signet 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cca16d5ecdcc2714f91dda26893593bc4864b3108fb705b02df3267e2deb5864
-  data.tar.gz: 06bd27996b7e0bcc297934f89727be25d1027ae623d94a72635c7ce40edf9d10
+  metadata.gz: ee45b6d3e6075bfd1d1e5b2fae2830e0f981b2e70e7bb075422e51e20b12f4e8
+  data.tar.gz: 3f019f83eda28d4e0a2b80da812c181f605eae19ecc5b138f9ceee2cfd686fbc
 SHA512:
-  metadata.gz: 86a51a0441913e042ed13cd8667168cd7a37e5787714a50b361b5b6e37536be723a22132e7782ee5c8605d01bff35d2acb821f8e14d809f8917815d7c7084542
-  data.tar.gz: 13796569d062502f45820b91085a555858d1cce5bd53a4133e230023aca5bfbcbbee3223ea0dbe3393669c91635d0a2142a5d898d2a9800cc5a3e74413fc705e
+  metadata.gz: 4e9f7704e31e89ecb6b8b24c6f09d1d13615cdfc7ba2d165384ab854be0f33c175bc38db7fd138070fdafff73d33676b96d8e1403b10128e811c25311cd15bf8
+  data.tar.gz: 399c408f37ef1cd30d0e0d31dab9d80ebed8a917e659d252905f4d162511edf2f88d72e27cf8b0792794245ce8e06ae769c473aa94f4c559dcea9e222e221785

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+## 0.11.0 (2018-10-08)
+* Add constant time comparison for oauth signatures.
+
 ## 0.10.0 (2018-09-21)
 * Add UnexpectedStatusError class for http status errors that are not handled.
 

data/lib/signet/oauth_1/server.rb

@@ -13,7 +13,6 @@
 #    limitations under the License.
 #
 require 'faraday'
-
 require 'stringio'
 require 'addressable/uri'
 require 'signet'
@@ -57,6 +56,13 @@ module Signet
            instance_variable_set("@#{attr}", options[attr])
         end
       end
+ 
+      # Constant time string comparison.
+      def safe_equals?(a, b)
+        check = a.bytesize ^ b.bytesize
+        a.bytes.zip(b.bytes) { |x, y| check |= x ^ y.to_i }
+        check == 0
+      end
 
       ##
       # Determine if the supplied nonce/timestamp pair is valid by calling
@@ -285,7 +291,7 @@ module Signet
           client_credential_secret,
           nil
         )
-        if(computed_signature == auth_hash['oauth_signature'])
+        if safe_equals?(computed_signature, auth_hash['oauth_signature'])
           if(auth_hash.fetch('oauth_callback', 'oob').empty?)
             'oob'
           else
@@ -363,7 +369,7 @@ module Signet
           temporary_credential.secret
         )
 
-        if(computed_signature == auth_hash['oauth_signature'])
+        if safe_equals?(computed_signature, auth_hash['oauth_signature'])
           {:client_credential=>client_credential,
             :temporary_credential=>temporary_credential,
             :realm=>auth_hash['realm']
@@ -490,7 +496,7 @@ module Signet
           token_credential_secret
         )
 
-        if(computed_signature == auth_hash['oauth_signature'])
+        if safe_equals?(computed_signature, auth_hash['oauth_signature'])
           {:client_credential=>client_credential,
            :token_credential=>token_credential,
            :realm=>auth_hash['realm']

data/lib/signet/oauth_2.rb

@@ -142,7 +142,7 @@ module Signet #:nodoc:
     # @return [String] The authorization URI to redirect the user to.
     def self.generate_authorization_uri(authorization_uri, parameters={})
       for key, value in parameters
-        parameters.delete(key) if value == nil
+        parameters.delete(key) if value.nil?
       end
       parsed_uri = Addressable::URI.parse(authorization_uri).dup
       query_values = parsed_uri.query_values || {}

data/lib/signet/oauth_2/client.rb

@@ -89,7 +89,7 @@ module Signet
       #   )
       #
       # @see Signet::OAuth2::Client#update!
-      def initialize(options={})
+      def initialize options={}
         @authorization_uri    = nil
         @token_credential_uri = nil
         @client_id            = nil
@@ -104,6 +104,7 @@ module Signet
         @scope                = nil
         @state                = nil
         @username             = nil
+        @access_type          = nil
         self.update!(options)
       end
 
