RubyGems - udap_security_test_kit - Versions diffs - 0.9.1 → 0.10.0 - Mend

udap_security_test_kit 0.9.1 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd4ceb272702d0780afe146810e40fc77f93e14fec1853720ab1c9e34157fda3
-  data.tar.gz: c033bcacedebeb7700434a9aa721ab29f65556bba8303136a0372e234be94092
+  metadata.gz: be592aff3162a459764f09b857cf2d786e141b8a46698f061db3ac4aa682d92e
+  data.tar.gz: 64288629f38cd38f6021fc67c043810a13f8011428e8300ff586babea2ea3b46
 SHA512:
-  metadata.gz: 05dddcf0581db8eeec609d5d03ebecc23f410022e51ef886aa20c472ca394b9401e69cde3b8c503989c2ccad3c90ffd5cbdd7f6607b63fe178ab06dd54f0036f
-  data.tar.gz: 8a0ebd05c1cdda66fe262ff2486dc0c0ccc1740cc0f9864dd2dcc4f11da4560dfe85269a00ac98b2e6d131ac8ba472a0c9c485ae84c142f08b2cbb0057cb26a7
+  metadata.gz: da5963362a0b8f9151bf8419461da4f465590e9a58283eb4a67a0ad310d8d3242dfd5a3f25314ee710277e17b4cd67dad00b2a9b5f4aca333f9e9db47eec2161
+  data.tar.gz: 1c9ce32de1da555027de8b1b01db398e93b7397a87270de3fcb02a36b54eb0da8398f84a8d467d91239c694cb20c6a7bc1134ebd91d463134b931546e429d99b

data/lib/udap_security_test_kit/authorization_code_authentication_group.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module UDAPSecurityTestKit
          config: {
            requests: {
              token_exchange: {
-               name: :authorization_code_token_exchange
+               name: :udap_auth_code_flow_token_exchange
              }
            }
          }
@@ -28,7 +28,21 @@ module UDAPSecurityTestKit
          config: {
            inputs: {
              token_response_body: {
-               name: :authorization_code_token_response_body
+               name: :udap_auth_code_flow_token_exchange_response_body
+             }
+           },
+           outputs: {
+             udap_access_token: {
+               name: :udap_auth_code_flow_access_token
+             },
+             udap_expires_in: {
+               name: :udap_auth_code_flow_expires_in
+             },
+             udap_received_scopes: {
+               name: :udap_auth_code_flow_received_scopes
+             },
+             udap_refresh_token: {
+               name: :udap_auth_code_flow_refresh_token
              }
            }
          }
@@ -36,7 +50,7 @@ module UDAPSecurityTestKit
          config: {
            requests: {
              token_exchange: {
-               name: :authorization_code_token_exchange
+               name: :udap_auth_code_flow_token_exchange
              }
            }
          }

data/lib/udap_security_test_kit/authorization_code_group.rb CHANGED Viewed

@@ -45,24 +45,24 @@ module UDAPSecurityTestKit
           config: {
             inputs: {
               udap_registration_grant_type: {
-                name: :reg_grant_type_auth_code,
+                name: :udap_auth_code_flow_registration_grant_type,
                 default: 'authorization_code',
                 locked: true
               },
               udap_client_cert_pem: {
-                name: :udap_client_cert_pem_auth_code_flow,
+                name: :udap_auth_code_flow_client_cert_pem,
                 title: 'Authorization Code Client Certificate(s) (PEM Format)'
               },
               udap_client_private_key_pem: {
-                name: :udap_client_private_key_auth_code_flow,
+                name: :udap_auth_code_flow_client_private_key,
                 title: 'Authorization Code Client Private Key (PEM Format)'
               },
               udap_cert_iss: {
-                name: :udap_cert_iss_auth_code_flow,
+                name: :udap_auth_code_flow_cert_iss,
                 title: 'Authorization Code JWT Issuer (iss) Claim'
               },
               udap_registration_requested_scope: {
-                name: :udap_registration_scope_auth_code_flow,
+                name: :udap_auth_code_flow_registration_scope,
                 title: 'Authorization Code Registration Requested Scope(s)',
                 description: %(
                   String containing a space delimited list of scopes requested by the client application for use in
@@ -72,29 +72,29 @@ module UDAPSecurityTestKit
                 )
               },
               udap_registration_certifications: {
-                name: :udap_registration_certifications_auth_code_flow,
+                name: :udap_auth_code_flow_registration_certifications,
                 title: 'Authorization Code UDAP Registration Certifications'
               }
             },
             outputs: {
               udap_client_cert_pem: {
-                name: :udap_client_cert_pem_auth_code_flow
+                name: :udap_auth_code_flow_client_cert_pem
               },
               udap_client_private_key_pem: {
-                name: :udap_client_private_key_auth_code_flow
+                name: :udap_auth_code_flow_client_private_key
               },
               udap_cert_iss: {
-                name: :udap_cert_iss_auth_code_flow
+                name: :udap_auth_code_flow_cert_iss
               }
             }
           } do
       input_order :udap_registration_endpoint,
-                  :reg_grant_type_auth_code,
-                  :udap_client_cert_pem_auth_code_flow,
-                  :udap_client_private_key_auth_code_flow,
-                  :udap_cert_iss_auth_code_flow,
-                  :udap_registration_scope_auth_code_flow,
-                  :udap_jwt_signing_alg, :udap_registration_certifications_auth_code_flow
+                  :udap_auth_code_flow_registration_grant_type,
+                  :udap_auth_code_flow_client_cert_pem,
+                  :udap_auth_code_flow_client_private_key,
+                  :udap_auth_code_flow_cert_iss,
+                  :udap_auth_code_flow_registration_scope,
+                  :udap_jwt_signing_alg, :udap_auth_code_flow_registration_certifications
     end
     group from: :udap_authorization_code_authentication_group,

