lib/global_session/session/v2.rb in global_session-3.2.10 vs lib/global_session/session/v2.rb in global_session-3.3.0

- old
+ new

@@ -42,10 +42,13 @@ # Limitations of V2 include the following: # * Some Ruby implementations (e.g. JRuby) lack a msgpack library # * The sign and verify algorithms, while safe, do not comply fully with PKCS7; they rely on the # OpenSSL low-level crypto API instead of using the higher-level EVP (envelope) API. class V2 < Abstract + # Pattern that matches strings that are probably a V2 session cookie. + HEADER = /^l9/ + # Utility method to decode a cookie; good for console debugging. This performs no # validation or security check of any sort. # # === Parameters # cookie(String):: well-formed global session cookie @@ -77,12 +80,12 @@ authority_check authority = @directory.local_authority_name hash['a'] = authority signed_hash = RightSupport::Crypto::SignedHash.new( hash.reject { |k,v| ['dx', 's'].include?(k) }, - :encoding=>GlobalSession::Encoding::Msgpack, - :private_key=>@directory.private_key) + @directory.private_key, + encoding: GlobalSession::Encoding::Msgpack) @signature = signed_hash.sign(@expired_at) end hash['dx'] = @insecure hash['s'] = @signature 
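Review bot: The new `HEADER = /^l9/` constant anchors with `^`, which in Ruby matches at the start of any line rather than the start of the string, so a value containing a newline followed by `l9` also matches. If the constant is meant to test the beginning of a cookie, `HEADER = /\Al9/` says so directly. How HEADER is consumed is not visible in this hunk, but its comment should make clear that a match is only a format hint, e.g. `# A match only suggests the V2 format; it does not validate or authenticate the cookie.` The body of class V2 continues outside the hunk.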
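Review bot: The rewritten `SignedHash.new` call in the signing path spells the option `encoding: GlobalSession::Encoding::Msgpack`, while the matching call in the verification hunk at -250 keeps `:encoding=>GlobalSession::Encoding::Msgpack`; use one spelling for both. Both calls now pass the key as the second positional argument, which presumably needs a RightSupport release with that constructor signature. The dependency constraint is not visible here, so check that it requires such a release. A comment above the call, such as `# sign every field except the insecure payload ('dx') and the signature itself ('s')`, would record what the signature covers. The enclosing method starts and ends outside the hunk.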
@@ -250,24 +253,24 @@ insecure = hash.delete('dx') signature = hash.delete('s') #Check trust in signing authority unless @directory.trusted_authority?(authority) - raise SecurityError, "Global sessions signed by #{authority.inspect} are not trusted" + raise GlobalSession::InvalidSignature, "Global sessions signed by #{authority.inspect} are not trusted" end signed_hash = RightSupport::Crypto::SignedHash.new( hash.reject { |k,v| ['dx', 's'].include?(k) }, - :encoding=>GlobalSession::Encoding::Msgpack, - :public_key=>@directory.authorities[authority]) + @directory.authorities[authority], + :encoding=>GlobalSession::Encoding::Msgpack) begin signed_hash.verify!(signature, expired_at) rescue RightSupport::Crypto::ExpiredSignature raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}" rescue RightSupport::Crypto::InvalidSignature => e - raise SecurityError, "Global session signature verification failed: " + e.message + raise GlobalSession::InvalidSignature, "Integrity check failed: " + e.message end #Check other validity (delegate to directory) unless @directory.valid_session?(id, expired_at) raise GlobalSession::InvalidSession, "Global session has been invalidated" @@ -283,25 +286,14 @@ @signature = signature @cookie = cookie end def create_from_scratch # :nodoc: - authority_check - @signed = {} @insecure = {} @created_at = Time.now.utc @authority = @directory.local_authority_name @id = RightSupport::Data::UUID.generate renew! - end - - def create_invalid # :nodoc: - @id = nil - @created_at = Time.now.utc - @expired_at = created_at - @signed = {} - @insecure = {} - @authority = nil end end end
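Review bot: The untrusted-authority check and the failed `verify!` both now raise `GlobalSession::InvalidSignature` instead of `SecurityError`, so a caller that rescues `SecurityError` stops handling these cases unless the new class descends from it. Its definition is not in this hunk, so confirm the hierarchy and call out the change for anyone upgrading. I would also document the contract on the method, e.g. `# InvalidSignature:: the signing authority is not trusted, or the signature does not verify`. The enclosing method begins and ends outside the hunk.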