warden_openid_bearer 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d1514a1fefcebd1c255a74d18df49f546d103ca7382e52464777f12c32f34e7
-  data.tar.gz: 91c9843e458d7bf1cedc6f360f54f40a28b67eddc9891b9fe364251c6a1c78a0
+  metadata.gz: 968af30fb6b9b5daf5ec6f2c5a3ad26e776e2749a9f0fd5564458d436b98f244
+  data.tar.gz: b2fb133b65e2bba2c1484c0218de5ae83daf50cee85b02ed3bf4fb24402d1af1
 SHA512:
-  metadata.gz: 7d82af75ad73daffb395154b35ecefef6196078e6bfc9333d0c8d8f59a9e218100d163fcd4f0a7c6f67098bc81d47a8bc92a0a1a2f26149ddca491f02bb3bce4
-  data.tar.gz: 870825f9e3f800506a1c4b45ecd2783da72e8077c5a47a74abe2b4e3dc434c43ac8998cbbfe5f861aae5d964b39ebfd3aff42fd74f9aa12d070e794a17cf8f49
+  metadata.gz: 1f1f9e1be38b4577968d609454c09fd9fff276918f993a02de13bcef716c8f21be3d8a657065b9e8b078c57c4a19d3e03803b4c32505b6942c6a3c77855146d2
+  data.tar.gz: 53febc3f4cfe6d6e2d6928d864c1232cf3571fb72ba4ad8a44b803570cbd46b11666165080a592a573e55ea4d8a5ffd618781254808541d80210009a1c7882ed

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [0.2.0] - 2023-11-02
+- Rewritten to *not* depend on the auth token being JWT (an assumption which only works with Keycloak)
+- Support user-configured (bogus) certificate for development
+
+## [0.1.4] - 2022-10-11
+- Clean up a stray `puts` left when debugging
+
 ## [0.1.3] - 2022-10-07
 - Fix `require`s
 

data/README.md

@@ -1,12 +1,12 @@
 # WardenOpenidBearer
 
-[Warden](https://github.com/wardencommunity/warden) strategy for authentication with OpenID-Connect JWT bearer tokens.
+[Warden](https://github.com/wardencommunity/warden) strategy for authentication with OpenID-Connect bearer tokens.
 
 This gem is like
 [the `warden_openid_auth gem`](https://rubygems.org/gems/warden_openid_auth),
 except that it only provides support for the very last step of
 the OAuth code flow, i.e. when the resource server / relying party
-(your Ruby Web app) validates and decodes the JWT token.
+(your Ruby Web app) validates and decodes the bearer token.
 
 Use this gem if your client-side Web (or mobile) app will be taking
 care of the rest of the OAuth2 motions, such as redirecting (or
@@ -26,6 +26,14 @@ with iframes, etc.
      manager.default_strategies WardenOpenidBearer::Strategy.register!
      WardenOpenidBearer.configure do |oidc|
        oidc.openid_metadata_url = "https://example.com/.well-known/openid-configuration"
+       oidc.scope = ["openid", "email"]
+       oidc.redirect_uri = ["openid", "email"]
+       # Optional — Explicit OpenID-Connect server certificate (e.g. for a development rig):
+       oidc.openid_server_certificate = <<-CERT
+-----BEGIN CERTIFICATE-----
+MIIDCTBLAHBLAHBLAH==
+-----END CERTIFICATE-----
+CERT
      end
    
      manager.failure_app = Proc.new { |_env|
@@ -45,7 +53,7 @@ with iframes, etc.
 ### Subclassing
 
 Subclassing `WardenOpenidBearer::Strategy` is the recommended way to
-- support more than one authentication server (overriding `metadata_url` and/or `cache_timeout`),
+- support more than one authentication server (overriding `valid?`, `metadata_url` and/or `cache_timeout`),
 - provide user hydration into the class of your choice (overriding `user_of_claims`).
 
 More details available in the rubydoc comments of
@@ -69,7 +77,7 @@ After checking out the Git repository, run `bin/setup` to install dependencies.
 
 The `debugger` gem is a development-time requirement (in the Gemfile). In order to activate it:
 
-1. Uncomment the line that says `require "debug"` in `./spec_helper.rb`
+1. Uncomment the line that says `require "debug"` in `./spec/spec_helper.rb`
 1. Stick `debugger` somewhere in the source or test code
 1. Run the test suite
 
@@ -87,7 +95,7 @@ To release a new version:
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/epfl-si/warden_openid_bearer.
+Bug reports and pull requests are welcome on GitHub at https://github.com/epfl-si/warden_openid_bearer .
 
