Class: ExoAuth::Auth

Inherits:

Object

• Object
• ExoAuth::Auth

Defined in:

lib/exoauth/auth.rb

Constant Summary

DEFAULT_ALGORITHM =

'RS256'

DEFAULT_HMAC_SIZE =

20

DEFAULT_RSA_SIZE =

4096

DEFAULT_TOKEN_TTL =

3600

DEFAULT_SIGNING_KEY_PATH =

'~/.ssh/exotic-app.rsa'

DEFAULT_VERIFY_KEY_PATH =

'~/.ssh/exotic-app.rsa.pub'

@@conf =

ExoBasic::Settings.loaded['user_auth']

@@app_signing_key =

Auth.init_app_key(@@conf, 'signing')

@@app_verify_key =

Auth.init_app_key(@@conf, 'verify')

Class Method Summary

• .app_algorithm ⇒ Object
• .app_expiration_ttl ⇒ Object
• .app_keys ⇒ Object
• .decode(token, verify_key = 'default', algorithm = 'default') ⇒ Object
• .encode(payload, signing_key = 'default', algorithm = 'default') ⇒ Object
• .expired?(now, expiration_time) ⇒ Boolean
• .generate_key(algorithm, parm = nil) ⇒ Object
• .get_app_signing_key ⇒ Object
• .get_app_verify_key ⇒ Object
• .init_app_key(conf, prefix) ⇒ Object
• .issued_expiration_time(now) ⇒ Object
• .key_from_env(varname, algorithm) ⇒ Object
• .key_from_file(fname, algorithm) ⇒ Object
• .key_from_settings(field, algorithm) ⇒ Object
• .key_from_string(str, algorithm) ⇒ Object
• .key_to_file(fname, key) ⇒ Object
• .private_key_from_pem(pem, algorithm) ⇒ Object
• .public_key_from_pem(pem, algorithm) ⇒ Object
• .settings_reloaded ⇒ Object
• .show_key(key, algorithm) ⇒ Object

Class Method Details

.app_algorithm ⇒ Object

# File 'lib/exoauth/auth.rb', line 15

def self.app_algorithm
  ExoBasic::Settings.try_get_key(@@conf,
                                 Auth::DEFAULT_ALGORITHM,
                                 'algorithm')
end

.app_expiration_ttl ⇒ Object

# File 'lib/exoauth/auth.rb', line 21

def self.app_expiration_ttl
  ExoBasic::Settings.try_get_key(@@conf,
                                 Auth::DEFAULT_TOKEN_TTL,
                                 'token_ttl')
end

.app_keys ⇒ Object

# File 'lib/exoauth/auth.rb', line 240

def self.app_keys
  algorithm = Auth.app_algorithm

  {
    :algorithm => algorithm,
    :signing_key => Auth.show_key(Auth.get_app_signing_key, algorithm),
    :verify_key => Auth.show_key(Auth.get_app_verify_key, algorithm),
    :token_ttl => Auth.app_expiration_ttl
  }
end

.decode(token, verify_key = 'default', algorithm = 'default') ⇒ Object

# File 'lib/exoauth/auth.rb', line 165

def self.decode(token, verify_key='default', algorithm='default')
  if algorithm == 'default'
    algorithm = Auth.app_algorithm
  end
  if verify_key == 'default'
    verify_key = Auth.get_app_verify_key
  else
    verify_key = Auth.public_key_from_pem(verify_key, algorithm)
  end

  begin
    payload, headers = [nil, nil]
    if verify_key.nil?
      payload, headers = JWT.decode(token, nil, false)
    else
      payload, headers = JWT.decode(token, verify_key, true, { algorithm: algorithm })
    end

    now = Time.now
    if !headers['iat'].nil? &&
       (headers['iat'].to_f > now.to_f ||
        Auth.expired?(now, Auth.issued_expiration_time(headers['iat'])))

      false
    elsif !headers['exp'].nil? &&
          (headers['exp'].to_i < now.to_i ||
           Auth.expired?(now, headers['exp']))

      false
    else
      payload
    end
  rescue JWT::DecodeError => e
    false
  end
end

.encode(payload, signing_key = 'default', algorithm = 'default') ⇒ Object

# File 'lib/exoauth/auth.rb', line 143

def self.encode(payload, signing_key='default', algorithm='default')
  if algorithm == 'default'
    algorithm = Auth.app_algorithm
  end
  if signing_key == 'default'
    signing_key = Auth.get_app_signing_key
  else
    signing_key = Auth.private_key_from_pem(signing_key, algorithm)
  end

  now = Time.now
  headers = {
    'iat' => now.to_i,
    'exp' => Auth.issued_expiration_time(now)
  }
  if signing_key.nil?
    JWT.encode(payload, nil, 'none', headers)
  else
    JWT.encode(payload, signing_key, algorithm, headers)
  end
end

.expired?(now, expiration_time) ⇒ Boolean

# File 'lib/exoauth/auth.rb', line 31

def self.expired?(now, expiration_time)
  now > Time.at(expiration_time.to_i)
end

