ruby-paseto 0.1.0

data/lib/paseto/interface/key.rb

@@ -0,0 +1,113 @@
+# encoding: binary
+# typed: true
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    class Key
+      extend T::Sig
+      extend T::Helpers
+
+      DOMAIN_SEPARATOR_AUTH = "\x81"
+      DOMAIN_SEPARATOR_ENCRYPT = "\x80"
+
+      abstract!
+
+      sig do
+        abstract.params(
+          payload: T::Hash[String, T.untyped],
+          footer: String,
+          implicit_assertion: String,
+          options: T.any(String, Integer, Symbol, T::Boolean)
+        ).returns(String)
+      end
+      def encode!(payload, footer: '', implicit_assertion: '', **options); end
+
+      sig do
+        abstract.params(
+          payload: String,
+          implicit_assertion: String,
+          options: T.nilable(T.any(Proc, String, Integer, Symbol, T::Boolean))
+        ).returns(Result)
+      end
+      def decode!(payload, implicit_assertion: '', **options); end
+
+      sig { abstract.returns(String) }
+      def id; end
+
+      sig { abstract.returns(String) }
+      def paserk; end
+
+      sig { abstract.returns(String) }
+      def pbkw_header; end
+
+      sig { abstract.returns(Version) }
+      def protocol; end
+
+      sig { abstract.returns(String) }
+      def purpose; end
+
+      sig { abstract.returns(String) }
+      def to_bytes; end
+
+      sig(:final) do
+        params(
+          payload: String,
+          implicit_assertion: String,
+          options: T.nilable(T.any(Proc, String, Integer, Symbol, T::Boolean))
+        ).returns(Result)
+      end
+      def decode(payload, implicit_assertion: '', **options)
+        decode!(payload, **T.unsafe(implicit_assertion: implicit_assertion, **options))
+          .then { |result| Verify.verify(result, options) }
+      end
+
+      sig(:final) { returns({ 'exp' => String, 'iat' => String, 'nbf' => String }) }
+      def default_claims
+        now = Time.new
+        {
+          'exp' => (now + (60 * 60)).iso8601,
+          'iat' => now.iso8601,
+          'nbf' => now.iso8601
+        }
+      end
+
+      sig(:final) do
+        params(
+          payload: T::Hash[String, T.untyped],
+          footer: T.any(T::Hash[String, T.untyped], String),
+          implicit_assertion: String,
+          options: T.nilable(T.any(String, Integer, Symbol, T::Boolean))
+        ).returns(String)
+      end
+      def encode(payload, footer: '', implicit_assertion: '', **options)
+        footer = MultiJson.dump(footer, mode: :object) if footer.is_a?(Hash)
+        default_claims.merge(payload)
+                      .then { |claims| encode!(claims, footer: footer, implicit_assertion: implicit_assertion, **options) }
+      end
+
+      sig(:final) { params(other: T.untyped).returns(T::Boolean) }
+      def ==(other)
+        self.class == other.class &&
+          to_bytes == other.to_bytes
+      end
+
+      sig(:final) { returns(String) }
+      def header = "#{version}.#{purpose}"
+
+      sig(:final) { returns(String) }
+      def paserk_version = protocol.paserk_version
+
+      sig(:final) { returns(String) }
+      def pae_header = "#{header}."
+
+      sig(:final) { params(password: String, options: T::Hash[Symbol, T.any(Integer, Symbol)]).returns(String) }
+      def pbkd(password:, options: {})
+        Operations::PBKW.pbkw(self, password, options)
+      end
+
+      sig(:final) { returns(String) }
+      def version = protocol.version
+    end
+  end
+end