 ## License
 

data/lib/warden_openid_bearer/cache_mixin.rb

@@ -4,31 +4,36 @@ module WardenOpenidBearer
   # We don't need an overengineered approach based on the Rails cache.
   # No, really.
   module CacheMixin
-    def cached_by(key, &do_it)
-      # We could support more complex types (e.g. arrays) as
-      # value-type cache keys; but right now, our use cases don't
-      # require it:
-      is_value_type = key.is_a? String
-      cache = if is_value_type
-        @__cache_mixin__cache ||= {}
-      else
-        # Use the ::ObjectSpace::WeakMap private API, because the
-        # endeavor of reinventing weak maps on top of (public)
-        # WeakRef's would be called an inversion of abstraction and
-        # would be considered harmful. Sue me (I have unit tests).
-        @__cache_mixin__weakmap_cache ||= ::ObjectSpace::WeakMap.new
-      end
+    def cached_by(*keys, &do_it)
+      @__cache_mixin__cache ||= {}
+
+      caller_method = caller[0][/`.*'/][1..-2]
+      keys.unshift(caller_method)
+
+      first_keys = keys.slice!(0, keys.length - 1).join("|")
+      last_key = keys[0]
+
+      last_key_is_value_type = last_key.is_a? String
+      cache = if last_key_is_value_type
+                @__cache_mixin__cache[first_keys] ||= {}
+              else
+                # Use the ::ObjectSpace::WeakMap private API, because the
+                # endeavor of reinventing weak maps on top of (public)
+                # WeakRef's would be called an inversion of abstraction and
+                # would be considered harmful. Sue me (I have unit tests).
+                @__cache_mixin__cache[first_keys] ||= ::ObjectSpace::WeakMap.new
+              end
 
       now = Time.now()
 
-      if (cached = cache[key])
+      if (cached = cache[last_key])
         unless respond_to?(:cache_timeout) && now - cached[:fetched_at] > cache_timeout
           return cached[:payload]
         end
       end
 
       retval = do_it.call
-      cache[key] = {payload: retval, fetched_at: now}
+      cache[last_key] = { payload: retval, fetched_at: now }
       retval
     end
   end

data/lib/warden_openid_bearer/discovered_config.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require "net/http"
+require 'net/http'
+require 'warden_openid_bearer/net_https'
 
 module WardenOpenidBearer
   # Cacheable configuration (periodically re-)fetched starting from
@@ -19,16 +20,12 @@ module WardenOpenidBearer
     # Provide a public API for tuning the timeout.
     attr_writer :cache_timeout
 
-    def jwks
-      json(metadata[:jwks_uri])
+    def userinfo_endpoint
+      metadata[:userinfo_endpoint]
     end
 
-    def issuer
-      metadata[:issuer]
-    end
-
-    def authorization_algs
-      metadata[:authorization_signing_alg_values_supported]
+    def peer_cert=(peer_cert)
+      @peer_cert = peer_cert
     end
 
     private
@@ -39,7 +36,12 @@ module WardenOpenidBearer
 
     def json(uri)
       cached_by(uri) do
-        JSON.parse(Net::HTTP.get_response(URI(uri)).body, symbolize_names: true)
+        if uri.scheme == 'https'
+          response = WardenOpenidBearer::NetHTTPS.get_response(URI(uri), @peer_cert)
+        else
+          response = Net::HTTP.get_response(URI(uri))
+        end
+        JSON.parse(response.body, symbolize_names: true)
       end
     end
   end

data/lib/warden_openid_bearer/net_https.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'net/http'
+
+module WardenOpenidBearer
+  # Like Net::HTTP, but with TLS and VERIFY_PEER always on.
+  class NetHTTPS < Net::HTTP
+    def initialize(*things)
+      super(*things)
+      self.use_ssl = true
+      self.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    end
+
+    def peer_cert=(peer_cert)
+      self.verify_hostname = false
+      self.verify_callback = lambda do |preverify_ok, cert_store|
+        end_cert_der = cert_store.chain[0].to_der
+        return preverify_ok unless end_cert_der == cert_store.current_cert.to_der
+
+        return end_cert_der == peer_cert.to_der
+      end
+    end
+
+    def self.get_response(uri, peer_cert = nil)
+      https = self.new(uri.hostname, uri.port)
+      https.peer_cert = peer_cert if peer_cert
+
+      req = Net::HTTP::Get.new(uri)
+      https.start do |https|
+        https.request(req)
+      end
+    end
+  end
+end

