soar_authentication_token 4.0.1 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7a8624b1f055f6acb2b0389a91287c6da5e28226
-  data.tar.gz: a5a075c86334c09962bd1fa319ca735cc788722c
+  metadata.gz: a52f85114800057ab0311580dcaa924d9abb73cb
+  data.tar.gz: 147f69366980200dc8e695621a1884099ab3b3dd
 SHA512:
-  metadata.gz: 42becbe6549bf863769195ccb7e131d4f199573f41a436b5c504fc5f4b900a6a618e4544e59b2960f760583ab16309fae323738a5cb4e174a15a72ce9a249536
-  data.tar.gz: ae95a54d5d15d4c71bb7fd6455d1c1c58014b80296383520685f3dcbd3531d097c5e2cd0bc386443893588f323182affee4bcc170cc44561bb01f5928eb270fd
+  metadata.gz: 05a4b09349427a6dc587f0ec6c968ef3b25fbed863e801c5148f3ff98499dfb1950e01f17905778dfbf05641cc5361e3fb17b4efcb47915a5bcda6e3f2129699
+  data.tar.gz: 2d436a9426bbb03364391785061c30742c8d62b3283895629a2269017a1c37adfe5132f72f485bad54870f4ef332de9744d2b56a19067f8e1918a0546a4e2d4f

data/.gitignore

@@ -2,3 +2,5 @@ Gemfile.lock
 *.gem
 .byebug_history
 coverage
+validator_config.json
+generator_config.json

data/README.md

@@ -43,9 +43,9 @@ In this mode the StaticTokenValidator is configured with a list of preconfigured
 Run the rspec test tests using docker compose:
 
 ```bash
-docker-compose build --force-rm --no-cache
+export UID; docker-compose build --force-rm --no-cache
 docker-compose down
-docker-compose run --rm soar-authentication-token
+export UID; docker-compose run --rm soar-authentication-token
 docker-compose down
 ```
 
@@ -56,7 +56,7 @@ For test purposes this repo relies on various other repos with services.  This i
 ```bash
 git pull && git submodule foreach 'git fetch origin --tags; git checkout master; git pull'
 docker-compose down
-docker-compose build
+docker-compose build --force-rm --no-cache
 ```
 
 ## Usage
@@ -78,7 +78,7 @@ First step is to configure the middleware. Actually you are not configuring the
 
 ```ruby
 @iut_configuration = {
-  'provider' => 'RemoteTokenValidator',
+  'provider' => 'SoarAuthenticationToken::RemoteTokenValidator',
   'validator-url' => 'http://authentication-token-validator-service:9393/validate'
 }
 @iut = SoarAuthenticationToken::RackMiddleware.new(@test_app, @iut_configuration)
@@ -95,7 +95,7 @@ The class generates tokens or requests a token from a generator service as confi
 For remote token generation, configure as such:
 ```ruby
 @configuration_remote = {
-  'provider' => 'RemoteTokenGenerator',
+  'provider' => 'SoarAuthenticationToken::RemoteTokenGenerator',
   'generator-url' => 'http://authentication-token-generator-service:9393/generate',
   'generator-client-auth-token' => 'xxxx'
 }
@@ -106,7 +106,7 @@ For local token generation, configure as such:
 generator = SoarAuthenticationToken::KeypairGenerator.new
 private_key, public_key = generator.generate
 @configuration_local = {
-  'provider' => 'JwtTokenGenerator',
+  'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
   'private_key' => private_key
 }
 ```
@@ -132,7 +132,7 @@ The class validates tokens or requests validation of a token from a validation s
 For remote token validation, configure as such:
 ```ruby
 @configuration_remote = {
-  'provider' => 'RemoteTokenGenerator',
+  'provider' => 'SoarAuthenticationToken::RemoteTokenGenerator',
   'validator-url' => 'http://authentication-token-validator-service:9393/validate',
 }
 ```
@@ -142,7 +142,7 @@ For local token validation, configure as such:
 generator = SoarAuthenticationToken::KeypairGenerator.new
 private_key, public_key = generator.generate
 @configuration_local = {
-  'provider' => 'JwtTokenValidator',
+  'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
   'public_key' => public_key
 }
 ```

