Merge pull request #221 from excpt/fix-reported-codesmells

Fix reported codesmells Fixes #200
jwt · Sep 2, 2017 · 59ff654 · 59ff654
2 parents 77935e5 + f027da6
commit 59ff654
Show file tree

Hide file tree

Showing 16 changed files with 278 additions and 93 deletions.
diff --git a/.ebert.yml b/.ebert.yml
@@ -0,0 +1,17 @@
+styleguide: plataformatec/linters
+engines:
+  reek:
+    enabled: true
+  fixme:
+    enabled: true
+  rubocop:
+    enabled: true
+  duplication:
+    config:
+      languages:
+      - ruby
+    enabled: true
+  remark-lint:
+    enabled: true
+exclude_paths:
+- spec
diff --git a/.reek.yml b/.reek.yml
@@ -0,0 +1,40 @@
+---
+TooManyStatements:
+  max_statements: 10
+UncommunicativeMethodName:
+  reject:
+  - !ruby/regexp /^[a-z]$/
+  - !ruby/regexp /[0-9]$/
+UncommunicativeParameterName:
+  reject:
+  - !ruby/regexp /^.$/
+  - !ruby/regexp /[0-9]$/
+  - !ruby/regexp /^_/
+UncommunicativeVariableName:
+  reject:
+  - !ruby/regexp /^.$/
+  - !ruby/regexp /[0-9]$/
+UtilityFunction:
+  enabled: false
+LongParameterList:
+  enabled: false
+DuplicateMethodCall:
+  max_calls: 2
+IrresponsibleModule:
+  enabled: false
+NestedIterators:
+  max_allowed_nesting: 2
+PrimaDonnaMethod:
+  enabled: false
+UnusedParameters:
+  enabled: false
+FeatureEnvy:
+  enabled: false
+ControlParameter:
+  enabled: false
+UnusedPrivateMethod:
+  enabled: false
+InstanceVariableAssumption:
+  exclude:
+    - !ruby/regexp /Controller$/
+    - !ruby/regexp /Mailer$/s
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -1,5 +1,98 @@
 AllCops:
-  Excludes:
-    - spec/**/*
+  Exclude:
+    - 'bin/**/*'
+    - 'db/**/*'
+    - 'config/**/*'
+    - 'script/**/*'
+
+Rails:
+  Enabled: true
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/CaseIndentation:
+  EnforcedStyle: end
+
+Style/AsciiComments:
+  Enabled: false
+
+Style/IndentHash:
+  Enabled: false
+
+Style/CollectionMethods:
+  Enabled: true
+  PreferredMethods:
+      inject: 'inject'
+
+Style/Documentation:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Exclude:
+    - spec/**/*_spec.rb
+
+Style/BracesAroundHashParameters:
+  Exclude:
+    - spec/**/*_spec.rb
+
+Style/GuardClause:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/SpaceInsideHashLiteralBraces:
+  Enabled: false
+
+Style/Lambda:
+  Enabled: false
+
+Style/RaiseArgs:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 20
+
+Metrics/ClassLength:
+  Max: 100
+
+Metrics/ModuleLength:
+  Max: 100
+
 Metrics/LineLength:
   Enabled: false
+
+Metrics/MethodLength:
+  Max: 15
+
+Style/SingleLineBlockParams:
+  Enabled: false
+
+Lint/EndAlignment:
+  EnforcedStyleAlignWith: variable
+
+Style/FormatString:
+  Enabled: false
+
+Style/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+Style/MultilineOperationIndentation:
+  EnforcedStyle: indented
+
+Style/WordArray:
+  Enabled: false
+
+Style/RedundantSelf:
+  Enabled: false
+
+Style/AlignHash:
+  Enabled: true
+  EnforcedLastArgumentHashStyle: always_ignore
+
+Style/TrivialAccessors:
+  AllowPredicates: true
diff --git a/Gemfile b/Gemfile
@@ -1,4 +1,3 @@
-# encoding: utf-8
 source 'https://rubygems.org'
 
