Class: CF::UAA::Info

Inherits:

Object

• Object
• CF::UAA::Info

Includes:

Http

Defined in:

lib/uaa/info.rb

Overview

Provides interfaces to various UAA endpoints that are not in the context of an overall class of operations like SCIM resources or OAuth2 tokens.

Constant Summary

Constants included from Http

Http::FORM_UTF8, Http::JSON_UTF8

Instance Attribute Summary

• #key_style ⇒ Object readonly

  Returns the value of attribute key_style.

• #target ⇒ Object

  Returns the value of attribute target.

Instance Method Summary

• #decode_token(client_id, client_secret, token, token_type = "bearer", audience_ids = nil) ⇒ Hash

  Sends token to the server to validate and decode.

• #discover_uaa ⇒ String

  Gets a base url for the associated UAA from the target server by inspecting the links returned from its info endpoint.

• #initialize(target, options = {}) ⇒ Info constructor

  A new instance of Info.

• #password_strength(password) ⇒ Hash

  Gets information about the given password, including a strength score and an indication of what strength is required.

• #server ⇒ Hash

  Gets basic information about the target server, including version number, commit ID, and links to API endpoints.

• #symbolize_keys=(bool) ⇒ Boolean

  sets whether the keys in returned hashes should be symbols.

• #validation_key(client_id = nil, client_secret = nil) ⇒ Hash

  Gets the key from the server that is used to validate token signatures.

• #validation_keys_hash(client_id = nil, client_secret = nil) ⇒ Hash

  Gets all currently valid token verification keys.

• #whoami(auth_header) ⇒ Hash

  Gets information about the user authenticated by the token in the auth_header.

Methods included from Http

basic_auth, #initialize_http_options, #logger, #logger=, #set_request_handler, #trace?

Constructor Details

#initialize(target, options = {}) ⇒ Info

Returns a new instance of Info.

Parameters:

• target (String) —

  The base URL of the server. For example the target could be https://login.cloudfoundry.com, https://uaa.cloudfoundry.com, or http://localhost:8080/uaa.

• options (Hash) (defaults to: {}) —

  can be

  • :symbolize_keys, If set to true, response hashes will have symbols for their keys, otherwise string keys are returned.

# File 'lib/uaa/info.rb', line 32

def initialize(target, options = {})
  self.target = target
  self.symbolize_keys = options[:symbolize_keys]
  initialize_http_options(options)
end

Instance Attribute Details

#key_style ⇒ Object (readonly)

Returns the value of attribute key_style.

# File 'lib/uaa/info.rb', line 24

def key_style
  @key_style
end

#target ⇒ Object

Returns the value of attribute target.

# File 'lib/uaa/info.rb', line 23

def target
  @target
end

Instance Method Details

#decode_token(client_id, client_secret, token, token_type = "bearer", audience_ids = nil) ⇒ Hash

Sends token to the server to validate and decode. Authenticates with client_id and client_secret. If audience_ids are specified and the token’s “aud” attribute does not contain one or more of the audience_ids, raises AuthError – meaning the token is not for this audience.

Parameters:

• token (String) —

  an access token as retrieved by TokenIssuer. See also TokenInfo.

• token_type (String) (defaults to: "bearer") —

  as retrieved by TokenIssuer. See TokenInfo.

Returns:

• (Hash) —

  contents of the token

# File 'lib/uaa/info.rb', line 122

def decode_token(client_id, client_secret, token, token_type = "bearer", audience_ids = nil)
  reply = json_parse_reply(key_style, *request(target, :post, '/check_token',
                                               Util.encode_form(token: token),
                                               "authorization" => Http.basic_auth(client_id, client_secret),
                                               "content-type" => Http::FORM_UTF8,"accept" => Http::JSON_UTF8))

  auds = Util.arglist(reply[:aud] || reply['aud'])
  if audience_ids && (!auds || (auds & audience_ids).empty?)
    raise AuthError, "invalid audience: #{auds.join(' ')}"
  end
  reply
end

#discover_uaa ⇒ String

Gets a base url for the associated UAA from the target server by inspecting the links returned from its info endpoint.

Returns:

• (String) —

  url of UAA (or the target itself if it didn’t provide a response)

# File 'lib/uaa/info.rb', line 69

def discover_uaa
  info = server
  links = info['links'] || info[:links]
  uaa = links && (links['uaa'] || links[:uaa])

  uaa || target
end

#password_strength(password) ⇒ Hash

Gets information about the given password, including a strength score and an indication of what strength is required.

Returns:

• (Hash)

# File 'lib/uaa/info.rb', line 139

def password_strength(password)
  json_parse_reply(key_style, *request(target, :post, '/password/score',
      Util.encode_form(password: password), "content-type" => Http::FORM_UTF8,
      "accept" => Http::JSON_UTF8))
end

#server ⇒ Hash

Gets basic information about the target server, including version number, commit ID, and links to API endpoints.

Returns:

• (Hash)

Raises:

• (BadResponse)

# File 'lib/uaa/info.rb', line 60

def server
  reply = json_get(target, '/login', key_style)
  return reply if reply && (reply[:prompts] || reply['prompts'])
  raise BadResponse, "Invalid response from target #{target}"
end

#symbolize_keys=(bool) ⇒ Boolean

sets whether the keys in returned hashes should be symbols.

Returns:

• (Boolean) —

  the new state

# File 'lib/uaa/info.rb', line 40

def symbolize_keys=(bool)
  @key_style = bool ? :sym : nil
end

#validation_key(client_id = nil, client_secret = nil) ⇒ Hash

Gets the key from the server that is used to validate token signatures. If the server is configured to use a symetric key, the caller must authenticate by providing a a client_id and client_secret. If the server is configured to sign with a private key, this call will retrieve the public key and client_id must be nil.

Returns:

• (Hash)

# File 'lib/uaa/info.rb', line 84

def validation_key(client_id = nil, client_secret = nil)
  hdrs = client_id && client_secret ?
      { "authorization" => Http.basic_auth(client_id, client_secret)} : {}
  json_get(target, "/token_key", key_style, hdrs)
end

#validation_keys_hash(client_id = nil, client_secret = nil) ⇒ Hash

Gets all currently valid token verification keys. If the server has had its signing key changed, then /token_key will return a verification key that does not match a JWT token issued before the change. To validate the signature of these tokens, refer to the kid header of the JWT token. The validation_keys_hash method returns a hash of all currently valid verification keys, indexed by kid. To retrieve symmetric keys as part of the result, client credentials are required.

Returns:

• (Hash)

# File 'lib/uaa/info.rb', line 99

def validation_keys_hash(client_id = nil, client_secret = nil)
  hdrs = client_id && client_secret ?
      { "authorization" => Http.basic_auth(client_id, client_secret)} : {}
  response = json_get(target, "/token_keys", key_style, hdrs)

  keys_map = {}

  response['keys'].each do |key|
    keys_map[key['kid']] = key
  end

  keys_map
end

#whoami(auth_header) ⇒ Hash

Gets information about the user authenticated by the token in the auth_header. It GETs from the target‘s /userinfo endpoint and returns user information as specified by OpenID Connect.

Parameters:

• auth_header (String) —

  see TokenInfo#auth_header

Returns:

• (Hash)

See Also:

• http://openid.net/connect/
• http://openid.net/specs/openid-connect-standard-1_0.html#userinfo_ep
• http://openid.net/specs/openid-connect-messages-1_0.html#anchor9

# File 'lib/uaa/info.rb', line 53

def whoami(auth_header)
  json_get(target, "/userinfo?schema=openid", key_style, "authorization" => auth_header)
end