data/lib/udap_security_test_kit/authorization_code_token_exchange_test.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module UDAPSecurityTestKit
           title: 'Token Endpoint',
           description: 'The full URL from which Inferno will request an access token'
-    input :udap_client_cert_pem_auth_code_flow,
+    input :udap_auth_code_flow_client_cert_pem,
           title: 'X.509 Client Certificate (PEM Format)',
           type: 'textarea',
           description: %(
@@ -34,7 +34,7 @@ module UDAPSecurityTestKit
             authorization server under test.
           )
-    input :udap_client_private_key_auth_code_flow,
+    input :udap_auth_code_flow_client_private_key,
           type: 'textarea',
           title: 'Client Private Key (PEM Format)',
           description: 'The private key corresponding to the X.509 client certificate'
@@ -57,8 +57,9 @@ module UDAPSecurityTestKit
           default: 'RS256',
           locked: true
-    output :token_retrieval_time
-    output :authorization_code_token_response_body
+    output :udap_auth_code_flow_token_retrieval_time,
+           :udap_auth_code_flow_token_exchange_response_body
     makes_request :token_exchange
     config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
@@ -70,11 +71,11 @@ module UDAPSecurityTestKit
         nil
       )
-      x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_client_cert_pem_auth_code_flow)
+      x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_auth_code_flow_client_cert_pem)
       client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
         client_assertion_payload,
-        udap_client_private_key_auth_code_flow,
+        udap_auth_code_flow_client_private_key,
         udap_jwt_signing_alg,
         x5c_certs
       )
@@ -95,9 +96,9 @@ module UDAPSecurityTestKit
       assert_response_status(200)
       assert_valid_json(request.response_body)
-      output token_retrieval_time: Time.now.iso8601
+      output udap_auth_code_flow_token_retrieval_time: Time.now.iso8601
-      output authorization_code_token_response_body: request.response_body
+      output udap_auth_code_flow_token_exchange_response_body: request.response_body
     end
   end
 end

data/lib/udap_security_test_kit/client_credentials_authentication_group.rb CHANGED Viewed

@@ -16,7 +16,7 @@ module UDAPSecurityTestKit
          config: {
            requests: {
              token_exchange: {
-               name: :client_credentials_token_exchange
+               name: :udap_client_credentials_flow_token_exchange
              }
            }
          }
@@ -24,7 +24,21 @@ module UDAPSecurityTestKit
          config: {
            inputs: {
              token_response_body: {
-               name: :client_credentials_token_response_body
+               name: :udap_client_credentials_flow_token_exchange_response_body
+             }
+           },
+           outputs: {
+             udap_access_token: {
+               name: :udap_client_credentials_flow_access_token
+             },
+             udap_expires_in: {
+               name: :udap_client_credentials_flow_expires_in
+             },
+             udap_received_scopes: {
+               name: :udap_client_credentials_flow_received_scopes
+             },
+             udap_refresh_token: {
+               name: :udap_client_credentials_flow_refresh_token
              }
            }
          }
@@ -32,7 +46,7 @@ module UDAPSecurityTestKit
          config: {
            requests: {
              token_exchange: {
-               name: :client_credentials_token_exchange
+               name: :udap_client_credentials_flow_token_exchange
              }
            }
          }

