RubyGems - openid_connect - Versions diffs - 0.3.6 → 0.3.7 - Mend

openid_connect 0.3.6 → 0.3.7

Files changed (13) hide show

data/Gemfile.lock +3 -2
data/VERSION +1 -1
data/lib/openid_connect/request_object.rb +2 -2
data/lib/openid_connect/response_object/id_token.rb +19 -7
data/spec/helpers/crypto_spec_helper.rb +31 -0
data/spec/mock_response/request_object/signed.jwt +1 -0
data/spec/openid_connect/discovery/provider/config/resource_spec.rb +20 -0
data/spec/openid_connect/discovery/provider/config_spec.rb +10 -0
data/spec/openid_connect/request_object_spec.rb +10 -0
data/spec/openid_connect/response_object/id_token_spec.rb +55 -0
data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +20 -1
data/spec/spec_helper.rb +2 -13
metadata +10 -4

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.3.6)
+    openid_connect (0.3.7)
       activemodel (>= 3)
       attr_required (>= 0.0.5)
       json (>= 1.4.3)
@@ -35,6 +35,7 @@ GEM
     httpclient (2.3.0.1)
     i18n (0.6.1)
     json (1.7.5)
+    json (1.7.5-java)
     json-jwt (0.3.3)
       activesupport (>= 2.3)
       i18n
@@ -73,7 +74,7 @@ GEM
     treetop (1.4.11)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.33)
+    tzinfo (0.3.34)
     url_safe_base64 (0.2.1)
     validate_email (0.1.6)
       activemodel (>= 3.0)

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.3.6
1	+ 0.3.7

data/lib/openid_connect/request_object.rb CHANGED

@@ -28,11 +28,11 @@ module OpenIDConnect
     include JWTnizable
     class << self
-      def decode(jwt_string, key)
+      def decode(jwt_string, key = nil)
         new JSON::JWT.decode(jwt_string, key)
       end
-      def fetch(request_uri, key)
+      def fetch(request_uri, key = nil)
         jwt_string = OpenIDConnect.http_client.get_content(request_uri)
         decode jwt_string, key
       end

data/lib/openid_connect/response_object/id_token.rb CHANGED

@@ -63,20 +63,32 @@ module OpenIDConnect
           jwt = JSON::JWT.decode jwt_string, :skip_verification
           jwk = jwt[:user_jwk]
           raise InvalidToken.new('Missing user_jwk') if jwk.blank?
+          raise InvalidToken.new('Invalid user_id') unless jwt[:user_id] == self_issued_user_id(jwk)
           public_key = JSON::JWK.decode jwk
-          user_id_base_string = case public_key
-          when OpenSSL::PKey::RSA
+          jwt = JSON::JWT.decode jwt_string, public_key
+          new jwt
+        end
+        def self_issued(attributes = {})
+          attributes[:user_jwk] ||= JSON::JWK.new attributes.delete(:public_key)
+          _attributes_ = {
+            iss:      'https://self-issued.me',
+            user_id:  self_issued_user_id(attributes[:user_jwk])
+          }.merge(attributes)
+          new _attributes_
+        end
+        def self_issued_user_id(jwk)
+          user_id_base_string = case jwk[:alg].to_s
+          when 'RSA'
             [jwk[:mod], jwk[:xpo]].join
-          when OpenSSL::PKey::EC
+          when 'EC'
             raise NotImplementedError.new('Not Implemented Yet')
           else
             # Shouldn't reach here. All unknown algorithm error should occurs when decoding JWK
             raise InvalidToken.new('Unknown Algorithm')
           end
-          expected_user_id = UrlSafeBase64.encode64 OpenSSL::Digest::SHA256.digest(user_id_base_string)
-          raise InvalidToken.new('Invalid user_id') unless jwt[:user_id] == expected_user_id
-          jwt = JSON::JWT.decode jwt_string, public_key
-          new jwt
+          UrlSafeBase64.encode64 OpenSSL::Digest::SHA256.digest(user_id_base_string)
         end
       end
     end

data/spec/helpers/crypto_spec_helper.rb ADDED

@@ -0,0 +1,31 @@
+module CryptoSpecHelper
+  def rsa_key
+    @rsa_key ||= OpenSSL::PKey::RSA.generate 2048
+  end
+  def public_key
+    @public_key ||= rsa_key.public_key
+  end
+  def private_key
+    @private_key ||= OpenSSL::PKey::RSA.new rsa_key.export(OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC'), 'pass-phrase'), 'pass-phrase'
+  end
+  def ec_key
+    @ec_key ||= OpenSSL::PKey::EC.new('secp256k1').generate_key
+  end
+  def ec_public_key
+    unless @ec_public_key
+      @ec_public_key = OpenSSL::PKey::EC.new ec_key
+      @ec_public_key.private_key = nil
+    end
+    @ec_public_key
+  end
+  def ec_private_key
+    ec_key
+  end
+end
+include CryptoSpecHelper