data/bin/rotate-configs

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+require "pathname"
+bin_file = Pathname.new(__FILE__).realpath
+$:.unshift File.expand_path("../../lib", bin_file)
+
+require 'soar_authentication_token'
+require 'thor'
+
+class RotateConfigCLI < Thor
+  desc "rotate [OPTIONS]", "rotate configurations"
+  option :generator_config_file,  :aliases => '-g',  :desc => 'Configuration file of the generator'
+  option :validator_config_file,  :aliases => '-v',  :desc => 'Configuration file of the validator'
+  def rotate
+    raise 'generator_config_file must be specified' unless options['generator_config_file']
+
+    rotator = SoarAuthenticationToken::ConfigRotator.new
+    rotator.rotate_json_config_files(generator_file_name: options['generator_config_file'],
+                                     validator_file_name: options['validator_config_file'])
+  end
+  default_task :rotate
+end
+
+RotateConfigCLI.start(ARGV)

data/docker-compose.yml

@@ -1,7 +1,8 @@
 version: '2.0'
 services:
   soar-authentication-token:
-    command: /bin/bash -c 'sleep 5; bundle exec rspec -cfd spec'
+    command: /bin/bash -c 'bundle exec rspec -cfd ./spec/'
+    user: $UID:$UID
     build: .
     image: soar-authentication-token
     volumes:

data/lib/soar_authentication_token.rb

@@ -7,6 +7,7 @@ require 'soar_authentication_token/providers/remote_token_generator'
 require 'soar_authentication_token/providers/remote_token_validator'
 require 'soar_authentication_token/providers/static_token_validator'
 require 'soar_authentication_token/keypair_generator'
+require 'soar_authentication_token/config_rotator'
 require 'soar_authentication_token/token_generator'
 require 'soar_authentication_token/token_validator'
 require 'soar_authentication_token/rack_middleware'

data/lib/soar_authentication_token/config_rotator.rb

@@ -0,0 +1,119 @@
+require 'json'
+
+module SoarAuthenticationToken
+  class ConfigRotator
+    attr_accessor :maximum_number_of_public_keys
+
+    def initialize
+      @maximum_number_of_public_keys = 3
+    end
+
+    def rotate_json_config_files(generator_file_name:, validator_file_name:)
+      generator_config = JSON.parse(File.read(generator_file_name))
+      validator_config = JSON.parse(File.read(validator_file_name))
+      generator_config, validator_config = rotate_configs(generator_config: generator_config,
+                                                          validator_config: validator_config)
+      File.open(generator_file_name,"w") do |f|
+        f.write(JSON.pretty_generate generator_config)
+        f.close
+      end
+      File.open(validator_file_name,"w") do |f|
+        f.write(JSON.pretty_generate validator_config)
+        f.close
+      end
+    end
+
+    def rotate_configs(generator_config:, validator_config:)
+      private_key, public_key = KeypairGenerator.new.generate
+      key_description = generate_keypair_description
+      updated_generator_config = rotate_generator_config(config: generator_config,new_private_key: private_key,new_key_description: key_description)
+      updated_validator_config = rotate_validator_config(config: validator_config,new_public_key:  public_key, new_key_description: key_description)
+      raise 'generated configuration does not match' unless configurations_match_and_valid?(generator_config: updated_generator_config,validator_config: updated_validator_config)
+      [updated_generator_config, updated_validator_config]
+    end
+
+    def rotate_generator_config(config: ,new_private_key: ,new_key_description:)
+      validate_generator_config(config)
+      new_config = config.dup
+      new_config['private_key'] = new_private_key
+      new_config['key_description'] = new_key_description
+      new_config
+    end
+
+    def rotate_validator_config(config: ,new_public_key: ,new_key_description:)
+      validate_validator_config(config)
+      new_config = config.dup
+      trim_public_keys(new_config)
+      new_config['keys'][new_key_description] = { 'public_key' => new_public_key }
+      new_config
+    end
+
+    def configurations_match_and_valid?(generator_config:,validator_config:)
+      validate_generator_config(generator_config)
+      validate_validator_config(validator_config)
+      test_token = generate_test_token(generator_config)
+      validate_test_token(validator_config,test_token)
+    end
+
+    private
+
+    def trim_public_keys(config)
+      traversed_keys = 0
+      config['keys'].sort.reverse_each do |key_name, key_data|
+        traversed_keys += 1
+        config['keys'].delete(key_name) if traversed_keys >= @maximum_number_of_public_keys
+      end
+    end
+
+    def generate_keypair_description
+      "KEYPAIR_#{Time.now.strftime("%Y%m%dT%H%M%S")}"
+    end
+
+    def generate_test_token(generator_config)
+      generator = SoarAuthenticationToken::TokenGenerator.new(generator_config)
+      generator.inject_store_provider(DummyStorageClient.new)
+      token, meta = generator.generate(authenticated_identifier: 'test')
+      token
+    end
+
+    def validate_test_token(validator_config,test_token)
+      validator = SoarAuthenticationToken::TokenValidator.new(validator_config)
+      validator.inject_store_provider(DummyStorageClient.new)
+      validity, meta, message = validator.validate(authentication_token: test_token)
+      validity
+    end
+
+    def validate_generator_config(config)
+      raise ArgumentError, 'private_key not in config' unless config['private_key']
+    end
+
+    def validate_validator_config(config)
+      raise ArgumentError, 'keys not in config' unless config['keys']
+    end
+  end
+
+
+  class DummyStorageClient
+    def initialize(configuration = {})
+    end
+    def store_failure(state = true)
+    end
+    def store_failure?
+      false
+    end
+    def add(token_identifier:, authenticated_identifier:, token_issue_time:, token_expiry_time:, flow_identifier: nil)
+    end
+    def remove(token_identifier:, flow_identifier: nil)
+      true
+    end
+    def token_exist?(token_identifier:, authenticated_identifier:, token_issue_time:, token_expiry_time:, flow_identifier: nil)
+      true
+    end
+    def remove_tokens_for(authenticated_identifier:, flow_identifier: nil)
+      true
+    end
+    def list_tokens_for(authenticated_identifier:, flow_identifier: nil)
+      nil
+    end
+  end
+end

