Update to Jose 0.9.0 (#32)

* Update to Jose 0.9.0 * Apply auto-formatter
ulrikstrid · Mar 8, 2023 · f70d979 · f70d979
1 parent b9ea648
commit f70d979
Show file tree

Hide file tree

Showing 21 changed files with 69 additions and 61 deletions.
diff --git a/.ocamlformat b/.ocamlformat
@@ -1,4 +1,4 @@
-version = 0.24.1
+version = 0.25.1
 profile = conventional
 
 leading-nested-match-parens = false

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -7,7 +7,7 @@
   };
 
   inputs = {
-    nixpkgs.url = "github:nix-ocaml/nix-overlays/0081a01960591e7415986eca055887ca76689799";
+    nixpkgs.url = "github:nix-ocaml/nix-overlays?rev=5f9732395c157852afe6710e11097afa2083cbc1";
 
     flake-utils.url = "github:numtide/flake-utils";
     nixpkgs.inputs.flake-utils.follows = "flake-utils";

diff --git a/oidc-client/Static.ml b/oidc-client/Static.ml
@@ -37,8 +37,7 @@ let get_token ~code t =
   (* TODO: Move this into Oidc.Token *)
   let body =
     Oidc.Token.Request.make ~client:t.client ~grant_type:"authorization_code"
-      ~scope:[`OpenID]
-      ~redirect_uri:t.redirect_uri ~code
+      ~scope:[`OpenID] ~redirect_uri:t.redirect_uri ~code
     |> Oidc.Token.Request.to_body_string
     |> Piaf.Body.of_string
   in

diff --git a/oidc/Discover.ml b/oidc/Discover.ml
@@ -1,4 +1,3 @@
-
 (* All fields listed here:
    https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata *)
 type t = {
@@ -13,14 +12,12 @@ type t = {
   subject_types_supported : string list;
   (* "pairwise", "public" *)
   id_token_signing_alg_values_supported : string list;
-  (* "RS256" must be supported, get list from Jose? *)
+      (* "RS256" must be supported, get list from Jose? *)
 }
 
-type error = [ `Msg of string ]
+type error = [`Msg of string]
 
-let error_to_string error =
-  match error with
-  | `Msg str -> str
+let error_to_string error = match error with `Msg str -> str
 
 let of_yojson json =
   try

diff --git a/oidc/Discover.mli b/oidc/Discover.mli
@@ -19,14 +19,14 @@ type t = {
 (** {i The discovery type can include much more than the type currently
        includes. Feel free to open a PR adding anything you need} *)
 
-type error = [ `Msg of string ]
+type error = [`Msg of string]
 
 val error_to_string : error -> string
 
-val of_yojson : Yojson.Safe.t -> (t, [> error ]) result
+val of_yojson : Yojson.Safe.t -> (t, [> error]) result
 (** {i This might change to return a result in the future} *)
 
-val of_string : string -> (t, [> error ]) result
+val of_string : string -> (t, [> error]) result
 (** {i This might change to return a result in the future} *)
 
 val to_yojson : t -> Yojson.Safe.t
diff --git a/oidc/Error.mli b/oidc/Error.mli
@@ -16,4 +16,4 @@ val to_string : t -> string
 (** Convert error to string *)
 
 val pp : Format.formatter -> t -> unit
-(** Pretty printer for errors *)
+(** Pretty printer for errors *)
diff --git a/oidc/IDToken.ml b/oidc/IDToken.ml
@@ -17,6 +17,8 @@ type validation_error =
   | `Missing_iss
   | `Missing_nonce
   | `Missing_sub
+  | `Not_json
+  | `Not_supported
   | `Msg of string
   | `No_jwk_provided
   | `Unexpected_nonce
@@ -34,6 +36,8 @@ let validation_error_to_string = function
   | `Unexpected_nonce -> "Got nonce when not expected"
   | `Invalid_sub_length -> "Invalid sub length"
   | `Missing_sub -> "Missing sub"
+  | `Not_json -> "Not JSON"
+  | `Not_supported -> "Not supported"
   | `Wrong_aud_value aud -> "Wrong aud " ^ aud
   | `Missing_aud -> "aud is missing"
   | `Wrong_iss_value iss -> "Wrong iss value " ^ iss
@@ -149,12 +153,13 @@ let validate_nonce ?nonce (jwt : Jose.Jwt.t) =
     Log.debug (fun m -> m "no nonce provided");
     Ok jwt
 
