From bb8fe6aa83dd89114beb8aa2dd948edee8fa5db4 Mon Sep 17 00:00:00 2001 From: theworldbright <kent@kentshikama.com> Date: Fri, 7 Aug 2015 18:38:48 +0900 Subject: [PATCH] Adjust id token config to save private key to file --- .gitignore | 1 + .../api/openid_connect/id_tokens_controller.rb | 2 +- app/models/api/openid_connect/id_token.rb | 2 +- features/step_definitions/auth_code_steps.rb | 2 +- lib/api/openid_connect/id_token_config.rb | 17 +++++++++++------ .../authorizations_controller_spec.rb | 10 +++++----- .../openid_connect/id_tokens_controller_spec.rb | 2 +- .../api/openid_connect/token_endpoint_spec.rb | 4 ++-- 8 files changed, 23 insertions(+), 17 deletions(-) diff --git a/.gitignore b/.gitignore index 70544e8474..3847784e1f 100644 --- a/.gitignore +++ b/.gitignore @@ -20,6 +20,7 @@ vendor/cache/ config/database.yml .rvmrc_custom .rvmrc.local +oidc_key.pem # Mailing list stuff config/email_offset diff --git a/app/controllers/api/openid_connect/id_tokens_controller.rb b/app/controllers/api/openid_connect/id_tokens_controller.rb index dae760892a..9e8c65b895 100644 --- a/app/controllers/api/openid_connect/id_tokens_controller.rb +++ b/app/controllers/api/openid_connect/id_tokens_controller.rb @@ -8,7 +8,7 @@ module Api private def build_jwk - JSON::JWK.new(Api::OpenidConnect::IdTokenConfig.public_key, use: :sig) + JSON::JWK.new(Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY, use: :sig) end end end diff --git a/app/models/api/openid_connect/id_token.rb b/app/models/api/openid_connect/id_token.rb index 2855a38b0a..5acfa0ea4d 100644 --- a/app/models/api/openid_connect/id_token.rb +++ b/app/models/api/openid_connect/id_token.rb @@ -12,7 +12,7 @@ module Api end def to_jwt(options={}) - to_response_object(options).to_jwt OpenidConnect::IdTokenConfig.private_key + to_response_object(options).to_jwt OpenidConnect::IdTokenConfig::PRIVATE_KEY end def to_response_object(options={}) 
diff --git a/features/step_definitions/auth_code_steps.rb b/features/step_definitions/auth_code_steps.rb
index 36ea99cedd..37b4f7b8bc 100644
--- a/features/step_definitions/auth_code_steps.rb
+++ b/features/step_definitions/auth_code_steps.rb
@@ -30,7 +30,7 @@ When /^I parse the tokens and use it obtain user info$/ do
 access_token = client_json["access_token"]
 encoded_id_token = client_json["id_token"]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 expect(decoded_token.sub).to eq(@me.diaspora_handle)
 get api_openid_connect_user_info_path, access_token: access_token
 end
diff --git a/lib/api/openid_connect/id_token_config.rb b/lib/api/openid_connect/id_token_config.rb
index d046d4b7a2..541fa46635 100644
--- a/lib/api/openid_connect/id_token_config.rb
+++ b/lib/api/openid_connect/id_token_config.rb
@@ -1,13 +1,18 @@
 module Api
 module OpenidConnect
 class IdTokenConfig
- @@key = OpenSSL::PKey::RSA.new(2048)
- def self.public_key
- @@key.public_key
- end
- def self.private_key
- @@key
+ private_key = OpenSSL::PKey::RSA.new(2048)
+ key_file_path = File.join(Rails.root, "config", "oidc_key.pem")
+ if File.exist?(key_file_path)
+ private_key = OpenSSL::PKey::RSA.new(File.read(key_file_path))
+ else
+ open key_file_path, "w" do |io|
+ io.write private_key.to_pem
+ end
+ File.chmod(0600, key_file_path)
 end
+ PRIVATE_KEY = private_key
+ PUBLIC_KEY = private_key.public_key
 end
 end
 end
diff --git a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
index 244799a284..5233ef9762 100644
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
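Review bot: In the id_token_config.rb hunk the PEM is written with `open key_file_path, "w"` under the process umask and only locked down afterwards by `File.chmod(0600, key_file_path)`, so the private signing key is first created with default (typically group/world-readable) permissions, and the `File.exist?` check followed by the write is not atomic: two app processes booting at once can each generate a different key and overwrite each other's file, leaving the published JWK and already-issued ID tokens out of step. Creating the file exclusively with its final mode closes both gaps, and moving `OpenSSL::PKey::RSA.new(2048)` into the else branch also avoids a needless 2048-bit key generation on every boot where the file already exists; a header comment such as `# Loads the OIDC ID-token signing key from config/oidc_key.pem, generating and persisting it on first boot` would help as well. The rewrite below keeps the `PRIVATE_KEY`/`PUBLIC_KEY` constants unchanged; whether the project already guarantees a single booting process is not something I can tell from the hunk.
```ruby
class IdTokenConfig
  key_file_path = File.join(Rails.root, "config", "oidc_key.pem")
  if File.exist?(key_file_path)
    private_key = OpenSSL::PKey::RSA.new(File.read(key_file_path))
  else
    private_key = OpenSSL::PKey::RSA.new(2048)
    begin
      # O_EXCL + 0600 at creation: the PEM is never readable by other users,
      # and a concurrently booting process cannot silently replace this key
      File.open(key_file_path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |io|
        io.write private_key.to_pem
      end
    rescue Errno::EEXIST
      # lost the race: use the key the other process persisted
      private_key = OpenSSL::PKey::RSA.new(File.read(key_file_path))
    end
  end
  # … unchanged: PRIVATE_KEY / PUBLIC_KEY constants …
```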
@@ -146,7 +146,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
 expect(response.location).to have_content("id_token=")
 encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 expect(decoded_token.nonce).to eq("4130930983")
 expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
 end
@@ -164,7 +164,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
 expect(response.location).to have_content("id_token=")
 encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 expect(decoded_token.nonce).to eq("4130930983")
 expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
 end
@@ -196,7 +196,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
 it "should return the id token in a fragment" do
 encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 expect(decoded_token.nonce).to eq("4180930983")
 expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
 end
@@ -204,7 +204,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
 it "should return a valid access token in a fragment" do
 encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 access_token = response.location[/(?<=access_token=)[^&]+/]
 access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
 expect(decoded_token.at_hash).to eq(access_token_check_num)
@@ -227,7 +227,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
 expect(response.location).to have_content("id_token=")
 encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 expect(decoded_token.nonce).to eq("4180930983")
 expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
 end
diff --git a/spec/controllers/api/openid_connect/id_tokens_controller_spec.rb b/spec/controllers/api/openid_connect/id_tokens_controller_spec.rb
index 06930c45b3..6827863d53 100644
--- a/spec/controllers/api/openid_connect/id_tokens_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/id_tokens_controller_spec.rb
@@ -13,7 +13,7 @@ describe Api::OpenidConnect::IdTokensController, type: :controller do
 JSON::JWK.decode jwk
 end
 public_key = public_keys.first
- expect(Api::OpenidConnect::IdTokenConfig.private_key.public_key.to_s).to eq(public_key.to_s)
+ expect(Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY.to_s).to eq(public_key.to_s)
 end
 end
 end
diff --git a/spec/lib/api/openid_connect/token_endpoint_spec.rb b/spec/lib/api/openid_connect/token_endpoint_spec.rb
index 1dad2c1336..dfbee1eebb 100644
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
@@ -21,7 +21,7 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
 json = JSON.parse(response.body)
 encoded_id_token = json["id_token"]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 expected_guid = bob.pairwise_pseudonymous_identifiers.find_by(sector_identifier: "https://example.com/uri").guid
 expect(decoded_token.sub).to eq(expected_guid)
 expect(decoded_token.exp).to be > Time.zone.now.utc.to_i
@@ -31,7 +31,7 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
 json = JSON.parse(response.body)
 encoded_id_token = json["id_token"]
 decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
- Api::OpenidConnect::IdTokenConfig.public_key
+ Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
 access_token = json["access_token"]
 access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
 expect(decoded_token.at_hash).to eq(access_token_check_num)
-- GitLab