data/lib/soar_authentication_token/providers/jwt_token_generator.rb

@@ -2,8 +2,6 @@ require 'soar_xt'
 require 'jwt'
 require 'securerandom'
 require 'time'
-require 'json'
-require 'authenticated_client'
 
 module SoarAuthenticationToken
   class JwtTokenGenerator
@@ -13,7 +11,7 @@ module SoarAuthenticationToken
 
     def initialize(configuration)
       @configuration = merge_with_default_configuration(configuration)
-      validate_local_mode_configuration
+      validate_configuration
       @private_key = OpenSSL::PKey::EC.new(@configuration['private_key'])
     end
 
@@ -43,9 +41,9 @@ module SoarAuthenticationToken
       JWT.encode(meta, @private_key, 'ES512')
     end
 
-    def validate_local_mode_configuration
-      raise "'private_key' must be configured in local mode" unless @configuration['private_key']
-      raise "'expiry' must be configured in local mode" unless @configuration['expiry']
+    def validate_configuration
+      raise "'private_key' must be configured" unless @configuration['private_key']
+      raise "'expiry' must be configured" unless @configuration['expiry']
       raise "'expiry' must be an integer" unless Integer(@configuration['expiry'])
     end
 

data/lib/soar_authentication_token/providers/jwt_token_validator.rb

@@ -1,5 +1,4 @@
 require 'jwt'
-require 'authenticated_client'
 
 module SoarAuthenticationToken
   class JwtTokenValidator
@@ -7,8 +6,6 @@ module SoarAuthenticationToken
       @configuration = configuration
       set_configuration_defaults
       validate_configuration
-      @public_key = OpenSSL::PKey::EC.new(@configuration['public_key'])
-      @public_key.private_key = nil
     end
 
     def inject_store_provider(store_provider)
@@ -16,12 +13,12 @@ module SoarAuthenticationToken
     end
 
     def validate(authentication_token:,flow_identifier: nil)
-      meta = decode_token_meta(authentication_token)
+      decoded_token_payload = decode(authentication_token)
+      return rejection_result(reason: 'Token decode/verification failure') if decoded_token_payload.nil?
+      meta = compile_meta_from_payload(decoded_token_payload)
       return rejection_result(reason: "Expired token <#{meta['token_expiry_time']}> for <#{meta['authenticated_identifier']}>") if token_expired?(meta)
       return rejection_result(reason: "Unknown token for <#{meta['authenticated_identifier']}>") unless token_exist_in_store?(meta,flow_identifier)
       success_result(token_meta: meta)
-    rescue JWT::VerificationError, JWT::DecodeError
-      rejection_result(reason: 'Token decode/verification failure')
     end
 
     private
@@ -30,24 +27,13 @@ module SoarAuthenticationToken
       @configuration['expiry'] ||= 86400
     end
 
