Class: Safire::ClientConfig

Inherits:

Entity

• Object
• Entity
• Safire::ClientConfig

Includes:

URIValidation

Defined in:

lib/safire/client_config.rb

Overview

Client configuration entity providing necessary attributes to perform different auth flows such as SMART public, confidential symmetric, confidential asymmetric clients, and backend services. The ClientConfig instance is passed to Safire::Client upon initialization.

client = Safire::Client.new(config)

client = Safire::Client.new(config)

Examples:

Initializing a ClientConfig

config = Safire::ClientConfig.new(
  base_url: 'https://fhir.example.com',
  client_id: 'my_client_id',
  redirect_uri: 'https://myapp.example.com/callback',
  scopes: ['openid', 'profile', 'patient/*.read']
)

Initializing a ClientConfig using the Builder

config = Safire::ClientConfig.builder
  .base_url('https://fhir.example.com')
  .client_id('my_client_id')
  .redirect_uri('https://myapp.example.com/callback')
  .scopes(['openid', 'profile', 'patient/*.read'])
  .build

See Also:

• ClientConfigBuilder

Constant Summary

ATTRIBUTES =

%i[
  base_url issuer client_id client_secret redirect_uri
  scopes authorization_endpoint token_endpoint
  private_key kid jwt_algorithm jwks_uri
].freeze

Instance Attribute Summary

• #authorization_endpoint ⇒ String readonly

  > Optional, will be retrieved from the well-known smart-configuration if not provided.

• #base_url ⇒ String readonly

  The base URL of the FHIR service.

• #client_id ⇒ String^? readonly

  The client identifier issued to the app by the authorization server.

• #issuer ⇒ String readonly

  The URL of the FHIR service from which the app wishes to retrieve FHIR data.

• #jwks_uri ⇒ String^? readonly

  URL to the client’s JWKS containing the public key.

• #jwt_algorithm ⇒ String^? readonly

  The JWT signing algorithm (RS384 or ES384).

• #kid ⇒ String^? readonly

  The key ID matching the public key registered with the authorization server.

• #private_key ⇒ OpenSSL::PKey::RSA, ... readonly

  The private key for signing JWT assertions in confidential asymmetric auth.

• #redirect_uri ⇒ String readonly

  The redirect URI registered by the app with the authorization server.

• #scopes ⇒ Array<String> readonly

  List of OAuth2 scopes describing the app’s desired access.

• #token_endpoint ⇒ String readonly

  > Optional, will be retrieved from the well-known smart-configuration if not provided.

Class Method Summary

• .builder ⇒ Object

Instance Method Summary

• #initialize(config) ⇒ ClientConfig constructor

  A new instance of ClientConfig.

• #inspect ⇒ Object private

Methods inherited from Entity

#to_hash

Constructor Details

#initialize(config) ⇒ ClientConfig

Returns a new instance of ClientConfig.

# File 'lib/safire/client_config.rb', line 71

def initialize(config)
  super(config, ATTRIBUTES)

  @issuer ||= base_url
  validate!
end

Instance Attribute Details

#authorization_endpoint ⇒ String (readonly)

> Optional, will be retrieved from the well-known smart-configuration if not provided

Returns:

• (String) —

  URL of the server’s OAuth2 Authorization Endpoint.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#base_url ⇒ String (readonly)

Returns the base URL of the FHIR service.

Returns:

• (String) —

  the base URL of the FHIR service

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#client_id ⇒ String^? (readonly)

Returns the client identifier issued to the app by the authorization server. Optional at initialization — required by all authorization flows. Omit only when performing Dynamic Client Registration (RFC 7591) to obtain a client_id before any flow begins.

Returns:

• (String, nil) —

  the client identifier issued to the app by the authorization server. Optional at initialization — required by all authorization flows. Omit only when performing Dynamic Client Registration (RFC 7591) to obtain a client_id before any flow begins.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#issuer ⇒ String (readonly)

Returns the URL of the FHIR service from which the app wishes to retrieve FHIR data. Optionally provided. Will default to ‘base_url` if not provided.

Returns:

• (String) —

  the URL of the FHIR service from which the app wishes to retrieve FHIR data. Optionally provided. Will default to ‘base_url` if not provided.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#jwks_uri ⇒ String^? (readonly)

Returns URL to the client’s JWKS containing the public key. Optional, included as jku header in JWT assertions when provided.

Returns:

• (String, nil) —

  URL to the client’s JWKS containing the public key. Optional, included as jku header in JWT assertions when provided.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#jwt_algorithm ⇒ String^? (readonly)

Returns the JWT signing algorithm (RS384 or ES384). Optional, auto-detected from key type if not provided.