data/spec/mock_response/request_object/signed.jwt ADDED

@@ -0,0 +1 @@

+ eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjbGllbnRfaWQiOiJjbGllbnRfaWQiLCJyZXNwb25zZV90eXBlIjoidG9rZW4gaWRfdG9rZW4iLCJyZWRpcmVjdF91cmkiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsInNjb3BlIjoib3BlbmlkIGVtYWlsIiwic3RhdGUiOiJzdGF0ZTEyMzQiLCJub25jZSI6Im5vbmNlMTIzNCIsImRpc3BsYXkiOiJ0b3VjaCIsInByb21wdCI6Im5vbmUiLCJpZF90b2tlbiI6eyJjbGFpbXMiOnsiYWNyIjp7InZhbHVlcyI6WyIyIiwiMyIsIjQiXX19LCJtYXhfYWdlIjoxMH0sInVzZXJpbmZvIjp7ImNsYWltcyI6eyJuYW1lIjp7ImVzc2VudGlhbCI6dHJ1ZX0sImVtYWlsIjp7ImVzc2VudGlhbCI6ZmFsc2V9fX19.MLTDQVPdhAdkJhboM06IRtjHJrvamJ_H2vFGRupXmTA

data/spec/openid_connect/discovery/provider/config/resource_spec.rb ADDED

@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe OpenIDConnect::Discovery::Provider::Config::Resource do
+  let(:resource) do
+    uri = URI.parse 'http://server.example.com'
+    OpenIDConnect::Discovery::Provider::Config::Resource.new uri
+  end
+  describe '#endpoint' do
+    context 'when invalid host' do
+      before do
+        resource.host = 'hoge*hoge'
+      end
+      it do
+        expect { resource.endpoint }.to raise_error SWD::Exception
+      end
+    end
+  end
+end

data/spec/openid_connect/discovery/provider/config_spec.rb CHANGED

@@ -25,6 +25,16 @@ describe OpenIDConnect::Discovery::Provider::Config do
         config.user_id_types_supported.should == ["public", "pairwise"]
       end
     end
+    context 'when SWD::Exception raised' do
+      it do
+        expect do
+          mock_json :get, endpoint, 'errors/unknown', status: [404, 'Not Found'] do
+            OpenIDConnect::Discovery::Provider::Config.discover! provider
+          end
+        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
+      end
+    end
   end
   context 'when OP identifier includes custom port' do

data/spec/openid_connect/request_object_spec.rb CHANGED

@@ -81,6 +81,16 @@ describe OpenIDConnect::RequestObject do
       end
     end
+    describe '.fetch' do
+      let(:endpoint) { 'https://client.example.com/request.jwk' }
+      it do
+        mock_json :get, endpoint, 'request_object/signed', format: :jwt do
+          request_object = OpenIDConnect::RequestObject.fetch endpoint, 'secret'
+          request_object.as_json.should == jsonized.with_indifferent_access
+        end
+      end
+    end
     describe '#required?' do
       it do
         request_object.user_info.required?(:name).should be_true

data/spec/openid_connect/response_object/id_token_spec.rb CHANGED

@@ -270,4 +270,59 @@ describe OpenIDConnect::ResponseObject::IdToken do
       end
     end
   end
+  describe '.self_issued' do
+    subject { self_issued }
+    let(:user_jwk) { JSON::JWK.new(public_key) }
+    let(:self_issued) do
+      klass.self_issued(
+        public_key: public_key,
+        aud: 'client.example.com',
+        exp: 1.week.from_now,
+        iat: Time.now
+      )
+    end
+    [:iss, :user_id, :aud, :exp, :iat, :user_jwk].each do |attribute|
+      its(attribute) { should be_present }
+    end
+    its(:iss)      { should == 'https://self-issued.me' }
+    its(:user_jwk) { should == user_jwk }
+    its(:user_id)  { should == OpenIDConnect::ResponseObject::IdToken.self_issued_user_id(user_jwk) }
+  end
+  describe '.self_issued_user_id' do
+    context 'when RSA key given' do
+      let(:jwk) { JSON::JWK.new(public_key) }
+      it do
+        user_id = klass.self_issued_user_id jwk
+        user_id.should == UrlSafeBase64.encode64(
+          OpenSSL::Digest::SHA256.digest([jwk[:mod], jwk[:xpo]].join)
+        )
+      end
+    end
+    context 'when EC key given' do
+      let(:jwk) { JSON::JWK.new(ec_public_key) }
+      it do
+        expect do
+          user_id = klass.self_issued_user_id jwk
+        end.to raise_error NotImplementedError
+      end
+    end
+    context 'when unknown algorithm JWK given' do
+      let(:jwk) do
+        {
+          alg: 'unknown'
+        }
+      end
+      it do
+        expect do
+          user_id = klass.self_issued_user_id jwk
+        end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
+      end
+    end
+  end
 end