data/lib/paseto/interface/pbkd.rb

@@ -0,0 +1,83 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    module PBKD
+      extend T::Sig
+      extend T::Helpers
+
+      include Kernel
+
+      abstract!
+
+      module ClassMethods
+        extend T::Sig
+        extend T::Helpers
+
+        interface!
+
+        sig { abstract.returns(Interface::Version) }
+        def protocol; end
+      end
+
+      mixes_in_class_methods(ClassMethods)
+
+      sig do
+        abstract.params(
+          header: String,
+          pre_key: String,
+          salt: String,
+          nonce: String,
+          edk: String,
+          params: T::Hash[Symbol, Integer]
+        ).returns([String, String])
+      end
+      def authenticate(header:, pre_key:, salt:, nonce:, edk:, params:); end  # rubocop:disable Metrics/ParameterLists
+
+      sig(:final) { params(payload: String, key: String, nonce: String).returns(String) }
+      def crypt(payload:, key:, nonce:)
+        ek = protocol.digest("#{Operations::PBKW::DOMAIN_SEPARATOR_ENCRYPT}#{key}", digest_size: 32)
+
+        protocol.crypt(key: ek, nonce: nonce, payload: payload)
+      end
+
+      sig do
+        abstract.params(payload: String).returns(
+          {
+            salt: String,
+            nonce: String,
+            edk: String,
+            tag: String,
+            params: T::Hash[Symbol, Integer]
+          }
+        )
+      end
+      def decode(payload); end
+
+      sig { abstract.params(salt: String, params: T::Hash[Symbol, Integer]).returns(String) }
+      def pre_key(salt:, params:); end
+
+      sig(:final) { returns(String) }
+      def paserk_version
+        protocol.paserk_version
+      end
+
+      sig(:final) { returns(Interface::Version) }
+      def protocol
+        self.class.protocol
+      end
+
+      sig { abstract.returns(String) }
+      def random_nonce; end
+
+      sig { abstract.returns(String) }
+      def random_salt; end
+
+      sig(:final) { returns(String) }
+      def version
+        protocol.version
+      end
+    end
+  end
+end

data/lib/paseto/interface/pie.rb

@@ -0,0 +1,59 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    module PIE
+      extend T::Sig
+      extend T::Helpers
+
+      include Kernel
+
+      abstract!
+
+      module ClassMethods
+        extend T::Sig
+        extend T::Helpers
+
+        interface!
+
+        sig { abstract.params(data: String).returns({ t: String, n: String, c: String }) }
+        def decode_and_split(data); end
+
+        sig { abstract.returns(Interface::Version) }
+        def protocol; end
+      end
+
+      mixes_in_class_methods(ClassMethods)
+
+      sig { abstract.params(nonce: String).returns(String) }
+      def authentication_key(nonce:); end
+
+      sig { abstract.params(payload: String, auth_key: String).returns(String) }
+      def authentication_tag(payload:, auth_key:); end
+
+      sig { abstract.params(nonce: String, payload: String).returns(String) }
+      def crypt(nonce:, payload:); end
+
+      sig { params(data: String).returns({ t: String, n: String, c: String }) }
+      def decode_and_split(data)
+        self.class.decode_and_split(data)
+      end
+
+      sig { abstract.returns(String) }
+      def local_header; end
+
+      sig { abstract.returns(String) }
+      def random_nonce; end
+
+      sig { abstract.returns(String) }
+      def secret_header; end
+
+      sig(:final) { returns(Interface::Version) }
+      def protocol
+        self.class.protocol
+      end
+    end
+  end
+end

data/lib/paseto/interface/pke.rb

@@ -0,0 +1,86 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    module PKE
+      extend T::Sig
+      extend T::Helpers
+
+      include Kernel
+
+      abstract!
+
+      DOMAIN_SEPARATOR_ENCRYPT = "\x01"
+      DOMAIN_SEPARATOR_AUTH = "\x02"
+
+      module ClassMethods
+        extend T::Sig
+        extend T::Helpers
+
+        interface!
+
+        sig { abstract.params(esk: T.untyped).returns(String) }
+        def epk_bytes_from_esk(esk); end
+
+        sig { abstract.returns(T.untyped) }
+        def generate_ephemeral_key; end
+
+        sig { abstract.returns(String) }
+        def header; end
+
+        sig { abstract.returns(Interface::Version) }
+        def protocol; end
+
+        sig { abstract.params(encoded_data: String).returns([String, T.untyped, String]) }
+        def split(encoded_data); end
+      end
+
+      mixes_in_class_methods(ClassMethods)
+
+      sig { abstract.returns(AsymmetricKey) }
+      def sealing_key; end
+
+      sig { abstract.params(xk: String, epk: T.untyped).returns(String) }
+      def derive_ak(xk:, epk:); end
+
+      sig { abstract.params(xk: String, epk: T.untyped).returns({ ek: String, n: String }) }
+      def derive_ek_n(xk:, epk:); end
+
+      sig { abstract.params(message: String, ek: String, n: String).returns(SymmetricKey) }
+      def decrypt(message:, ek:, n:); end
+
+      sig { abstract.params(message: String, ek: String, n: String).returns(String) }
+      def encrypt(message:, ek:, n:); end
+
+      sig { abstract.params(ak: String, epk: T.untyped, edk: String).returns(String) }
+      def tag(ak:, epk:, edk:); end
+
+      sig(:final) { params(esk: T.untyped).returns(String) }
+      def epk_bytes_from_esk(esk)
+        self.class.epk_bytes_from_esk(esk)
+      end
+
+      sig(:final) { returns(T.untyped) }
+      def generate_ephemeral_key
+        self.class.generate_ephemeral_key
+      end
+
+      sig(:final) { returns(String) }
+      def header
+        self.class.header
+      end
+
+      sig(:final) { returns(Interface::Version) }
+      def protocol
+        self.class.protocol
+      end
+
+      sig(:final) { params(encoded_data: String).returns([String, T.untyped, String]) }
+      def split(encoded_data)
+        self.class.split(encoded_data)
+      end
+    end
+  end
+end

