Class: WSDL::Security::Config

Inherits:

Object

• Object
• WSDL::Security::Config

Defined in:

lib/wsdl/security/config.rb

Overview

Fluent facade for configuring request and response security policies.

Config is intentionally thin and delegates to focused components:

• RequestPolicy for outbound message security intent
• ResponsePolicy for inbound verification enforcement
• CredentialNormalizer for credential normalization and validation

Per-request runtime security artifacts (nonce, IDs, timestamps, references) are generated by RequestMaterializer to avoid replayable state reuse.

Constant Summary

KeyRef =

Local alias for key reference constants

Constants::KeyReference

Instance Method Summary

• #check_certificate_validity ⇒ Boolean

  Returns whether certificate validity checking is enabled.

• #clear ⇒ self

  Clears all security policy.

• #clock_skew ⇒ Integer

  Returns response timestamp clock skew in seconds.

• #configured? ⇒ Boolean

  Returns whether any request security is configured.

• #dup ⇒ Config

  Returns deep-copy style duplicate.

• #explicit_namespace_prefixes? ⇒ Boolean

  Returns whether explicit signature namespace prefixes are enabled.

• #initialize(policy: Policy.default, credential_normalizer: CredentialNormalizer.new) ⇒ Config constructor

  A new instance of Config.

• #inspect ⇒ String

  Returns redacted configuration for safe logging.

• #key_reference ⇒ Symbol

  Returns key reference method.

• #request_context(now: Time.now.utc) ⇒ RequestContext

  Builds per-request runtime security context.

• #response_policy ⇒ ResponsePolicy

  Returns the response policy for verification enforcement.

• #response_verification_options ⇒ ResponseVerification::Options

  Returns response verification options.

• #sign_addressing? ⇒ Boolean

  Returns whether WS-Addressing signing is enabled.

• #sign_timestamp? ⇒ Boolean

  Returns whether timestamp signing is enabled.

• #signature(certificate:, private_key:, **options) ⇒ self

  Configures X.509 certificate signing.

• #signature? ⇒ Boolean

  Returns whether X.509 signing is configured.

• #timestamp(created_at: nil, expires_in: Timestamp::DEFAULT_TTL, expires_at: nil) ⇒ self

  Configures a wsu:Timestamp header.

• #timestamp? ⇒ Boolean

  Returns whether Timestamp is configured.

• #username_token(username, password, digest: false, created_at: nil) ⇒ self

  Configures UsernameToken authentication.

• #username_token? ⇒ Boolean

  Returns whether UsernameToken is configured.

• #validate_timestamp ⇒ Boolean

  Returns whether response timestamp validation is enabled.

• #verification_mode ⇒ Symbol

  Returns response verification mode.

• #verification_trust_store ⇒ OpenSSL::X509::Store, ...

  Returns configured response verification trust store.

• #verify_response(mode: ResponsePolicy::MODE_REQUIRED, trust_store: nil, check_validity: true, validate_timestamp: true, clock_skew: 300) ⇒ self

  Configures response verification enforcement.

• #verify_response? ⇒ Boolean

  Returns whether response verification enforcement is enabled.

Constructor Details

#initialize(policy: Policy.default, credential_normalizer: CredentialNormalizer.new) ⇒ Config

Returns a new instance of Config.

Parameters:

• policy (Policy) (defaults to: Policy.default)
• credential_normalizer (CredentialNormalizer) (defaults to: CredentialNormalizer.new)

# File 'lib/wsdl/security/config.rb', line 20

def initialize(policy: Policy.default, credential_normalizer: CredentialNormalizer.new)
  @policy = policy
  @credential_normalizer = credential_normalizer
end

Instance Method Details

#check_certificate_validity ⇒ Boolean

Returns whether certificate validity checking is enabled.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 176

def check_certificate_validity
  response_verification_options.certificate.verify_not_expired
end

#clear ⇒ self

Clears all security policy.

