RubyGems - sealights-rspec-agent - Versions diffs - 2.0.4 → 2.0.5 - Mend

sealights-rspec-agent 2.0.4 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (85) hide show

data/agent/dependencies/jwt-2.2.1/Rakefile ADDED Viewed

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:test)
+  task default: :test
+rescue LoadError
+  puts 'RSpec rake tasks not available. Please run "bundle install" to install missing dependencies.'
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+require_relative 'jwt/base64'
+require_relative 'jwt/json'
+require_relative 'jwt/decode'
+require_relative 'jwt/default_options'
+require_relative 'jwt/encode'
+require_relative 'jwt/error'
+require_relative 'jwt/jwk'
+# JSON Web Token implementation
+#
+# Should be up to date with the latest spec:
+# https://tools.ietf.org/html/rfc7519
+module SL_JWT
+  include SL_JWT::DefaultOptions
+  module_function
+  def encode(payload, key, algorithm = 'HS256', header_fields = {})
+    Encode.new(payload: payload,
+               key: key,
+               algorithm: algorithm,
+               headers: header_fields).segments
+  end
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
+    Decode.new(jwt, key, verify, DEFAULT_OPTIONS.merge(options), &keyfinder).decode_segments
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/algos/ecdsa.rb ADDED Viewed

@@ -0,0 +1,35 @@
+module SL_JWT
+  module Algos
+    module Ecdsa
+      module_function
+      SUPPORTED = %w[ES256 ES384 ES512].freeze
+      NAMED_CURVES = {
+        'prime256v1' => 'ES256',
+        'secp384r1' => 'ES384',
+        'secp521r1' => 'ES512'
+      }.freeze
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        key_algorithm = NAMED_CURVES[key.group.curve_name]
+        if algorithm != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
+        end
+        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+      end
+      def verify(to_verify)
+        algorithm, public_key, signing_input, signature = to_verify.values
+        key_algorithm = NAMED_CURVES[public_key.group.curve_name]
+        if algorithm != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
+        end
+        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/algos/eddsa.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module SL_JWT
+  module Algos
+    module Eddsa
+      module_function
+      SUPPORTED = %w[ED25519].freeze
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
+        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"  if algorithm.downcase.to_sym != key.primitive
+        key.sign(msg)
+      end
+      def verify(to_verify)
+        algorithm, public_key, signing_input, signature = to_verify.values
+        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{public_key.primitive} verification key was provided" if algorithm.downcase.to_sym != public_key.primitive
+        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
+        public_key.verify(signature, signing_input)
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/algos/hmac.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module SL_JWT
+  module Algos
+    module Hmac
+      module_function
+      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
+        if authenticator && padded_key
+          authenticator.auth(padded_key, msg.encode('binary'))
+        else
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
+        end
+      end
+      def verify(to_verify)
+        algorithm, public_key, signing_input, signature = to_verify.values
+        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
+        if authenticator && padded_key
+          begin
+            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
+          rescue RbNaCl::BadAuthenticatorError
+            false
+          end
+        else
+          SecurityUtils.secure_compare(signature, sign(SL_JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
+        end
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/algos/ps.rb ADDED Viewed

@@ -0,0 +1,43 @@
+module SL_JWT
+  module Algos
+    module Ps
+      # RSASSA-PSS signing algorithms
+      module_function
+      SUPPORTED = %w[PS256 PS384 PS512].freeze
+      def sign(to_sign)
+        require_openssl!
+        algorithm, msg, key = to_sign.values
+        key_class = key.class
+        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key_class == String
+        translated_algorithm = algorithm.sub('PS', 'sha')
+        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
+      end
+      def verify(to_verify)
+        require_openssl!
+        SecurityUtils.verify_ps(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+      end
+      def require_openssl!
+        if Object.const_defined?('OpenSSL')
+          major, minor = OpenSSL::VERSION.split('.').first(2)
+          unless major.to_i >= 2 && minor.to_i >= 1
+            raise SL_JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
+          end
+        else
+          raise SL_JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
+        end
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/algos/rsa.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module SL_JWT
+  module Algos
+    module Rsa
+      module_function
+      SUPPORTED = %w[RS256 RS384 RS512].freeze
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
+        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
+      end
+      def verify(to_verify)
+        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/algos/unsupported.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module SL_JWT
+  module Algos
+    module Unsupported
+      module_function
+      SUPPORTED = Object.new.tap { |object| object.define_singleton_method(:include?) { |*| true } }
+      def verify(*)
+        raise SL_JWT::VerificationError, 'Algorithm not supported'
+      end
+      def sign(*)
+        raise NotImplementedError, 'Unsupported signing method'
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/base64.rb ADDED Viewed

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+require 'base64'
+module SL_JWT
+  # Base64 helpers
+  class Base64
+    class << self
+      def url_encode(str)
+        ::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+      end
+      def url_decode(str)
+        str += '=' * (4 - str.length.modulo(4))
+        ::Base64.decode64(str.tr('-_', '+/'))
+      end
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/claims_validator.rb ADDED Viewed

