slosilo 2.0.1 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b2f977e53f906393dcac0918f5fb5b2b2b41563b
-  data.tar.gz: 967b35f4ed8f91c24dfab09245ff0cb798b585ed
+  metadata.gz: 1b7ca2d8d2bbd323237e1ff513bd8d00af684da0
+  data.tar.gz: 152b2735c0d053e414baeebd40ce229761514a2a
 SHA512:
-  metadata.gz: fd31b09380e3f9411aca6a7ee9244d727e0962954da29c18adffa68b81b58265607205b5a519de8d211da07f412600788c1b5579fc0a604e06328e5bb86e62a8
-  data.tar.gz: 3454255c91a0a62c59bedf5b425e5b5a9fdb1ba29283d85ae0e5be7ca9b5cd2b1fa44b4fa280d65d37441d802e634309a928373848ad4cf199c9e5ac58d074cd
+  metadata.gz: a09dd7a7607809467e9f77c0400c85e3c8336722058de27e00f5aad6cda1577db3f747f3b30b2ecdf677ef679a2a78061f0dbd292de253f02d3f6c14a3ee2495
+  data.tar.gz: 56e9ee6c12c3419d32b6e6260a6889cad2d38e9822cd66788950b17bf3f559e1a8c660cd9519d1c05c070dc4873fc7446e3cda58809d535886ce62835032db34

data/.dockerignore

@@ -0,0 +1,2 @@
+/Gemfile.lock
+/spec/reports

data/CHANGELOG.md

@@ -1,4 +1,7 @@
+# v2.1.1
+
+* Add support for JWT-formatted tokens, with arbitrary expiration.
+
 # v2.0.1
 
 * Fixes a bug that occurs when signing tokens containing Unicode data
-

data/Jenkinsfile

@@ -0,0 +1,39 @@
+#!/usr/bin/env groovy
+
+pipeline {
+  agent { label 'executor-v2' }
+
+  options {
+    timestamps()
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
+  }
+
+  stages {
+    stage('Test') {
+      steps {
+        sh './test.sh'
+
+        junit 'spec/reports/*.xml'
+      }
+    }
+
+    stage('Publish to RubyGems') {
+      agent { label 'releaser-v2' }
+      when {
+        branch 'master'
+      }
+
+      steps {
+        checkout scm
+        sh './publish-rubygem.sh'
+        deleteDir()
+      }
+    }
+  }
+
+  post {
+    always {
+      cleanupAndNotify(currentBuild.currentResult)
+    }
+  }
+}

data/lib/slosilo.rb

@@ -1,3 +1,4 @@
+require "slosilo/jwt"
 require "slosilo/version"
 require "slosilo/keystore"
 require "slosilo/symmetric"

data/lib/slosilo/errors.rb

@@ -8,5 +8,8 @@ module Slosilo
         super
       end
     end
+
+    class TokenValidationError < Error
+    end
   end
 end