data/lib/warden_openid_bearer/strategy.rb

@@ -1,13 +1,15 @@
 # frozen_string_literal: true
 
-require "jwt"
+require 'uri'
+require 'net/http'
+require 'warden_openid_bearer/net_https'
 
 module WardenOpenidBearer
   # Like `WardenOpenidAuth::Strategy` in
   # `lib/warden_openid_auth/strategy.rb` from the `warden_openid_auth`
   # gem, except done right for a modern, split-backend Web application
   # (in which the browser takes charge of the OAuth2 login dance, and
-  # the back-end only checks signatures on the JWT claims).
+  # the back-end only validates bearer tokens).
   #
   # You shoud subclass `WardenOpenidBearer::Strategy` and override the
   # `user_of_claims` protected method if you want `env['warden'].user`
@@ -24,32 +26,28 @@ module WardenOpenidBearer
     include WardenOpenidBearer::Registerer # Provides self.register!
     include WardenOpenidBearer::CacheMixin
 
+    # Override in a subclass to support multiple authentication
+    # servers (if tokens can be discriminated between them somehow).
+    # The base class returns True whenever an `Authentication: Bearer`
+    # request header is present.
     def valid?
-      return if !token
-      # Do the issuer check here, so as to seamlessly support multiple
-      # OIDC issuers inside the same app. If a token is not “for us”,
-      # we want to defer to the other Warden strategy instances in the
-      # stack (one which could typically be another instance of either
-      # WardenOpenidBearer::Strategy, or one of its subclasses); therefore, we
-      # want to return `false` if issuers don't match.
-      untrusted_issuer == config.issuer
+      !!token
     end
 
     def authenticate!
-      if (c = claims)
-        success! user_of_claims(c)
+      res = oauth2_userinfo_response
+      body = res.body
+
+      if res.is_a?(Net::HTTPSuccess)
+        success! user_of_claims(JSON.parse(body))
       else
-        # Given that `valid?` did return true previously,
-        # we know the status with precision:
-        fail! "Invalid OIDC bearer token"
+        fail! body
       end
-    rescue JWT::ExpiredSignature
-      fail! "Expired OIDC bearer token"
     end
 
     # Overridden to always return false, because we typically *don't*
     # want persistent sessions for an OpenID-Connect resource server —
-    # Everything we need to know is in the JWT token.
+    # If we cached, we would break logout.
     def store?
       false
     end
@@ -57,7 +55,12 @@ module WardenOpenidBearer
     # Made public so that one may tune the `strategy.config.cache_timeout`:
     def config
       return @config if @config
+
       @config = WardenOpenidBearer::DiscoveredConfig.new(metadata_url)
+      if (peer_cert = WardenOpenidBearer.config.openid_server_certificate)
+        @config.peer_cert = peer_cert
+      end
+
       @config.cache_timeout = cache_timeout
       @config
     end
@@ -94,7 +97,7 @@ module WardenOpenidBearer
       WardenOpenidBearer.config.cache_timeout
     end
 
-    # Returns the JWT token from `request.headers['Authorization']`
+    # Returns the bearer token from `request.headers['Authorization']`
     # (which may or may not be valid)
     def token
       # We call this one quite a lot, so we want some caching. Also,
@@ -102,46 +105,33 @@ module WardenOpenidBearer
       # this class and re-uses it across requests (see
       # `_fetch_strategy` in `lib/warden/proxy.rb`).
       cached_by(request) do
-        puts request.headers
         strategy, token = (request.headers["Authorization"] || "").split(" ")
         token if (strategy || "").downcase == "bearer"
       end
     end
 
-    # Returns the JWT claims, only if the cryptographic signature and
-    # other security requirements (in particular, the expiration
-    # timestamp) check out.
-    def claims
-      JWT.decode(token, nil, true, jwt_decode_opts).first
-    end
-
-    def jwt_decode_opts
-      # Note: issuer check was already done in `valid?`, see
-      # explanations there; skip it here.
-      {
-        algorithm: algorithm,
-        verify_expiration: true,
-        verify_not_before: true,
-        verify_iat: true,
-        jwks: config.jwks
-      }
-    end
-
-    def algorithm
-      return untrusted_algorithm if
-          config.authorization_algs.member? untrusted_algorithm
-    end
-
-    def untrusted_fields
-      JWT.decode(token, nil, false)
+    def oauth2_userinfo_response
+      cached_by(request) do
+        _do_oauth2_userinfo
+      end
     end
 
-    def untrusted_algorithm
-      untrusted_fields.last["alg"]
-    end
+    def _do_oauth2_userinfo
+      uri = URI.parse(config.userinfo_endpoint)
+      req = Net::HTTP::Get.new(uri)
+      req['Authorization'] = "Bearer #{token}"
 
