Class: MAuth::Client::LocalAuthenticator::SecurityTokenCacher

Inherits:
Object
  • Object
show all
Defined in:
lib/mauth/client.rb

Defined Under Namespace

Classes: ExpirableSecurityToken

Instance Method Summary collapse

Constructor Details

#initialize(mauth_client) ⇒ SecurityTokenCacher

Returns a new instance of SecurityTokenCacher.



410
411
412
413
414
415
416
417
 
# File 'lib/mauth/client.rb', line 410

def initialize(mauth_client)
  @mauth_client = mauth_client
  # TODO: should this be UnableToSignError?
  @mauth_client.assert_private_key(UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!"))
  @cache = {}
  require 'thread'
  @cache_write_lock = Mutex.new
end

Instance Method Details

#get(app_uuid) ⇒ Object 



419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
 
# File 'lib/mauth/client.rb', line 419

def get(app_uuid)
  if !@cache[app_uuid] || @cache[app_uuid].expired?
    # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
    # app_uuid - probably not exploitable, but this is the right way to do it anyway.
    # use UNRESERVED instead of UNSAFE (the default) as UNSAFE doesn't include /
    url_encoded_app_uuid = URI.escape(app_uuid, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
    begin
      response = signed_mauth_connection.get("/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json")
    rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError
      raise UnableToAuthenticateError, "mAuth service did not respond; received #{$!.class}: #{$!.message}"
    end
    if response.status == 200
      begin
        security_token = JSON.parse(response.body)
      rescue JSON::ParserError
        raise UnableToAuthenticateError, "mAuth service responded with unparseable json: #{response.body}\n#{$!.class}: #{$!.message}"
      end
      @cache_write_lock.synchronize do
        @cache[app_uuid] = ExpirableSecurityToken.new(security_token, Time.now)
      end
    elsif response.status == 404
      # signing with a key mAuth doesn't know about is considered inauthentic
      raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
    else
      @mauth_client.send(:mauth_service_response_error, response)
    end
  end
  @cache[app_uuid].security_token
end