data/lib/slosilo/jwt.rb

@@ -0,0 +1,122 @@
+require 'json'
+
+module Slosilo
+  # A JWT-formatted Slosilo token.
+  # @note This is not intended to be a general-purpose JWT implementation.
+  class JWT
+    # Create a new unsigned token with the given claims.
+    # @param claims [#to_h] claims to embed in this token.
+    def initialize claims = {}
+      @claims = JSONHash[claims]
+    end
+
+    # Parse a token in compact representation
+    def self.parse_compact raw
+      load *raw.split('.', 3).map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Parse a token in JSON representation.
+    # @note only single signature is currently supported.
+    def self.parse_json raw
+      raw = JSON.load raw unless raw.respond_to? :to_h
+      parts = raw.to_h.values_at(*%w(protected payload signature))
+      fail ArgumentError, "input not a complete JWT" unless parts.all?
+      load *parts.map(&Base64.method(:urlsafe_decode64))
+    end
+
+    # Add a signature.
+    # @note currently only a single signature is handled;
+    # the token will be frozen after this operation.
+    def add_signature header, &sign
+      @claims = canonicalize_claims.freeze
+      @header = JSONHash[header].freeze
+      @signature = sign[string_to_sign].freeze
+      freeze
+    end
+
+    def string_to_sign
+      [header, claims].map(&method(:encode)).join '.'
+    end
+
+    # Returns the JSON serialization of this JWT.
+    def to_json *a
+      {
+        protected: encode(header),
+        payload: encode(claims),
+        signature: encode(signature)
+      }.to_json *a
+    end
+
+    # Returns the compact serialization of this JWT.
+    def to_s
+      [header, claims, signature].map(&method(:encode)).join('.')
+    end
+
+    attr_accessor :claims, :header, :signature
+
+    private
+
+    # Create a JWT token object from existing header, payload, and signature strings.
+    # @param header [#to_s] URLbase64-encoded representation of the protected header
+    # @param payload [#to_s] URLbase64-encoded representation of the token payload
+    # @param signature [#to_s] URLbase64-encoded representation of the signature
+    def self.load header, payload, signature
+      self.new(JSONHash.load payload).tap do |token|
+        token.header = JSONHash.load header
+        token.signature = signature.to_s.freeze
+        token.freeze
+      end
+    end
+
+    def canonicalize_claims
+      claims[:iat] = Time.now unless claims.include? :iat
+      claims[:iat] = claims[:iat].to_time.to_i
+      claims[:exp] = claims[:exp].to_time.to_i if claims.include? :exp
+      JSONHash[claims.to_a]
+    end
+
+    # Convenience method to make the above code clearer.
+    # Converts to string and urlbase64-encodes.
+    def encode s
+      Base64.urlsafe_encode64 s.to_s
+    end
+
+    # a hash with a possibly frozen JSON stringification
+    class JSONHash < Hash
+      def to_s
+        @repr || to_json
+      end
+
+      def freeze
+        @repr = to_json.freeze
+        super
+      end
+
+      def self.load raw
+        self[JSON.load raw.to_s].tap do |h|
+          h.send :repr=, raw
+        end
+      end
+
+      private
+
+      def repr= raw
+        @repr = raw.freeze
+        freeze
+      end
+    end
+  end
+
+  # Try to convert by detecting token representation and parsing
+  def self.JWT raw
+    if raw.is_a? JWT
+      raw
+    elsif raw.respond_to?(:to_h) || raw =~ /\A\s*\{/
+      JWT.parse_json raw
+    else
+      JWT.parse_compact raw
+    end
+  rescue
+    raise ArgumentError, "invalid value for JWT(): #{raw.inspect}"
+  end
+end

data/lib/slosilo/key.rb

@@ -3,6 +3,8 @@ require 'json'
 require 'base64'
 require 'time'
 
+require 'slosilo/errors'
+
 module Slosilo
   class Key
     def initialize raw_key = nil
@@ -13,6 +15,10 @@ module Slosilo
       else
         OpenSSL::PKey::RSA.new 2048
       end
+    rescue OpenSSL::PKey::PKeyError => e
+      # old openssl versions used to report ArgumentError
+      # which arguably makes more sense here, so reraise as that
+      raise ArgumentError, e, e.backtrace
     end
     
     attr_reader :key
@@ -71,14 +77,80 @@ module Slosilo
       token["key"] = fingerprint
       token
     end
+
+    JWT_ALGORITHM = 'conjur.org/slosilo/v2'.freeze
+
+    # Issue a JWT with the given claims.
+    # `iat` (issued at) claim is automatically added.
+    # Other interesting claims you can give are:
+    # - `sub` - token subject, for example a user name;
+    # - `exp` - expiration time (absolute);
+    # - `cidr` (Conjur extension) - array of CIDR masks that are accepted to
+    #   make requests that bear this token
+    def issue_jwt claims
+      token = Slosilo::JWT.new claims
+      token.add_signature \
+          alg: JWT_ALGORITHM,
+          kid: fingerprint,
+          &method(:sign)
+      token.freeze
+    end
+
+    DEFAULT_EXPIRATION = 8 * 60
     
