slosilo 0.0.0 → 0.1.2

data/lib/slosilo/jwt.rb

@@ -1,122 +0,0 @@
-require 'json'
-
-module Slosilo
-  # A JWT-formatted Slosilo token.
-  # @note This is not intended to be a general-purpose JWT implementation.
-  class JWT
-    # Create a new unsigned token with the given claims.
-    # @param claims [#to_h] claims to embed in this token.
-    def initialize claims = {}
-      @claims = JSONHash[claims]
-    end
-
-    # Parse a token in compact representation
-    def self.parse_compact raw
-      load *raw.split('.', 3).map(&Base64.method(:urlsafe_decode64))
-    end
-
-    # Parse a token in JSON representation.
-    # @note only single signature is currently supported.
-    def self.parse_json raw
-      raw = JSON.load raw unless raw.respond_to? :to_h
-      parts = raw.to_h.values_at(*%w(protected payload signature))
-      fail ArgumentError, "input not a complete JWT" unless parts.all?
-      load *parts.map(&Base64.method(:urlsafe_decode64))
-    end
-
-    # Add a signature.
-    # @note currently only a single signature is handled;
-    # the token will be frozen after this operation.
-    def add_signature header, &sign
-      @claims = canonicalize_claims.freeze
-      @header = JSONHash[header].freeze
-      @signature = sign[string_to_sign].freeze
-      freeze
-    end
-
-    def string_to_sign
-      [header, claims].map(&method(:encode)).join '.'
-    end
-
-    # Returns the JSON serialization of this JWT.
-    def to_json *a
-      {
-        protected: encode(header),
-        payload: encode(claims),
-        signature: encode(signature)
-      }.to_json *a
-    end
-
-    # Returns the compact serialization of this JWT.
-    def to_s
-      [header, claims, signature].map(&method(:encode)).join('.')
-    end
-
-    attr_accessor :claims, :header, :signature
-
-    private
-
-    # Create a JWT token object from existing header, payload, and signature strings.
-    # @param header [#to_s] URLbase64-encoded representation of the protected header
-    # @param payload [#to_s] URLbase64-encoded representation of the token payload
-    # @param signature [#to_s] URLbase64-encoded representation of the signature
-    def self.load header, payload, signature
-      self.new(JSONHash.load payload).tap do |token|
-        token.header = JSONHash.load header
-        token.signature = signature.to_s.freeze
-        token.freeze
-      end
-    end
-
-    def canonicalize_claims
-      claims[:iat] = Time.now unless claims.include? :iat
-      claims[:iat] = claims[:iat].to_time.to_i
-      claims[:exp] = claims[:exp].to_time.to_i if claims.include? :exp
-      JSONHash[claims.to_a]
-    end
-
-    # Convenience method to make the above code clearer.
-    # Converts to string and urlbase64-encodes.
-    def encode s
-      Base64.urlsafe_encode64 s.to_s
-    end
-
-    # a hash with a possibly frozen JSON stringification
-    class JSONHash < Hash
-      def to_s
-        @repr || to_json
-      end
-
-      def freeze
-        @repr = to_json.freeze
-        super
-      end
-
-      def self.load raw
-        self[JSON.load raw.to_s].tap do |h|
-          h.send :repr=, raw
-        end
-      end
-
-      private
-
-      def repr= raw
-        @repr = raw.freeze
-        freeze
-      end
-    end
-  end
-
-  # Try to convert by detecting token representation and parsing
-  def self.JWT raw
-    if raw.is_a? JWT
-      raw
-    elsif raw.respond_to?(:to_h) || raw =~ /\A\s*\{/
-      JWT.parse_json raw
-    else
-      JWT.parse_compact raw
-    end
-  rescue
-    raise ArgumentError, "invalid value for JWT(): #{raw.inspect}"
-  end
-end

data/publish.sh

@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
-  publish-rubygem slosilo

