rails-auth 2.1.2 → 2.2.2

data/spec/rails/auth/x509/matcher_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth::X509::Matcher do
   let(:example_cert)        { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
   let(:example_certificate) { Rails::Auth::X509::Certificate.new(example_cert) }

data/spec/rails/auth/x509/middleware_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "logger"
 
 RSpec.describe Rails::Auth::X509::Middleware do
@@ -33,6 +35,13 @@ RSpec.describe Rails::Auth::X509::Middleware do
         _response, env = middleware.call(request.merge(example_key => bad_cert_pem))
         expect(Rails::Auth.credentials(env)).to be_empty
       end
+
+      it "normalizes abnormal whitespace" do
+        _response, env = middleware.call(request.merge(example_key => valid_cert_pem.tr("\n", "\t")))
+
+        credential = Rails::Auth.credentials(env).fetch("x509")
+        expect(credential).to be_a Rails::Auth::X509::Certificate
+      end
     end
 
     # :nocov:
@@ -42,10 +51,12 @@ RSpec.describe Rails::Auth::X509::Middleware do
 
       let(:java_cert) do
         ruby_cert = OpenSSL::X509::Certificate.new(valid_cert_pem)
-        Java::SunSecurityX509::X509CertImpl.new(ruby_cert.to_der.to_java_bytes)
+        input_stream = Java::JavaIO::ByteArrayInputStream.new(ruby_cert.to_der.to_java_bytes)
+        java_cert_klass = Java::JavaSecurityCert::CertificateFactory.getInstance("X.509")
+        java_cert_klass.generateCertificate(input_stream)
       end
 
-      it "extracts Rails::Auth::Credential::X509 from a Java::SunSecurityX509::X509CertImpl" do
+      it "extracts Rails::Auth::Credential::X509 from a java.security.cert.Certificate" do
         skip "JRuby only" unless defined?(JRUBY_VERSION)
 
         _response, env = middleware.call(request.merge(example_key => [java_cert]))

data/spec/rails/auth/x509/subject_alt_name_extension_spec.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+RSpec.describe Rails::Auth::X509::SubjectAltNameExtension do
+  let(:example_cert) { OpenSSL::X509::Certificate.new(cert_path("valid.crt").read) }
+  let(:example_cert_with_extension) { OpenSSL::X509::Certificate.new(cert_path("valid_with_ext.crt").read) }
+  let(:extension_for_cert) { described_class.new(example_cert) }
+  let(:extension_for_cert_with_san) { described_class.new(example_cert_with_extension) }
+  let(:example_dns_names) { %w[example.com exemplar.com somethingelse.com] }
+  let(:example_ips) { %w[0.0.0.0 127.0.0.1 192.168.1.1] }
+  let(:example_uris) { %w[spiffe://example.com/exemplar https://www.example.com/page1 https://www.example.com/page2] }
+
+  describe "for cert without extensions" do
+    it "returns no DNS names" do
+      expect(extension_for_cert.dns_names).to be_empty
+    end
+
+    it "returns no IPs" do
+      expect(extension_for_cert.ips).to be_empty
+    end
+
+    it "returns no URIs" do
+      expect(extension_for_cert.uris).to be_empty
+    end
+  end
+
+  describe "for cert with extensions" do
+    it "knows its DNS names" do
+      expect(extension_for_cert_with_san.dns_names).to eq example_dns_names
+    end
+
+    it "knows its IPs" do
+      expect(extension_for_cert_with_san.ips).to eq example_ips
+    end
+
+    it "knows its URIs" do
+      expect(extension_for_cert_with_san.uris).to eq example_uris
+    end
+  end
+end

data/spec/rails/auth_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 RSpec.describe Rails::Auth do
   it "has a version number" do
     expect(Rails::Auth::VERSION).not_to be nil

data/spec/spec_helper.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 require "coveralls"
 Coveralls.wear!
 
-$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
 require "rails/auth"
 require "rails/auth/rspec"
 require "support/create_certs"
@@ -11,11 +13,11 @@ require "pathname"
 RSpec.configure(&:disable_monkey_patching!)
 
 def cert_path(name)
-  Pathname.new(File.expand_path("../../tmp/certs", __FILE__)).join(name)
+  Pathname.new(File.expand_path("../tmp/certs", __dir__)).join(name)
 end
 
 def fixture_path(*args)
-  Pathname.new(File.expand_path("../fixtures", __FILE__)).join(*args)
+  Pathname.new(File.expand_path("fixtures", __dir__)).join(*args)
 end
 
 def env_for(method, path, host = "127.0.0.1")

data/spec/support/claims_matcher.rb

@@ -1,4 +1,6 @@
 # A strawman matcher for claims-based credentials for use in tests
+# frozen_string_literal: true
+
 class ClaimsMatcher
   def initialize(options)
     @options = options

data/spec/support/create_certs.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 require "certificate_authority"
 require "fileutils"
 
