Merge branch 'add-jwt-strategy-to-gitlab-suite' into 'master'
Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite See merge request gitlab-org/gitlab-ce!18580
This commit is contained in:
commit
fa7b98d508
1
Gemfile
1
Gemfile
|
@ -51,7 +51,6 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
|
||||||
gem 'omniauth-twitter', '~> 1.4'
|
gem 'omniauth-twitter', '~> 1.4'
|
||||||
gem 'omniauth_crowd', '~> 2.2.0'
|
gem 'omniauth_crowd', '~> 2.2.0'
|
||||||
gem 'omniauth-authentiq', '~> 0.3.1'
|
gem 'omniauth-authentiq', '~> 0.3.1'
|
||||||
gem 'omniauth-jwt', '~> 0.0.2'
|
|
||||||
gem 'rack-oauth2', '~> 1.2.1'
|
gem 'rack-oauth2', '~> 1.2.1'
|
||||||
gem 'jwt', '~> 1.5.6'
|
gem 'jwt', '~> 1.5.6'
|
||||||
|
|
||||||
|
|
|
@ -555,9 +555,6 @@ GEM
|
||||||
jwt (>= 1.5)
|
jwt (>= 1.5)
|
||||||
omniauth (>= 1.1.1)
|
omniauth (>= 1.1.1)
|
||||||
omniauth-oauth2 (>= 1.5)
|
omniauth-oauth2 (>= 1.5)
|
||||||
omniauth-jwt (0.0.2)
|
|
||||||
jwt
|
|
||||||
omniauth (~> 1.1)
|
|
||||||
omniauth-kerberos (0.3.0)
|
omniauth-kerberos (0.3.0)
|
||||||
omniauth-multipassword
|
omniauth-multipassword
|
||||||
timfel-krb5-auth (~> 0.8)
|
timfel-krb5-auth (~> 0.8)
|
||||||
|
@ -1117,7 +1114,6 @@ DEPENDENCIES
|
||||||
omniauth-github (~> 1.1.1)
|
omniauth-github (~> 1.1.1)
|
||||||
omniauth-gitlab (~> 1.0.2)
|
omniauth-gitlab (~> 1.0.2)
|
||||||
omniauth-google-oauth2 (~> 0.5.3)
|
omniauth-google-oauth2 (~> 0.5.3)
|
||||||
omniauth-jwt (~> 0.0.2)
|
|
||||||
omniauth-kerberos (~> 0.3.0)
|
omniauth-kerberos (~> 0.3.0)
|
||||||
omniauth-oauth2-generic (~> 0.2.2)
|
omniauth-oauth2-generic (~> 0.2.2)
|
||||||
omniauth-saml (~> 1.10)
|
omniauth-saml (~> 1.10)
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite
|
||||||
|
merge_request: 18580
|
||||||
|
author:
|
||||||
|
type: fixed
|
|
@ -534,7 +534,7 @@ production: &base
|
||||||
# required_claims: ["name", "email"],
|
# required_claims: ["name", "email"],
|
||||||
# info_map: { name: "name", email: "email" },
|
# info_map: { name: "name", email: "email" },
|
||||||
# auth_url: 'https://example.com/',
|
# auth_url: 'https://example.com/',
|
||||||
# valid_within: nil,
|
# valid_within: null,
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
# - { name: 'saml',
|
# - { name: 'saml',
|
||||||
|
@ -825,7 +825,7 @@ test:
|
||||||
required_claims: ["name", "email"],
|
required_claims: ["name", "email"],
|
||||||
info_map: { name: "name", email: "email" },
|
info_map: { name: "name", email: "email" },
|
||||||
auth_url: 'https://example.com/',
|
auth_url: 'https://example.com/',
|
||||||
valid_within: nil,
|
valid_within: null,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
- { name: 'auth0',
|
- { name: 'auth0',
|
||||||
|
|
|
@ -25,5 +25,6 @@ end
|
||||||
module OmniAuth
|
module OmniAuth
|
||||||
module Strategies
|
module Strategies
|
||||||
autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
|
autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
|
||||||
|
autoload :Jwt, Rails.root.join('lib', 'omni_auth', 'strategies', 'jwt')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -50,7 +50,7 @@ JWT will provide you with a secret key for you to use.
