Class: SignIn::ClientAssertionValidator

Inherits:

Object

• Object
• SignIn::ClientAssertionValidator

Defined in:

app/services/sign_in/client_assertion_validator.rb

Instance Attribute Summary

• #client_assertion ⇒ Object readonly

  Returns the value of attribute client_assertion.

• #client_assertion_type ⇒ Object readonly

  Returns the value of attribute client_assertion_type.

• #client_config ⇒ Object readonly

  Returns the value of attribute client_config.

Instance Method Summary

• #decoded_client_assertion ⇒ Object private
• #hostname ⇒ Object private
• #initialize(client_assertion:, client_assertion_type:, client_config:) ⇒ ClientAssertionValidator constructor

  A new instance of ClientAssertionValidator.

• #jwt_decode(with_validation: true) ⇒ Object private
• #localhost_hostname ⇒ Object private
• #perform ⇒ Object
• #token_route ⇒ Object private
• #validate_audience ⇒ Object private
• #validate_client_assertion_type ⇒ Object private
• #validate_iss ⇒ Object private
• #validate_subject ⇒ Object private

Constructor Details

#initialize(client_assertion:, client_assertion_type:, client_config:) ⇒ ClientAssertionValidator

Returns a new instance of ClientAssertionValidator.

# File 'app/services/sign_in/client_assertion_validator.rb', line 7

def initialize(client_assertion:, client_assertion_type:, client_config:)
  @client_assertion = client_assertion
  @client_assertion_type = client_assertion_type
  @client_config = client_config
end

Instance Attribute Details

#client_assertion ⇒ Object (readonly)

Returns the value of attribute client_assertion.

# File 'app/services/sign_in/client_assertion_validator.rb', line 5

def client_assertion
  @client_assertion
end

#client_assertion_type ⇒ Object (readonly)

Returns the value of attribute client_assertion_type.

# File 'app/services/sign_in/client_assertion_validator.rb', line 5

def client_assertion_type
  @client_assertion_type
end

#client_config ⇒ Object (readonly)

Returns the value of attribute client_config.

# File 'app/services/sign_in/client_assertion_validator.rb', line 5

def client_config
  @client_config
end

Instance Method Details

#decoded_client_assertion ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 56

def decoded_client_assertion
  @decoded_client_assertion ||= jwt_decode
end

#hostname ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 50

def hostname
  return localhost_hostname if Settings.vsp_environment == 'localhost'

  "https://#{Settings.hostname}"
end

#jwt_decode(with_validation: true) ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 60

def jwt_decode(with_validation: true)
  decoded_jwt = JWT.decode(
    client_assertion,
    client_config.assertion_public_keys,
    with_validation,
    {
      verify_expiration: with_validation,
      algorithm: Constants::Auth::ASSERTION_ENCODE_ALGORITHM
    }
  )&.first
  OpenStruct.new(decoded_jwt)
rescue JWT::VerificationError
  raise Errors::ClientAssertionSignatureMismatchError.new message: 'Client assertion body does not match signature'
rescue JWT::ExpiredSignature
  raise Errors::ClientAssertionExpiredError.new message: 'Client assertion has expired'
rescue JWT::DecodeError
  raise Errors::ClientAssertionMalformedJWTError.new message: 'Client assertion is malformed'
end

#localhost_hostname ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 79

def localhost_hostname
  port = URI.parse("http://#{Settings.hostname}").port

  "http://localhost:#{port}"
end

#perform ⇒ Object

# File 'app/services/sign_in/client_assertion_validator.rb', line 13

def perform
  validate_client_assertion_type
  validate_iss
  validate_subject
  validate_audience
end

#token_route ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 46

def token_route
  "#{hostname}#{Constants::Auth::TOKEN_ROUTE_PATH}"
end

#validate_audience ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 40

def validate_audience
  unless decoded_client_assertion.aud.match(token_route)
    raise Errors::ClientAssertionAttributesError.new message: 'Client assertion audience is not valid'
  end
end

#validate_client_assertion_type ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 22

def validate_client_assertion_type
  if client_assertion_type != Constants::Urn::JWT_BEARER_CLIENT_AUTHENTICATION
    raise Errors::ClientAssertionTypeInvalidError.new message: 'Client assertion type is not valid'
  end
end

#validate_iss ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 28

def validate_iss
  if decoded_client_assertion.iss != client_config.client_id
    raise Errors::ClientAssertionAttributesError.new message: 'Client assertion issuer is not valid'
  end
end

#validate_subject ⇒ Object (private)

# File 'app/services/sign_in/client_assertion_validator.rb', line 34

def validate_subject
  if decoded_client_assertion.sub != client_config.client_id
    raise Errors::ClientAssertionAttributesError.new message: 'Client assertion subject is not valid'
  end
end