JWKS: Set Tests

Author: bellebaum

lib/jwt/jwk/ec.rb

@@ -9,7 +9,7 @@ class EC < KeyBase # rubocop:disable Metrics/ClassLength
       def_delegators :keypair, :public_key
 
       KTY    = 'EC'
-      KTYS   = [KTY, OpenSSL::PKey::EC].freeze
+      KTYS   = [KTY, OpenSSL::PKey::EC, JWT::JWK::EC].freeze
       BINARY = 2
       EC_PUBLIC_KEY_ELEMENTS = %i[kty crv x y].freeze
       EC_PRIVATE_KEY_ELEMENTS = %i[d].freeze

lib/jwt/jwk/hmac.rb

@@ -4,7 +4,7 @@ module JWT
   module JWK
     class HMAC < KeyBase
       KTY  = 'oct'
-      KTYS = [KTY, String].freeze
+      KTYS = [KTY, String, JWT::JWK::HMAC].freeze
       HMAC_PUBLIC_KEY_ELEMENTS = %i[kty].freeze
       HMAC_PRIVATE_KEY_ELEMENTS = %i[k].freeze
       HMAC_KEY_ELEMENTS = (HMAC_PRIVATE_KEY_ELEMENTS + HMAC_PUBLIC_KEY_ELEMENTS).freeze

lib/jwt/jwk/key_base.rb

@@ -37,6 +37,8 @@ def ==(other)
         self[:kid] == other[:kid]
       end
 
+      alias eql? ==
+
       def <=>(other)
         self[:kid] <=> other[:kid]
       end

lib/jwt/jwk/rsa.rb

@@ -5,7 +5,7 @@ module JWK
     class RSA < KeyBase
       BINARY = 2
       KTY    = 'RSA'
-      KTYS   = [KTY, OpenSSL::PKey::RSA].freeze
+      KTYS   = [KTY, OpenSSL::PKey::RSA, JWT::JWK::RSA].freeze
       RSA_PUBLIC_KEY_ELEMENTS  = %i[kty n e].freeze
       RSA_PRIVATE_KEY_ELEMENTS = %i[d p q dp dq qi].freeze
       RSA_KEY_ELEMENTS = (RSA_PRIVATE_KEY_ELEMENTS + RSA_PUBLIC_KEY_ELEMENTS).freeze

lib/jwt/jwk/set.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'forwardable'
 
 module JWT
@@ -9,7 +10,7 @@ class Set
 
       attr_reader :keys
 
-      def initialize(jwks)
+      def initialize(jwks = nil, options = {})
         jwks ||= {}
 
         @keys = case jwks
@@ -19,9 +20,9 @@ def initialize(jwks)
                   [jwks]
                 when Hash
                   jwks = jwks.transform_keys(&:to_sym)
-                  [*jwks[:keys]].map { |k| JWT::JWK.new k }
+                  [*jwks[:keys]].map { |k| JWT::JWK.new(k, nil, options) }
                 when Array
-                  jwks.map { |k| JWT::JWK.new k }
+                  jwks.map { |k| JWT::JWK.new(k, nil, options) }
                 else
                   raise ArgumentError, 'Can only create new JWKS from Hash, Array and JWK'
         end
@@ -46,13 +47,11 @@ def reject!(&block)
       end
 
       def uniq!(&block)
-        return @keys.uniq! unless block
-
         self if @keys.uniq!(&block)
       end
 
       def merge(enum)
-        @keys += JWT::JWK::Set.new(enum.collect)
+        @keys += JWT::JWK::Set.new(enum.to_a).keys
         self
       end
 
@@ -69,6 +68,7 @@ def ==(other)
         other.is_a?(JWT::JWK::Set) && keys.sort == other.keys.sort
       end
 
+      alias eql? ==
       alias filter! select!
       alias length size
       # For symbolic manipulation