.generate_key(algorithm, parm = nil) ⇒ Object

# File 'lib/exoauth/auth.rb', line 48

def self.generate_key(algorithm, parm=nil)
  case algorithm
  when 'HS256'
    if parm.nil?
      parm = Auth::DEFAULT_HMAC_SIZE
    end

    ExoBasic::HMACKeys.gen_key(parm)
  when 'ES384'
    ExoBasic::ECDSAKeys.gen_key('secp384r1')
  when 'ES512'
    ExoBasic::ECDSAKeys.gen_key('secp521r1')
  when 'RS256'
    if parm.nil?
      parm = Auth::DEFAULT_RSA_SIZE
    end

    ExoBasic::RSAKeys.gen_key(parm)
  else
    nil
  end
end

.get_app_signing_key ⇒ Object

# File 'lib/exoauth/auth.rb', line 232

def self.get_app_signing_key
  @@app_signing_key
end

.get_app_verify_key ⇒ Object

# File 'lib/exoauth/auth.rb', line 236

def self.get_app_verify_key
  @@app_verify_key
end

.init_app_key(conf, prefix) ⇒ Object

# File 'lib/exoauth/auth.rb', line 202

def self.init_app_key(conf, prefix)
  if conf.key?("#{prefix}_key_path")
    fname = File.expand_path(conf["#{prefix}_key_path"], __FILE__)
    Auth.key_from_file(fname, Auth.app_algorithm)
  elsif conf.key?("#{prefix}_key_env_variable")
    varname = conf["#{prefix}_key_env_variable"]
    Auth.key_from_env(varname, Auth.app_algorithm)
  elsif conf.key?("#{prefix}_key")
    field = "#{prefix}_key"
    Auth.key_from_settings(field, Auth.app_algorithm)
  elsif conf.key?("#{prefix}_enabled")
    fname = File.expand_path(Auth::DEFAULT_VERIFY_KEY_PATH, __FILE__)
    Auth.key_from_file(fname, Auth.app_algorithm)
  else
    nil
  end
end

.issued_expiration_time(now) ⇒ Object

# File 'lib/exoauth/auth.rb', line 27

def self.issued_expiration_time(now)
  now.to_i + Auth.app_expiration_ttl
end

.key_from_env(varname, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 112

def self.key_from_env(varname, algorithm)
  Auth.key_from_string(ENV[varname], algorithm)
end

.key_from_file(fname, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 120

def self.key_from_file(fname, algorithm)
  key = nil
  File.open(fname) do |file|
    case algorithm
    when 'HS256'
      key = file.read
    when 'ES384', 'ES512', 'RS256'
      key = OpenSSL::PKey.read(file)
    end
  end

  key
end

.key_from_settings(field, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 116

def self.key_from_settings(field, algorithm)
  Auth.key_from_string(@@conf[field], algorithm)
end

.key_from_string(str, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 100

def self.key_from_string(str, algorithm)
  key = nil
  case algorithm
  when 'HS256'
    key = str
  when 'ES384', 'ES512', 'RS256'
    key = OpenSSL::PKey.read(str)
  end

  key
end

.key_to_file(fname, key) ⇒ Object

# File 'lib/exoauth/auth.rb', line 134

def self.key_to_file(fname, key)
  done = false
  File.open(fname, 'w') do |file|
    done = file.write(key) > 0
  end

  done
end

.private_key_from_pem(pem, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 71

def self.private_key_from_pem(pem, algorithm)
  pkey = nil
  case algorithm
  when 'HS256'
    pkey = pem
  when 'ES384', 'ES512'
    pkey = ExoBasic::ECDSAKeys.from_pem(pem)
  when 'RS256'
    pkey = ExoBasic::RSAKeys.from_pem(pem)
  end

  pkey
end

.public_key_from_pem(pem, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 85

def self.public_key_from_pem(pem, algorithm)
  pub_key = nil
  case algorithm
  when 'HS256'
    pub_key = pem
  when 'ES384', 'ES512'
    pub_key = ExoBasic::ECDSAKeys.from_pem(pem)
    pub_key.private_key = nil
  when 'RS256'
    pub_key = ExoBasic::RSAKeys.from_pem(pem)
  end

  pub_key
end

.settings_reloaded ⇒ Object

# File 'lib/exoauth/auth.rb', line 224

def self.settings_reloaded
  @@conf = ExoBasic::Settings.loaded['user_auth']

  @@app_signing_key = Auth.init_app_key(@@conf, 'signing')

  @@app_verify_key = Auth.init_app_key(@@conf, 'verify')
end

.show_key(key, algorithm) ⇒ Object

# File 'lib/exoauth/auth.rb', line 35

def self.show_key(key, algorithm)
  case algorithm
  when 'HS256'
    key
  when 'ES384', 'ES512'
    ExoBasic::ECDSAKeys.to_pem(key)
  when 'RS256'
    ExoBasic::RSAKeys.to_pem(key)
  else
    nil
  end
end