virgil-jwt 1.0.0

data/lib/virgil/jwt/jwt_body_content.rb

@@ -0,0 +1,110 @@
+# Copyright (C) 2015-2019 Virgil Security Inc.
+#
+# Lead Maintainer: Virgil Security Inc. <support@virgilsecurity.com>
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#   (1) Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+#   (2) Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+#
+#   (3) Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, bytes, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+module Virgil
+  module Jwt
+    #  Represents content of [Jwt]
+    class JwtBodyContent
+      IDENTITY_PREFIX = 'identity-'.freeze
+      SUBJECT_PREFIX = 'virgil-'.freeze
+
+      # Jwt application id.
+      # @return [String]
+      attr_reader :app_id
+
+      # Jwt identity.
+      # @return [String]
+      attr_reader :identity
+
+      # Jwt issuer.
+      # @return [String]
+      attr_reader :issuer
+
+      # Jwt subject.
+      # @return [String]
+      attr_reader :subject
+
+      # When Jwt was issued.
+      # @return [Time]
+      attr_reader :issued_at
+
+      # When Jwt will expire.
+      # @return [Time]
+      attr_reader :expires_at
+
+      # Jwt additional data.
+      # @return [Hash]
+      attr_reader :additional_data
+
+      # Initializes a new instance of the class
+      # @param app_id [String] Application ID. Take it from {https://dashboard.virgilsecurity.com}
+      # @param identity [String] identity (must be equal to RawSignedModel identity when publishing card)
+      # @param issued_at [Time] issued data
+      # @param expires_at [Time] expiration date
+      # @param data [Hash] hash with additional data
+      def initialize(app_id:, identity:, issued_at:, expires_at:, data:)
+        @app_id = app_id
+        @identity = identity
+        @issued_at = issued_at
+        @expires_at = expires_at
+        @additional_data = data
+        @issuer = "#{SUBJECT_PREFIX}#{@app_id}"
+        @subject = "#{IDENTITY_PREFIX}#{@identity}"
+      end
+
+      # Json representation of body content
+      # @return [String]
+      def to_json
+        model = {
+          'iss': issuer,
+          'sub': subject,
+          'iat': issued_at.to_i,
+          'exp': expires_at.to_i,
+          'ada': additional_data}
+        model.to_json
+      end
+
+      # Restore body content from json
+      # @return [JwtBodyContent]
+      def self.restore_from_json(str_json)
+        model = JSON.parse(str_json)
+        new(app_id: model['iss'].gsub(JwtBodyContent::SUBJECT_PREFIX, ''),
+            identity: model['sub'].gsub(JwtBodyContent::IDENTITY_PREFIX, ''),
+            issued_at: Time.at(model['iat']).utc,
+            expires_at: Time.at(model['exp']).utc,
+            data: model['ada'])
+      end
+    end
+  end
+end