-    def token_valid? token, expiry = 8 * 60
+    def token_valid? token, expiry = DEFAULT_EXPIRATION
+      return jwt_valid? token if token.respond_to? :header
       token = token.clone
       expected_key = token.delete "key"
       return false if (expected_key and (expected_key != fingerprint))
       signature = Base64::urlsafe_decode64(token.delete "signature")
       (Time.parse(token["timestamp"]) + expiry > Time.now) && verify_signature(token, signature)
     end
+
+    # Validate a JWT.
+    #
+    # Convenience method calling #validate_jwt and returning false if an
+    # exception is raised.
+    #
+    # @param token [JWT] pre-parsed token to verify
+    # @return [Boolean]
+    def jwt_valid? token
+      validate_jwt token
+      true
+    rescue
+      false
+    end
+
+    # Validate a JWT.
+    #
+    # First checks whether algorithm is 'conjur.org/slosilo/v2' and the key id
+    # matches this key's fingerprint. Then verifies if the token is not expired,
+    # as indicated by the `exp` claim; in its absence tokens are assumed to
+    # expire in `iat` + 8 minutes.
+    #
+    # If those checks pass, finally the signature is verified.
+    #
+    # @raises TokenValidationError if any of the checks fail.
+    #
+    # @note It's the responsibility of the caller to examine other claims
+    # included in the token; consideration needs to be given to handling
+    # unrecognized claims.
+    #
+    # @param token [JWT] pre-parsed token to verify
+    def validate_jwt token
+      def err msg
+        raise Error::TokenValidationError, msg, caller
+      end
+
+      header = token.header
+      err 'unrecognized algorithm' unless header['alg'] == JWT_ALGORITHM
+      err 'mismatched key' if (kid = header['kid']) && kid != fingerprint
+      iat = Time.at token.claims['iat'] || err('unknown issuing time')
+      exp = Time.at token.claims['exp'] || (iat + DEFAULT_EXPIRATION)
+      err 'token expired' if exp <= Time.now
+      err 'invalid signature' unless verify_signature token.string_to_sign, token.signature
+      true
+    end
     
     def sign_string value
       salt = shake_salt

data/lib/slosilo/keystore.rb

@@ -59,15 +59,26 @@ module Slosilo
       keystore.any? { |k| k.token_valid? token }
     end
     
+    # Looks up the signer by public key fingerprint and checks the validity
+    # of the signature. If the token is JWT, exp and/or iat claims are also
+    # verified; the caller is responsible for validating any other claims.
     def token_signer token
-      key, id = keystore.get_by_fingerprint token['key']
+      begin
+        # see if maybe it's a JWT
+        token = JWT token
+        fingerprint = token.header['kid']
+      rescue ArgumentError
+        fingerprint = token['key']
+      end
+
+      key, id = keystore.get_by_fingerprint fingerprint
       if key && key.token_valid?(token)
         return id
       else
         return nil
       end
     end
-    
+
     attr_accessor :adapter
     
     private

data/lib/slosilo/version.rb

@@ -1,3 +1,3 @@
 module Slosilo
-  VERSION = "2.0.1"
+  VERSION = "2.1.1"
 end

data/publish-rubygem.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+docker pull registry.tld/conjurinc/publish-rubygem
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd
+
+summon --yaml "RUBYGEMS_API_KEY: !var rubygems/api-key" \
+  docker run --rm --env-file @SUMMONENVFILE -v "$(pwd)":/opt/src \
+  registry.tld/conjurinc/publish-rubygem slosilo
+
+docker run -i --rm -v $PWD:/src -w /src alpine/git clean -fxd

data/slosilo.gemspec

@@ -1,5 +1,12 @@
 # -*- encoding: utf-8 -*-
-require File.expand_path('../lib/slosilo/version', __FILE__)
+begin
+  require File.expand_path('../lib/slosilo/version', __FILE__)
+rescue LoadError
+  # so that bundle can be run without the app code
+  module Slosilo
+    VERSION = '0.0.0'
+  end
+end
 
 Gem::Specification.new do |gem|
   gem.authors       = ["Rafa\305\202 Rzepecki"]
@@ -24,4 +31,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'io-grab', '~> 0.0.1'
   gem.add_development_dependency 'sequel' # for sequel tests
   gem.add_development_dependency 'sqlite3' # for sequel tests
+  gem.add_development_dependency 'activesupport' # for convenience in specs
 end

data/spec/file_adapter_spec.rb

@@ -22,7 +22,7 @@ describe Slosilo::Adapters::FileAdapter do
     context "unacceptable id" do
       let(:id) { "foo.bar" }
       it "isn't accepted" do
-        expect { subject.put_key id, key }.to raise_error
+        expect { subject.put_key id, key }.to raise_error /id should not contain a period/
       end    
     end
     context "acceptable id" do