spec/jwk/set_spec.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+RSpec.describe JWT::JWK::Set do
+  describe '.new' do
+    it 'can create an empty set' do
+      expect(described_class.new.keys).to eql([])
+    end
+
+    context 'can create a set' do
+      it 'from a JWK' do
+        jwk = JWT::JWK.new 'testkey'
+        expect(described_class.new(jwk).keys).to eql([jwk])
+      end
+
+      it 'from a JWKS hash with symbol keys' do
+        jwks = { keys: [{ kty: 'oct', k: 'testkey' }] }
+        jwk = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+        expect(described_class.new(jwks).keys).to eql([jwk])
+      end
+
+      it 'from a JWKS hash with string keys' do
+        jwks = { 'keys' => [{ 'kty' => 'oct', 'k' => 'testkey' }] }
+        jwk = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+        expect(described_class.new(jwks).keys).to eql([jwk])
+      end
+
+      it 'from an array of keys' do
+        jwk = JWT::JWK.new 'testkey'
+        expect(described_class.new([jwk]).keys).to eql([jwk])
+      end
+
+      it 'from an existing JWT::JWK::Set' do
+        jwk = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+        jwks = described_class.new(jwk)
+        expect(described_class.new(jwks)).to eql(jwks)
+      end
+    end
+
+    it 'raises an error on invalid inputs' do
+      expect { described_class.new(42) }.to raise_error(ArgumentError)
+    end
+  end
+
+  describe '.export' do
+    it 'exports the JWKS to Hash' do
+      jwk = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+      jwks = described_class.new(jwk)
+      exported = jwks.export
+      expect(exported[:keys].size).to eql(1)
+      expect(exported[:keys][0]).to eql(jwk.export)
+    end
+  end
+
+  describe '.eql?' do
+    it 'correctly classifies equal sets' do
+      jwk = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+      jwks1 = described_class.new(jwk)
+      jwks2 = described_class.new(jwk)
+      expect(jwks1).to eql(jwks2)
+    end
+
+    it 'correctly classifies different sets' do
+      jwk1 = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+      jwk2 = JWT::JWK.new({ kty: 'oct', k: 'testkex' })
+      jwks1 = described_class.new(jwk1)
+      jwks2 = described_class.new(jwk2)
+      expect(jwks1).not_to eql(jwks2)
+    end
+  end
+
+  # TODO: No idea why this does not work. eql? returns true for the two elements,
+  #       but Array#uniq! doesn't recognize this, despite the documentation saying otherwise
+  describe '.uniq!' do
+    it 'filters out equal keys' do
+      jwk = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+      jwk2 = JWT::JWK.new({ kty: 'oct', k: 'testkey' })
+      jwks = described_class.new([jwk, jwk2])
+      jwks.uniq!
+      expect(jwks.keys.size).to eql(1)
+    end
+  end
+
+  describe '.select!' do
+    it 'filters the keyset' do
+      jwks = described_class.new([])
+      jwks << JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+      jwks << JWT::JWK.new(OpenSSL::PKey::EC.generate('secp384r1'))
+      jwks.select! { |k| k[:kty] == 'RSA' }
+      expect(jwks.size).to eql(1)
+      expect(jwks.keys[0][:kty]).to eql('RSA')
+    end
+  end
+
+  describe '.reject!' do
+    it 'filters the keyset' do
+      jwks = described_class.new([])
+      jwks << JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+      jwks << JWT::JWK.new(OpenSSL::PKey::EC.generate('secp384r1'))
+      jwks.reject! { |k| k[:kty] == 'RSA' }
+      expect(jwks.size).to eql(1)
+      expect(jwks.keys[0][:kty]).to eql('EC')
+    end
+  end
+
+  describe '.merge' do
+    context 'merges two JWKSs' do
+      it 'when called via .union' do
+        jwks1 = described_class.new(JWT::JWK.new(OpenSSL::PKey::RSA.new(2048)))
+        jwks2 = described_class.new(JWT::JWK.new(OpenSSL::PKey::EC.generate('secp384r1')))
+        jwks3 = jwks1.union(jwks2)
+        expect(jwks1.size).to eql(1)
+        expect(jwks2.size).to eql(1)
+        expect(jwks3.size).to eql(2)
+        expect(jwks3.keys).to include(jwks1.keys[0])
+        expect(jwks3.keys).to include(jwks2.keys[0])
+      end
+
+      it 'when called via "|" operator' do
+        jwks1 = described_class.new(JWT::JWK.new(OpenSSL::PKey::RSA.new(2048)))
+        jwks2 = described_class.new(JWT::JWK.new(OpenSSL::PKey::EC.generate('secp384r1')))
+        jwks3 = jwks1 | jwks2
+        expect(jwks1.size).to eql(1)
+        expect(jwks2.size).to eql(1)
+        expect(jwks3.size).to eql(2)
+        expect(jwks3.keys).to include(jwks1.keys[0])
+        expect(jwks3.keys).to include(jwks2.keys[0])
+      end
+
+      it 'when called directly' do
+        jwks1 = described_class.new(JWT::JWK.new(OpenSSL::PKey::RSA.new(2048)))
+        jwks2 = described_class.new(JWT::JWK.new(OpenSSL::PKey::EC.generate('secp384r1')))
+        jwks3 = jwks1.merge(jwks2)
+        expect(jwks1.size).to eql(2)
+        expect(jwks2.size).to eql(1)
+        expect(jwks3).to eql(jwks1)
+        expect(jwks3.keys).to include(jwks2.keys[0])
+      end
+    end
+  end
+end