@@ -152,6 +153,8 @@ module Signet
       #     to be refreshed.
       #   - <code>:access_token</code> -
       #     The current access token for this client.
+      #   - <code>:access_type</code> -
+      #     The current access type parameter for #authorization_uri.
       #   - <code>:id_token</code> -
       #     The current ID token for this client.
       #   - <code>:extension_parameters</code> -
@@ -189,6 +192,7 @@ module Signet
         self.signing_key = options[:signing_key] if options.has_key?(:signing_key)
         self.extension_parameters = options[:extension_parameters] || {}
         self.additional_parameters = options[:additional_parameters] || {}
+        self.access_type = options.fetch(:access_type) { :offline }
         self.update_token!(options)
         return self
       end
@@ -259,8 +263,8 @@ module Signet
         unless options[:response_type]
           options[:response_type] = :code
         end
-        unless options[:access_type]
-          options[:access_type] = :offline
+        if !options[:access_type] && access_type
+          options[:access_type] = access_type
         end
         options[:client_id] ||= self.client_id
         options[:redirect_uri] ||= self.redirect_uri
@@ -330,6 +334,23 @@ module Signet
         end
       end
 
+      ##
+      # Returns the current access type parameter for #authorization_uri.
+      #
+      # @return [String, Symbol] The current access type.
+      def access_type
+        return @access_type
+      end
+
+      ##
+      # Sets the current access type parameter for #authorization_uri.
+      #
+      # @param [String, Symbol] new_access_type
+      #   The current access type.
+      def access_type=(new_access_type)
+        @access_type = new_access_type
+      end
+
       ##
       # Returns the client identifier for this client.
       #
@@ -713,7 +734,7 @@ module Signet
       #   omitted.
       #
       # @return [String] The decoded ID token.
-      def decoded_id_token(public_key=nil, options = {}, &keyfinder)
+      def decoded_id_token public_key=nil, options = {}, &keyfinder
         options[:algorithm] ||= signing_algorithm
         verify = !!(public_key || keyfinder)
         payload, _header = JWT.decode(self.id_token, public_key, verify, options, &keyfinder)
@@ -746,12 +767,13 @@ module Signet
       #
       # @param [String, Integer, nil] new_expires_in
       #   The access token lifetime.
-      def expires_in=(new_expires_in)
-        if new_expires_in != nil
+      def expires_in= new_expires_in
+        if !new_expires_in.nil?
           @issued_at = Time.now
           @expires_at = @issued_at + new_expires_in.to_i
         else
-          @expires_at, @issued_at = nil, nil
+          @expires_at = nil
+          @issued_at = nil
         end
       end
 
@@ -760,7 +782,7 @@ module Signet
       #
       # @return [Time, nil] The access token issuance time.
       def issued_at
-        return @issued_at
+        @issued_at
       end
 
       ##
@@ -961,7 +983,7 @@ module Signet
       end
 
       def fetch_access_token(options={})
-        if self.token_credential_uri == nil
+        if self.token_credential_uri.nil?
           raise ArgumentError, 'Missing token endpoint URI.'
         end
 

data/lib/signet/version.rb

@@ -17,7 +17,7 @@ unless defined? Signet::VERSION
   module Signet
     module VERSION
       MAJOR = 0
-      MINOR = 10
+      MINOR = 11
       TINY  = 0
       PRE   = nil
 
