Class: Authentic::KeyManager

Inherits:

Object

• Object
• Authentic::KeyManager

Defined in:

lib/authentic/key_manager.rb

Overview

Internal: manages JWK retrieval, caching, and validation.

Instance Attribute Summary

• #store ⇒ Object readonly

  Returns the value of attribute store.

• #well_known ⇒ Object readonly

  Returns the value of attribute well_known.

Instance Method Summary

• #get(jwt) ⇒ Object

  Public: retrieves JWK.

• #hydrate_iss_keys(iss) ⇒ Object

  Internal: hydrates JWK cache.

• #hydrate_store(keys, iss) ⇒ Object

  Internal: hydrates key store.

• #initialize(max_age) ⇒ KeyManager constructor

  A new instance of KeyManager.

• #json_req(uri) ⇒ Object

  Internal: performs JSON request.

• #valid_key(key) ⇒ Object

  Internal: performs JSON request.

• #valid_rsa_key(key) ⇒ Object

  Internal: validates RSA key.

Constructor Details

#initialize(max_age) ⇒ KeyManager

Returns a new instance of KeyManager.

# File 'lib/authentic/key_manager.rb', line 12

def initialize(max_age)
  @store = KeyStore.new(max_age)
  @well_known = '/.well-known/openid-configuration'
end

Instance Attribute Details

#store ⇒ Object (readonly)

Returns the value of attribute store.

# File 'lib/authentic/key_manager.rb', line 10

def store
  @store
end

#well_known ⇒ Object (readonly)

Returns the value of attribute well_known.

# File 'lib/authentic/key_manager.rb', line 10

def well_known
  @well_known
end

Instance Method Details

#get(jwt) ⇒ Object

Public: retrieves JWK.

jwt - JSON::JWT.

Returns JSON::JWK.

# File 'lib/authentic/key_manager.rb', line 22

def get(jwt)
  iss = jwt.fetch(:iss)

  result = store.get(iss, jwt.kid)

  return result unless result.nil?

  # Refresh all keys for an issuer while I have the updated data on hand
  hydrate_iss_keys iss
  store.get(iss, jwt.kid)
end

#hydrate_iss_keys(iss) ⇒ Object

Internal: hydrates JWK cache.

iss - issuer URI.

Returns nothing.

Raises:

• (InvalidKey)

# File 'lib/authentic/key_manager.rb', line 73

def hydrate_iss_keys(iss)
  uri = iss.sub(%r{[\/]+$}, '') + well_known
  json = json_req uri.to_s
  body = json_req json['jwks_uri']

  raise InvalidKey, "no valid JWK found, #{json['jwks_uri']}" if body['keys']&.blank?

  keys = body['keys'].select { |key| valid_key(key) }
  hydrate_store(keys, iss)
end

#hydrate_store(keys, iss) ⇒ Object

Internal: hydrates key store.

keys - array of keys hash. iss - JWT issuer endpoint.

Returns nothing.

# File 'lib/authentic/key_manager.rb', line 90

def hydrate_store(keys, iss)
  keys.each do |key|
    store.set(
      iss, key['kid'],
      JSON::JWK.new(
        kty: key['kty'],
        e: key['e'],
        n: key['n'],
        kid: key['kid']
      )
    )
  end
end

#json_req(uri) ⇒ Object

Internal: performs JSON request.

uri - endpoint to request.

Returns JSON.

# File 'lib/authentic/key_manager.rb', line 57

def json_req(uri)
  begin
    resp = RestClient.get(uri, accept: :json)
  rescue RestClient::ExceptionWithResponse => e
    code = e.response.code
    raise RequestError.new("failed to retrieve JWK, status #{code}", code)
  end

  JSON.parse resp.body
end

#valid_key(key) ⇒ Object

Internal: performs JSON request.

key - hash with JWK data.

Returns boolean.

# File 'lib/authentic/key_manager.rb', line 48

def valid_key(key)
  valid_rsa_key(key) && (key['x5c']&.length || (key['n'] && key['e']))
end

#valid_rsa_key(key) ⇒ Object

Internal: validates RSA key.

key - hash with key data.

Returns boolean.

# File 'lib/authentic/key_manager.rb', line 39

def valid_rsa_key(key)
  key['use'] == 'sig' && key['kty'] == 'RSA' && key['kid']
end