data/spec/jwt_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+
+# (Mostly) integration tests for JWT token format
+describe Slosilo::Key do
+  include_context "with example key"
+
+  describe '#issue_jwt' do
+    it 'issues an JWT token with given claims' do
+      allow(Time).to receive(:now) { DateTime.parse('2014-06-04 23:22:32 -0400').to_time }
+
+      tok = key.issue_jwt sub: 'host/example', cidr: %w(fec0::/64)
+
+      expect(tok).to be_frozen
+
+      expect(tok.header).to eq \
+        alg: 'conjur.org/slosilo/v2',
+        kid: key_fingerprint
+      expect(tok.claims).to eq \
+        iat: 1401938552,
+        sub: 'host/example',
+        cidr: ['fec0::/64']
+
+      expect(key.verify_signature tok.string_to_sign, tok.signature).to be_truthy
+    end
+  end
+end
+
+describe Slosilo::JWT do
+  context "with a signed token" do
+    let(:signature) { 'very signed, such alg' }
+    subject(:token) { Slosilo::JWT.new test: "token" }
+    before do
+      allow(Time).to receive(:now) { DateTime.parse('2014-06-04 23:22:32 -0400').to_time }
+      token.add_signature(alg: 'test-sig') { signature }
+    end
+
+    it 'allows conversion to JSON representation with #to_json' do
+      json = JSON.load token.to_json
+      expect(JSON.load Base64.urlsafe_decode64 json['protected']).to eq \
+          'alg' => 'test-sig'
+      expect(JSON.load Base64.urlsafe_decode64 json['payload']).to eq \
+          'iat' => 1401938552, 'test' => 'token'
+      expect(Base64.urlsafe_decode64 json['signature']).to eq signature
+    end
+
+    it 'allows conversion to compact representation with #to_s' do
+      h, c, s = token.to_s.split '.'
+      expect(JSON.load Base64.urlsafe_decode64 h).to eq \
+          'alg' => 'test-sig'
+      expect(JSON.load Base64.urlsafe_decode64 c).to eq \
+          'iat' => 1401938552, 'test' => 'token'
+      expect(Base64.urlsafe_decode64 s).to eq signature
+    end
+  end
+
+  describe '#to_json' do
+    it "passes any parameters" do
+      token = Slosilo::JWT.new
+      allow(token).to receive_messages \
+          header: :header,
+          claims: :claims,
+          signature: :signature
+      expect_any_instance_of(Hash).to receive(:to_json).with :testing
+      expect(token.to_json :testing)
+    end
+  end
+
+  describe '()' do
+    include_context "with example key"