data/secrets.yml

@@ -1 +0,0 @@
-RUBYGEMS_API_KEY: !var rubygems/api-key

data/spec/encrypted_attributes_spec.rb

@@ -1,114 +0,0 @@
-require 'spec_helper'
-require 'slosilo/attr_encrypted'
-
-describe Slosilo::EncryptedAttributes do
-  before(:all) do
-    Slosilo::encryption_key = OpenSSL::Cipher.new("aes-256-gcm").random_key
-  end
-
-  let(:aad) { proc{ |_| "hithere" } }
-
-  let(:base){
-    Class.new do
-      attr_accessor :normal_ivar,:with_aad
-      def stupid_ivar
-        side_effect!
-        @_explicit
-      end
-      def stupid_ivar= e
-        side_effect!
-        @_explicit = e
-      end
-      def side_effect!
-
-      end
-    end
-  }
-
-  let(:sub){
-    Class.new(base) do
-      attr_encrypted :normal_ivar, :stupid_ivar
-    end
-  }
-
-  subject{ sub.new  }
-
-  context "when setting a normal ivar" do
-    let(:value){ "some value" }
-    it "stores an encrypted value in the ivar" do
-      subject.normal_ivar = value
-      expect(subject.instance_variable_get(:"@normal_ivar")).to_not eq(value)
-    end
-
-    it "recovers the value set" do
-      subject.normal_ivar = value
-      expect(subject.normal_ivar).to eq(value)
-    end
-  end
-
-  context "when setting an attribute with an implementation" do
-    it "calls the base class method" do
-      expect(subject).to receive_messages(:side_effect! => nil)
-      subject.stupid_ivar = "hi"
-      expect(subject.stupid_ivar).to eq("hi")
-    end
-  end
-
-  context "when given an :aad option" do
-
-    let(:cipher){ Slosilo::EncryptedAttributes.cipher }
-    let(:key){ Slosilo::EncryptedAttributes.key}
-    context "that is a string" do
-      let(:aad){ "hello there" }
-      before{ sub.attr_encrypted :with_aad, aad: aad }
-      it "encrypts the value with the given string  for auth data" do
-        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad)
-        subject.with_aad = "hello"
-      end
-
-      it "decrypts the encrypted value" do
-        subject.with_aad = "foo"
-        expect(subject.with_aad).to eq("foo")
-      end
-    end
-
-    context "that is nil" do
-      let(:aad){ nil }
-      before{ sub.attr_encrypted :with_aad, aad: aad }
-      it "encrypts the value with an empty string for auth data" do
-        expect(cipher).to receive(:encrypt).with("hello",key: key, aad: "").and_call_original
-        subject.with_aad = "hello"
-      end
-
-      it "decrypts the encrypted value" do
-        subject.with_aad = "hello"
-        expect(subject.with_aad).to eq("hello")
-      end
-    end
-
-    context "that is a proc" do
-      let(:aad){
-        proc{ |o| "x" }
-      }
-
-      before{ sub.attr_encrypted :with_aad, aad: aad }
-
-      it "calls the proc with the object being encrypted" do
-        expect(aad).to receive(:[]).with(subject).and_call_original
-        subject.with_aad = "hi"
-      end
-
-      it "encrypts the value with the string returned for auth data" do
-        expect(cipher).to receive(:encrypt).with("hello", key: key, aad: aad[subject]).and_call_original
-        subject.with_aad = "hello"
-      end
-      it "decrypts the encrypted value" do
-        subject.with_aad = "hello"
-        expect(subject.with_aad).to eq("hello")
-      end
-    end
-
-  end
-
-
-end