data/lib/paseto/interface/serializer.rb

@@ -0,0 +1,19 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    module Serializer
+      extend T::Sig
+      extend T::Helpers
+
+      interface!
+
+      sig { abstract.params(val: String, options: T::Hash[T.untyped, T.untyped]).returns(T.untyped) }
+      def deserialize(val, options); end
+
+      sig { abstract.params(val: T.untyped, options: T::Hash[T.untyped, T.untyped]).returns(String) }
+      def serialize(val, options); end
+    end
+  end
+end

data/lib/paseto/interface/version.rb

@@ -0,0 +1,161 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    module Version
+      extend T::Sig
+      extend T::Helpers
+
+      include Comparable
+      include Kernel
+
+      abstract!
+
+      module ClassMethods
+        extend T::Sig
+        extend T::Helpers
+
+        interface!
+
+        sig { abstract.params(key: String, nonce: String, payload: String).returns(String) }
+        def crypt(key:, nonce:, payload:); end
+
+        sig { abstract.params(data: String, digest_size: Integer).returns(String) }
+        def digest(data, digest_size:); end
+
+        sig { abstract.returns(Integer) }
+        def digest_bytes; end
+
+        sig { abstract.params(data: String, key: String, digest_size: Integer).returns(String) }
+        def hmac(data, key:, digest_size:); end
+
+        sig { abstract.returns(Interface::ID) }
+        def id; end
+
+        sig do
+          abstract.params(
+            password: String,
+            salt: String,
+            length: Integer,
+            parameters: Integer
+          ).returns(String)
+        end
+        def kdf(password, salt:, length:, **parameters); end
+
+        sig { abstract.returns(String) }
+        def paserk_version; end
+
+        sig { abstract.returns(String) }
+        def pbkd_local_header; end
+
+        sig { abstract.returns(String) }
+        def pbkd_secret_header; end
+
+        sig { abstract.params(password: String).returns(Interface::PBKD) }
+        def pbkw(password); end
+
+        sig { abstract.params(key: SymmetricKey).returns(Interface::PIE) }
+        def pie(key); end
+
+        sig { abstract.params(key: AsymmetricKey).returns(Interface::PKE) }
+        def pke(key); end
+
+        sig { abstract.params(size: Integer).returns(String) }
+        def random(size); end
+
+        sig { abstract.returns(String) }
+        def version; end
+      end
+
+      mixes_in_class_methods(ClassMethods)
+
+      sig(:final) { params(key: String, nonce: String, payload: String).returns(String) }
+      def crypt(key:, nonce:, payload:)
+        self.class.crypt(key: key, nonce: nonce, payload: payload)
+      end
+
+      sig(:final) { params(data: String, digest_size: T.nilable(Integer)).returns(String) }
+      def digest(data, digest_size: nil)
+        self.class.digest(data, digest_size: digest_size || digest_bytes)
+      end
+
+      sig(:final) { returns(Integer) }
+      def digest_bytes
+        self.class.digest_bytes
+      end
+
+      sig(:final) { params(data: String, key: String, digest_size: T.nilable(Integer)).returns(String) }
+      def hmac(data, key:, digest_size: nil)
+        self.class.hmac(data, key: key, digest_size: digest_size || digest_bytes)
+      end
+
+      sig(:final) { returns(Interface::ID) }
+      def id
+        self.class.id
+      end
+
+      sig(:final) do
+        params(
+          password: String,
+          salt: String,
+          length: Integer,
+          parameters: T.any(Symbol, Integer)
+        ).returns(String)
+      end
+      def kdf(password, salt:, length:, **parameters)
+        self.class.kdf(password, salt: salt, length: length, **parameters)
+      end
+
+      sig(:final) { returns(String) }
+      def paserk_version
+        self.class.paserk_version
+      end
+
+      sig(:final) { returns(String) }
+      def pbkd_local_header
+        self.class.pbkd_local_header
+      end
+
+      sig(:final) { returns(String) }
+      def pbkd_secret_header
+        self.class.pbkd_secret_header
+      end
+
+      sig(:final) { params(password: String).returns(Interface::PBKD) }
+      def pbkw(password)
+        self.class.pbkw(password)
+      end
+
+      sig(:final) { params(key: SymmetricKey).returns(Interface::PIE) }
+      def pie(key)
+        self.class.pie(key)
+      end
+
+      sig(:final) { params(key: AsymmetricKey).returns(Interface::PKE) }
+      def pke(key)
+        self.class.pke(key)
+      end
+
+      sig(:final) { params(size: Integer).returns(String) }
+      def random(size)
+        self.class.random(size)
+      end
+
+      sig(:final) { returns(String) }
+      def version
+        self.class.version
+      end
+
+      sig(:final) { params(other: T.untyped).returns(T.nilable(Integer)) }
+      def <=>(other)
+        case other
+        in Interface::Version
+          version <=> other.version
+        else
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/paseto/interface/wrapper.rb