-    def decode_token_meta(authentication_token)
-      decoded_token_payload = decode(authentication_token)
-      compile_meta(token_identifier:         decoded_token_payload[0]['token_identifier'],
-                   authenticated_identifier: decoded_token_payload[0]['authenticated_identifier'],
-                   token_issue_time:         decoded_token_payload[0]['token_issue_time'],
-                   token_expiry_time:        decoded_token_payload[0]['token_expiry_time'])
-    end
-
-    def compile_meta(token_identifier:,
-                     authenticated_identifier:,
-                     token_issue_time:,
-                     token_expiry_time:)
+    def compile_meta_from_payload(decoded_token_payload)
       {
-        'token_identifier' =>         token_identifier,
-        'authenticated_identifier' => authenticated_identifier,
-        'token_issue_time' =>         token_issue_time,
-        'token_expiry_time' =>        token_expiry_time,
-        'token_age' =>                token_age(token_issue_time)
+        'token_identifier' =>         decoded_token_payload[0]['token_identifier'],
+        'authenticated_identifier' => decoded_token_payload[0]['authenticated_identifier'],
+        'token_issue_time' =>         decoded_token_payload[0]['token_issue_time'],
+        'token_expiry_time' =>        decoded_token_payload[0]['token_expiry_time'],
+        'token_age' =>                token_age(decoded_token_payload[0]['token_issue_time'])
       }
     end
 
@@ -56,13 +42,25 @@ module SoarAuthenticationToken
     end
 
     def validate_configuration
-      raise "'public_key' must be configured in local mode" unless @configuration['public_key']
-      raise "'expiry' must be configured in local mode" unless @configuration['expiry']
+      raise "'keys' must be configured" unless @configuration['keys']
+      raise "'expiry' must be configured" unless @configuration['expiry']
       raise "'expiry' must be an integer" unless Integer(@configuration['expiry'])
     end
 
     def decode(authentication_token)
-      JWT.decode(authentication_token, @public_key, true, { :algorithm => 'ES512' })
+      @configuration['keys'].sort.reverse_each do |key_name, key_data|
+        payload = attempt_decode_using_a_key(authentication_token,key_data)
+        return payload if payload
+      end
+      nil
+    end
+
+    def attempt_decode_using_a_key(authentication_token,key_data)
+      public_key = OpenSSL::PKey::EC.new(key_data['public_key'])
+      public_key.private_key = nil
+      JWT.decode(authentication_token, public_key, true, { :algorithm => 'ES512' })
+    rescue JWT::VerificationError, JWT::DecodeError
+      nil
     end
 
     def token_expired?(meta)

data/lib/soar_authentication_token/token_validator.rb

@@ -18,7 +18,7 @@ module SoarAuthenticationToken
     private
 
     def instantiate_provider
-      @provider = Object::const_get("SoarAuthenticationToken::#{@configuration['provider']}").new(@configuration)
+      @provider = Object::const_get(@configuration['provider']).new(@configuration)
     end
 
     def validate_configuration

data/lib/soar_authentication_token/version.rb

@@ -1,3 +1,3 @@
 module SoarAuthenticationToken
-  VERSION = '4.0.1'
+  VERSION = '5.0.0'
 end