data/lib/udap_security_test_kit/client_credentials_group.rb CHANGED Viewed

@@ -47,16 +47,16 @@ module UDAPSecurityTestKit
           config: {
             inputs: {
               udap_registration_grant_type: {
-                name: :reg_grant_type_client_creds,
+                name: :udap_client_credentials_flow_registration_grant_type,
                 default: 'client_credentials',
                 locked: true
               },
               udap_client_cert_pem: {
-                name: :udap_client_cert_pem_client_creds_flow,
+                name: :udap_client_credentials_flow_client_cert_pem,
                 title: 'Client Credentials Client Certificate(s) (PEM Format)'
               },
               udap_client_private_key_pem: {
-                name: :udap_client_private_key_client_creds_flow,
+                name: :udap_client_credentials_flow_client_private_key,
                 title: 'Client Credentials Client Private Key (PEM Format)'
               },
               udap_cert_iss: {
@@ -64,7 +64,7 @@ module UDAPSecurityTestKit
                 title: 'Client Credentials JWT Issuer (iss) Claim'
               },
               udap_registration_requested_scope: {
-                name: :udap_registration_scope_client_creds_flow,
+                name: :udap_client_credentials_flow_registration_scope,
                 title: 'Client Credentials Registration Requested Scope(s)',
                 description: %(
                   String containing a space delimited list of scopes requested by the client application for use in
@@ -74,16 +74,16 @@ module UDAPSecurityTestKit
                 )
               },
               udap_registration_certifications: {
-                name: :udap_registration_certifications_client_creds_flow,
+                name: :udap_client_creds_flow_registration_certifications,
                 title: 'Client Credentials UDAP Registration Certifications'
               }
             },
             outputs: {
               udap_client_cert_pem: {
-                name: :udap_client_cert_pem_client_creds_flow
+                name: :udap_client_credentials_flow_client_cert_pem
               },
               udap_client_private_key_pem: {
-                name: :udap_client_private_key_client_creds_flow
+                name: :udap_client_credentials_flow_client_private_key
               },
               udap_cert_iss: {
                 name: :udap_cert_iss_client_creds_flow
@@ -91,12 +91,12 @@ module UDAPSecurityTestKit
             }
           } do
       input_order :udap_registration_endpoint,
-                  :reg_grant_type_client_creds,
-                  :udap_client_cert_pem_client_creds_flow,
-                  :udap_client_private_key_client_creds_flow,
+                  :udap_client_credentials_flow_registration_grant_type,
+                  :udap_client_credentials_flow_client_cert_pem,
+                  :udap_client_credentials_flow_client_private_key,
                   :udap_cert_iss_client_creds_flow,
-                  :udap_registration_scope_client_creds_flow,
-                  :udap_jwt_signing_alg, :udap_registration_certifications_client_creds_flow
+                  :udap_client_credentials_flow_registration_scope,
+                  :udap_jwt_signing_alg, :udap_client_creds_flow_registration_certifications
     end
     group from: :udap_client_credentials_authentication_group,

data/lib/udap_security_test_kit/client_credentials_token_exchange_test.rb CHANGED Viewed

@@ -38,7 +38,7 @@ module UDAPSecurityTestKit
           title: 'Token Endpoint',
           description: 'The full URL from which Inferno will request an access token'
-    input :udap_client_cert_pem_client_creds_flow,
+    input :udap_client_credentials_flow_client_cert_pem,
           title: 'X.509 Client Certificate(s) (PEM Format)',
           type: 'textarea',
           description: %(
@@ -48,7 +48,7 @@ module UDAPSecurityTestKit
             authorization server under test.
           )
-    input :udap_client_private_key_client_creds_flow,
+    input :udap_client_credentials_flow_client_private_key,
           type: 'textarea',
           title: 'Client Private Key (PEM Format)',
           description: 'The private key corresponding to the X.509 client certificate'
@@ -71,8 +71,9 @@ module UDAPSecurityTestKit
           default: 'RS256',
           locked: true
-    output :token_retrieval_time
-    output :client_credentials_token_response_body
+    output :udap_client_credentials_flow_token_retrieval_time,
+           :udap_client_credentials_flow_token_exchange_response_body
     makes_request :token_exchange
     run do
@@ -97,12 +98,12 @@ module UDAPSecurityTestKit
       )
       x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
-        udap_client_cert_pem_client_creds_flow
+        udap_client_credentials_flow_client_cert_pem
       )
       client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
         client_assertion_payload,
-        udap_client_private_key_client_creds_flow,
+        udap_client_credentials_flow_client_private_key,
         udap_jwt_signing_alg,
         x5c_certs
       )
@@ -122,9 +123,9 @@ module UDAPSecurityTestKit
       assert_response_status(200)
       assert_valid_json(request.response_body)
-      output token_retrieval_time: Time.now.iso8601
+      output udap_client_credentials_flow_token_retrieval_time: Time.now.iso8601
-      output client_credentials_token_response_body: request.response_body
+      output udap_client_credentials_flow_token_exchange_response_body: request.response_body
     end
   end
 end

data/lib/udap_security_test_kit/dynamic_client_registration_group.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require_relative 'generate_client_certs_test'
 require_relative 'registration_failure_invalid_contents_test'
 require_relative 'registration_failure_invalid_jwt_signature_test'
 require_relative 'registration_success_test'

data/lib/udap_security_test_kit/registration_success_contents_test.rb CHANGED Viewed

