JWKS: Bugfixes and Rubocop

bellebaum · anakinj · commit 8ff01c2d6e5e · 2022-10-21T17:02:10.000+03:00
diff --git a/lib/jwt/jwk/ec.rb b/lib/jwt/jwk/ec.rb
@@ -21,17 +21,7 @@ def initialize(key, params = nil, options = {})
         # For backwards compatibility when kid was a String
         params = { kid: params } if params.is_a?(String)
 
-        key_params = case key
-                     when JWT::JWK::EC
-                       key.export(include_private: true)
-                     when OpenSSL::PKey::EC # Accept OpenSSL key as input
-                       @keypair = key # Preserve the object to avoid recreation
-                       parse_ec_key(key)
-                     when Hash
-                       key.transform_keys(&:to_sym)
-                     else
-                       raise ArgumentError, 'key must be of type OpenSSL::PKey::EC or Hash with key parameters'
-        end
+        key_params = extract_key_params(key)
 
         params = params.transform_keys(&:to_sym)
         check_jwk(key_params, params)
@@ -74,6 +64,20 @@ def []=(key, value)
 
       private
 
+      def extract_key_params(key)
+        case key
+        when JWT::JWK::EC
+          key.export(include_private: true)
+        when OpenSSL::PKey::EC # Accept OpenSSL key as input
+          @keypair = key # Preserve the object to avoid recreation
+          parse_ec_key(key)
+        when Hash
+          key.transform_keys(&:to_sym)
+        else
+          raise ArgumentError, 'key must be of type OpenSSL::PKey::EC or Hash with key parameters'
+        end
+      end
+
       def check_jwk(keypair, params)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (EC_KEY_ELEMENTS & params.keys).empty?
         raise JWT::JWKError, "Incorrect 'kty' value: #{keypair[:kty]}, expected #{KTY}" unless keypair[:kty] == KTY
diff --git a/lib/jwt/jwk/hmac.rb b/lib/jwt/jwk/hmac.rb
@@ -15,16 +15,7 @@ def initialize(key, params = nil, options = {})
         # For backwards compatibility when kid was a String
         params = { kid: params } if params.is_a?(String)
 
-        key_params = case key
-                     when JWT::JWK::HMAC
-                       key.export(include_private: true)
-                     when String # Accept String key as input
-                       { kty: KTY, k: key }
-                     when Hash
-                       key.transform_keys(&:to_sym)
-                     else
-                       raise ArgumentError, 'key must be of type String or Hash with key parameters'
-        end
+        key_params = extract_key_params(key)
 
         params = params.transform_keys(&:to_sym)
         check_jwk(key_params, params)
@@ -73,6 +64,19 @@ def []=(key, value)
 
       private
 
+      def extract_key_params(key)
+        case key
+        when JWT::JWK::HMAC
+          key.export(include_private: true)
+        when String # Accept String key as input
+          { kty: KTY, k: key }
+        when Hash
+          key.transform_keys(&:to_sym)
+        else
+          raise ArgumentError, 'key must be of type String or Hash with key parameters'
+        end
+      end
+
       def check_jwk(keypair, params)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (HMAC_KEY_ELEMENTS & params.keys).empty?
         raise JWT::JWKError, "Incorrect 'kty' value: #{keypair[:kty]}, expected #{KTY}" unless keypair[:kty] == KTY
diff --git a/lib/jwt/jwk/key_base.rb b/lib/jwt/jwk/key_base.rb
@@ -25,6 +25,10 @@ def kid
         self[:kid]
       end
 
+      def hash
+        self[:kid].hash
+      end
+
       def [](key)
         @parameters[key.to_sym]
       end
diff --git a/lib/jwt/jwk/rsa.rb b/lib/jwt/jwk/rsa.rb
@@ -2,7 +2,7 @@
 
 module JWT
   module JWK
-    class RSA < KeyBase
+    class RSA < KeyBase # rubocop:disable Metrics/ClassLength
       BINARY = 2
       KTY    = 'RSA'
       KTYS   = [KTY, OpenSSL::PKey::RSA, JWT::JWK::RSA].freeze
@@ -16,17 +16,7 @@ def initialize(key, params = nil, options = {})
         # For backwards compatibility when kid was a String
         params = { kid: params } if params.is_a?(String)
 
-        key_params = case key
-                     when JWT::JWK::RSA
-                       key.export(include_private: true)
-                     when OpenSSL::PKey::RSA # Accept OpenSSL key as input
-                       @keypair = key # Preserve the object to avoid recreation
-                       parse_rsa_key(key)
-                     when Hash
-                       key.transform_keys(&:to_sym)
-                     else
-                       raise ArgumentError, 'key must be of type OpenSSL::PKey::RSA or Hash with key parameters'
-        end
+        key_params = extract_key_params(key)
 
         params = params.transform_keys(&:to_sym)
         check_jwk(key_params, params)
@@ -72,6 +62,20 @@ def []=(key, value)
 
       private
 
+      def extract_key_params(key)
+        case key
+        when JWT::JWK::RSA
+          key.export(include_private: true)
+        when OpenSSL::PKey::RSA # Accept OpenSSL key as input
+          @keypair = key # Preserve the object to avoid recreation
+          parse_rsa_key(key)
+        when Hash
+          key.transform_keys(&:to_sym)
+        else
+          raise ArgumentError, 'key must be of type OpenSSL::PKey::RSA or Hash with key parameters'
+        end
+      end
+
       def check_jwk(keypair, params)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' unless (RSA_KEY_ELEMENTS & params.keys).empty?
         raise JWT::JWKError, "Incorrect 'kty' value: #{keypair[:kty]}, expected #{KTY}" unless keypair[:kty] == KTY
diff --git a/lib/jwt/jwk/set.rb b/lib/jwt/jwk/set.rb
@@ -10,7 +10,7 @@ class Set
 
       attr_reader :keys
 
-      def initialize(jwks = nil, options = {})
+      def initialize(jwks = nil, options = {}) # rubocop:disable Metrics/CyclomaticComplexity
         jwks ||= {}
 
         @keys = case jwks
diff --git a/spec/integration/readme_examples_spec.rb b/spec/integration/readme_examples_spec.rb
@@ -278,17 +278,17 @@
         # ---------- ENCODE ----------
         optional_parameters = { kid: 'my-kid', use: 'sig', alg: 'RS512' }
         jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), optional_parameters)
-        
+
         # Encoding
         payload = { data: 'data' }
         token = JWT.encode(payload, jwk.keypair, jwk[:alg], kid: jwk[:kid])
-        
+
         # JSON Web Key Set for advertising your signing keys
         jwks_hash = JWT::JWK::Set.new(jwk).export
 
         # ---------- DECODE ----------
         jwks = JWT::JWK::Set.new(jwks_hash)
-        jwks.filter! {|key| key[:use] == 'sig' } # Signing keys only!
+        jwks.filter! { |key| key[:use] == 'sig' } # Signing keys only!
         algorithms = jwks.map { |key| key[:alg] }.compact.uniq
         JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwks)
       end
@@ -369,7 +369,7 @@
             jwks
           end
         end
-        
+
         begin
           JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwks_loader })
         rescue JWT::JWKError