data/spec/file_adapter_spec.rb

@@ -1,81 +0,0 @@
-require 'spec_helper'
-require 'tmpdir'
-
-require 'slosilo/adapters/file_adapter'
-
-describe Slosilo::Adapters::FileAdapter do
-  include_context "with example key"
-
-  let(:dir) { Dir.mktmpdir }
-  let(:adapter) { Slosilo::Adapters::FileAdapter.new dir }
-  subject { adapter }
-  
-  describe "#get_key" do
-    context "when given key does not exist" do
-      it "returns nil" do
-        expect(subject.get_key(:whatever)).not_to be
-      end
-    end
-  end
-  
-  describe "#put_key" do
-    context "unacceptable id" do
-      let(:id) { "foo.bar" }
-      it "isn't accepted" do
-        expect { subject.put_key id, key }.to raise_error /id should not contain a period/
-      end    
-    end
-    context "acceptable id" do
-      let(:id) { "id" }
-      let(:key_encrypted) { "encrypted key" }
-      let(:fname) { "#{dir}/#{id}.key" }
-      it "creates the key" do
-        expect(Slosilo::EncryptedAttributes).to receive(:encrypt).with(key.to_der).and_return key_encrypted
-        expect(File).to receive(:write).with(fname, key_encrypted)
-        expect(File).to receive(:chmod).with(0400, fname)
-        subject.put_key id, key
-        expect(subject.instance_variable_get("@keys")[id]).to eq(key)
-      end    
-    end
-  end
-  
-  describe "#each" do
-    before { adapter.instance_variable_set("@keys", one: :onek, two: :twok) }
-    
-    it "iterates over each key" do
-      results = []
-      adapter.each { |id,k| results << { id => k } }
-      expect(results).to eq([ { one: :onek}, {two: :twok } ])
-    end
-  end
-
-  context 'with real key store' do
-    let(:id) { 'some id' }
-
-    before do
-      Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
-      pre_adapter = Slosilo::Adapters::FileAdapter.new dir
-      pre_adapter.put_key(id, key)
-    end
-
-    describe '#get_key' do
-      it "loads and decrypts the key" do
-        expect(adapter.get_key(id)).to eq(key)
-      end
-    end
-
-    describe '#get_by_fingerprint' do
-      it "can look up a key by a fingerprint" do
-        expect(adapter.get_by_fingerprint(key_fingerprint)).to eq([key, id])
-      end
-    end
-    
-    describe '#each' do
-      it "enumerates the keys" do
-        results = []
-        adapter.each { |id,k| results << { id => k } }
-        expect(results).to eq([ { id => key } ])
-      end
-    end
-  end
-end