-cert_path = File.expand_path("../../../tmp/certs", __FILE__)
+cert_path = File.expand_path("../../tmp/certs", __dir__)
 FileUtils.mkdir_p(cert_path)
 
 #
@@ -15,7 +17,7 @@ ca.serial_number.number = 1
 ca.key_material.generate_key
 ca.signing_entity = true
 
-ca.sign! "extensions" => { "keyUsage" => { "usage" => %w(critical keyCertSign) } }
+ca.sign! "extensions" => { "keyUsage" => { "usage" => %w[critical keyCertSign] } }
 
 ca_cert_path = File.join(cert_path, "ca.crt")
 ca_key_path  = File.join(cert_path, "ca.key")
@@ -41,6 +43,59 @@ valid_key_path  = File.join(cert_path, "valid.key")
 File.write valid_cert_path, valid_cert.to_pem
 File.write valid_key_path,  valid_cert.key_material.private_key.to_pem
 
+#
+# Valid client certificate with extensions
+#
+
+valid_cert_with_ext = CertificateAuthority::Certificate.new
+valid_cert_with_ext.subject.common_name = "127.0.0.1"
+valid_cert_with_ext.subject.organizational_unit = "ponycopter"
+valid_cert_with_ext.serial_number.number = 3
+valid_cert_with_ext.key_material.generate_key
+signing_profile = {
+  "extensions" => {
+    "basicConstraints" => {
+      "ca" => false
+    },
+    "crlDistributionPoints" => {
+      "uri" => "http://notme.com/other.crl"
+    },
+    "subjectKeyIdentifier" => {},
+    "authorityKeyIdentifier" => {},
+    "authorityInfoAccess" => {
+      "ocsp" => %w[http://youFillThisOut/ocsp/]
+    },
+    "keyUsage" => {
+      "usage" => %w[digitalSignature keyEncipherment dataEncipherment]
+    },
+    "extendedKeyUsage" => {
+      "usage" => %w[serverAuth clientAuth]
+    },
+    "subjectAltName" => {
+      "uris" => %w[spiffe://example.com/exemplar https://www.example.com/page1 https://www.example.com/page2],
+      "ips" => %w[0.0.0.0 127.0.0.1 192.168.1.1],
+      "dns_names" => %w[example.com exemplar.com somethingelse.com]
+    },
+    "certificatePolicies" => {
+      "policy_identifier" => "1.3.5.8",
+      "cps_uris" => %w[http://my.host.name/ http://my.your.name/],
+      "user_notice" => {
+        "explicit_text" => "Explicit Text Here",
+        "organization" => "Organization name",
+        "notice_numbers" => "1,2,3,4"
+      }
+    }
+  }
+}
+valid_cert_with_ext.parent = ca
+valid_cert_with_ext.sign!(signing_profile)
+
+valid_cert_with_ext_path = File.join(cert_path, "valid_with_ext.crt")
+valid_key_with_ext_path  = File.join(cert_path, "valid_with_ext.key")
+
+File.write valid_cert_with_ext_path, valid_cert_with_ext.to_pem
+File.write valid_key_with_ext_path,  valid_cert_with_ext.key_material.private_key.to_pem
+
 #
 # Create evil MitM self-signed certificate
 #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails-auth
 version: !ruby/object:Gem::Version
-  version: 2.1.2
+  version: 2.2.2
 platform: ruby
 authors:
 - Tony Arcieri
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-01-27 00:00:00.000000000 Z
+date: 2020-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -28,16 +28,22 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -102,6 +108,7 @@ files:
 - lib/rails/auth/x509/filter/pem.rb
 - lib/rails/auth/x509/matcher.rb
 - lib/rails/auth/x509/middleware.rb
+- lib/rails/auth/x509/subject_alt_name_extension.rb
 - rails-auth.gemspec
 - spec/fixtures/example_acl.yml
 - spec/rails/auth/acl/matchers/allow_all_spec.rb
@@ -120,6 +127,7 @@ files:
 - spec/rails/auth/x509/certificate_spec.rb
 - spec/rails/auth/x509/matcher_spec.rb
 - spec/rails/auth/x509/middleware_spec.rb
+- spec/rails/auth/x509/subject_alt_name_extension_spec.rb
 - spec/rails/auth_spec.rb
 - spec/spec_helper.rb
 - spec/support/claims_matcher.rb
@@ -137,15 +145,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Modular resource-oriented authentication and authorization for Rails/Rack