+
+    it 'understands both serializations' do
+      [COMPACT_TOKEN, JSON_TOKEN].each do |token|
+        token = Slosilo::JWT token
+        expect(token.header).to eq \
+            'typ' => 'JWT',
+            'alg' => 'conjur.org/slosilo/v2',
+            'kid' => key_fingerprint
+        expect(token.claims).to eq \
+            'sub' => 'host/example',
+            'iat' => 1401938552,
+            'exp' => 1401938552 + 60*60,
+            'cidr' => ['fec0::/64']
+
+        expect(key.verify_signature token.string_to_sign, token.signature).to be_truthy
+      end
+    end
+
+    it 'is a noop if already parsed' do
+      token = Slosilo::JWT COMPACT_TOKEN
+      expect(Slosilo::JWT token).to eq token
+    end
+
+    it 'raises ArgumentError on failure to convert' do
+      expect { Slosilo::JWT "foo bar" }.to raise_error ArgumentError
+      expect { Slosilo::JWT elite: 31337 }.to raise_error ArgumentError
+      expect { Slosilo::JWT "foo.bar.xyzzy" }.to raise_error ArgumentError
+    end
+  end
+
+  COMPACT_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiJkMjhlM2EzNDdlMzY4NDE2YjMxMjlhNDBjMWI4ODdmZSJ9.eyJzdWIiOiJob3N0L2V4YW1wbGUiLCJpYXQiOjE0MDE5Mzg1NTIsImV4cCI6MTQwMTk0MjE1MiwiY2lkciI6WyJmZWMwOjovNjQiXX0=.cw9S8Oxu8BmvDgEotBlNiZoJNkAGDpvGIuhCCnG-nMq80dy0ECjC4xERYXHx3bcadEJ8jWfqDB90d7CGvJyepbMhC1hEdsb8xNWGkkqTvQOh33cnZiEJjjfbORpKnOpcc8QySmB9Eb_zKl5WaM6Sjm-uINJri3djuVo_n_S7I43YvKw7gbd5u2gVttgaWnqlnJoeXZnnmXSYH8_66Lr__BqO4tCedShQIf4gA0R_dljrzVSZtJsFTKvwuNOuCvBqO8dQkhp8vplOkKynDkdip-H2nDBQb9Y3bQ8K0NVtSJatBy-d1HvPHSwFZrH4K7P_J2OgJtw9GtckT43QasliXoibdk__Hyvy4HJIIM44rSm7JUuyZWl8e8svRqLujBP7".freeze
+
+  JSON_TOKEN = "{\"protected\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJjb25qdXIub3JnL3Nsb3NpbG8vdjIiLCJraWQiOiJkMjhlM2EzNDdlMzY4NDE2YjMxMjlhNDBjMWI4ODdmZSJ9\",\"payload\":\"eyJzdWIiOiJob3N0L2V4YW1wbGUiLCJpYXQiOjE0MDE5Mzg1NTIsImV4cCI6MTQwMTk0MjE1MiwiY2lkciI6WyJmZWMwOjovNjQiXX0=\",\"signature\":\"cw9S8Oxu8BmvDgEotBlNiZoJNkAGDpvGIuhCCnG-nMq80dy0ECjC4xERYXHx3bcadEJ8jWfqDB90d7CGvJyepbMhC1hEdsb8xNWGkkqTvQOh33cnZiEJjjfbORpKnOpcc8QySmB9Eb_zKl5WaM6Sjm-uINJri3djuVo_n_S7I43YvKw7gbd5u2gVttgaWnqlnJoeXZnnmXSYH8_66Lr__BqO4tCedShQIf4gA0R_dljrzVSZtJsFTKvwuNOuCvBqO8dQkhp8vplOkKynDkdip-H2nDBQb9Y3bQ8K0NVtSJatBy-d1HvPHSwFZrH4K7P_J2OgJtw9GtckT43QasliXoibdk__Hyvy4HJIIM44rSm7JUuyZWl8e8svRqLujBP7\"}".freeze
+end