Returns:

• (self)

# File 'lib/wsdl/security/config.rb', line 226

def clear
  @policy = Policy.default
  self
end

#clock_skew ⇒ Integer

Returns response timestamp clock skew in seconds.

Returns:

• (Integer)

# File 'lib/wsdl/security/config.rb', line 190

def clock_skew
  response_verification_options.timestamp.tolerance_seconds
end

#configured? ⇒ Boolean

Returns whether any request security is configured.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 113

def configured?
  @policy.request.configured?
end

#dup ⇒ Config

Returns deep-copy style duplicate.

Returns:

• (Config)

# File 'lib/wsdl/security/config.rb', line 234

def dup
  self.class.new(policy: @policy, credential_normalizer: @credential_normalizer)
end

#explicit_namespace_prefixes? ⇒ Boolean

Returns whether explicit signature namespace prefixes are enabled.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 155

def explicit_namespace_prefixes?
  @policy.request.explicit_namespace_prefixes?
end

#inspect ⇒ String

Returns redacted configuration for safe logging.

Returns:

• (String)

# File 'lib/wsdl/security/config.rb', line 241

def inspect
  parts = inspect_base_parts
  parts.concat(inspect_username_token_parts) if @policy.request.username_token
  parts.concat(inspect_signature_parts) if @policy.request.signature
  "#<#{self.class.name} #{parts.join(' ')}>"
rescue StandardError
  "#<#{self.class.name} username_token=#{username_token?} timestamp=#{timestamp?} " \
  "signature=#{signature?} verify_response=#{verify_response?}>"
end

#key_reference ⇒ Symbol

Returns key reference method.

Returns:

• (Symbol)

# File 'lib/wsdl/security/config.rb', line 162

def key_reference
  @policy.request.key_reference
end

#request_context(now: Time.now.utc) ⇒ RequestContext

Builds per-request runtime security context.

Parameters:

• now (Time) (defaults to: Time.now.utc)

Returns:

• (RequestContext)

# File 'lib/wsdl/security/config.rb', line 219

def request_context(now: Time.now.utc)
  RequestMaterializer.materialize(@policy.request, now:)
end

#response_policy ⇒ ResponsePolicy

Returns the response policy for verification enforcement.

Returns:

• (ResponsePolicy)

# File 'lib/wsdl/security/config.rb', line 211

def response_policy
  @policy.response
end

#response_verification_options ⇒ ResponseVerification::Options

Returns response verification options.

Returns:

• (ResponseVerification::Options)

# File 'lib/wsdl/security/config.rb', line 204

def response_verification_options
  @policy.response.options
end

#sign_addressing? ⇒ Boolean

Returns whether WS-Addressing signing is enabled.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 148

def sign_addressing?
  @policy.request.sign_addressing?
end

#sign_timestamp? ⇒ Boolean

Returns whether timestamp signing is enabled.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 141

def sign_timestamp?
  @policy.request.sign_timestamp?
end

#signature(certificate:, private_key:, **options) ⇒ self

Configures X.509 certificate signing.

SOAP Body signing is mandatory and cannot be disabled.

Parameters:

• certificate (OpenSSL::X509::Certificate, String)
• private_key (OpenSSL::PKey::RSA, OpenSSL::PKey::EC, String)
• options (Hash) —

  signing options

Returns:

• (self)

# File 'lib/wsdl/security/config.rb', line 58

def signature(certificate:, private_key:, **options)
  cert = @credential_normalizer.normalize_certificate(certificate)
  key = @credential_normalizer.normalize_private_key(private_key, options[:key_password])

  signature_options = SignatureOptions.from_hash(options).freeze
  @credential_normalizer.validate_key_reference!(signature_options.key_reference, cert)

  signature = RequestPolicy::Signature.new(
    certificate: cert,
    private_key: key,
    options: signature_options
  )

  @policy = @policy.with_request(@policy.request.with_signature(signature))
  self
end

#signature? ⇒ Boolean

Returns whether X.509 signing is configured.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 134

def signature?
  @policy.request.signature?
end

#timestamp(created_at: nil, expires_in: Timestamp::DEFAULT_TTL, expires_at: nil) ⇒ self

Configures a wsu:Timestamp header.