data/lib/virgil/jwt/jwt_generator.rb

@@ -0,0 +1,110 @@
+# Copyright (C) 2015-2019 Virgil Security Inc.
+#
+# Lead Maintainer: Virgil Security Inc. <support@virgilsecurity.com>
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#   (1) Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+#   (2) Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+#
+#   (3) Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, bytes, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+module Virgil
+  module Jwt
+    class JwtGenerator
+
+      # Private Key which will be used for signing
+      # generated access tokens.
+      # Take it on {https://dashboard.virgilsecurity.com/api-keys}
+      # @return [PrivateKey]
+      attr_reader :api_key
+
+      # Key id of #api_key
+      # Take it on {https://dashboard.virgilsecurity.com/api-keys}
+      # @return [String]
+      attr_reader :api_public_key_id
+
+      # Application id
+      # Take it on {https://dashboard.virgilsecurity.com}
+      # @return [String]
+      attr_reader :app_id
+
+      # Lifetime of generated tokens in minutes
+      # @return [Integer]
+      attr_reader :life_time
+
+      # An instance of [AccessTokenSigner] that is used to
+      # generate token signature using #api_key
+      # @return [AccessTokenSigner]
+      attr_reader :access_token_signer
+
+      # Initializes a new instance of the class
+      # @param app_id [String] Application id
+      #  Take it on {https://dashboard.virgilsecurity.com}
+      # @param api_key [PrivateKey] Private Key which will be used for signing
+      #  generated access tokens. Take it on {https://dashboard.virgilsecurity.com/api-keys}
+      # @param api_public_key_id [String] Key id of #api_key.
+      #  Take it on {https://dashboard.virgilsecurity.com/api-keys}
+      # @param life_time [Integer] Lifetime of generated tokens in minutes
+      # @param access_token_signer [AccessTokenSigner] An instance of [AccessTokenSigner]
+      #  that is used to generate token signature using #api_key
+      def initialize(app_id:, api_key:, api_public_key_id:, life_time:, access_token_signer:)
+        @app_id = app_id
+        @api_key = api_key
+        @api_public_key_id = api_public_key_id
+        @life_time = life_time
+        @access_token_signer = access_token_signer
+      end
+
+      # Generates new JWT using specified identity and additional data.
+      # @param identity [String] identity to generate with.
+      # @param data [Hash] dictionary with additional data which will be kept in jwt body
+      # @return new instance of [Jwt]
+      def generate_token(identity, data = nil)
+        raise ArgumentError, 'Identity property is mandatory' if identity.nil?
+        issued_at = Time.now.utc
+        expires_at = Time.at(issued_at.to_i + @life_time * 60).utc
+        jwt_body = JwtBodyContent.new(app_id: @app_id,
+                                      issued_at: issued_at,
+                                      identity: identity,
+                                      expires_at: expires_at,
+                                      data: data)
+
+        jwt_header = JwtHeaderContent.new(algorithm: @access_token_signer.algorithm,
+                                          key_id: @api_public_key_id)
+        unsigned_jwt = Jwt.new(header_content: jwt_header,
+                               body_content: jwt_body,
+                               signature_data: nil)
+        jwt_bytes = Bytes.from_string(unsigned_jwt.to_s)
+        signature = @access_token_signer.generate_token_signature(jwt_bytes, @api_key)
+        Jwt.new(header_content: jwt_header,
+                body_content: jwt_body,
+                signature_data: signature)
+      end
+
+    end
+  end
+end

data/lib/virgil/jwt/jwt_header_content.rb

@@ -0,0 +1,94 @@
+# Copyright (C) 2015-2019 Virgil Security Inc.
+#
+# Lead Maintainer: Virgil Security Inc. <support@virgilsecurity.com>
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#   (1) Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+#   (2) Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+#
+#   (3) Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, bytes, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+module Virgil
+  module Jwt
+    # Represents header of [Jwt]
+    class JwtHeaderContent
+      VIRGIL_CONTENT_TYPE = 'virgil-jwt;v=1'.freeze
+      JWT_TYPE = 'JWT'.freeze
+
+      # Signature algorithm
+      # @return [String]
+      attr_reader :algorithm
+
+      # Access token type.
+      # @return [String]
+      attr_reader :type
+
+      # Access token content type.
+      # @return [String]
+      attr_reader :content_type
+
+      # Id of public key which is used for jwt signature verification.
+      # @return [String]
+      attr_reader :key_id
+
+      # Initializes a new instance of the class
+      # @param algorithm [String] signature algorithm
+      # @param type [String] access token type
+      # @param content_type [String] Access token content type
+      # @param key_id [String] API key id. Take it from {https://dashboard.virgilsecurity.com/api-keys}
+      def initialize(algorithm:, key_id:, type: JWT_TYPE, content_type: VIRGIL_CONTENT_TYPE)
+        # todo validate
+        @algorithm = algorithm
+        @key_id = key_id
+        @type = type
+        @content_type = content_type
+      end
+
+      # Json representation of header content
+      # @return [String]
+      def to_json
+        model = {
+          'alg': algorithm,
+          'kid': key_id,
+          'typ': type,
+          'cty': content_type
+        }
+        model.to_json
+      end
+
+      # Restore header content from json
+      # @return [JwtHeaderContent]
+      def self.restore_from_json(str_json)
+        model = JSON.parse(str_json)
+        new(algorithm: model['alg'],
+            key_id: model['kid'],
+            type: model['typ'],
+            content_type: model['cty'])
+      end
+    end
+  end
+end