@@ -48,16 +48,23 @@ module UDAPSecurityTestKit
       original_software_statement = JSON.parse(udap_software_statement_json)
-      expected_claims = ['client_name', 'grant_types', 'token_endpoint_auth_method', 'scope']
+      expected_claims = ['scope', 'client_name', 'grant_types', 'token_endpoint_auth_method']
       auth_code_claims = ['redirect_uris', 'response_types']
+      # For this subset, authorization server may return a different value than
+      # the one originally provided in client software statement
+      mutable_claims = ['scope', 'client_name']
       expected_claims.concat auth_code_claims if udap_registration_grant_type == 'authorization_code'
       expected_claims.each do |claim|
         assert registration_response.key?(claim), "Successful registration response must include #{claim} claim"
+        assert registration_response[claim].present?, "`#{claim}` value cannot be blank"
+        next if mutable_claims.include?(claim)
         assert registration_response[claim] == original_software_statement[claim],
                "Registration response value for #{claim} does not match " \
-               'in client-submitted software statement'
+               'value in client-submitted software statement'
       end
     end
   end

data/lib/udap_security_test_kit/signed_metadata_contents_test.rb CHANGED Viewed

@@ -26,7 +26,7 @@ module UDAPSecurityTestKit
       assert token_header.key?('x5c'), 'JWT header does not contain `x5c` field'
       assert token_header.key?('alg'), 'JWT header does not contain `alg` field'
-      leaf_cert_der = Base64.urlsafe_decode64(token_header['x5c'].first)
+      leaf_cert_der = Base64.decode64(token_header['x5c'].first)
       leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
       signature_validation_result = UDAPSecurityTestKit::UDAPJWTValidator.validate_signature(
         signed_metadata_jwt,

data/lib/udap_security_test_kit/token_exchange_response_body_test.rb CHANGED Viewed

@@ -15,10 +15,20 @@ module UDAPSecurityTestKit
     input :token_response_body
+    output :udap_access_token,
+           :udap_expires_in,
+           :udap_received_scopes,
+           :udap_refresh_token
     run do
       assert_valid_json(token_response_body)
       token_response_body_parsed = JSON.parse(token_response_body)
+      output udap_access_token: token_response_body_parsed['access_token'],
+             udap_expires_in: token_response_body_parsed['expires_in'],
+             udap_received_scopes: token_response_body_parsed['scope'],
+             udap_refresh_token: token_response_body_parsed['refresh_token']
       required_keys = ['access_token', 'token_type']
       required_keys.each do |key|

data/lib/udap_security_test_kit/udap_jwt_builder.rb CHANGED Viewed

@@ -21,7 +21,7 @@ module UDAPSecurityTestKit
       x5c_certs_encoded = x5c_certs_pem_string.map do |cert|
         cert_pem = OpenSSL::X509::Certificate.new(cert)
-        Base64.urlsafe_encode64(cert_pem.to_der)
+        Base64.encode64(cert_pem.to_der)
       end
       JWT.encode payload, private_key, alg, { x5c: x5c_certs_encoded }

data/lib/udap_security_test_kit/udap_jwt_validator.rb CHANGED Viewed

@@ -22,7 +22,7 @@ module UDAPSecurityTestKit
     def self.validate_trust_chain(x5c_header_encoded, trust_anchor_certs)
       cert_chain = x5c_header_encoded.map do |cert|
-        cert_der = Base64.urlsafe_decode64(cert)
+        cert_der = Base64.decode64(cert)
         OpenSSL::X509::Certificate.new(cert_der)
       end
       crl_uris = cert_chain.map(&:crl_uris).compact.flatten

data/lib/udap_security_test_kit/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module UDAPSecurityTestKit
-  VERSION = '0.9.1'.freeze
+  VERSION = '0.10.0'.freeze
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: udap_security_test_kit
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.10.0
 platform: ruby
 authors:
 - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-09-09 00:00:00.000000000 Z
+date: 2024-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: inferno_core