-    def untrusted_issuer
-      untrusted_fields.first["iss"]
+      if uri.scheme == 'https'
+        http = WardenOpenidBearer::NetHTTPS.new(uri.hostname, uri.port)
+        if (peer_cert = WardenOpenidBearer.config.openid_server_certificate)
+          http.peer_cert = peer_cert
+        end
+      else
+        http = Net::HTTP.new(uri.hostname, uri.port)
+      end
+      http.start do |http|
+        http.request(req)
+      end
     end
   end
 end

data/lib/warden_openid_bearer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WardenOpenidBearer
-  VERSION = "0.1.3"
+  VERSION = "0.2.0"
 end

data/lib/warden_openid_bearer.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "dry/configurable"
+require "openssl"
+require "uri"
 
 require_relative "warden_openid_bearer/version"
 require_relative "warden_openid_bearer/registerer"
@@ -12,5 +14,6 @@ module WardenOpenidBearer
   extend Dry::Configurable
 
   setting :openid_metadata_url, constructor: ->(url) { URI(url) }
+  setting :openid_server_certificate, default: nil, constructor: ->(pem) { if pem; OpenSSL::X509::Certificate.new(pem); else nil; end }
   setting :cache_timeout, default: 900
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: warden_openid_bearer
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - Dominique Quatravaux
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-07 00:00:00.000000000 Z
+date: 2023-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: warden
@@ -52,26 +52,12 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.2.2
-- !ruby/object:Gem::Dependency
-  name: jwt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.5'
 description: |2+
 
   This gem is like the `warden_openid_auth` gem, except that it only
   provides support for the very last step of the OAuth code flow, i.e.
   when the resource server / relying party (your Ruby Web app)
-  validates and decodes the JWT token.
+  validates the bearer token.
 
   Use this gem if your client-side Web (or mobile) app will be taking
   care of the rest of the OAuth2 motions, such as redirecting (or
@@ -95,11 +81,11 @@ files:
 - lib/warden_openid_bearer.rb
 - lib/warden_openid_bearer/cache_mixin.rb
 - lib/warden_openid_bearer/discovered_config.rb
+- lib/warden_openid_bearer/net_https.rb
 - lib/warden_openid_bearer/registerer.rb
 - lib/warden_openid_bearer/strategy.rb
 - lib/warden_openid_bearer/version.rb
 - sig/warden_openid_bearer.rbs
-- warden_openid_bearer.gemspec
 homepage: https://github.com/epfl-si/warden_openid_bearer
 licenses:
 - MIT
@@ -123,7 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.11
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: Warden strategy to validate OpenID-Connect bearer tokens

data/warden_openid_bearer.gemspec

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-require_relative "lib/warden_openid_bearer/version"
-
-Gem::Specification.new do |spec|
-  spec.name = "warden_openid_bearer"
-  spec.version = WardenOpenidBearer::VERSION
-  spec.authors = ["Dominique Quatravaux"]
-  spec.email = ["dominique.quatravaux@epfl.ch"]
-
-  spec.summary = "Warden strategy to validate OpenID-Connect bearer tokens"
-  spec.description = <<~END_DESCRIPTION
-
-    This gem is like the `warden_openid_auth` gem, except that it only
-    provides support for the very last step of the OAuth code flow, i.e.
-    when the resource server / relying party (your Ruby Web app)
-    validates and decodes the JWT token.
-
-    Use this gem if your client-side Web (or mobile) app will be taking
-    care of the rest of the OAuth2 motions, such as redirecting (or
-    opening a popup window) to the authentication server at login time,
-    managing and refreshing tokens, doing all these unspeakable things
-    with iframes, etc.
-
-  END_DESCRIPTION
-  spec.homepage = "https://github.com/epfl-si/warden_openid_bearer"
-  spec.license = "MIT"
-  spec.required_ruby_version = ">= 2.6.0"
-
-  spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = spec.homepage
-  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/master/CHANGELOG.md"
-  spec.metadata["my_side_project_has_a_side_project"] = "https://github.com/epfl-si/rails.starterkit"
-
-  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files = Dir.chdir(__dir__) do
-    `git ls-files -z`.split("\x0").reject do |f|
-      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
-    end
-  end
-  spec.require_paths = ["lib"]
-
-  spec.add_dependency "warden", "~> 1.2.0"
-  spec.add_dependency "dry-configurable", "~> 0.15.0"
-  spec.add_dependency "net-http", "~> 0.2.2"
-  spec.add_dependency "jwt", "~> 2.5"
-end