@@ -0,0 +1,33 @@
+require_relative './error'
+module SL_JWT
+  class ClaimsValidator
+    INTEGER_CLAIMS = %i[
+      exp
+      iat
+      nbf
+    ].freeze
+    def initialize(payload)
+      @payload = payload.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
+    end
+    def validate!
+      validate_int_claims
+      true
+    end
+    private
+    def validate_int_claims
+      INTEGER_CLAIMS.each do |claim|
+        validate_is_int(claim) if @payload.key?(claim)
+      end
+    end
+    def validate_is_int(claim)
+      raise InvalidPayload, "#{claim} claim must be an Integer but it is a #{@payload[claim].class}" unless @payload[claim].is_a?(Integer)
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/decode.rb ADDED Viewed

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+require 'json'
+require_relative './signature'
+require_relative './verify'
+# JWT::Decode module
+module SL_JWT
+  # Decoding logic for JWT
+  class Decode
+    def initialize(jwt, key, verify, options, &keyfinder)
+      raise(SL_JWT::DecodeError, 'Nil JSON web token') unless jwt
+      @jwt = jwt
+      @key = key
+      @options = options
+      @segments = jwt.split('.')
+      @verify = verify
+      @signature = ''
+      @keyfinder = keyfinder
+    end
+    def decode_segments
+      validate_segment_count!
+      if @verify
+        decode_crypto
+        verify_signature
+        verify_claims
+      end
+      raise(SL_JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+      [payload, header]
+    end
+    private
+    def verify_signature
+      @key = find_key(&@keyfinder) if @keyfinder
+      @key = ::SL_JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+      raise(SL_JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
+      raise(SL_JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+      Signature.verify(header['alg'], @key, signing_input, @signature)
+    end
+    def options_includes_algo_in_header?
+      allowed_algorithms.include? header['alg']
+    end
+    def allowed_algorithms
+      if @options.key?(:algorithm)
+        [@options[:algorithm]]
+      else
+        @options[:algorithms] || []
+      end
+    end
+    def find_key(&keyfinder)
+      key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
+      raise SL_JWT::DecodeError, 'No verification key available' unless key
+      key
+    end
+    def verify_claims
+      Verify.verify_claims(payload, @options)
+    end
+    def validate_segment_count!
+      return if segment_length == 3
+      return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
+      raise(SL_JWT::DecodeError, 'Not enough or too many segments')
+    end
+    def segment_length
+      @segments.count
+    end
+    def decode_crypto
+      @signature = SL_JWT::Base64.url_decode(@segments[2])
+    end
+    def header
+      @header ||= parse_and_decode @segments[0]
+    end
+    def payload
+      @payload ||= parse_and_decode @segments[1]
+    end
+    def signing_input
+      @segments.first(2).join('.')
+    end
+    def parse_and_decode(segment)
+      SL_JWT::JSON.parse(SL_JWT::Base64.url_decode(segment))
+    rescue ::JSON::ParserError
+      raise SL_JWT::DecodeError, 'Invalid segment encoding'
+    end
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/default_options.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module SL_JWT
+  module DefaultOptions
+    DEFAULT_OPTIONS = {
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iss: false,
+      verify_iat: false,
+      verify_jti: false,
+      verify_aud: false,
+      verify_sub: false,
+      leeway: 0,
+      algorithms: ['HS256']
+    }.freeze
+  end
+end

data/agent/dependencies/jwt-2.2.1/lib/jwt/encode.rb ADDED Viewed

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+require_relative './claims_validator'
+# JWT::Encode module
+module SL_JWT
+  # Encoding logic for JWT
+  class Encode
+    ALG_NONE = 'none'.freeze
+    ALG_KEY  = 'alg'.freeze
+    def initialize(options)
+      @payload   = options[:payload]
+      @key       = options[:key]
+      @algorithm = options[:algorithm]
+      @headers   = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
+    end
+    def segments
+      @segments ||= combine(encoded_header_and_payload, encoded_signature)
+    end
+    private
+    def encoded_header
+      @encoded_header ||= encode_header
+    end
+    def encoded_payload
+      @encoded_payload ||= encode_payload
+    end
+    def encoded_signature
+      @encoded_signature ||= encode_signature
+    end
+    def encoded_header_and_payload
+      @encoded_header_and_payload ||= combine(encoded_header, encoded_payload)
+    end
+    def encode_header
+      @headers[ALG_KEY] = @algorithm
+      encode(@headers)
+    end
+    def encode_payload
+      if @payload && @payload.is_a?(Hash)
+        ClaimsValidator.new(@payload).validate!
+      end
+      encode(@payload)
+    end
+    def encode_signature
+      return '' if @algorithm == ALG_NONE
+      SL_JWT::Base64.url_encode(SL_JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
+    end
+    def encode(data)
+      SL_JWT::Base64.url_encode(SL_JWT::JSON.generate(data))
+    end
+    def combine(*parts)
+      parts.join('.')
+    end
+  end
+end