-let validate ?clock_tolerance ?nonce ?jwk ~(client : Client.t) ~issuer
-    (jwt : Jose.Jwt.t) =
+let validate ?clock_tolerance ?nonce ?jwk
+    ?(now = Unix.gettimeofday () |> Ptime.of_float_s |> Option.get)
+    ~(client : Client.t) ~issuer (jwt : Jose.Jwt.t) =
   let issuer = Uri.to_string issuer in
   (match (jwt.header.alg, jwk) with
   | `None, _ -> Ok jwt
-  | _, Some jwk -> Jose.Jwt.validate ~jwk jwt
+  | _, Some jwk -> Jose.Jwt.validate ~now ~jwk jwt
   | _, None -> Error `No_jwk_provided)
   >>= validate_iss ~issuer
   >>= validate_exp

diff --git a/oidc/IDToken.mli b/oidc/IDToken.mli
@@ -14,6 +14,8 @@ type validation_error =
   | `Missing_iss
   | `Missing_nonce
   | `Missing_sub
+  | `Not_json
+  | `Not_supported
   | `Msg of string
   | `No_jwk_provided
   | `Unexpected_nonce
@@ -28,6 +30,7 @@ val validate :
   ?clock_tolerance:int ->
   ?nonce:string ->
   ?jwk:'a Jose.Jwk.t ->
+  ?now:Ptime.t ->
   client:Client.t ->
   issuer:Uri.t ->
   Jose.Jwt.t ->
@@ -48,7 +51,7 @@ val validate :
   - aud
   - exp
   - iat
-  
+
   Fields to be validated if exists
   - nonce
 

diff --git a/oidc/Jwks.ml b/oidc/Jwks.ml
@@ -8,12 +8,13 @@ let get_use jwk =
   | Jose.Jwk.Rsa_pub jwk -> jwk.use
   | Jose.Jwk.Oct jwk -> jwk.use
   | Jose.Jwk.Es256_pub jwk -> jwk.use
+  | Jose.Jwk.Es384_pub jwk -> jwk.use
   | Jose.Jwk.Es512_pub jwk -> jwk.use
+  | Jose.Jwk.Ed25519_pub jwk -> jwk.use
 
 let matching_jwt (jwt : Jose.Jwt.t) (jwk : Jose.Jwk.public Jose.Jwk.t) =
-  match Jose.Jwk.get_alg jwk, get_use jwk with
-  | Some alg, Some use ->
-      alg = jwt.header.alg && use = `Sig
+  match (Jose.Jwk.get_alg jwk, get_use jwk) with
+  | Some alg, Some use -> alg = jwt.header.alg && use = `Sig
   | _, _ -> false
 
 let find_jwk ~(jwt : Jose.Jwt.t) jwks =

diff --git a/oidc/Parameters.ml b/oidc/Parameters.ml
@@ -122,15 +122,15 @@ let to_yojson t : Yojson.Safe.t =
      ]
     |> List.filter_map identity)
 
-let of_yojson  json : (t, [> error]) result =
+let of_yojson json : (t, [> error]) result =
   let module Json = Yojson.Safe.Util in
   try
     Ok
       {
         response_type =
           Json.to_list (Json.member "response_type" json)
           |> List.map Json.to_string;
-        client_id =(Json.member "client_id" json |> Json.to_string);
+        client_id = Json.member "client_id" json |> Json.to_string;
         redirect_uri =
           json |> Json.member "redirect_uri" |> Json.to_string |> Uri.of_string;
         scope =

diff --git a/oidc/Parameters.mli b/oidc/Parameters.mli
@@ -59,4 +59,3 @@ val of_yojson : Yojson.Safe.t -> (t, [> error]) result
 (** {2 Parsing in the provider} *)
 
 val parse_query : Uri.t -> (t, [> error]) result
-
diff --git a/oidc/Scopes.mli b/oidc/Scopes.mli
@@ -19,4 +19,4 @@ type t =
 val of_string : string -> t
 val to_string : t -> string
 val of_scope_parameter : string -> t list
-val to_scope_parameter : t list -> string
+val to_scope_parameter : t list -> string
diff --git a/oidc/SimpleClient.ml b/oidc/SimpleClient.ml
@@ -45,8 +45,7 @@ type request_descr = {
 let make_token_request ~code ~discovery t =
   let body =
     Token.Request.make ~client:t.client ~grant_type:"authorization_code"
-      ~scope:[`OpenID]
-      ~redirect_uri:t.redirect_uri ~code
+      ~scope:[`OpenID] ~redirect_uri:t.redirect_uri ~code
     |> Token.Request.to_body_string
   in
   let headers =
@@ -84,10 +83,8 @@ let make_userinfo_request ~(token : Token.Response.t) ~(discovery : Discover.t)
   | None, _ -> Error `Missing_userinfo_endpoint
 
 let get_auth_parameters ?scope ?claims ?nonce ~state t =
-  Parameters.make ?scope ?claims ?nonce ~state
-    ~redirect_uri:t.redirect_uri
-    ~client_id:t.client.id
-    ()
+  Parameters.make ?scope ?claims ?nonce ~state ~redirect_uri:t.redirect_uri
+    ~client_id:t.client.id ()
 
 let make_auth_uri ?scope ?claims ?nonce ~state ~discovery t =
   let query =

diff --git a/oidc/SimpleClient.mli b/oidc/SimpleClient.mli
@@ -97,7 +97,13 @@ val valid_token_of_string :
 val valid_userinfo_of_string :
   token_response:Token.Response.t ->
   string ->
-  (string, [> `Missing_sub | `Sub_missmatch | `Msg of string]) result
+  ( string,
+    [> `Missing_sub
+    | `Sub_missmatch
+    | `Not_json
+    | `Not_supported
+    | `Msg of string ] )
+  result
 