Parameters:

• created_at (Time, nil) (defaults to: nil) —

  optional fixed creation time

• expires_in (Integer) (defaults to: Timestamp::DEFAULT_TTL) —

  seconds until expiration

• expires_at (Time, nil) (defaults to: nil) —

  explicit expiration time

Returns:

• (self)

# File 'lib/wsdl/security/config.rb', line 44

def timestamp(created_at: nil, expires_in: Timestamp::DEFAULT_TTL, expires_at: nil)
  ts = RequestPolicy::Timestamp.new(created_at:, expires_in:, expires_at:)
  @policy = @policy.with_request(@policy.request.with_timestamp(ts))
  self
end

#timestamp? ⇒ Boolean

Returns whether Timestamp is configured.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 127

def timestamp?
  @policy.request.timestamp?
end

#username_token(username, password, digest: false, created_at: nil) ⇒ self

Configures UsernameToken authentication.

Parameters:

• username (String) —

  the username

• password (String) —

  the password

• digest (Boolean) (defaults to: false) —

  whether to use digest authentication

• created_at (Time, nil) (defaults to: nil) —

  optional fixed creation timestamp

Returns:

• (self)

# File 'lib/wsdl/security/config.rb', line 32

def username_token(username, password, digest: false, created_at: nil)
  token = RequestPolicy::UsernameToken.new(username:, password:, digest:, created_at:)
  @policy = @policy.with_request(@policy.request.with_username_token(token))
  self
end

#username_token? ⇒ Boolean

Returns whether UsernameToken is configured.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 120

def username_token?
  @policy.request.username_token?
end

#validate_timestamp ⇒ Boolean

Returns whether response timestamp validation is enabled.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 183

def validate_timestamp
  response_verification_options.timestamp.validate
end

#verification_mode ⇒ Symbol

Returns response verification mode.

Returns:

• (Symbol)

# File 'lib/wsdl/security/config.rb', line 197

def verification_mode
  @policy.response.mode
end

#verification_trust_store ⇒ OpenSSL::X509::Store, ...

Returns configured response verification trust store.

Returns:

• (OpenSSL::X509::Store, Symbol, String, Array, nil)

# File 'lib/wsdl/security/config.rb', line 169

def verification_trust_store
  response_verification_options.certificate.trust_store
end

#verify_response(mode: ResponsePolicy::MODE_REQUIRED, trust_store: nil, check_validity: true, validate_timestamp: true, clock_skew: 300) ⇒ self

Configures response verification enforcement.

Parameters:

• mode (Symbol) (defaults to: ResponsePolicy::MODE_REQUIRED) —

  :disabled, :if_present, or :required

• trust_store (OpenSSL::X509::Store, Symbol, String, Array, nil) (defaults to: nil)
• check_validity (Boolean) (defaults to: true)
• validate_timestamp (Boolean) (defaults to: true)
• clock_skew (Integer) (defaults to: 300)

Returns:

• (self)

# File 'lib/wsdl/security/config.rb', line 83

def verify_response(mode: ResponsePolicy::MODE_REQUIRED, trust_store: nil,
                    check_validity: true, validate_timestamp: true, clock_skew: 300)
  resolved_trust_store = resolve_trust_store(mode:, trust_store:)

  options = ResponseVerification::Options.new(
    certificate: ResponseVerification::Certificate.new(
      trust_store: resolved_trust_store,
      verify_not_expired: check_validity
    ),
    timestamp: ResponseVerification::Timestamp.new(
      validate: validate_timestamp,
      tolerance_seconds: clock_skew
    )
  )

  response = @policy.response.with_mode(mode).with_options(options)
  @policy = @policy.with_response(response)
  self
end

#verify_response? ⇒ Boolean

Returns whether response verification enforcement is enabled.

Returns:

• (Boolean)

# File 'lib/wsdl/security/config.rb', line 106

def verify_response?
  !@policy.response.disabled?
end