udap_security_test_kit 0.9.1 → 0.10.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: fd4ceb272702d0780afe146810e40fc77f93e14fec1853720ab1c9e34157fda3
4
- data.tar.gz: c033bcacedebeb7700434a9aa721ab29f65556bba8303136a0372e234be94092
3
+ metadata.gz: be592aff3162a459764f09b857cf2d786e141b8a46698f061db3ac4aa682d92e
4
+ data.tar.gz: 64288629f38cd38f6021fc67c043810a13f8011428e8300ff586babea2ea3b46
5
5
  SHA512:
6
- metadata.gz: 05dddcf0581db8eeec609d5d03ebecc23f410022e51ef886aa20c472ca394b9401e69cde3b8c503989c2ccad3c90ffd5cbdd7f6607b63fe178ab06dd54f0036f
7
- data.tar.gz: 8a0ebd05c1cdda66fe262ff2486dc0c0ccc1740cc0f9864dd2dcc4f11da4560dfe85269a00ac98b2e6d131ac8ba472a0c9c485ae84c142f08b2cbb0057cb26a7
6
+ metadata.gz: da5963362a0b8f9151bf8419461da4f465590e9a58283eb4a67a0ad310d8d3242dfd5a3f25314ee710277e17b4cd67dad00b2a9b5f4aca333f9e9db47eec2161
7
+ data.tar.gz: 1c9ce32de1da555027de8b1b01db398e93b7397a87270de3fcb02a36b54eb0da8398f84a8d467d91239c694cb20c6a7bc1134ebd91d463134b931546e429d99b
@@ -20,7 +20,7 @@ module UDAPSecurityTestKit
20
20
  config: {
21
21
  requests: {
22
22
  token_exchange: {
23
- name: :authorization_code_token_exchange
23
+ name: :udap_auth_code_flow_token_exchange
24
24
  }
25
25
  }
26
26
  }
@@ -28,7 +28,21 @@ module UDAPSecurityTestKit
28
28
  config: {
29
29
  inputs: {
30
30
  token_response_body: {
31
- name: :authorization_code_token_response_body
31
+ name: :udap_auth_code_flow_token_exchange_response_body
32
+ }
33
+ },
34
+ outputs: {
35
+ udap_access_token: {
36
+ name: :udap_auth_code_flow_access_token
37
+ },
38
+ udap_expires_in: {
39
+ name: :udap_auth_code_flow_expires_in
40
+ },
41
+ udap_received_scopes: {
42
+ name: :udap_auth_code_flow_received_scopes
43
+ },
44
+ udap_refresh_token: {
45
+ name: :udap_auth_code_flow_refresh_token
32
46
  }
33
47
  }
34
48
  }
@@ -36,7 +50,7 @@ module UDAPSecurityTestKit
36
50
  config: {
37
51
  requests: {
38
52
  token_exchange: {
39
- name: :authorization_code_token_exchange
53
+ name: :udap_auth_code_flow_token_exchange
40
54
  }
41
55
  }
42
56
  }
@@ -45,24 +45,24 @@ module UDAPSecurityTestKit
45
45
  config: {
46
46
  inputs: {
47
47
  udap_registration_grant_type: {
48
- name: :reg_grant_type_auth_code,
48
+ name: :udap_auth_code_flow_registration_grant_type,
49
49
  default: 'authorization_code',
50
50
  locked: true
51
51
  },
52
52
  udap_client_cert_pem: {
53
- name: :udap_client_cert_pem_auth_code_flow,
53
+ name: :udap_auth_code_flow_client_cert_pem,
54
54
  title: 'Authorization Code Client Certificate(s) (PEM Format)'
55
55
  },
56
56
  udap_client_private_key_pem: {
57
- name: :udap_client_private_key_auth_code_flow,
57
+ name: :udap_auth_code_flow_client_private_key,
58
58
  title: 'Authorization Code Client Private Key (PEM Format)'
59
59
  },
60
60
  udap_cert_iss: {
61
- name: :udap_cert_iss_auth_code_flow,
61
+ name: :udap_auth_code_flow_cert_iss,
62
62
  title: 'Authorization Code JWT Issuer (iss) Claim'
63
63
  },
64
64
  udap_registration_requested_scope: {
65
- name: :udap_registration_scope_auth_code_flow,
65
+ name: :udap_auth_code_flow_registration_scope,
66
66
  title: 'Authorization Code Registration Requested Scope(s)',
67
67
  description: %(
68
68
  String containing a space delimited list of scopes requested by the client application for use in
@@ -72,29 +72,29 @@ module UDAPSecurityTestKit
72
72
  )
73
73
  },
74
74
  udap_registration_certifications: {
75
- name: :udap_registration_certifications_auth_code_flow,
75
+ name: :udap_auth_code_flow_registration_certifications,
76
76
  title: 'Authorization Code UDAP Registration Certifications'
77
77
  }
78
78
  },
79
79
  outputs: {
80
80
  udap_client_cert_pem: {
81
- name: :udap_client_cert_pem_auth_code_flow
81
+ name: :udap_auth_code_flow_client_cert_pem
82
82
  },
83
83
  udap_client_private_key_pem: {
84
- name: :udap_client_private_key_auth_code_flow
84
+ name: :udap_auth_code_flow_client_private_key
85
85
  },
86
86
  udap_cert_iss: {
87
- name: :udap_cert_iss_auth_code_flow
87
+ name: :udap_auth_code_flow_cert_iss
88
88
  }
89
89
  }
90
90
  } do
91
91
  input_order :udap_registration_endpoint,
92
- :reg_grant_type_auth_code,
93
- :udap_client_cert_pem_auth_code_flow,
94
- :udap_client_private_key_auth_code_flow,
95
- :udap_cert_iss_auth_code_flow,
96
- :udap_registration_scope_auth_code_flow,
97
- :udap_jwt_signing_alg, :udap_registration_certifications_auth_code_flow
92
+ :udap_auth_code_flow_registration_grant_type,
93
+ :udap_auth_code_flow_client_cert_pem,
94
+ :udap_auth_code_flow_client_private_key,
95
+ :udap_auth_code_flow_cert_iss,
96
+ :udap_auth_code_flow_registration_scope,
97
+ :udap_jwt_signing_alg, :udap_auth_code_flow_registration_certifications
98
98
  end
99
99
 
100
100
  group from: :udap_authorization_code_authentication_group,
@@ -23,7 +23,7 @@ module UDAPSecurityTestKit
23
23
  title: 'Token Endpoint',
24
24
  description: 'The full URL from which Inferno will request an access token'
25
25
 
26
- input :udap_client_cert_pem_auth_code_flow,
26
+ input :udap_auth_code_flow_client_cert_pem,
27
27
  title: 'X.509 Client Certificate (PEM Format)',
28
28
  type: 'textarea',
29
29
  description: %(
@@ -34,7 +34,7 @@ module UDAPSecurityTestKit
34
34
  authorization server under test.
35
35
  )
36
36
 
37
- input :udap_client_private_key_auth_code_flow,
37
+ input :udap_auth_code_flow_client_private_key,
38
38
  type: 'textarea',
39
39
  title: 'Client Private Key (PEM Format)',
40
40
  description: 'The private key corresponding to the X.509 client certificate'
@@ -57,8 +57,9 @@ module UDAPSecurityTestKit
57
57
  default: 'RS256',
58
58
  locked: true
59
59
 
60
- output :token_retrieval_time
61
- output :authorization_code_token_response_body
60
+ output :udap_auth_code_flow_token_retrieval_time,
61
+ :udap_auth_code_flow_token_exchange_response_body
62
+
62
63
  makes_request :token_exchange
63
64
 
64
65
  config options: { redirect_uri: "#{Inferno::Application['base_url']}/custom/udap_security_test_kit/redirect" }
@@ -70,11 +71,11 @@ module UDAPSecurityTestKit
70
71
  nil
71
72
  )
72
73
 
73
- x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_client_cert_pem_auth_code_flow)
74
+ x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(udap_auth_code_flow_client_cert_pem)
74
75
 
75
76
  client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
76
77
  client_assertion_payload,
77
- udap_client_private_key_auth_code_flow,
78
+ udap_auth_code_flow_client_private_key,
78
79
  udap_jwt_signing_alg,
79
80
  x5c_certs
80
81
  )
@@ -95,9 +96,9 @@ module UDAPSecurityTestKit
95
96
  assert_response_status(200)
96
97
  assert_valid_json(request.response_body)
97
98
 
98
- output token_retrieval_time: Time.now.iso8601
99
+ output udap_auth_code_flow_token_retrieval_time: Time.now.iso8601
99
100
 
100
- output authorization_code_token_response_body: request.response_body
101
+ output udap_auth_code_flow_token_exchange_response_body: request.response_body
101
102
  end
102
103
  end
103
104
  end
@@ -16,7 +16,7 @@ module UDAPSecurityTestKit
16
16
  config: {
17
17
  requests: {
18
18
  token_exchange: {
19
- name: :client_credentials_token_exchange
19
+ name: :udap_client_credentials_flow_token_exchange
20
20
  }
21
21
  }
22
22
  }
@@ -24,7 +24,21 @@ module UDAPSecurityTestKit
24
24
  config: {
25
25
  inputs: {
26
26
  token_response_body: {
27
- name: :client_credentials_token_response_body
27
+ name: :udap_client_credentials_flow_token_exchange_response_body
28
+ }
29
+ },
30
+ outputs: {
31
+ udap_access_token: {
32
+ name: :udap_client_credentials_flow_access_token
33
+ },
34
+ udap_expires_in: {
35
+ name: :udap_client_credentials_flow_expires_in
36
+ },
37
+ udap_received_scopes: {
38
+ name: :udap_client_credentials_flow_received_scopes
39
+ },
40
+ udap_refresh_token: {
41
+ name: :udap_client_credentials_flow_refresh_token
28
42
  }
29
43
  }
30
44
  }
@@ -32,7 +46,7 @@ module UDAPSecurityTestKit
32
46
  config: {
33
47
  requests: {
34
48
  token_exchange: {
35
- name: :client_credentials_token_exchange
49
+ name: :udap_client_credentials_flow_token_exchange
36
50
  }
37
51
  }
38
52
  }
@@ -47,16 +47,16 @@ module UDAPSecurityTestKit
47
47
  config: {
48
48
  inputs: {
49
49
  udap_registration_grant_type: {
50
- name: :reg_grant_type_client_creds,
50
+ name: :udap_client_credentials_flow_registration_grant_type,
51
51
  default: 'client_credentials',
52
52
  locked: true
53
53
  },
54
54
  udap_client_cert_pem: {
55
- name: :udap_client_cert_pem_client_creds_flow,
55
+ name: :udap_client_credentials_flow_client_cert_pem,
56
56
  title: 'Client Credentials Client Certificate(s) (PEM Format)'
57
57
  },
58
58
  udap_client_private_key_pem: {
59
- name: :udap_client_private_key_client_creds_flow,
59
+ name: :udap_client_credentials_flow_client_private_key,
60
60
  title: 'Client Credentials Client Private Key (PEM Format)'
61
61
  },
62
62
  udap_cert_iss: {
@@ -64,7 +64,7 @@ module UDAPSecurityTestKit
64
64
  title: 'Client Credentials JWT Issuer (iss) Claim'
65
65
  },
66
66
  udap_registration_requested_scope: {
67
- name: :udap_registration_scope_client_creds_flow,
67
+ name: :udap_client_credentials_flow_registration_scope,
68
68
  title: 'Client Credentials Registration Requested Scope(s)',
69
69
  description: %(
70
70
  String containing a space delimited list of scopes requested by the client application for use in
@@ -74,16 +74,16 @@ module UDAPSecurityTestKit
74
74
  )
75
75
  },
76
76
  udap_registration_certifications: {
77
- name: :udap_registration_certifications_client_creds_flow,
77
+ name: :udap_client_creds_flow_registration_certifications,
78
78
  title: 'Client Credentials UDAP Registration Certifications'
79
79
  }
80
80
  },
81
81
  outputs: {
82
82
  udap_client_cert_pem: {
83
- name: :udap_client_cert_pem_client_creds_flow
83
+ name: :udap_client_credentials_flow_client_cert_pem
84
84
  },
85
85
  udap_client_private_key_pem: {
86
- name: :udap_client_private_key_client_creds_flow
86
+ name: :udap_client_credentials_flow_client_private_key
87
87
  },
88
88
  udap_cert_iss: {
89
89
  name: :udap_cert_iss_client_creds_flow
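Review bot: The renamed certifications input `+ name: :udap_client_creds_flow_registration_certifications,` is the only new name in this hunk that does not carry the `udap_client_credentials_flow_` prefix, and the cert_iss names (`:udap_cert_iss_client_creds_flow`, visible unchanged at the end of the hunk) stay on the old scheme, whereas the authorization-code counterpart renames both (`:udap_auth_code_flow_cert_iss`, `:udap_auth_code_flow_registration_certifications`). This looks like a partial rename rather than a deliberate exception. `name: :udap_client_credentials_flow_registration_certifications,` here, with the matching symbols in the `input_order` hunk below, would restore the single-prefix convention. The enclosing `config:` hash starts and ends outside this hunk.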
@@ -91,12 +91,12 @@ module UDAPSecurityTestKit
91
91
  }
92
92
  } do
93
93
  input_order :udap_registration_endpoint,
94
- :reg_grant_type_client_creds,
95
- :udap_client_cert_pem_client_creds_flow,
96
- :udap_client_private_key_client_creds_flow,
94
+ :udap_client_credentials_flow_registration_grant_type,
95
+ :udap_client_credentials_flow_client_cert_pem,
96
+ :udap_client_credentials_flow_client_private_key,
97
97
  :udap_cert_iss_client_creds_flow,
98
- :udap_registration_scope_client_creds_flow,
99
- :udap_jwt_signing_alg, :udap_registration_certifications_client_creds_flow
98
+ :udap_client_credentials_flow_registration_scope,
99
+ :udap_jwt_signing_alg, :udap_client_creds_flow_registration_certifications
100
100
  end
101
101
 
102
102
  group from: :udap_client_credentials_authentication_group,
@@ -38,7 +38,7 @@ module UDAPSecurityTestKit
38
38
  title: 'Token Endpoint',
39
39
  description: 'The full URL from which Inferno will request an access token'
40
40
 
41
- input :udap_client_cert_pem_client_creds_flow,
41
+ input :udap_client_credentials_flow_client_cert_pem,
42
42
  title: 'X.509 Client Certificate(s) (PEM Format)',
43
43
  type: 'textarea',
44
44
  description: %(
@@ -48,7 +48,7 @@ module UDAPSecurityTestKit
48
48
  authorization server under test.
49
49
  )
50
50
 
51
- input :udap_client_private_key_client_creds_flow,
51
+ input :udap_client_credentials_flow_client_private_key,
52
52
  type: 'textarea',
53
53
  title: 'Client Private Key (PEM Format)',
54
54
  description: 'The private key corresponding to the X.509 client certificate'
@@ -71,8 +71,9 @@ module UDAPSecurityTestKit
71
71
  default: 'RS256',
72
72
  locked: true
73
73
 
74
- output :token_retrieval_time
75
- output :client_credentials_token_response_body
74
+ output :udap_client_credentials_flow_token_retrieval_time,
75
+ :udap_client_credentials_flow_token_exchange_response_body
76
+
76
77
  makes_request :token_exchange
77
78
 
78
79
  run do
@@ -97,12 +98,12 @@ module UDAPSecurityTestKit
97
98
  )
98
99
 
99
100
  x5c_certs = UDAPJWTBuilder.split_user_input_cert_string(
100
- udap_client_cert_pem_client_creds_flow
101
+ udap_client_credentials_flow_client_cert_pem
101
102
  )
102
103
 
103
104
  client_assertion_jwt = UDAPJWTBuilder.encode_jwt_with_x5c_header(
104
105
  client_assertion_payload,
105
- udap_client_private_key_client_creds_flow,
106
+ udap_client_credentials_flow_client_private_key,
106
107
  udap_jwt_signing_alg,
107
108
  x5c_certs
108
109
  )
@@ -122,9 +123,9 @@ module UDAPSecurityTestKit
122
123
  assert_response_status(200)
123
124
  assert_valid_json(request.response_body)
124
125
 
125
- output token_retrieval_time: Time.now.iso8601
126
+ output udap_client_credentials_flow_token_retrieval_time: Time.now.iso8601
126
127
 
127
- output client_credentials_token_response_body: request.response_body
128
+ output udap_client_credentials_flow_token_exchange_response_body: request.response_body
128
129
  end
129
130
  end
130
131
  end
@@ -1,3 +1,4 @@
1
+ require_relative 'generate_client_certs_test'
1
2
  require_relative 'registration_failure_invalid_contents_test'
2
3
  require_relative 'registration_failure_invalid_jwt_signature_test'
3
4
  require_relative 'registration_success_test'
@@ -48,16 +48,23 @@ module UDAPSecurityTestKit
48
48
 
49
49
  original_software_statement = JSON.parse(udap_software_statement_json)
50
50
 
51
- expected_claims = ['client_name', 'grant_types', 'token_endpoint_auth_method', 'scope']
51
+ expected_claims = ['scope', 'client_name', 'grant_types', 'token_endpoint_auth_method']
52
52
  auth_code_claims = ['redirect_uris', 'response_types']
53
53
 
54
+ # For this subset, authorization server may return a different value than
55
+ # the one originally provided in client software statement
56
+ mutable_claims = ['scope', 'client_name']
57
+
54
58
  expected_claims.concat auth_code_claims if udap_registration_grant_type == 'authorization_code'
55
59
 
56
60
  expected_claims.each do |claim|
57
61
  assert registration_response.key?(claim), "Successful registration response must include #{claim} claim"
62
+ assert registration_response[claim].present?, "`#{claim}` value cannot be blank"
63
+ next if mutable_claims.include?(claim)
64
+
58
65
  assert registration_response[claim] == original_software_statement[claim],
59
66
  "Registration response value for #{claim} does not match " \
60
- 'in client-submitted software statement'
67
+ 'value in client-submitted software statement'
61
68
  end
62
69
  end
63
70
  end
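Review bot: With `scope` in `mutable_claims`, the new `next if mutable_claims.include?(claim)` means the granted scope string is no longer compared to the software statement at all, only checked for presence, so a server that returns scopes the client never requested now passes. Narrowing by the server is what the added comment anticipates, so a subset check fits: keep the presence assertion and, for `scope`, assert that every returned scope appears in the requested list before skipping the equality check. If the profile permits the server to add scopes this would need relaxing, so please confirm against the spec text. `present?` also relies on ActiveSupport core extensions being loaded; `!registration_response[claim].to_s.strip.empty?` avoids that dependency if it is not guaranteed. The `run do` block enclosing this loop begins outside the hunk.
```ruby
expected_claims.each do |claim|
  assert registration_response.key?(claim), "Successful registration response must include #{claim} claim"
  assert registration_response[claim].present?, "`#{claim}` value cannot be blank"
  if claim == 'scope'
    # the server may narrow the requested scopes, but should not grant ones that were never requested
    unrequested = registration_response['scope'].to_s.split - original_software_statement['scope'].to_s.split
    assert unrequested.empty?,
           "Registration response granted scope(s) not present in the software statement: #{unrequested.join(' ')}"
  end
  next if mutable_claims.include?(claim)

  # … unchanged: equality assertion against original_software_statement …
end
```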
@@ -26,7 +26,7 @@ module UDAPSecurityTestKit
26
26
  assert token_header.key?('x5c'), 'JWT header does not contain `x5c` field'
27
27
  assert token_header.key?('alg'), 'JWT header does not contain `alg` field'
28
28
 
29
- leaf_cert_der = Base64.urlsafe_decode64(token_header['x5c'].first)
29
+ leaf_cert_der = Base64.decode64(token_header['x5c'].first)
30
30
  leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
31
31
  signature_validation_result = UDAPSecurityTestKit::UDAPJWTValidator.validate_signature(
32
32
  signed_metadata_jwt,
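Review bot: `Base64.decode64` is the lenient decoder — it drops any character outside the base64 alphabet and ignores missing or excess padding — so a malformed `x5c` entry (for example one a server mistakenly base64url-encoded, containing `-` or `_`) decodes to truncated bytes and fails on the next line as an opaque `OpenSSL::X509::CertificateError` instead of a readable assertion. Moving from base64url to standard base64 is right per RFC 7515 §4.1.6, but `Base64.strict_decode64` with the `ArgumentError` turned into an assertion gives a failure message that names the actual problem. The same lenient decode is introduced in `validate_trust_chain` (`cert_der = Base64.decode64(cert)`) further down and deserves the same treatment. The enclosing `run` block starts and ends outside this hunk.
```ruby
leaf_cert_b64 = token_header['x5c'].first
leaf_cert_der =
  begin
    Base64.strict_decode64(leaf_cert_b64)
  rescue ArgumentError => e
    assert false, "JWT header `x5c` entry is not valid standard base64: #{e.message}"
  end
leaf_cert = OpenSSL::X509::Certificate.new(leaf_cert_der)
# … unchanged: signature validation …
```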
@@ -15,10 +15,20 @@ module UDAPSecurityTestKit
15
15
 
16
16
  input :token_response_body
17
17
 
18
+ output :udap_access_token,
19
+ :udap_expires_in,
20
+ :udap_received_scopes,
21
+ :udap_refresh_token
22
+
18
23
  run do
19
24
  assert_valid_json(token_response_body)
20
25
  token_response_body_parsed = JSON.parse(token_response_body)
21
26
 
27
+ output udap_access_token: token_response_body_parsed['access_token'],
28
+ udap_expires_in: token_response_body_parsed['expires_in'],
29
+ udap_received_scopes: token_response_body_parsed['scope'],
30
+ udap_refresh_token: token_response_body_parsed['refresh_token']
31
+
22
32
  required_keys = ['access_token', 'token_type']
23
33
 
24
34
  required_keys.each do |key|
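Review bot: The new `output udap_access_token: …` call runs before the `required_keys` loop, so a response that lacks `access_token` still records nil-valued outputs that later groups will read before this test reports the failure; moving the four-line `output` block below the `required_keys.each` loop (which ends outside this hunk) keeps outputs populated only from a response that passed the key check. The lookups also assume `token_response_body_parsed` is a Hash — a JSON array body raises `TypeError` on `['access_token']` rather than an assertion; `assert token_response_body_parsed.is_a?(Hash), 'Token response body must be a JSON object'` right after the parse covers that. Note that the access and refresh tokens are now persisted as session outputs alongside the response body; that looks intended so downstream tests can use them, but it means they remain in the stored results for the life of the session.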
@@ -21,7 +21,7 @@ module UDAPSecurityTestKit
21
21
 
22
22
  x5c_certs_encoded = x5c_certs_pem_string.map do |cert|
23
23
  cert_pem = OpenSSL::X509::Certificate.new(cert)
24
- Base64.urlsafe_encode64(cert_pem.to_der)
24
+ Base64.encode64(cert_pem.to_der)
25
25
  end
26
26
 
27
27
  JWT.encode payload, private_key, alg, { x5c: x5c_certs_encoded }
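Review bot: `Base64.encode64` inserts a newline after every 60 output characters (RFC 2045 line wrapping), so each `x5c` entry produced by `+ Base64.encode64(cert_pem.to_der)` will contain embedded `\n` characters inside the JSON header array. RFC 7515 §4.1.6 specifies standard base64 DER without line breaks, which `Base64.strict_encode64(cert_pem.to_der)` produces. The kit's own decoders use the lenient `Base64.decode64`, which silently skips the newlines, so the round trip within this test kit still works, but a strict receiver would reject the header. The enclosing method starts outside this hunk.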
@@ -22,7 +22,7 @@ module UDAPSecurityTestKit
22
22
 
23
23
  def self.validate_trust_chain(x5c_header_encoded, trust_anchor_certs)
24
24
  cert_chain = x5c_header_encoded.map do |cert|
25
- cert_der = Base64.urlsafe_decode64(cert)
25
+ cert_der = Base64.decode64(cert)
26
26
  OpenSSL::X509::Certificate.new(cert_der)
27
27
  end
28
28
  crl_uris = cert_chain.map(&:crl_uris).compact.flatten
@@ -1,3 +1,3 @@
1
1
  module UDAPSecurityTestKit
2
- VERSION = '0.9.1'.freeze
2
+ VERSION = '0.10.0'.freeze
3
3
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: udap_security_test_kit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.9.1
4
+ version: 0.10.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stephen MacVicar
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2024-09-09 00:00:00.000000000 Z
12
+ date: 2024-11-04 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: inferno_core