonce, :display, :prompt, :request, :request_uri, :id_token]
 
-    def self.included(klass)
+    def self.prepended(klass)
       klass.send :attr_optional, *CONNECT_EXT_PARAMS
-      klass.class_eval do
-        def initialize_with_connect_params(env)
-          initialize_without_connect_params env
-          CONNECT_EXT_PARAMS.each do |attribute|
-            self.send :"#{attribute}=", params[attribute.to_s]
-          end
-        end
-        alias_method_chain :initialize, :connect_params
+    end
 
-        def openid_connect_request?
-          scope.include?('openid')
-        end
+    def initialize(env)
+      super
+      CONNECT_EXT_PARAMS.each do |attribute|
+        self.send :"#{attribute}=", params[attribute.to_s]
       end
     end
+
+    def openid_connect_request?
+      scope.include?('openid')
+    end
   end
-  Request.send :include, RequestWithConnectParams
+  Request.send :prepend, RequestWithConnectParams
 end

data/lib/rack/oauth2/server/id_token_response.rb

@@ -1,22 +1,20 @@
 module Rack::OAuth2::Server
   module IdTokenResponse
-    def self.included(klass)
+    def self.prepended(klass)
       klass.send :attr_optional, :id_token
-      klass.class_eval do
-        def protocol_params_location
-          :fragment
-        end
+    end
+
+    def protocol_params_location
+      :fragment
+    end
 
-        def protocol_params_with_id_token
-          protocol_params_without_id_token.merge(
-            id_token: id_token
-          )
-        end
-        alias_method_chain :protocol_params, :id_token
-      end
+    def protocol_params
+      super.merge(
+        id_token: id_token
+      )
     end
   end
-  Token::Response.send :include, IdTokenResponse
+  Token::Response.send :prepend, IdTokenResponse
 end
 
 require 'rack/oauth2/server/authorize/extension/code_and_id_token'

data/spec/mock_response/discovery/config_with_custom_port.json

@@ -0,0 +1,13 @@
+{
+    "issuer": "https://connect-op.heroku.com:8080",
+    "authorization_endpoint": "https://connect-op.heroku.com:8080/authorizations/new",
+    "token_endpoint": "https://connect-op.heroku.com:8080/access_tokens",
+    "userinfo_endpoint": "https://connect-op.heroku.com:8080/userinfo",
+    "registration_endpoint": "https://connect-op.heroku.com:8080/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/discovery/config_with_invalid_issuer.json

@@ -0,0 +1,13 @@
+{
+    "issuer": "https://attacker.example.com",
+    "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
+    "token_endpoint": "https://connect-op.heroku.com/access_tokens",
+    "userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
+    "registration_endpoint": "https://connect-op.heroku.com/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/discovery/config_with_path.json

@@ -0,0 +1,13 @@
+{
+    "issuer": "https://connect.openid4.us/abop",
+    "authorization_endpoint": "https://connect.openid4.us/abop/authorizations/new",
+    "token_endpoint": "https://connect.openid4.us/abop/access_tokens",
+    "userinfo_endpoint": "https://connect.openid4.us/abop/userinfo",
+    "registration_endpoint": "https://connect.openid4.us/abop/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/mock_response/discovery/config_without_issuer.json

@@ -0,0 +1,12 @@
+{
+    "authorization_endpoint": "https://connect-op.heroku.com/authorizations/new",
+    "token_endpoint": "https://connect-op.heroku.com/access_tokens",
+    "userinfo_endpoint": "https://connect-op.heroku.com/userinfo",
+    "registration_endpoint": "https://connect-op.heroku.com/connect/client",
+    "scopes_supported": ["openid", "profile", "email", "address"],
+    "response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "id_token token"],
+    "subject_types_supported": ["public", "pairwise"],
+    "claims_supported": ["sub", "iss", "name", "email"],
+    "jwks_uri": "https://connect-op.heroku.com/jwks.json",
+    "id_token_signing_alg_values_supported": ["RS256"]
+}

data/spec/openid_connect/discovery/provider/config/response_spec.rb

@@ -10,6 +10,7 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
   let :minimum_attributes do
     {
       issuer: 'https://server.example.com',
+      authorization_endpoint: 'https://server.example.com/authorize',
       jwks_uri: jwks_uri,
       response_types_supported: [
         :code, :id_token, 'token id_token'

