-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'main' of github.com:G-Research/astral
- Loading branch information
Showing
15 changed files
with
201 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
require "open-uri" | ||
module Jwt | ||
class JwksDecoder | ||
def initialize(url) | ||
@url = url | ||
end | ||
|
||
def configured?(config) | ||
!@url.nil? | ||
end | ||
|
||
# Decode a JWT token signed with JWKS | ||
def decode(token) | ||
jwks = get_jwks_keyset_from_configured_url | ||
jwks = filter_out_non_signing_keys(jwks) | ||
body = JWT.decode(token, nil, true, | ||
algorithms: get_algorithms_from_keyset(jwks), | ||
jwks: jwks)[0] | ||
Identity.new(body) | ||
rescue => e | ||
Rails.logger.warn "Unable to decode token: #{e}" | ||
nil | ||
end | ||
|
||
private | ||
|
||
def get_jwks_keyset_from_configured_url | ||
jwks_json = URI.open(@url) { |f| f.read } | ||
JWT::JWK::Set.new(JSON.parse(jwks_json)) | ||
end | ||
|
||
def filter_out_non_signing_keys(jwks) | ||
jwks.filter { |k| k[:use] == "sig" } | ||
end | ||
|
||
def get_algorithms_from_keyset(jwks) | ||
jwks.map { |k| k[:alg] }.compact.uniq | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
module Jwt | ||
class SecretDecoder | ||
def initialize(secret) | ||
@secret = secret | ||
end | ||
|
||
def configured?(config) | ||
!@secret.nil? | ||
end | ||
|
||
def decode(token) | ||
# Decode a JWT access token using the configured base. | ||
body = JWT.decode(token, Config[:jwt_signing_key])[0] | ||
Identity.new(body) | ||
rescue => e | ||
Rails.logger.warn "Unable to decode token: #{e}" | ||
nil | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
module Utils | ||
class DecoderFactory | ||
cattr_reader :decoders | ||
class << self | ||
# Any new decoders should be added here: | ||
@@decoders = [ Jwt::JwksDecoder.new(Config[:jwks_url]), | ||
Jwt::SecretDecoder.new(Config[:jwt_signing_key]) ] | ||
|
||
def get(config) | ||
configured_decoders = getConfiguredDecoders(config) | ||
if configured_decoders.length != 1 | ||
raise "Exactly one decoder must be configured" | ||
end | ||
configured_decoders.first | ||
end | ||
|
||
private | ||
def getConfiguredDecoders(config) | ||
decoders.filter { |c| c.configured?(config) } | ||
end | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
require "test_helper" | ||
require "jwt" | ||
require "openssl" | ||
require "json" | ||
require "tempfile" | ||
|
||
class JwksDecoderTest < ActiveSupport::TestCase | ||
test ".decode returns correct identity" do | ||
jwk = generate_jwks_signing_key | ||
token = generate_jwks_token(jwk) | ||
keyset_path = generate_jwks_keyset(jwk) | ||
|
||
identity = Jwt::JwksDecoder.new(keyset_path).decode(token) | ||
assert_equal "[email protected]", identity.sub | ||
assert_equal "astral", identity.aud | ||
end | ||
|
||
private | ||
|
||
def generate_jwks_signing_key | ||
optional_parameters = { kid: "1", use: "sig", alg: "RS256" } | ||
jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters) | ||
end | ||
|
||
def generate_jwks_token(jwk) | ||
payload = { "sub"=>"[email protected]", "name"=>"John Doe", "iat"=>1516239022, | ||
"groups"=>[ "group1", "group2" ], "aud"=>"astral" } | ||
|
||
JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid]) | ||
end | ||
|
||
def generate_jwks_keyset(jwk) | ||
jwks_hash = JWT::JWK::Set.new(jwk).export | ||
f = Tempfile.new | ||
f.write(JSON.pretty_generate(jwks_hash)) | ||
f.close | ||
f.path | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
require "test_helper" | ||
|
||
class SecretDecoderTest < ActiveSupport::TestCase | ||
test ".decode returns correct identity" do | ||
identity = Jwt::SecretDecoder.new(Config[:jwt_signing_key]). | ||
decode(jwt_authorized) | ||
assert_equal "[email protected]", identity.sub | ||
assert_equal "astral", identity.aud | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
require "test_helper" | ||
|
||
class DecoderFactoryTest < ActiveSupport::TestCase | ||
test ".get returns configured decoder" do | ||
decoders = [ UnconfiguredDecoder.new, ConfiguredDecoder.new ] | ||
Utils::DecoderFactory.stub :decoders, decoders do | ||
decoder = Utils::DecoderFactory.get({}) | ||
assert decoder.instance_of?(ConfiguredDecoder) | ||
end | ||
end | ||
|
||
test ".get recognizes invalid config" do | ||
decoders = [ ConfiguredDecoder.new, ConfiguredDecoder.new ] | ||
Utils::DecoderFactory.stub :decoders, decoders do | ||
assert_raises( | ||
RuntimeError, "Exactly one decoder must be configured") do | ||
decoder = Utils::DecoderFactory.get({}) | ||
end | ||
end | ||
end | ||
|
||
class ConfiguredDecoder | ||
def configured?(c) = true | ||
end | ||
|
||
class UnconfiguredDecoder | ||
def configured?(c) = false | ||
end | ||
end |
File renamed without changes.