data/lib/virgil/jwt/jwt_verifier.rb

@@ -0,0 +1,78 @@
+# Copyright (C) 2015-2019 Virgil Security Inc.
+#
+# Lead Maintainer: Virgil Security Inc. <support@virgilsecurity.com>
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#   (1) Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+#   (2) Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+#
+#   (3) Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, bytes, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+module Virgil
+  module Jwt
+    class JwtVerifier
+
+      # @return [AccessTokenSigner] that is used to
+      # verify token signature.
+      attr_reader :access_token_signer
+
+      #  Public Key which should be used to verify signatures
+      # @return [PublicKey]
+      attr_reader :api_public_key
+
+      # Id of public key which should be used to verify signatures
+      # @return [String]
+      attr_reader :api_public_key_id
+
+      # Initializes a new instance of the class
+      # @param access_token_signer [AccessTokenSigner]
+      # @param api_public_key [PublicKey]
+      # @param api_public_key_id [String]
+      def initialize(access_token_signer:, api_public_key:, api_public_key_id:)
+        @access_token_signer = access_token_signer
+        @api_public_key = api_public_key
+        @api_public_key_id = api_public_key_id
+      end
+
+      # Verifies specified token.
+      # @param jwt [Jwt] token to be virefied.
+      # @return true if token is verified, otherwise false.
+      def verify_token(jwt)
+        if jwt.header_content.key_id != @api_public_key_id ||
+           jwt.header_content.algorithm != @access_token_signer.algorithm ||
+           jwt.header_content.content_type != JwtHeaderContent::VIRGIL_CONTENT_TYPE ||
+           jwt.header_content.type != JwtHeaderContent::JWT_TYPE
+          return false
+        end
+
+        @access_token_signer.verify_token_signature(jwt.signature_data,
+                                                    jwt.unsigned_data,
+                                                    api_public_key)
+      end
+    end
+  end
+end

data/lib/virgil/jwt/token_context.rb

@@ -0,0 +1,72 @@
+# Copyright (C) 2015-2019 Virgil Security Inc.
+#
+# Lead Maintainer: Virgil Security Inc. <support@virgilsecurity.com>
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#   (1) Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+#
+#   (2) Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+#
+#   (3) Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, bytes, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+module Virgil
+  module Jwt
+
+    # Provides payload for access token providers
+    class TokenContext
+
+      # Operation for which token is needed.
+      # @return [String]
+      attr_reader :operation
+
+      # Identity that should be used in access token.
+      # @return [String]
+      attr_reader :identity
+
+      # Service for which token is needed.
+      # @return [String]
+      attr_reader :service
+
+      # You can set up token cache in {CallbackJwtProvider#obtain_access_token_proc}
+      # and reset cached token if True.
+      # @return [TrueClass] or [FalseClass]
+      attr_reader :force_reload
+
+      # Initializes a new instance of the class
+      # @param operation [String] Operation for which token is needed
+      # @param identity [String] Identity to use in token
+      # @param force_reload [TrueClass] or [FalseClass]
+      # If you set up token cache in {CallbackJwtProvider#obtain_access_token_proc}
+      # it should reset cached token and return new if TRUE.
+      def initialize(operation:, identity:, service: nil, force_reload: false)
+        @operation = operation
+        @identity = identity
+        @service = service
+        @force_reload = force_reload
+      end
+    end
+  end
+end