data/spec/config_rotator_spec.rb

@@ -0,0 +1,283 @@
+require 'spec_helper'
+
+describe SoarAuthenticationToken::ConfigRotator do
+  subject { SoarAuthenticationToken::ConfigRotator.new }
+
+  before :all do
+    keypair_generator = SoarAuthenticationToken::KeypairGenerator.new
+    @private_key_1, @public_key_1 = keypair_generator.generate
+    @private_key_2, @public_key_2 = keypair_generator.generate
+    @private_key_3, @public_key_3 = keypair_generator.generate
+    @private_key_4, @public_key_4 = keypair_generator.generate
+
+    @valid_validator_config = {
+      'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
+      'keys' => {
+        'KEYPAIR_20160107T230101' => { 'public_key' => @public_key_1 },
+        'KEYPAIR_20160107T230201' => { 'public_key' => @public_key_2 },
+        'KEYPAIR_20160107T230301' => { 'public_key' => @public_key_3 }
+      }
+    }
+    @valid_generator_config = {
+      'provider' => 'SoarAuthenticationToken::JwtTokenGenerator',
+      'private_key' => @private_key_3,
+      'key_description' => 'original key'
+    }
+  end
+
+  it 'has a version number' do
+    expect(SoarAuthenticationToken::VERSION).not_to be nil
+  end
+
+  context "when trimming public keys in the validator configuration to one less than maximum allowed" do
+
+    context "with key list containing no keys" do
+      let!(:validator_configuration) {
+        {
+          'keys' => { }
+        }
+      }
+      it 'the resulting list is kept intact with no keys' do
+        test_configuration = validator_configuration.dup
+        subject.send(:trim_public_keys, test_configuration)
+        expect(test_configuration).to eq(
+                {
+                  'keys' => { }
+                })
+      end
+    end
+
+    context "with key list containing lower than maximum allowed number of keys" do
+      let!(:validator_configuration) {
+        {
+          'keys' => {
+            'KEYPAIR_20160107T230001' => [],
+            'KEYPAIR_20160107T230101' => []
+          }
+        }
+      }
+      it 'the resulting list is kept intact' do
+        test_configuration = validator_configuration.dup
+        subject.send(:trim_public_keys, test_configuration)
+        expect(test_configuration).to eq(        {
+                  'keys' => {
+                    'KEYPAIR_20160107T230001' => [],
+                    'KEYPAIR_20160107T230101' => []
+                  }
+                })
+      end
+    end
+
+    context "with key list containing the maximum allowed number of keys" do
+      let!(:validator_configuration) {
+        {
+          'keys' => {
+            'KEYPAIR_20160107T230001' => [],
+            'KEYPAIR_20160107T230101' => [],
+            'KEYPAIR_20160107T230201' => []
+          }
+        }
+      }
+      it 'the key named with the lowest string value (ordered alphabetically) is removed' do
+        test_configuration = validator_configuration.dup
+        subject.send(:trim_public_keys, test_configuration)
+        expect(test_configuration).to eq(        {
+                  'keys' => {
+                    'KEYPAIR_20160107T230101' => [],
+                    'KEYPAIR_20160107T230201' => []
+                  }
+                })
+      end
+    end
+
+    context "with key list containing more than the maximum allowed number of keys" do
+      let!(:validator_configuration) {
+        {
+          'keys' => {
+            'KEYPAIR_20160107T230001' => [],
+            'KEYPAIR_20160107T230401' => [],
+            'KEYPAIR_20160107T230201' => [],
+            'KEYPAIR_20160107T230101' => []
+          }
+        }
+      }
+      it 'the keys named with the lowest string values (ordered alphabetically) is removed until the it contains one less than the maximum allowed' do
+        test_configuration = validator_configuration.dup
+        subject.send(:trim_public_keys, test_configuration)
+        expect(test_configuration).to eq(        {
+                  'keys' => {
+                    'KEYPAIR_20160107T230201' => [],
+                    'KEYPAIR_20160107T230401' => []
+                  }
+                })
+      end
+    end
+  end
+
+  context "when rotating key pairs" do
+    context "with invalid generator configuration in a json formated file" do
+      let!(:validator_config_file_name) {
+        filename = "validator_config.json"
+        File.open(filename,"w") do |f|
+          f.write(@valid_validator_config.to_json)
+        end
+        filename
+      }
+      let!(:generator_config_file_name) {
+        filename = "generator_config.json"
+        File.open(filename,"w") do |f|
+          f.write({}.to_json) #Empty hash is an Invalid hash
+        end
+        filename
+      }
+      it 'raises an error indicating the generator configuration is invalid' do
+        expect { subject.rotate_json_config_files(generator_file_name: generator_config_file_name,
+                                                  validator_file_name: validator_config_file_name)
+               }.to raise_error(ArgumentError, /private_key not in config/)
+      end
+    end
+
+    context "with invalid validator configuration in a json formated file" do
+      let!(:validator_config_file_name) {
+        filename = "validator_config.json"
+        File.open(filename,"w") do |f|
+          f.write({}.to_json)  #Empty hash is an invalid hash
+        end
+        filename
+      }
+      let!(:generator_config_file_name) {
+        filename = "generator_config.json"
+        File.open(filename,"w") do |f|
+          f.write(@valid_generator_config.to_json)
+        end
+        filename
+      }
+      it 'raises an error indicating the validator configuration is invalid' do
+        expect { subject.rotate_json_config_files(generator_file_name: generator_config_file_name,
+                                                  validator_file_name: validator_config_file_name)
+               }.to raise_error(ArgumentError, /keys not in config/)
+      end
+    end
+
+    context "with valid generator/validator configurations in a json formated file" do
+      let!(:validator_config_file_name) {
+        filename = "validator_config.json"
+        File.open(filename,"w") do |f|
+          f.write(@valid_validator_config.to_json)
+        end
+        filename
+      }
+      let!(:generator_config_file_name) {
+        filename = "generator_config.json"
+        File.open(filename,"w") do |f|
+          f.write(@valid_generator_config.to_json)
+        end
+        filename
+      }
+      it 'replaces the newly generated private key to the generator configuration' do
+        subject.rotate_json_config_files(generator_file_name: generator_config_file_name,
+                                         validator_file_name: validator_config_file_name)
+        generator_config = JSON.parse(File.read(generator_config_file_name))
+        expect(generator_config['private_key']).to_not eq(@valid_generator_config['private_key'])
+      end
+
+      it 'adds the newly generated public key to the validator configuration' do
+        subject.rotate_json_config_files(generator_file_name: generator_config_file_name,
+                                         validator_file_name: validator_config_file_name)
+        generator_config = JSON.parse(File.read(generator_config_file_name))
+        validator_config = JSON.parse(File.read(validator_config_file_name))
+        expect(validator_config['keys'][generator_config['key_description']]).to_not be nil
+      end
+
+      it 'removes the oldest public key from the validator configuration in keeping with maximum number of keys' do
+        subject.rotate_json_config_files(generator_file_name: generator_config_file_name,
+                                         validator_file_name: validator_config_file_name)
+        generator_config = JSON.parse(File.read(generator_config_file_name))
+        validator_config = JSON.parse(File.read(validator_config_file_name))
+        expect(validator_config['keys'].size).to be 3
+      end
+    end
+  end
+
+  context "when confirming that configurations are valid" do
+    context "given validator (with single public key) configuration that includes generator key" do
+      let!(:validator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
+        'keys' => {
+          'KEYPAIR_20160107T230101' => { 'public_key' => @public_key_1 }
+        }
+      }}
+      let!(:generator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenGenerator',
+        'private_key' => @private_key_1,
+        'key_description' => 'original key'
+      }}
+      it 'responds that the configuration combination is valid' do
+        valid = subject.configurations_match_and_valid?(generator_config: generator_config,
+                                                        validator_config: validator_config)
+        expect(valid).to be true
+      end
+    end
+
+    context "given validator (with single public key) configuration that does not include generator key" do
+      let!(:validator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
+        'keys' => {
+          'KEYPAIR_20160107T230101' => { 'public_key' => @public_key_1 }
+        }
+      }}
+      let!(:generator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenGenerator',
+        'private_key' => @private_key_2,
+        'key_description' => 'original key'
+      }}
+      it 'responds that the configuration combination is not valid' do
+        valid = subject.configurations_match_and_valid?(generator_config: generator_config,
+                                                        validator_config: validator_config)
+        expect(valid).to be false
+      end
+    end
+
+    context "given validator (with multiple public keys) configuration that include generator key" do
+      let!(:validator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
+        'keys' => {
+          'KEYPAIR_20160107T230101' => { 'public_key' => @public_key_1 },
+          'KEYPAIR_20160107T230201' => { 'public_key' => @public_key_2 },
+          'KEYPAIR_20160107T230301' => { 'public_key' => @public_key_3 },
+        }
+      }}
+      let!(:generator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenGenerator',
+        'private_key' => @private_key_2,
+        'key_description' => 'original key'
+      }}
+      it 'responds that the configuration combination is valid' do
+        valid = subject.configurations_match_and_valid?(generator_config: generator_config,
+                                                        validator_config: validator_config)
+        expect(valid).to be true
+      end
+    end
+
+    context "given validator (with multiple public keys) configuration that does not include generator key" do
+      let!(:validator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenValidator',
+        'keys' => {
+          'KEYPAIR_20160107T230101' => { 'public_key' => @public_key_1 },
+          'KEYPAIR_20160107T230201' => { 'public_key' => @public_key_2 },
+          'KEYPAIR_20160107T230301' => { 'public_key' => @public_key_3 },
+        }
+      }}
+      let!(:generator_config) {{
+        'provider' => 'SoarAuthenticationToken::JwtTokenGenerator',
+        'private_key' => @private_key_4,
+        'key_description' => 'original key'
+      }}
+      it 'responds that the configuration combination is not valid' do
+        valid = subject.configurations_match_and_valid?(generator_config: generator_config,
+                                                        validator_config: validator_config)
+        expect(valid).to be false
+      end
+    end
+  end
+end