data/spec/key_spec.rb

@@ -1,5 +1,8 @@
 require 'spec_helper'
 
+require 'active_support'
+require 'active_support/core_ext/numeric/time'
+
 describe Slosilo::Key do
   include_context "with example key"
   
@@ -120,7 +123,7 @@ describe Slosilo::Key do
     context "when given something else" do
       subject { Slosilo::Key.new "foo" }
       it "fails early" do
-        expect { subject }.to raise_error
+        expect { subject }.to raise_error ArgumentError
       end
     end
   end
@@ -175,7 +178,50 @@ describe Slosilo::Key do
     subject { key.signed_token data }
     it { is_expected.to eq(expected_token) }
   end
-  
+
+  describe "#validate_jwt" do
+    let(:token) do
+      instance_double Slosilo::JWT,
+          header: { 'alg' => 'conjur.org/slosilo/v2' },
+          claims: { 'iat' => Time.now.to_i },
+          string_to_sign: double("string to sign"),
+          signature: double("signature")
+    end
+
+    before do
+      allow(key).to receive(:verify_signature).with(token.string_to_sign, token.signature) { true }
+    end
+
+    it "verifies the signature" do
+      expect { key.validate_jwt token }.not_to raise_error
+    end
+
+    it "rejects unknown algorithm" do
+      token.header['alg'] = 'HS256' # we're not supporting standard algorithms
+      expect { key.validate_jwt token }.to raise_error /algorithm/
+    end
+
+    it "rejects bad signature" do
+      allow(key).to receive(:verify_signature).with(token.string_to_sign, token.signature) { false }
+      expect { key.validate_jwt token }.to raise_error /signature/
+    end
+
+    it "rejects expired token" do
+      token.claims['exp'] = 1.hour.ago.to_i
+      expect { key.validate_jwt token }.to raise_error /expired/
+    end
+
+    it "accepts unexpired token with implicit expiration" do
+      token.claims['iat'] = 5.minutes.ago
+      expect { key.validate_jwt token }.to_not raise_error
+    end
+
+    it "rejects token expired with implicit expiration" do
+      token.claims['iat'] = 10.minutes.ago.to_i
+      expect { key.validate_jwt token }.to raise_error /expired/
+    end
+  end
+
   describe "#token_valid?" do
     let(:data) { { "foo" => :bar } }
     let(:signature) { Base64::urlsafe_encode64 "\xB0\xCE{\x9FP\xEDV\x9C\xE7b\x8B[\xFAil\x87^\x96\x17Z\x97\x1D\xC2?B\x96\x9C\x8Ep-\xDF_\x8F\xC21\xD9^\xBC\n\x16\x04\x8DJ\xF6\xAF-\xEC\xAD\x03\xF9\xEE:\xDF\xB5\x8F\xF9\xF6\x81m\xAB\x9C\xAB1\x1E\x837\x8C\xFB\xA8P\xA8<\xEA\x1Dx\xCEd\xED\x84f\xA7\xB5t`\x96\xCC\x0F\xA9t\x8B\x9Fo\xBF\x92K\xFA\xFD\xC5?\x8F\xC68t\xBC\x9F\xDE\n$\xCA\xD2\x8F\x96\x0EtX2\x8Cl\x1E\x8Aa\r\x8D\xCAi\x86\x1A\xBD\x1D\xF7\xBC\x8561j\x91YlO\xFA(\x98\x10iq\xCC\xAF\x9BV\xC6\v\xBC\x10Xm\xCD\xFE\xAD=\xAA\x95,\xB4\xF7\xE8W\xB8\x83;\x81\x88\xE6\x01\xBA\xA5F\x91\x17\f\xCE\x80\x8E\v\x83\x9D<\x0E\x83\xF6\x8D\x03\xC0\xE8A\xD7\x90i\x1D\x030VA\x906D\x10\xA0\xDE\x12\xEF\x06M\xD8\x8B\xA9W\xC8\x9DTc\x8AJ\xA4\xC0\xD3!\xFA\x14\x89\xD1p\xB4J7\xA5\x04\xC2l\xDC8<\x04Y\xD8\xA4\xFB[\x89\xB1\xEC\xDA\xB8\xD7\xEA\x03Ja pinch of salt".force_encoding("ASCII-8BIT") }

data/spec/sequel_adapter_spec.rb

@@ -60,7 +60,7 @@ describe Slosilo::Adapters::SequelAdapter do
     let(:db) { Sequel.sqlite }
     before do
       allow(subject).to receive(:create_model).and_call_original
-      Sequel.cache_anonymous_models = false
+      Sequel::Model.cache_anonymous_models = false
       Sequel::Model.db = db
     end
   end

data/spec/slosilo_spec.rb

@@ -88,5 +88,37 @@ describe Slosilo do
         expect(subject.token_signer(token)).not_to be
       end
     end
+
+    context "with JWT token" do
+      before do
+        expect(key).to receive(:validate_jwt) do |jwt|
+          expect(jwt.header).to eq 'kid' => key.fingerprint
+          expect(jwt.claims).to eq({})
+          expect(jwt.signature).to eq 'sig'
+        end
+      end
+
+      it "accepts pre-parsed JSON serialization" do
+        expect(Slosilo.token_signer(
+          'protected' => 'eyJraWQiOiJkMjhlM2EzNDdlMzY4NDE2YjMxMjlhNDBjMWI4ODdmZSJ9',
+          'payload' => 'e30=',
+          'signature' => 'c2ln'
+        )).to eq 'test'
+      end
+
+      it "accepts pre-parsed JWT token" do
+        expect(Slosilo.token_signer(Slosilo::JWT(
+          'protected' => 'eyJraWQiOiJkMjhlM2EzNDdlMzY4NDE2YjMxMjlhNDBjMWI4ODdmZSJ9',
+          'payload' => 'e30=',
+          'signature' => 'c2ln'
+        ))).to eq 'test'
+      end
+
+      it "accepts compact serialization" do
+        expect(Slosilo.token_signer(
+          'eyJraWQiOiJkMjhlM2EzNDdlMzY4NDE2YjMxMjlhNDBjMWI4ODdmZSJ9.e30=.c2ln'
+        )).to eq 'test'
+      end
+    end
   end
 end