Returns:

• (String, nil) —

  the JWT signing algorithm (RS384 or ES384). Optional, auto-detected from key type if not provided.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#kid ⇒ String^? (readonly)

Returns the key ID matching the public key registered with the authorization server. Required for confidential asymmetric authentication.

Returns:

• (String, nil) —

  the key ID matching the public key registered with the authorization server. Required for confidential asymmetric authentication.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#private_key ⇒ OpenSSL::PKey::RSA, ... (readonly)

Returns the private key for signing JWT assertions in confidential asymmetric auth. Can be an OpenSSL key object or PEM string.

Returns:

• (OpenSSL::PKey::RSA, OpenSSL::PKey::EC, String, nil) —

  the private key for signing JWT assertions in confidential asymmetric auth. Can be an OpenSSL key object or PEM string.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#redirect_uri ⇒ String (readonly)

Returns the redirect URI registered by the app with the authorization server.

Returns:

• (String) —

  the redirect URI registered by the app with the authorization server

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#scopes ⇒ Array<String> (readonly)

Returns list of OAuth2 scopes describing the app’s desired access. Optionally provided.

Returns:

• (Array<String>) —

  list of OAuth2 scopes describing the app’s desired access. Optionally provided.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

#token_endpoint ⇒ String (readonly)

> Optional, will be retrieved from the well-known smart-configuration if not provided

Returns:

• (String) —

  URL of the server’s OAuth2 Token Endpoint.

# File 'lib/safire/client_config.rb', line 60

class ClientConfig < Entity
  include URIValidation

  ATTRIBUTES = %i[
    base_url issuer client_id client_secret redirect_uri
    scopes authorization_endpoint token_endpoint
    private_key kid jwt_algorithm jwks_uri
  ].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(config)
    super(config, ATTRIBUTES)

    @issuer ||= base_url
    validate!
  end

  class << self
    def builder
      ClientConfigBuilder.new
    end
  end

  SENSITIVE_ATTRIBUTES = %i[client_secret private_key].freeze
  URI_ATTRS = %i[base_url redirect_uri issuer authorization_endpoint token_endpoint jwks_uri].freeze
  OPTIONAL_URI_ATTRS = %i[redirect_uri authorization_endpoint token_endpoint jwks_uri].freeze
  private_constant :SENSITIVE_ATTRIBUTES, :URI_ATTRS, :OPTIONAL_URI_ATTRS

  # @api private
  def inspect
    attrs = ATTRIBUTES.map do |attr|
      value = send(attr)
      next if value.nil?

      masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
      "#{attr}: #{masked}"
    end.compact.join(', ')
    "#<#{self.class} #{attrs}>"
  end

  protected

  # @return [Array<Symbol>] attributes masked as '[FILTERED]' in #to_hash
  def sensitive_attributes
    SENSITIVE_ATTRIBUTES
  end

  private

  # Validates all URI attributes for structure and HTTPS requirement.
  #
  # Per SMART App Launch 2.2.0 (§App Protection, §Confidential Asymmetric),
  # all exchanges involving sensitive data SHALL use TLS. All endpoint URIs
  # must therefore use the `https` scheme.
  #
  # Exception: `http` is permitted when the host is `localhost` or `127.0.0.1`
  # to support local development without a TLS termination proxy.
  #
  # @raise [Errors::ConfigurationError] if any URI is malformed or uses HTTP on a non-localhost host
  def validate_uris!
    invalid_uris, non_https_uris = collect_uri_violations
    return if invalid_uris.empty? && non_https_uris.empty?

    raise Errors::ConfigurationError.new(
      invalid_uri_attributes: invalid_uris,
      non_https_uri_attributes: non_https_uris
    )
  end

  def collect_uri_violations
    invalid_uris = []
    non_https_uris = []

    URI_ATTRS.each do |attr|
      value = send(attr)
      next if value.nil? && OPTIONAL_URI_ATTRS.include?(attr)

      case classify_uri(value)
      when :invalid   then invalid_uris << attr
      when :non_https then non_https_uris << attr
      end
    end

    [invalid_uris, non_https_uris]
  end

  def validate!
    raise Errors::ConfigurationError.new(missing_attributes: [:base_url]) if base_url.nil?

    validate_uris!
  end
end

Class Method Details

.builder ⇒ Object

# File 'lib/safire/client_config.rb', line 79

def builder
  ClientConfigBuilder.new
end

Instance Method Details

#inspect ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/safire/client_config.rb', line 90

def inspect
  attrs = ATTRIBUTES.map do |attr|
    value = send(attr)
    next if value.nil?

    masked = SENSITIVE_ATTRIBUTES.include?(attr) ? '[FILTERED]' : value.inspect
    "#{attr}: #{masked}"
  end.compact.join(', ')
  "#<#{self.class} #{attrs}>"
end