@@ -58,15 +58,15 @@ unless defined? Signet::VERSION
       # @private
       #
       def self.warn_unsupported_ruby cur_version, recommended_version
-        "WARNING: You are running Ruby #{cur_version}, which has reached" + 
-        " end-of-life and is no longer supported by Ruby Core.\n" + 
-        'Signet works best on supported versions of' + 
-        ' Ruby. It is strongly recommended that you upgrade to Ruby' + 
-        " #{recommended_version} or later. \n" +
-        'See https://www.ruby-lang.org/en/downloads/branches/ for more' +
-        " info on the Ruby maintenance schedule.\n" + 
-        'To suppress this message, set the' + 
-        ' GOOGLE_CLOUD_SUPPRESS_RUBY_WARNINGS environment variable.'
+        "WARNING: You are running Ruby #{cur_version}, which has reached" \
+          " end-of-life and is no longer supported by Ruby Core.\n" \
+          'Signet works best on supported versions of' \
+          ' Ruby. It is strongly recommended that you upgrade to Ruby' \
+          " #{recommended_version} or later. \n" \
+          'See https://www.ruby-lang.org/en/downloads/branches/ for more' \
+          " info on the Ruby maintenance schedule.\n" \
+          'To suppress this message, set the' \
+          ' GOOGLE_CLOUD_SUPPRESS_RUBY_WARNINGS environment variable.'
       end
 
       ##
@@ -74,14 +74,14 @@ unless defined? Signet::VERSION
       # @private
       #
       def self.warn_nonrecommended_ruby cur_version, recommended_version
-        "WARNING: You are running Ruby #{cur_version}, which is nearing" + 
-        " end-of-life.\n" + 
-        'Signet works best on supported versions of' +
-        " Ruby. Consider upgrading to Ruby #{recommended_version} or later.\n" +
-        'See https://www.ruby-lang.org/en/downloads/branches/ for more' +
-        " info on the Ruby maintenance schedule.\n" +
-        'To suppress this message, set the' + 
-        ' GOOGLE_CLOUD_SUPPRESS_RUBY_WARNINGS environment variable.'
+        "WARNING: You are running Ruby #{cur_version}, which is nearing" \
+          " end-of-life.\n" \
+          'Signet works best on supported versions of' \
+          " Ruby. Consider upgrading to Ruby #{recommended_version} or later.\n" \
+          'See https://www.ruby-lang.org/en/downloads/branches/ for more' \
+          " info on the Ruby maintenance schedule.\n" \
+          'To suppress this message, set the' \
+          ' GOOGLE_CLOUD_SUPPRESS_RUBY_WARNINGS environment variable.'
       end
     end
   end

data/spec/signet/oauth_2/client_spec.rb

@@ -1110,6 +1110,16 @@ describe Signet::OAuth2::Client, 'configured with custom parameters' do
     expect(@client.authorization_uri(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'}).query_values).to eq ({"access_type"=>"offline", "client_id"=>"s6BhdRkqt3", "new_param"=>"new_val",  "response_type"=>"code","redirect_uri"=>"https://example.client.com/callback", "type"=>"new_type"})
   end
 
+  it 'should not have access_type parameter in authorization_uri when we set it to nil in client' do
+    @client.update!(:access_type=>nil)
+    expect(@client.authorization_uri().query_values).to eq ({"client_id"=>"s6BhdRkqt3", "response_type"=>"code", "redirect_uri"=>"https://example.client.com/callback"})
+  end
+
+  it 'should use new access_type parameter as default for authorization_uri' do
+    @client.update!(:access_type=>:online)
+    expect(@client.authorization_uri().query_values).to eq ({"access_type"=>"online", "client_id"=>"s6BhdRkqt3", "response_type"=>"code", "redirect_uri"=>"https://example.client.com/callback"})
+  end
+
   it 'should merge new generate_access_token_request custom parameters' do
     @client.update!(:code=>'12345')
     params = @client.generate_access_token_request(:additional_parameters => {'type' => 'new_type', 'new_param' => 'new_val'})

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: signet
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Bob Aman
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-24 00:00:00.000000000 Z
+date: 2018-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable