Class: Rails::Auth::X509::Certificate

Inherits:

Object

• Object
• Rails::Auth::X509::Certificate

Defined in:

lib/rails/auth/x509/certificate.rb

Overview

X.509 client certificates obtained from HTTP requests

Instance Attribute Summary

• #certificate ⇒ Object readonly

  Returns the value of attribute certificate.

Instance Method Summary

• #==(other) ⇒ Object (also: #eql?)

  Compare ourself to another object by ensuring that it has the same type and that its certificate pem is the same as ours.

• #[](component) ⇒ Object
• #attributes ⇒ Hash

  Generates inspectable attributes for debugging.

• #cn ⇒ Object (also: #common_name)
• #dns_names ⇒ Object
• #initialize(certificate) ⇒ Certificate constructor

  A new instance of Certificate.

• #ips ⇒ Object
• #ou ⇒ Object (also: #organizational_unit)
• #spiffe_id ⇒ String^?

  According to the SPIFFE standard only one SPIFFE ID can exist in the URI SAN: (github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#2-spiffe-id).

• #uris ⇒ Object

Constructor Details

#initialize(certificate) ⇒ Certificate

Returns a new instance of Certificate.

# File 'lib/rails/auth/x509/certificate.rb', line 10

def initialize(certificate)
  unless certificate.is_a?(OpenSSL::X509::Certificate)
    raise TypeError, "expecting OpenSSL::X509::Certificate, got #{certificate.class}"
  end

  @certificate = certificate.freeze
  @subject = {}

  @certificate.subject.to_a.each do |name, data, _type|
    @subject[name.freeze] = data.freeze
  end
  @subject_alt_names = SubjectAltNameExtension.new(certificate)
  @subject_alt_names.freeze
  @subject.freeze
end

Instance Attribute Details

#certificate ⇒ Object (readonly)

Returns the value of attribute certificate.

# File 'lib/rails/auth/x509/certificate.rb', line 8

def certificate
  @certificate
end

Instance Method Details

#==(other) ⇒ Object Also known as: eql?

Compare ourself to another object by ensuring that it has the same type and that its certificate pem is the same as ours

# File 'lib/rails/auth/x509/certificate.rb', line 81

def ==(other)
  other.is_a?(self.class) && other.certificate.to_der == certificate.to_der
end

#[](component) ⇒ Object

# File 'lib/rails/auth/x509/certificate.rb', line 26

def [](component)
  @subject[component.to_s.upcase]
end

#attributes ⇒ Hash

Generates inspectable attributes for debugging

Returns:

• (Hash) —

  hash containing parts of the certificate subject (cn, ou) and subject alternative name extension (uris, dns_names) as well as SPIFFE ID (spiffe_id), which is just a convenience since those are already included in the uris

# File 'lib/rails/auth/x509/certificate.rb', line 68

def attributes
  {
    cn: cn,
    dns_names: dns_names,
    ips: ips,
    ou: ou,
    spiffe_id: spiffe_id,
    uris: uris
  }.reject { |_, v| v.nil? || v.empty? }
end

#cn ⇒ Object Also known as: common_name

# File 'lib/rails/auth/x509/certificate.rb', line 30

def cn
  @subject["CN"]
end

#dns_names ⇒ Object

# File 'lib/rails/auth/x509/certificate.rb', line 35

def dns_names
  @subject_alt_names.dns_names
end

#ips ⇒ Object

# File 'lib/rails/auth/x509/certificate.rb', line 39

def ips
  @subject_alt_names.ips
end

#ou ⇒ Object Also known as: organizational_unit

# File 'lib/rails/auth/x509/certificate.rb', line 43

def ou
  @subject["OU"]
end

#spiffe_id ⇒ String^?

According to the SPIFFE standard only one SPIFFE ID can exist in the URI SAN: (github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#2-spiffe-id)

Returns:

• (String, nil) —

  string containing SPIFFE ID if one is present in the certificate

# File 'lib/rails/auth/x509/certificate.rb', line 58

def spiffe_id
  uris.detect { |uri| uri.start_with?("spiffe://") }
end

#uris ⇒ Object

# File 'lib/rails/auth/x509/certificate.rb', line 48

def uris
  @subject_alt_names.uris
end