RubyGems - standard_singpass - Versions diffs - 0.1.0 - Mend

standard_singpass 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +33 -0
data/MIT-LICENSE +20 -0
data/README.md +116 -0
data/Rakefile +8 -0
data/fixtures/myinfo-personas.json +250 -0
data/lib/generators/standard_singpass/install/install_generator.rb +45 -0
data/lib/generators/standard_singpass/install/templates/initializer.rb.erb +57 -0
data/lib/standard_singpass/engine.rb +17 -0
data/lib/standard_singpass/myinfo/client.rb +429 -0
data/lib/standard_singpass/myinfo/configuration.rb +233 -0
data/lib/standard_singpass/myinfo/ecdh_jwe.rb +350 -0
data/lib/standard_singpass/myinfo/error.rb +14 -0
data/lib/standard_singpass/myinfo/jwks_generator.rb +116 -0
data/lib/standard_singpass/myinfo/person_data_parser.rb +356 -0
data/lib/standard_singpass/myinfo/security.rb +186 -0
data/lib/standard_singpass/myinfo/test_personas.rb +47 -0
data/lib/standard_singpass/myinfo.rb +78 -0
data/lib/standard_singpass/version.rb +3 -0
data/lib/standard_singpass.rb +6 -0
data/lib/tasks/standard_singpass.rake +71 -0
metadata +179 -0

data/lib/tasks/standard_singpass.rake ADDED Viewed

@@ -0,0 +1,71 @@
+# typed: false
+# Singpass MyInfo operational tasks.
+#
+# These run on a trusted local machine — never CI, never a shared shell.
+# The output of `generate_jwks` contains private key material.
+#
+#   bin/rails standard_singpass:myinfo:generate_jwks
+#   bin/rails 'standard_singpass:myinfo:generate_jwks[my-sig-2,my-enc-2]'
+#   bin/rails 'standard_singpass:myinfo:validate_jwks[path/to/private-jwks.json]'
+#   cat private-jwks.json | bin/rails standard_singpass:myinfo:validate_jwks
+namespace :standard_singpass do
+  namespace :myinfo do
+    desc "Generate a fresh MyInfo private JWKS (sig + enc, EC P-256). JSON to stdout, narrative to stderr."
+    task :generate_jwks, [:sig_kid, :enc_kid] => :environment do |_, args|
+      sig_kid = args[:sig_kid].presence || "singpass-sig-#{Date.current.strftime('%Y%m%d')}"
+      enc_kid = args[:enc_kid].presence || "singpass-enc-#{Date.current.strftime('%Y%m%d')}"
+      jwks = StandardSingpass::Myinfo::JwksGenerator.generate(sig_kid:, enc_kid:)
+      # Narrative on stderr so `> private-jwks.json` captures clean JSON.
+      warn ""
+      warn "Generated MYINFO private JWKS:"
+      jwks[:keys].each do |k|
+        warn "  kid=#{k[:kid]}  use=#{k[:use]}  alg=#{k[:alg]}  crv=#{k[:crv]}  has_d=true"
+      end
+      warn ""
+      warn "Next steps:"
+      warn "  1. Store the JSON below in your secret manager (e.g. 1Password)."
+      warn "  2. Paste into the env var your host uses to populate"
+      warn "     StandardSingpass::Myinfo.configure { |c| c.private_jwks_json = ... }"
+      warn "     (mark as Secret/Encrypted; do not shell-escape, paste raw)."
+      warn "  3. After redeploy, confirm your public JWKS endpoint shows the same"
+      warn "     kids with NO 'd' field."
+      warn ""
+      puts JSON.generate(jwks)
+    end
+    desc "Validate a MyInfo private JWKS payload. Catches the public-only-key trap before paste."
+    task :validate_jwks, [:path] => :environment do |_, args|
+      raw = if args[:path].present?
+        File.read(args[:path])
+      elsif !$stdin.tty?
+        $stdin.read
+      else
+        abort "Provide a path or pipe JSON:\n" \
+              "  bin/rails 'standard_singpass:myinfo:validate_jwks[path/to/jwks.json]'\n" \
+              "  cat private-jwks.json | bin/rails standard_singpass:myinfo:validate_jwks"
+      end
+      begin
+        jwks = JSON.parse(raw)
+      rescue JSON::ParserError => e
+        abort "Not valid JSON: #{e.message}"
+      end
+      issues = StandardSingpass::Myinfo::JwksGenerator.validate(jwks)
+      if issues.empty?
+        key_count = (jwks["keys"] || []).size
+        warn "OK — JWKS validates: #{key_count} keys, all private (have 'd'), all EC P-256, alg matches use."
+      else
+        warn "JWKS validation FAILED — #{issues.size} issue(s):"
+        issues.each { |i| warn "  - #{i}" }
+        exit 1
+      end
+    end
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,179 @@
+--- !ruby/object:Gem::Specification
+name: standard_singpass
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jaryl Sim
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: aes_key_wrap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: sorbet-runtime
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+- !ruby/object:Gem::Dependency
+  name: sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+- !ruby/object:Gem::Dependency
+  name: tapioca
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.16'
+description: StandardSingpass packages the FAPI 2.0 OAuth client, DPoP/PKCE primitives,
+  native ECDH-ES JWE decryption, and person-data parser needed to integrate with Singpass
+  MyInfo. Designed as a reusable Rails engine; the host owns persistence, orchestration,
+  and UI.
+email:
+- code@jaryl.dev
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- MIT-LICENSE
+- README.md
+- Rakefile
+- fixtures/myinfo-personas.json
+- lib/generators/standard_singpass/install/install_generator.rb
+- lib/generators/standard_singpass/install/templates/initializer.rb.erb
+- lib/standard_singpass.rb
+- lib/standard_singpass/engine.rb
+- lib/standard_singpass/myinfo.rb
+- lib/standard_singpass/myinfo/client.rb
+- lib/standard_singpass/myinfo/configuration.rb
+- lib/standard_singpass/myinfo/ecdh_jwe.rb
+- lib/standard_singpass/myinfo/error.rb
+- lib/standard_singpass/myinfo/jwks_generator.rb
+- lib/standard_singpass/myinfo/person_data_parser.rb
+- lib/standard_singpass/myinfo/security.rb
+- lib/standard_singpass/myinfo/test_personas.rb
+- lib/standard_singpass/version.rb
+- lib/tasks/standard_singpass.rake
+homepage: https://github.com/rarebit-one/standard_singpass
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/rarebit-one/standard_singpass
+  source_code_uri: https://github.com/rarebit-one/standard_singpass
+  changelog_uri: https://github.com/rarebit-one/standard_singpass/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/rarebit-one/standard_singpass/issues
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '4.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.10
+specification_version: 4
+summary: Singpass MyInfo (and future Singpass Sign-In) client for Rails apps.
+test_files: []