RubyGems - openid_connect - Versions diffs - 0.3.6 → 0.3.7 - Mend

openid_connect 0.3.6 → 0.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

data/Gemfile.lock +3 -2
data/VERSION +1 -1
data/lib/openid_connect/request_object.rb +2 -2
data/lib/openid_connect/response_object/id_token.rb +19 -7
data/spec/helpers/crypto_spec_helper.rb +31 -0
data/spec/mock_response/request_object/signed.jwt +1 -0
data/spec/openid_connect/discovery/provider/config/resource_spec.rb +20 -0
data/spec/openid_connect/discovery/provider/config_spec.rb +10 -0
data/spec/openid_connect/request_object_spec.rb +10 -0
data/spec/openid_connect/response_object/id_token_spec.rb +55 -0
data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +20 -1
data/spec/spec_helper.rb +2 -13
metadata +10 -4

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.3.6)
+    openid_connect (0.3.7)
       activemodel (>= 3)
       attr_required (>= 0.0.5)
       json (>= 1.4.3)
@@ -35,6 +35,7 @@ GEM
     httpclient (2.3.0.1)
     i18n (0.6.1)
     json (1.7.5)
+    json (1.7.5-java)
     json-jwt (0.3.3)
       activesupport (>= 2.3)
       i18n
@@ -73,7 +74,7 @@ GEM
     treetop (1.4.11)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.33)
+    tzinfo (0.3.34)
     url_safe_base64 (0.2.1)
     validate_email (0.1.6)
       activemodel (>= 3.0)

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.3.6
1	+ 0.3.7

data/lib/openid_connect/request_object.rb CHANGED

@@ -28,11 +28,11 @@ module OpenIDConnect
     include JWTnizable
     class << self
-      def decode(jwt_string, key)
+      def decode(jwt_string, key = nil)
         new JSON::JWT.decode(jwt_string, key)
       end
-      def fetch(request_uri, key)
+      def fetch(request_uri, key = nil)
         jwt_string = OpenIDConnect.http_client.get_content(request_uri)
         decode jwt_string, key
       end

data/lib/openid_connect/response_object/id_token.rb CHANGED

@@ -63,20 +63,32 @@ module OpenIDConnect
           jwt = JSON::JWT.decode jwt_string, :skip_verification
           jwk = jwt[:user_jwk]
           raise InvalidToken.new('Missing user_jwk') if jwk.blank?
+          raise InvalidToken.new('Invalid user_id') unless jwt[:user_id] == self_issued_user_id(jwk)
           public_key = JSON::JWK.decode jwk
-          user_id_base_string = case public_key
-          when OpenSSL::PKey::RSA
+          jwt = JSON::JWT.decode jwt_string, public_key
+          new jwt
+        end
+        def self_issued(attributes = {})
+          attributes[:user_jwk] ||= JSON::JWK.new attributes.delete(:public_key)
+          _attributes_ = {
+            iss:      'https://self-issued.me',
+            user_id:  self_issued_user_id(attributes[:user_jwk])
+          }.merge(attributes)
+          new _attributes_
+        end
+        def self_issued_user_id(jwk)
+          user_id_base_string = case jwk[:alg].to_s
+          when 'RSA'
             [jwk[:mod], jwk[:xpo]].join
-          when OpenSSL::PKey::EC
+          when 'EC'
             raise NotImplementedError.new('Not Implemented Yet')
           else
             # Shouldn't reach here. All unknown algorithm error should occurs when decoding JWK
             raise InvalidToken.new('Unknown Algorithm')
           end
-          expected_user_id = UrlSafeBase64.encode64 OpenSSL::Digest::SHA256.digest(user_id_base_string)
-          raise InvalidToken.new('Invalid user_id') unless jwt[:user_id] == expected_user_id
-          jwt = JSON::JWT.decode jwt_string, public_key
-          new jwt
+          UrlSafeBase64.encode64 OpenSSL::Digest::SHA256.digest(user_id_base_string)
         end
       end
     end

data/spec/helpers/crypto_spec_helper.rb ADDED

@@ -0,0 +1,31 @@
+module CryptoSpecHelper
+  def rsa_key
+    @rsa_key ||= OpenSSL::PKey::RSA.generate 2048
+  end
+  def public_key
+    @public_key ||= rsa_key.public_key
+  end
+  def private_key
+    @private_key ||= OpenSSL::PKey::RSA.new rsa_key.export(OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC'), 'pass-phrase'), 'pass-phrase'
+  end
+  def ec_key
+    @ec_key ||= OpenSSL::PKey::EC.new('secp256k1').generate_key
+  end
+  def ec_public_key
+    unless @ec_public_key
+      @ec_public_key = OpenSSL::PKey::EC.new ec_key
+      @ec_public_key.private_key = nil
+    end
+    @ec_public_key
+  end
+  def ec_private_key
+    ec_key
+  end
+end
+include CryptoSpecHelper