 (** {2 Example - Google}
 

diff --git a/oidc/Token.mli b/oidc/Token.mli
@@ -25,8 +25,8 @@ module Response : sig
     unit ->
     t
 
-  val of_yojson : Yojson.Safe.t -> (t, [> `Msg of string ]) result
-  val of_string : string -> (t, [> `Msg of string ]) result
+  val of_yojson : Yojson.Safe.t -> (t, [> `Msg of string]) result
+  val of_string : string -> (t, [> `Msg of string]) result
   val to_yojson : t -> Yojson.Safe.t
 
   val validate :

diff --git a/oidc/TokenResponse.ml b/oidc/TokenResponse.ml
@@ -15,10 +15,10 @@ let make ?(token_type = Bearer) ?(scope = []) ?expires_in ?access_token
 
 (* Microsoft returns ints as strings... *)
 let string_or_int_to_int_opt = function
-| `String s -> (try Some (int_of_string s) with | _ -> None)
-| `Int i -> Some i
-| `Null -> None
-| _ -> None (* TODO: Should we log or throw? *)
+  | `String s -> ( try Some (int_of_string s) with _ -> None)
+  | `Int i -> Some i
+  | `Null -> None
+  | _ -> None (* TODO: Should we log or throw? *)
 
 let of_yojson json =
   try
@@ -42,7 +42,8 @@ let of_yojson json =
         (* Only Bearer is supported by OIDC, TODO = return a error if it is not
            Bearer *)
         scope;
-        expires_in = json |> Json.member "expires_in" |> string_or_int_to_int_opt;
+        expires_in =
+          json |> Json.member "expires_in" |> string_or_int_to_int_opt;
         access_token =
           json |> Json.member "access_token" |> Json.to_string_option;
         refresh_token =

diff --git a/oidc/dune b/oidc/dune
@@ -1,7 +1,7 @@
 (library
  (name oidc)
  (public_name oidc)
- (libraries logs uri yojson jose base64)
+ (libraries logs uri yojson jose base64 unix)
  (instrumentation
   (backend bisect_ppx)))
 

diff --git a/test/Jwks.ml b/test/Jwks.ml
@@ -1,6 +1,6 @@
 open Helpers
 
-let () = Mirage_crypto_rng_unix.initialize ()
+let () = Mirage_crypto_rng_unix.initialize (module Mirage_crypto_rng.Fortuna)
 let rsa = Mirage_crypto_pk.Rsa.generate ~bits:1024 ()
 let jwk = Jose.Jwk.make_priv_rsa rsa
 
@@ -23,8 +23,8 @@ let find_jwk_with_kid () =
   match found_jwk with
   | Some found_jwk ->
     check_result_string "thumbprint"
-      (Jose.Jwk.get_thumbprint `SHA1 jwk)
-      (Jose.Jwk.get_thumbprint `SHA1 found_jwk)
+      (Jose.Jwk.get_thumbprint `SHA1 jwk |> Result.map Cstruct.to_string)
+      (Jose.Jwk.get_thumbprint `SHA1 found_jwk |> Result.map Cstruct.to_string)
   | None ->
     print_endline "Did not find jwk";
     raise Not_found
@@ -34,8 +34,8 @@ let find_jwk_without_kid () =
   match found_jwk with
   | Some found_jwk ->
     check_result_string "thumbprint"
-      (Jose.Jwk.get_thumbprint `SHA1 jwk)
-      (Jose.Jwk.get_thumbprint `SHA1 found_jwk)
+      (Jose.Jwk.get_thumbprint `SHA1 jwk |> Result.map Cstruct.to_string)
+      (Jose.Jwk.get_thumbprint `SHA1 found_jwk |> Result.map Cstruct.to_string)
   | None ->
     print_endline "Did not find jwk";
     raise Not_found

diff --git a/test/Jwt.ml b/test/Jwt.ml
@@ -1,6 +1,6 @@
 open Helpers
 
-let () = Mirage_crypto_rng_unix.initialize ()
+let () = Mirage_crypto_rng_unix.initialize (module Mirage_crypto_rng.Fortuna)
 let jwk = Jose.Jwk.make_priv_rsa (Mirage_crypto_pk.Rsa.generate ~bits:1024 ())
 let aud = "1234"
 let issuer = Uri.of_string "https://idp.example.com"

diff --git a/test/OidcParameters.ml b/test/OidcParameters.ml
@@ -33,7 +33,7 @@ let to_query () =
     Oidc.Parameters.
       {
         response_type = ["code"];
-        client_id= client.id;
+        client_id = client.id;
         redirect_uri = Uri.of_string "https://client.example.org/cb";
         scope = [`OpenID; `Profile];
         state = Some "af0ifjsldkj";