 gemspec
diff --git a/lib/jwt.rb b/lib/jwt.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'base64'
 require 'jwt/decode'
 require 'jwt/default_options'
@@ -16,13 +17,6 @@ module JWT
 
   module_function
 
-  def decoded_segments(jwt, verify = true)
-    raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
-
-    decoder = Decode.new jwt, verify
-    decoder.decode_segments
-  end
-
   def encode(payload, key, algorithm = 'HS256', header_fields = {})
     encoder = Encode.new payload, key, algorithm, header_fields
     encoder.segments
@@ -37,7 +31,7 @@ def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
     header, payload, signature, signing_input = decoder.decode_segments
     decode_verify_signature(key, header, payload, signature, signing_input, merged_options, &keyfinder) if verify
 
-    Verify.verify_claims(payload, merged_options)
+    Verify.verify_claims(payload, merged_options) if verify
 
     raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
 
@@ -56,10 +50,10 @@ def decode_verify_signature(key, header, payload, signature, signing_input, opti
   def signature_algorithm_and_key(header, payload, key, &keyfinder)
     if keyfinder
       key = if keyfinder.arity == 2
-              yield(header, payload)
-            else
-              yield(header)
-            end
+        yield(header, payload)
+      else
+        yield(header)
+      end
       raise JWT::DecodeError, 'No verification key available' unless key
     end
     [header['alg'], key]

diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'json'
 
 # JWT::Decode module
@@ -15,10 +16,13 @@ def self.base64url_decode(str)
     def initialize(jwt, verify)
       @jwt = jwt
       @verify = verify
+      @header = ''
+      @payload = ''
+      @signature = ''
     end
 
     def decode_segments
-      header_segment, payload_segment, crypto_segment = raw_segments(@jwt, @verify)
+      header_segment, payload_segment, crypto_segment = raw_segments
       @header, @payload = decode_header_and_payload(header_segment, payload_segment)
       @signature = Decode.base64url_decode(crypto_segment.to_s) if @verify
       signing_input = [header_segment, payload_segment].join('.')
@@ -27,9 +31,9 @@ def decode_segments
 
     private
 
-    def raw_segments(jwt, verify)
-      segments = jwt.split('.')
-      required_num_segments = verify ? [3] : [2, 3]
+    def raw_segments
+      segments = @jwt.split('.')
+      required_num_segments = @verify ? [3] : [2, 3]
       raise(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
       segments
     end

diff --git a/lib/jwt/encode.rb b/lib/jwt/encode.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'json'
 
 # JWT::Encode module

diff --git a/lib/jwt/error.rb b/lib/jwt/error.rb
@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module JWT
   class EncodeError < StandardError; end
   class DecodeError < StandardError; end

diff --git a/lib/jwt/security_utils.rb b/lib/jwt/security_utils.rb
@@ -0,0 +1,52 @@
+module JWT
+  # Collection of security methods
+  #
+  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
+  module SecurityUtils
+
+    module_function
+
+    def secure_compare(left, right)
+      left_bytesize = left.bytesize
+
+      return false unless left_bytesize == right.bytesize
+
+      unpacked_left = left.unpack "C#{left_bytesize}"
+      result = 0
+      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
+      result.zero?
+    end
+
+    def verify_rsa(algorithm, public_key, signing_input, signature)
+      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+    end
+
+    def asn1_to_raw(signature, public_key)
+      byte_size = (public_key.group.degree + 7) / 8
+      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+    end
+
+    def raw_to_asn1(signature, private_key)
+      byte_size = (private_key.group.degree + 7) / 8
+      sig_bytes = signature[0..(byte_size - 1)]
+      sig_char = signature[byte_size..-1] || ''
+      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+    end
+
+    def rbnacl_fixup(algorithm, key)
+      algorithm = algorithm.sub('HS', 'SHA').to_sym
+
+      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
+
+      authenticator = RbNaCl::HMAC.const_get(algorithm)
+
+      # Fall back to OpenSSL for keys larger than 32 bytes.
+      return [] if key.bytesize > authenticator.key_bytes
+
+      [
+        authenticator,
+        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
+      ]
+    end
+  end
+end