data/spec/mock_response/request_object/signed.jwt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjbGllbnRfaWQiOiJjbGllbnRfaWQiLCJyZXNwb25zZV90eXBlIjoidG9rZW4gaWRfdG9rZW4iLCJyZWRpcmVjdF91cmkiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsInNjb3BlIjoib3BlbmlkIGVtYWlsIiwic3RhdGUiOiJzdGF0ZTEyMzQiLCJub25jZSI6Im5vbmNlMTIzNCIsImRpc3BsYXkiOiJ0b3VjaCIsInByb21wdCI6Im5vbmUiLCJpZF90b2tlbiI6eyJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIiwiMyIsIjQiXX19LCJtYXhfYWdlIjoxMH0sInVzZXJpbmZvIjp7ImNsYWltcyI6eyJuYW1lIjp7ImVzc2VudGlhbCI6dHJ1ZX0sImVtYWlsIjp7ImVzc2VudGlhbCI6ZmFsc2V9fX19.MLTDQVPdhAdkJhboM06IRtjHJrvamJ_H2vFGRupXmTA

data/spec/openid_connect/discovery/provider/config/resource_spec.rb ADDED

@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe OpenIDConnect::Discovery::Provider::Config::Resource do
+  let(:resource) do
+    uri = URI.parse 'http://server.example.com'
+    OpenIDConnect::Discovery::Provider::Config::Resource.new uri
+  end
+  describe '#endpoint' do
+    context 'when invalid host' do
+      before do
+        resource.host = 'hoge*hoge'
+      end
+      it do
+        expect { resource.endpoint }.to raise_error SWD::Exception
+      end
+    end
+  end
+end

data/spec/openid_connect/discovery/provider/config_spec.rb CHANGED

@@ -25,6 +25,16 @@ describe OpenIDConnect::Discovery::Provider::Config do
         config.user_id_types_supported.should == ["public", "pairwise"]
       end
     end
+    context 'when SWD::Exception raised' do
+      it do
+        expect do
+          mock_json :get, endpoint, 'errors/unknown', status: [404, 'Not Found'] do
+            OpenIDConnect::Discovery::Provider::Config.discover! provider
+          end
+        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
+      end
+    end
   end
   context 'when OP identifier includes custom port' do

data/spec/openid_connect/request_object_spec.rb CHANGED

@@ -81,6 +81,16 @@ describe OpenIDConnect::RequestObject do
       end
     end
+    describe '.fetch' do
+      let(:endpoint) { 'https://client.example.com/request.jwk' }
+      it do
+        mock_json :get, endpoint, 'request_object/signed', format: :jwt do
+          request_object = OpenIDConnect::RequestObject.fetch endpoint, 'secret'
+          request_object.as_json.should == jsonized.with_indifferent_access
+        end
+      end
+    end
     describe '#required?' do
       it do
         request_object.user_info.required?(:name).should be_true

data/spec/openid_connect/response_object/id_token_spec.rb CHANGED

@@ -270,4 +270,59 @@ describe OpenIDConnect::ResponseObject::IdToken do
       end
     end
   end
+  describe '.self_issued' do
+    subject { self_issued }
+    let(:user_jwk) { JSON::JWK.new(public_key) }
+    let(:self_issued) do
+      klass.self_issued(
+        public_key: public_key,
+        aud: 'client.example.com',
+        exp: 1.week.from_now,
+        iat: Time.now
+      )
+    end
+    [:iss, :user_id, :aud, :exp, :iat, :user_jwk].each do |attribute|
+      its(attribute) { should be_present }
+    end
+    its(:iss)      { should == 'https://self-issued.me' }
+    its(:user_jwk) { should == user_jwk }
+    its(:user_id)  { should == OpenIDConnect::ResponseObject::IdToken.self_issued_user_id(user_jwk) }
+  end
+  describe '.self_issued_user_id' do
+    context 'when RSA key given' do
+      let(:jwk) { JSON::JWK.new(public_key) }
+      it do
+        user_id = klass.self_issued_user_id jwk
+        user_id.should == UrlSafeBase64.encode64(
+          OpenSSL::Digest::SHA256.digest([jwk[:mod], jwk[:xpo]].join)
+        )
+      end
+    end
+    context 'when EC key given' do
+      let(:jwk) { JSON::JWK.new(ec_public_key) }
+      it do
+        expect do
+          user_id = klass.self_issued_user_id jwk
+        end.to raise_error NotImplementedError
+      end
+    end
+    context 'when unknown algorithm JWK given' do
+      let(:jwk) do
+        {
+          alg: 'unknown'
+        }
+      end
+      it do
+        expect do
+          user_id = klass.self_issued_user_id jwk
+        end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+  end
 end

