Class: FirebaseIdToken::Certificates

Inherits:

Object

• Object
• FirebaseIdToken::Certificates

Defined in:

lib/firebase_id_token/certificates.rb

Overview

Manage download and access of Google's x509 certificates. Keeps certificates on a Redis namespace database.

Download & Access Certificates

It describes two ways to download it: Certificates.request and Certificates.request!. The first will only do something when Redis certificates database is empty, the second one will always request a new download to Google's API and override the database with the response.

It's important to note that when saving a set of certificates, it will also set a Redis expiration time to match Google's API header expires. After this time went out, Redis will automatically delete those certificates.

To know how many seconds left until the expiration you can use Certificates.ttl.

When comes to accessing it, you can either use Certificates.present? to check if there's any data inside Redis certificates database or Certificates.all to obtain an Array of current certificates.

Examples:

.request will only download once

FirebaseIdToken::Certificates.request # Downloads certificates.
FirebaseIdToken::Certificates.request # Won't do anything.
FirebaseIdToken::Certificates.request # Won't do anything either.

.request! will download always

FirebaseIdToken::Certificates.request # Downloads certificates.
FirebaseIdToken::Certificates.request! # Downloads certificates.
FirebaseIdToken::Certificates.request! # Downloads certificates.

Constant Summary

URL =

Google's x509 certificates API URL.

'https://www.googleapis.com/robot/v1/metadata/x509/'\
'securetoken@system.gserviceaccount.com'

Instance Attribute Summary

• #local_certs ⇒ Object readonly

  Certificates saved in the Redis (JSON String or nil).

• #redis ⇒ Object readonly

  A Redis instance.

Class Method Summary

• .all ⇒ Array

  Returns an array of hashes, each hash is a single {key => value} pair containing the certificate KID String as key and a OpenSSL::X509::Certificate object of the respective certificate as value.

• .find(kid) ⇒ nil, OpenSSL::X509::Certificate

  Returns a OpenSSL::X509::Certificate object of the requested Key ID (KID) if there's one.

• .present? ⇒ Boolean

  Returns true if there's certificates data on Redis, false otherwise.

• .request ⇒ nil, Hash

  Calls Certificates.request! only if there are no certificates on Redis.

• .request! ⇒ Hash

  Triggers a HTTPS request to Google's x509 certificates API.

• .request_anyway ⇒ Object deprecated Deprecated.

  Use only request! in favor of Ruby conventions.

• .ttl ⇒ Fixnum

  Returns the current certificates TTL (Time-To-Live) in seconds.

Instance Method Summary

• #initialize ⇒ Certificates constructor

  Sets two instance attributes: :redis and :local_certs.

• #request ⇒ Object
• #request! ⇒ Object

Constructor Details

#initialize ⇒ Certificates

Sets two instance attributes: :redis and :local_certs. Those are respectively a Redis instance from FirebaseIdToken::Configuration and the certificates in it.

# File 'lib/firebase_id_token/certificates.rb', line 135

def initialize
  @redis = Redis::Namespace.new('firebase_id_token',
    redis: FirebaseIdToken.configuration.redis)
  @local_certs = read_certificates
end

Instance Attribute Details

#local_certs ⇒ Object (readonly)

Certificates saved in the Redis (JSON String or nil).

# File 'lib/firebase_id_token/certificates.rb', line 36

def local_certs
  @local_certs
end

#redis ⇒ Object (readonly)

A Redis instance.

# File 'lib/firebase_id_token/certificates.rb', line 34

def redis
  @redis
end

Class Method Details

.all ⇒ Array

Returns an array of hashes, each hash is a single {key => value} pair containing the certificate KID String as key and a OpenSSL::X509::Certificate object of the respective certificate as value. Returns a empty Array when there's no certificates data on Redis.