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -24,6 +24,28 @@ describe OpenIDConnect::Discovery::Provider::Config do
       end
     end
 
+    context 'when OP identifier includes custom port' do
+      let(:provider) { 'https://connect-op.heroku.com:8080' }
+      let(:endpoint) { 'https://connect-op.heroku.com:8080/.well-known/openid-configuration' }
+
+      it 'should construct well-known URI with given port' do
+        mock_json :get, endpoint, 'discovery/config_with_custom_port' do
+          OpenIDConnect::Discovery::Provider::Config.discover! provider
+        end
+      end
+    end
+
+    context 'when OP identifier includes path' do
+      let(:provider) { 'https://connect.openid4.us/abop' }
+      let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
+
+      it 'should construct well-known URI with given port' do
+        mock_json :get, endpoint, 'discovery/config_with_path' do
+          OpenIDConnect::Discovery::Provider::Config.discover! provider
+        end
+      end
+    end
+
     context 'when SWD::Exception raised' do
       it do
         expect do
@@ -33,26 +55,24 @@ describe OpenIDConnect::Discovery::Provider::Config do
         end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
       end
     end
-  end
 
-  context 'when OP identifier includes custom port' do
-    let(:provider) { 'https://connect-op.heroku.com:8080' }
-    let(:endpoint) { 'https://connect-op.heroku.com:8080/.well-known/openid-configuration' }
-
-    it 'should construct well-known URI with given port' do
-      mock_json :get, endpoint, 'discovery/config' do
-        OpenIDConnect::Discovery::Provider::Config.discover! provider
+    context 'when response include invalid issuer' do
+      it do
+        expect do
+          mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
+            OpenIDConnect::Discovery::Provider::Config.discover! provider
+          end
+        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
       end
     end
-  end
-
-  context 'when OP identifier includes path' do
-    let(:provider) { 'https://connect.openid4.us/abop' }
-    let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
 
-    it 'should construct well-known URI with given port' do
-      mock_json :get, endpoint, 'discovery/config' do
-        OpenIDConnect::Discovery::Provider::Config.discover! provider
+    context 'when response include no issuer' do
+      it do
+        expect do
+          mock_json :get, endpoint, 'discovery/config_without_issuer' do
+            OpenIDConnect::Discovery::Provider::Config.discover! provider
+          end
+        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.9.2
+  version: 0.10.0
 platform: ruby
 authors:
 - nov matake
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-09-14 00:00:00.000000000 Z
+date: 2016-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -276,6 +276,10 @@ files:
 - spec/mock_response/client/rotated.json
 - spec/mock_response/client/updated.json
 - spec/mock_response/discovery/config.json
+- spec/mock_response/discovery/config_with_custom_port.json
+- spec/mock_response/discovery/config_with_invalid_issuer.json
+- spec/mock_response/discovery/config_with_path.json
+- spec/mock_response/discovery/config_without_issuer.json
 - spec/mock_response/discovery/swd.json
 - spec/mock_response/discovery/webfinger.json
 - spec/mock_response/errors/insufficient_scope.json
@@ -328,7 +332,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
 summary: OpenID Connect Server & Client Library
@@ -343,6 +347,10 @@ test_files:
 - spec/mock_response/client/rotated.json
 - spec/mock_response/client/updated.json
 - spec/mock_response/discovery/config.json
+- spec/mock_response/discovery/config_with_custom_port.json
+- spec/mock_response/discovery/config_with_invalid_issuer.json
+- spec/mock_response/discovery/config_with_path.json
+- spec/mock_response/discovery/config_without_issuer.json
 - spec/mock_response/discovery/swd.json
 - spec/mock_response/discovery/webfinger.json
 - spec/mock_response/errors/insufficient_scope.json