data/spec/jwt_spec.rb

@@ -1,102 +0,0 @@
-require 'spec_helper'
-
-# (Mostly) integration tests for JWT token format
-describe Slosilo::Key do
-  include_context "with example key"
-
-  describe '#issue_jwt' do
-    it 'issues an JWT token with given claims' do
-      allow(Time).to receive(:now) { DateTime.parse('2014-06-04 23:22:32 -0400').to_time }
-
-      tok = key.issue_jwt sub: 'host/example', cidr: %w(fec0::/64)
-
-      expect(tok).to be_frozen
-
-      expect(tok.header).to eq \
-        alg: 'conjur.org/slosilo/v2',
-        kid: key_fingerprint
-      expect(tok.claims).to eq \
-        iat: 1401938552,
-        sub: 'host/example',
-        cidr: ['fec0::/64']
-
-      expect(key.verify_signature tok.string_to_sign, tok.signature).to be_truthy
-    end
-  end
-end
-
-describe Slosilo::JWT do
-  context "with a signed token" do
-    let(:signature) { 'very signed, such alg' }
-    subject(:token) { Slosilo::JWT.new test: "token" }
-    before do
-      allow(Time).to receive(:now) { DateTime.parse('2014-06-04 23:22:32 -0400').to_time }
-      token.add_signature(alg: 'test-sig') { signature }
-    end
-
-    it 'allows conversion to JSON representation with #to_json' do
-      json = JSON.load token.to_json
-      expect(JSON.load Base64.urlsafe_decode64 json['protected']).to eq \
-          'alg' => 'test-sig'
-      expect(JSON.load Base64.urlsafe_decode64 json['payload']).to eq \
-          'iat' => 1401938552, 'test' => 'token'
-      expect(Base64.urlsafe_decode64 json['signature']).to eq signature
-    end
-
-    it 'allows conversion to compact representation with #to_s' do
-      h, c, s = token.to_s.split '.'
-      expect(JSON.load Base64.urlsafe_decode64 h).to eq \
-          'alg' => 'test-sig'
-      expect(JSON.load Base64.urlsafe_decode64 c).to eq \
-          'iat' => 1401938552, 'test' => 'token'
-      expect(Base64.urlsafe_decode64 s).to eq signature
-    end
-  end
-
-  describe '#to_json' do
-    it "passes any parameters" do
-      token = Slosilo::JWT.new
-      allow(token).to receive_messages \
-          header: :header,
-          claims: :claims,
-          signature: :signature
-      expect_any_instance_of(Hash).to receive(:to_json).with :testing
-      expect(token.to_json :testing)
-    end
-  end
-
-  describe '()' do
-    include_context "with example key"
-
-    it 'understands both serializations' do
-      [COMPACT_TOKEN, JSON_TOKEN].each do |token|
-        token = Slosilo::JWT token
-        expect(token.header).to eq \
-            'typ' => 'JWT',
-            'alg' => 'conjur.org/slosilo/v2',
-            'kid' => key_fingerprint
-        expect(token.claims).to eq \
-            'sub' => 'host/example',
-            'iat' => 1401938552,
-            'exp' => 1401938552 + 60*60,
-            'cidr' => ['fec0::/64']
-        expect(key.verify_signature token.string_to_sign, token.signature).to be_truthy
-      end
-    end
-
-    it 'is a noop if already parsed' do
-      token = Slosilo::JWT COMPACT_TOKEN
-      expect(Slosilo::JWT token).to eq token
-    end
-
-    it 'raises ArgumentError on failure to convert' do
-      expect { Slosilo::JWT "foo bar" }.to raise_error ArgumentError
-      expect { Slosilo::JWT elite: 31337 }.to raise_error ArgumentError
-      expect { Slosilo::JWT "foo.bar.xyzzy" }.to raise_error ArgumentError
-    end
-  end
-
-  COMPACT_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=.eyJzdWIiOiJob3N0L2V4YW1wbGUiLCJjaWRyIjpbImZlYzA6Oi82NCJdLCJleHAiOjE0MDE5NDIxNTIsImlhdCI6MTQwMTkzODU1Mn0=.qSxy6gx0DbiIc-Wz_vZhBsYi1SCkHhzxfMGPnnG6MTqjlzy7ntmlU2H92GKGoqCRo6AaNLA_C3hA42PeEarV5nMoTj8XJO_kwhrt2Db2OX4u83VS0_enoztWEZG5s45V0Lv71lVR530j4LD-hpqhm_f4VuISkeH84u0zX7s1zKOlniuZP-abCAHh0htTnrVz9wKG0VywkCUmWYyNNqC2h8PRf64SvCWcQ6VleHpjO-ms8OeTw4ZzRbzKMi0mL6eTmQlbT3PeBArUaS0pNJPg9zdDQaL2XDOofvQmj6Yy_8RA4eCt9HEfTYEdriVqK-_9QCspbGzFVn9GTWf51MRi5dngV9ItsDoG9ktDtqFuMttv7TcqjftsIHZXZsAZ175E".freeze
-
-  JSON_TOKEN = "{\"protected\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=\",\"payload\":\"eyJzdWIiOiJob3N0L2V4YW1wbGUiLCJjaWRyIjpbImZlYzA6Oi82NCJdLCJleHAiOjE0MDE5NDIxNTIsImlhdCI6MTQwMTkzODU1Mn0=\",\"signature\":\"qSxy6gx0DbiIc-Wz_vZhBsYi1SCkHhzxfMGPnnG6MTqjlzy7ntmlU2H92GKGoqCRo6AaNLA_C3hA42PeEarV5nMoTj8XJO_kwhrt2Db2OX4u83VS0_enoztWEZG5s45V0Lv71lVR530j4LD-hpqhm_f4VuISkeH84u0zX7s1zKOlniuZP-abCAHh0htTnrVz9wKG0VywkCUmWYyNNqC2h8PRf64SvCWcQ6VleHpjO-ms8OeTw4ZzRbzKMi0mL6eTmQlbT3PeBArUaS0pNJPg9zdDQaL2XDOofvQmj6Yy_8RA4eCt9HEfTYEdriVqK-_9QCspbGzFVn9GTWf51MRi5dngV9ItsDoG9ktDtqFuMttv7TcqjftsIHZXZsAZ175E\"}".freeze
-end

data/test.sh

@@ -1,8 +0,0 @@
-#!/bin/bash -xe
-
-
-echo "==> Docker Run"
-docker run --rm --volume $PWD:/app --workdir /app cyberark/ubuntu-ruby-builder bash -c 'git config --global --add safe.directory /app && bundle && ls -ltra && bundle exec rake jenkins' || :
-
-echo "==> CP Coverage to Spec"
-cp -r coverage spec