data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb CHANGED

@@ -35,7 +35,7 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
     end
   end
-  context 'otherwise' do
+  context 'when id_token is missing' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
         response.redirect_uri = redirect_uri
@@ -46,4 +46,23 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
       expect { response }.to raise_error AttrRequired::AttrMissing, "'id_token' required."
     end
   end
+  context 'when error response' do
+    let(:env)     { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
+    let(:request) { Rack::OAuth2::Server::Authorize::Extension::IdToken::Request.new env }
+    it 'should set protocol_params_location = :fragment' do
+      expect { request.bad_request! }.to raise_error(Rack::OAuth2::Server::Authorize::BadRequest) { |e|
+        e.protocol_params_location.should == :fragment
+      }
+    end
+  end
+  context 'when openid scope given' do
+    let(:env)     { Rack::MockRequest.env_for("/authorize?client_id=client_id&scope=openid") }
+    let(:request) { Rack::OAuth2::Server::Authorize::Extension::IdToken::Request.new env }
+    it do
+      request.openid_connect_request?.should be_true
+    end
+  end
 end

data/spec/spec_helper.rb CHANGED

@@ -3,16 +3,5 @@ require 'cover_me'
 require 'rspec'
 require 'openid_connect'
-require 'helpers/webmock_helper'
-def rsa
-  @rsa ||= OpenSSL::PKey::RSA.generate 2048
-end
-def public_key
-  @public_key ||= rsa.public_key
-end
-def private_key
-  @private_key ||= OpenSSL::PKey::RSA.new rsa.export(OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC'), 'pass-phrase'), 'pass-phrase'
-end
+require 'helpers/crypto_spec_helper'
+require 'helpers/webmock_helper'

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openid_connect
 version: !ruby/object:Gem::Version
-  version: 0.3.6
+  version: 0.3.7
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-10-23 00:00:00.000000000 Z
+date: 2012-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -270,6 +270,7 @@ files:
 - lib/rack/oauth2/server/id_token_response.rb
 - lib/rack/oauth2/server/resource/error_with_connect_ext.rb
 - openid_connect.gemspec
+- spec/helpers/crypto_spec_helper.rb
 - spec/helpers/webmock_helper.rb
 - spec/mock_response/access_token/bearer.json
 - spec/mock_response/access_token/bearer_with_id_token.json
@@ -287,6 +288,7 @@ files:
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwk.json
 - spec/mock_response/public_keys/x509.pem
+- spec/mock_response/request_object/signed.jwt
 - spec/mock_response/user_info/openid.json
 - spec/openid_connect/access_token_spec.rb
 - spec/openid_connect/client/registrar_spec.rb
@@ -296,6 +298,7 @@ files:
 - spec/openid_connect/discovery/principal/email_spec.rb
 - spec/openid_connect/discovery/principal/uri_spec.rb
 - spec/openid_connect/discovery/principal_spec.rb
+- spec/openid_connect/discovery/provider/config/resource_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb
 - spec/openid_connect/discovery/provider_spec.rb
@@ -327,7 +330,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2386054182410413464
+      hash: 4253340027617054014
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -336,7 +339,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2386054182410413464
+      hash: 4253340027617054014
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.24
@@ -344,6 +347,7 @@ signing_key:
 specification_version: 3
 summary: OpenID Connect Server & Client Library
 test_files:
+- spec/helpers/crypto_spec_helper.rb
 - spec/helpers/webmock_helper.rb
 - spec/mock_response/access_token/bearer.json
 - spec/mock_response/access_token/bearer_with_id_token.json
@@ -361,6 +365,7 @@ test_files:
 - spec/mock_response/id_token.json
 - spec/mock_response/public_keys/jwk.json
 - spec/mock_response/public_keys/x509.pem
+- spec/mock_response/request_object/signed.jwt
 - spec/mock_response/user_info/openid.json
 - spec/openid_connect/access_token_spec.rb
 - spec/openid_connect/client/registrar_spec.rb
@@ -370,6 +375,7 @@ test_files:
 - spec/openid_connect/discovery/principal/email_spec.rb
 - spec/openid_connect/discovery/principal/uri_spec.rb
 - spec/openid_connect/discovery/principal_spec.rb
+- spec/openid_connect/discovery/provider/config/resource_spec.rb
 - spec/openid_connect/discovery/provider/config/response_spec.rb
 - spec/openid_connect/discovery/provider/config_spec.rb
 - spec/openid_connect/discovery/provider_spec.rb