@@ -0,0 +1,20 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Interface
+    module Wrapper
+      extend T::Sig
+      extend T::Helpers
+
+      interface!
+
+      sig { abstract.params(key: Key, nonce: T.nilable(String)).returns(String) }
+      def encode(key, nonce: nil); end
+
+      sig { abstract.params(paserk: [String, String, String, String]).returns(Key) }
+      def decode(paserk); end
+    end
+  end
+end

data/lib/paseto/operations/i_d.rb

@@ -0,0 +1,48 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Operations
+    class ID
+      extend T::Sig
+
+      sig(:final) { params(key: SymmetricKey).returns(String) }
+      def self.lid(key)
+        new(key.protocol).lid(key)
+      end
+
+      sig(:final) { params(key: AsymmetricKey).returns(String) }
+      def self.sid(key)
+        new(key.protocol).sid(key)
+      end
+
+      sig(:final) { params(key: AsymmetricKey).returns(String) }
+      def self.pid(key)
+        new(key.protocol).pid(key)
+      end
+
+      sig { params(protocol: Interface::Version).void }
+      def initialize(protocol)
+        @coder = T.let(protocol.id, Interface::ID)
+      end
+
+      sig(:final) { params(key: SymmetricKey).returns(String) }
+      def lid(key)
+        @coder.encode('lid', key.paserk)
+      end
+
+      sig(:final) { params(key: AsymmetricKey).returns(String) }
+      def sid(key)
+        raise ArgumentError, 'no private key available' unless key.private?
+
+        @coder.encode('sid', key.paserk)
+      end
+
+      sig(:final) { params(key: AsymmetricKey).returns(String) }
+      def pid(key)
+        @coder.encode('pid', key.public_paserk)
+      end
+    end
+  end
+end

data/lib/paseto/operations/id/i_dv3.rb

@@ -0,0 +1,20 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Operations
+    class ID
+      module IDv3
+        extend T::Sig
+
+        extend Interface::ID
+
+        sig { override.returns(Protocol::Version3) }
+        def self.protocol
+          Protocol::Version3.new
+        end
+      end
+    end
+  end
+end

data/lib/paseto/operations/id/i_dv4.rb

@@ -0,0 +1,20 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+
+module Paseto
+  module Operations
+    class ID
+      module IDv4
+        extend T::Sig
+
+        extend Interface::ID
+
+        sig { override.returns(Protocol::Version4) }
+        def self.protocol
+          Protocol::Version4.new
+        end
+      end
+    end
+  end
+end