Examples:

FirebaseIdToken::Certificates.request
certs = FirebaseIdToken::Certificates.all
certs.first #=> {"1d6d01c7[...]" => #<OpenSSL::X509::Certificate[...]}

Returns:

• (Array)

# File 'lib/firebase_id_token/certificates.rb', line 98

def self.all
  new.local_certs.map { |kid, cert|
    { kid => OpenSSL::X509::Certificate.new(cert) } }
end

.find(kid) ⇒ nil, OpenSSL::X509::Certificate

Returns a OpenSSL::X509::Certificate object of the requested Key ID (KID) if there's one. Returns nil otherwise.

It will raise a Exceptions::NoCertificatesError if the Redis certificates database is empty.

Examples:

FirebaseIdToken::Certificates.request
cert = FirebaseIdToken::Certificates.find "1d6d01f4w7d54c7[...]"
#=> <OpenSSL::X509::Certificate: subject=#<OpenSSL [...]

Parameters:

• kid (String) —

  Key ID

Returns:

• (nil, OpenSSL::X509::Certificate)

Raises:

• (Exceptions::NoCertificatesError)

# File 'lib/firebase_id_token/certificates.rb', line 114

def self.find(kid)
  certs = new.local_certs
  raise Exceptions::NoCertificatesError if certs.empty?

  if certs[kid]
    OpenSSL::X509::Certificate.new certs[kid]
  end
end

.present? ⇒ Boolean

Returns true if there's certificates data on Redis, false otherwise.

Examples:

FirebaseIdToken::Certificates.present? #=> false
FirebaseIdToken::Certificates.request
FirebaseIdToken::Certificates.present? #=> true

Returns:

• (Boolean)

# File 'lib/firebase_id_token/certificates.rb', line 84

def self.present?
  ! new.local_certs.empty?
end

.request ⇒ nil, Hash

Calls request! only if there are no certificates on Redis. It will return nil otherwise.

It will raise Exceptions::CertificatesRequestError if the request fails or Exceptions::CertificatesTtlError when Google responds with a low TTL, check out request! for more info.

Returns:

• (nil, Hash)

See Also:

• request!

# File 'lib/firebase_id_token/certificates.rb', line 51

def self.request
  new.request
end

.request! ⇒ Hash

Triggers a HTTPS request to Google's x509 certificates API. If it responds with a status 200 OK, saves the request body into Redis and returns it as a Hash.

Otherwise it will raise a Exceptions::CertificatesRequestError.

This is really rare to happen, but Google may respond with a low TTL certificate. This is a SecurityError and will raise a Exceptions::CertificatesTtlError. You are mostly like to never face it.

Returns:

• (Hash)

# File 'lib/firebase_id_token/certificates.rb', line 65

def self.request!
  new.request!
end

.request_anyway ⇒ Object

Deprecated.

Use only request! in favor of Ruby conventions.

It will raise a warning. Kept for compatibility.

See Also:

• request!

# File 'lib/firebase_id_token/certificates.rb', line 72

def self.request_anyway
  warn 'WARNING: FirebaseIdToken::Certificates.request_anyway is '\
    'deprecated. Use FirebaseIdToken::Certificates.request! instead.'

  new.request!
end

.ttl ⇒ Fixnum

Returns the current certificates TTL (Time-To-Live) in seconds. Zero meaning no certificates. It's the same as the certificates expiration time, use it to know when to request again.

Returns:

• (Fixnum)

# File 'lib/firebase_id_token/certificates.rb', line 127

def self.ttl
  ttl = new.redis.ttl('certificates')
  ttl < 0 ? 0 : ttl
end

Instance Method Details

#request ⇒ Object

See Also:

• request

# File 'lib/firebase_id_token/certificates.rb', line 142

def request
  request! if @local_certs.empty?
end

#request! ⇒ Object

See Also:

• request!

# File 'lib/firebase_id_token/certificates.rb', line 147

def request!
  @request = HTTParty.get URL
  code = @request.code
  if code == 200
    save_certificates
  else
    raise Exceptions::CertificatesRequestError.new(code)
  end
end