|
||||||
required_claims: ["name", "email"],
|
required_claims: ["name", "email"],
|
||||||
info_map: { name: "name", email: "email" },
|
info_map: { name: "name", email: "email" },
|
||||||
auth_url: 'https://example.com/',
|
auth_url: 'https://example.com/',
|
||||||
valid_within: nil,
|
valid_within: null,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
require 'omniauth'
|
||||||
|
require 'jwt'
|
||||||
|
|
||||||
|
module OmniAuth
|
||||||
|
module Strategies
|
||||||
|
class JWT
|
||||||
|
ClaimInvalid = Class.new(StandardError)
|
||||||
|
|
||||||
|
include OmniAuth::Strategy
|
||||||
|
|
||||||
|
args [:secret]
|
||||||
|
|
||||||
|
option :secret, nil
|
||||||
|
option :algorithm, 'HS256'
|
||||||
|
option :uid_claim, 'email'
|
||||||
|
option :required_claims, %w(name email)
|
||||||
|
option :info_map, { name: "name", email: "email" }
|
||||||
|
option :auth_url, nil
|
||||||
|
option :valid_within, nil
|
||||||
|
|
||||||
|
uid { decoded[options.uid_claim] }
|
||||||
|
|
||||||
|
extra do
|
||||||
|
{ raw_info: decoded }
|
||||||
|
end
|
||||||
|
|
||||||
|
info do
|
||||||
|
options.info_map.each_with_object({}) do |(k, v), h|
|
||||||
|
h[k.to_s] = decoded[v.to_s]
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def request_phase
|
||||||
|
redirect options.auth_url
|
||||||
|
end
|
||||||
|
|
||||||
|
def decoded
|
||||||
|
@decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first
|
||||||
|
|
||||||
|
(options.required_claims || []).each do |field|
|
||||||
|
raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s)
|
||||||
|
end
|
||||||
|
|
||||||
|
raise ClaimInvalid, "Missing required 'iat' claim" if options.valid_within && !@decoded["iat"]
|
||||||
|
|
||||||
|
if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within
|
||||||
|
raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
|
||||||
|
end
|
||||||
|
|
||||||
|
@decoded
|
||||||
|
end
|
||||||
|
|
||||||
|
def callback_phase
|
||||||
|
super
|
||||||
|
rescue ClaimInvalid => e
|
||||||
|
fail! :claim_invalid, e
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
class Jwt < JWT; end
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,87 @@
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe OmniAuth::Strategies::Jwt do
|
||||||
|
include Rack::Test::Methods
|
||||||
|
include DeviseHelpers
|
||||||
|
|
||||||
|
context '.decoded' do
|
||||||
|
let(:strategy) { described_class.new({}) }
|
||||||
|
let(:timestamp) { Time.now.to_i }
|
||||||
|
let(:jwt_config) { Devise.omniauth_configs[:jwt] }
|
||||||
|
let(:key) { JWT.encode(claims, jwt_config.strategy.secret) }
|
||||||
|
|
||||||
|
let(:claims) do
|
||||||
|
{
|
||||||
|
id: 123,
|
||||||
|
name: "user_example",
|
||||||
|
email: "user@example.com",
|
||||||
|
iat: timestamp
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
before do
|
||||||
|
allow_any_instance_of(OmniAuth::Strategy).to receive(:options).and_return(jwt_config.strategy)
|
||||||
|
allow_any_instance_of(Rack::Request).to receive(:params).and_return({ 'jwt' => key })
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'decodes the user information' do
|
||||||
|
result = strategy.decoded
|
||||||
|
|
||||||
|
expect(result["id"]).to eq(123)
|
||||||
|
expect(result["name"]).to eq("user_example")
|
||||||
|
expect(result["email"]).to eq("user@example.com")
|
||||||
|
expect(result["iat"]).to eq(timestamp)
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'required claims is missing' do
|
||||||
|
let(:claims) do
|
||||||
|
{
|
||||||
|
id: 123,
|
||||||
|
email: "user@example.com",
|
||||||
|
iat: timestamp
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'raises error' do
|
||||||
|
expect { strategy.decoded }.to raise_error(OmniAuth::Strategies::JWT::ClaimInvalid)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when valid_within is specified but iat attribute is missing in response' do
|
||||||
|
let(:claims) do
|
||||||
|
{
|
||||||
|
id: 123,
|
||||||
|
name: "user_example",
|
||||||
|
email: "user@example.com"
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
before do
|
||||||
|
jwt_config.strategy.valid_within = Time.now.to_i
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'raises error' do
|
||||||
|
expect { strategy.decoded }.to raise_error(OmniAuth::Strategies::JWT::ClaimInvalid)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when timestamp claim is too skewed from present' do
|
||||||
|
let(:claims) do
|
||||||
|
{
|
||||||
|
id: 123,
|
||||||
|
name: "user_example",
|
||||||
|
email: "user@example.com",
|
||||||
|
iat: timestamp - 10.minutes.to_i
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
before do
|
||||||
|
jwt_config.strategy.valid_within = 2.seconds
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'raises error' do
|
||||||
|
expect { strategy.decoded }.to raise_error(OmniAuth::Strategies::JWT::ClaimInvalid)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue