RubyGems - openproject-token - Versions diffs - 8.1.0 → 8.3.0 - Mend

openproject-token 8.1.0 → 8.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/open_project/token/extractor.rb +37 -3
data/lib/open_project/token/plans.rb +1 -0
data/lib/open_project/token/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 036add30203bd58edee1bb60302814023de3dec2d0ef112d3a9d34acf646294a
-  data.tar.gz: 71dc97d55f7fdf0f78ffa1fd1eb6b24c71e67ca0e9942c69dcc38118313257fa
+  metadata.gz: b9a6cd09cc78e050108eda243bc4abac221821625040cc36bb33e98d38ca27f2
+  data.tar.gz: 0eaa921bc56a56aebce2dd9aaa9f3879f52d7e7f8789261636bcde64802dd8ac
 SHA512:
-  metadata.gz: 7d5a77dd12c965bbf26dc1736d7b69164e5fb3ddb40b69ebea4b6c77ffc87b39ebf64245ce8db0b0b5d4eed8751ceca728ed23564847e3864fc785b213fb10ce
-  data.tar.gz: 30c28b4596c4772c8b29de8ad5e96898093be16c5a333134d2a1c07b2678de082702f29946227eaa5d3a0f8d64927cbe793bbc1362b45d3c8c5ac6215d746ff4
+  metadata.gz: 76b84b185be0f93f9ff001f55a9f7c5415269249916c1028d59c8f4e9a5f707dbff9c4ee8c3812e4d65be686904d6dfad4bfd64a1c786c6f53e376d2bed4127b
+  data.tar.gz: 15ee68a90091c9ae799a3082f292bfb7e3445d4084fe8dad495084fffaf87aac3e63ccbac5b7128b4c6dd2b61edec46cfa51d0572d2e7d4cd607543c2451b199

data/lib/open_project/token/extractor.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module OpenProject
       class Error < StandardError; end
       class KeyError < Error; end
       class DecryptionError < Error; end
+      class SignatureError < Error; end
       attr_accessor :key
@@ -13,7 +14,7 @@ module OpenProject
         @key = key
       end
-      def read(data) # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
+      def read(data)
         unless key.public?
           raise KeyError, "Provided key is not a public key."
         end
@@ -21,11 +22,44 @@ module OpenProject
         json_data = Base64.decode64(data.chomp)
         begin
-          encryption_data = JSON.parse(json_data)
+          container = JSON.parse(json_data)
         rescue JSON::ParserError
           raise DecryptionError, "Encryption data is invalid JSON."
         end
+        if container["payload"].nil?
+          decrypt_encryption_data(container)
+        else
+          decrypt_signed_format(container)
+        end
+      end
+      private
+      def decrypt_signed_format(container)
+        payload_data = Base64.decode64(container["payload"])
+        signature = Base64.decode64(container["signature"])
+        # Verify signature of the entire payload
+        begin
+          unless key.verify(OpenSSL::Digest.new("SHA256"), signature, payload_data)
+            raise SignatureError, "Signature verification failed."
+          end
+        rescue OpenSSL::PKey::RSAError => e
+          raise SignatureError, "Signature verification failed: #{e.message}"
+        end
+        # Parse the verified payload
+        begin
+          encryption_data = JSON.parse(payload_data)
+        rescue JSON::ParserError
+          raise DecryptionError, "Payload data is invalid JSON."
+        end
+        decrypt_encryption_data(encryption_data)
+      end
+      def decrypt_encryption_data(encryption_data) # rubocop:disable Metrics/AbcSize
         unless %w(data key iv).all? { |key| encryption_data[key] }
           raise DecryptionError, "Required field missing from encryption data."
         end
@@ -36,7 +70,7 @@ module OpenProject
         begin
           # Decrypt the AES key using asymmetric RSA encryption.
-          aes_key = self.key.public_decrypt(encrypted_key)
+          aes_key = key.public_decrypt(encrypted_key)
         rescue OpenSSL::PKey::RSAError
           raise DecryptionError, "AES encryption key could not be decrypted."
         end

data/lib/open_project/token/plans.rb CHANGED Viewed

@@ -53,6 +53,7 @@ module OpenProject
       calculated_values
       customize_life_cycle
       ldap_groups
+      portfolio_management
       project_list_sharing
       weighted_item_lists
     ].freeze

data/lib/open_project/token/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module OpenProject
   class Token
-    VERSION = "8.1.0"
+    VERSION = "8.3.0"
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openproject-token
 version: !ruby/object:Gem::Version
-  version: 8.1.0
+  version: 8.3.0
 platform: ruby
 authors:
 - OpenProject GmbH
@@ -48,7 +48,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.4.5
+      version: 3.4.7
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="