data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb CHANGED

@@ -35,7 +35,7 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
     end
   end
-  context 'otherwise' do
+  context 'when id_token is missing' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
         response.redirect_uri = redirect_uri
@@ -46,4 +46,23 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
       expect { response }.to raise_error AttrRequired::AttrMissing, "'id_token' required."
     end
   end
+  context 'when error response' do
+    let(:env)     { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
+    let(:request) { Rack::OAuth2::Server::Authorize::Extension::IdToken::Request.new env }
+    it 'should set protocol_params_location = :fragment' do
+      expect { request.bad_request! }.to raise_error(Rack::OAuth2::Server::Authorize::BadRequest) { |e|
+        e.protocol_params_location.should == :fragment
+      }
+    end
+  end
+  context 'when openid scope given' do
+    let(:env)     { Rack::MockRequest.env_for("/authorize?client_id=client_id&scope=openid") }
+    let(:request) { Rack::OAuth2::Server::Authorize::Extension::IdToken::Request.new env }
+    it do
+      request.openid_connect_request?.should be_true
+    end
+  end
 end

data/spec/spec_helper.rb CHANGED

@@ -3,16 +3,5 @@ require 'cover_me'
 require 'rspec'
 require 'openid_connect'
-require 'helpers/webmock_helper'
-def rsa
-  @rsa ||= OpenSSL::PKey::RSA.generate 2048
-end
-def public_key
-  @public_key ||= rsa.public_key
-end
-def private_key
-  @private_key ||= OpenSSL::PKey::RSA.new rsa.export(OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC'), 'pass-phrase'), 'pass-phrase'
-end
+require 'helpers/crypto_spec_helper'
+require 'helpers/webmock_helper'

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.3.6
+  version: 0.3.7
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-10-23 00:00:00.000000000 Z
+date: 2012-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -270,6 +270,7 @@ files:
 - lib/rack/oauth2/server/id_token_response.rb
 - lib/rack/oauth2/server/resource/error_with_connect_ext.rb
 - openid_connect.gemspec
+- spec/helpers/crypto_spec_helper.rb
 - spec/helpers/webmock_helper.rb
 - spec/mock_response/access_token/bearer.json
 - spec/mock_response/access_token/bearer_with_id_token.json
@@ -287,6 +288,7 @@ files:
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwk.json
 - spec/mock_response/public_keys/x509.pem
+- spec/mock_response/request_object/signed.jwt
 - spec/mock_response/user_info/openid.json
 - spec/openid_connect/access_token_spec.rb
 - spec/openid_connect/client/registrar_spec.rb
@@ -296,6 +298,7 @@ files:
 - spec/openid_connect/discovery/principal/email_spec.rb
 - spec/openid_connect/discovery/principal/uri_spec.rb
 - spec/openid_connect/discovery/principal_spec.rb
+- spec/openid_connect/discovery/provider/config/resource_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb
 - spec/openid_connect/discovery/provider_spec.rb
@@ -327,7 +330,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2386054182410413464
+      hash: 4253340027617054014
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -336,7 +339,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2386054182410413464
+      hash: 4253340027617054014
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.24
@@ -344,6 +347,7 @@ signing_key:
 specification_version: 3
 summary: OpenID Connect Server & Client Library
 test_files:
+- spec/helpers/crypto_spec_helper.rb
 - spec/helpers/webmock_helper.rb
 - spec/mock_response/access_token/bearer.json
 - spec/mock_response/access_token/bearer_with_id_token.json
@@ -361,6 +365,7 @@ test_files:
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwk.json
 - spec/mock_response/public_keys/x509.pem
+- spec/mock_response/request_object/signed.jwt
 - spec/mock_response/user_info/openid.json
 - spec/openid_connect/access_token_spec.rb
 - spec/openid_connect/client/registrar_spec.rb
@@ -370,6 +375,7 @@ test_files:
 - spec/openid_connect/discovery/principal/email_spec.rb
 - spec/openid_connect/discovery/principal/uri_spec.rb
 - spec/openid_connect/discovery/principal_spec.rb
+- spec/openid_connect/discovery/provider/config/resource_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb
 - spec/openid_connect/discovery/provider_spec.rb