data/spec/symmetric_spec.rb

@@ -24,12 +24,12 @@ describe Slosilo::Symmetric do
     context "when the ciphertext has been messed with" do
       let(:ciphertext) {  "pwnd!" } # maybe we should do something more realistic like add some padding?
       it "raises an exception" do
-        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception
+        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception /Invalid version/
       end
       context "by adding a trailing 0" do
         let(:new_ciphertext){ ciphertext + '\0' }
         it "raises an exception" do
-          expect{ subject.decrypt(new_ciphertext, key: key, aad: auth_data) }.to raise_exception
+          expect{ subject.decrypt(new_ciphertext, key: key, aad: auth_data) }.to raise_exception /Invalid version/
         end
       end
     end
@@ -44,7 +44,7 @@ describe Slosilo::Symmetric do
 
       context "and the ciphertext has been messed with" do
         it "raises an exception" do
-          expect{ subject.decrypt(ciphertext + "\0\0\0", key: key, aad: auth_data)}.to raise_exception
+          expect{ subject.decrypt(ciphertext + "\0\0\0", key: key, aad: auth_data)}.to raise_exception OpenSSL::Cipher::CipherError
         end
       end
     end
@@ -52,7 +52,7 @@ describe Slosilo::Symmetric do
     context "when the auth data doesn't match" do
       let(:auth_data){ "asdf" }
       it "raises an exception" do
-        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception
+        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception OpenSSL::Cipher::CipherError
       end
     end
   end

data/test.sh

@@ -0,0 +1,25 @@
+#!/bin/bash -xe
+
+iid=slosilo-test-$(date +%s)
+
+docker build -t $iid -f - . << EOF
+  FROM ruby
+  WORKDIR /app
+  COPY Gemfile slosilo.gemspec ./
+  RUN bundle
+  COPY . ./
+  RUN bundle
+EOF
+
+cidfile=$(mktemp -u)
+docker run --cidfile $cidfile -v /app/spec/reports $iid bundle exec rake jenkins || :
+
+cid=$(cat $cidfile)
+
+docker cp $cid:/app/spec/reports spec/
+docker rm $cid
+
+# untag, will use cache next time if available but no junk will be left
+docker rmi $iid
+
+rm $cidfile

metadata

@@ -1,111 +1,125 @@
 --- !ruby/object:Gem::Specification
 name: slosilo
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.1.1
 platform: ruby
 authors:
 - Rafał Rzepecki
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-06-14 00:00:00.000000000 Z
+date: 2017-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: ci_reporter_rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: io-grab
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 0.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: 0.0.1
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: This gem provides an easy way of storing and retrieving encryption keys
@@ -116,10 +130,12 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .kateproject
+- ".dockerignore"
+- ".gitignore"
+- ".kateproject"
 - CHANGELOG.md
 - Gemfile
+- Jenkinsfile
 - LICENSE
 - README.md
 - Rakefile
@@ -132,15 +148,18 @@ files:
 - lib/slosilo/adapters/sequel_adapter/migration.rb
 - lib/slosilo/attr_encrypted.rb
 - lib/slosilo/errors.rb
+- lib/slosilo/jwt.rb
 - lib/slosilo/key.rb
 - lib/slosilo/keystore.rb
 - lib/slosilo/random.rb
 - lib/slosilo/symmetric.rb
 - lib/slosilo/version.rb
 - lib/tasks/slosilo.rake
+- publish-rubygem.sh
 - slosilo.gemspec
 - spec/encrypted_attributes_spec.rb
 - spec/file_adapter_spec.rb
+- spec/jwt_spec.rb
 - spec/key_spec.rb
 - spec/keystore_spec.rb
 - spec/random_spec.rb
@@ -148,6 +167,7 @@ files:
 - spec/slosilo_spec.rb
 - spec/spec_helper.rb
 - spec/symmetric_spec.rb
+- test.sh
 homepage: ''
 licenses:
 - MIT
@@ -158,23 +178,24 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14.1
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Store SSL keys in a database
 test_files:
 - spec/encrypted_attributes_spec.rb
 - spec/file_adapter_spec.rb
+- spec/jwt_spec.rb
 - spec/key_spec.rb
 - spec/keystore_spec.rb
 - spec/random_spec.rb
@@ -182,4 +203,3 @@ test_files:
 - spec/slosilo_spec.rb
 - spec/spec_helper.rb
 - spec/symmetric_spec.rb
-has_rdoc: