WPB-6181 Update rusty-jwt-tools

changelog.d/5-internal/WPB-6181

@@ -0,0 +1 @@
+Version of rusty-jwt-tools bumped to v0.8.5

libs/jwt-tools/src/Data/Jwt/Tools.hs

@@ -159,6 +159,14 @@ generateDpopToken dpopProof uid cid handle tid domain nonce uri method maxSkewSe
   methodCStr <- liftIO $ newCString $ cs $ methodToBS method
   backendPubkeyBundleCStr <- toCStr backendPubkeyBundle
 
+  -- log all variable inputs (can comment in if need to generate new test data)
+  -- traceM $ "proof = Proof " <> show (_unProof dpopProof)
+  -- traceM $ "uid = UserId " <> show (_unUserId uid)
+  -- traceM $ "nonce = Nonce " <> show (_unNonce nonce)
+  -- traceM $ "expires = ExpiryEpoch " <> show (_unExpiryEpoch maxExpiration)
+  -- traceM $ "handle = Handle " <> show (_unHandle handle)
+  -- traceM $ "tid = TeamId " <> show (_unTeamId tid)
+
   let before =
         generateDpopAccessTokenFfi
           dpopProofCStr

libs/jwt-tools/test/Spec.hs

@@ -77,16 +77,19 @@ main = hspec $ do
       toResult Nothing Nothing `shouldBe` Left UnknownError
   where
     token = ""
-    proof = Proof "eyJhbGciOiJFZERTQSIsImp3ayI6eyJjcnYiOiJFZDI1NTE5Iiwia3R5IjoiT0tQIiwieCI6Im5MSkdOLU9hNkpzcTNLY2xaZ2dMbDdVdkFWZG1CMFE2QzNONUJDZ3BoSHcifSwidHlwIjoiZHBvcCtqd3QifQ.eyJjaGFsIjoid2EyVnJrQ3RXMXNhdUoyRDN1S1k4cmM3eTRrbDR1c0giLCJleHAiOjE4MzExMjYxNjMsImhhbmRsZSI6IndpcmVhcHA6Ly8lNDBwaHVoaGliZGhxYnF4cnpibnNhZndAZXhhbXBsZS5jb20iLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9jbGllbnRzL2NjNmU2NDBlMjk2ZThiYmEvYWNjZXNzLXRva2VuIiwiaWF0IjoxNzA0OTgyMTYzLCJqdGkiOiI2ZmM1OWU3Zi1iNjY2LTRmZmMtYjczOC00ZjQ3NjBjODg0Y2EiLCJuYmYiOjE3MDQ5ODIxNjMsIm5vbmNlIjoiVnZHYnc2ZVZUTkdTUWJLNVNlaVNiQSIsInN1YiI6IndpcmVhcHA6Ly9zZ3VNZUxKdFE2U3ZKUGNxUExiMkJnIWNjNmU2NDBlMjk2ZThiYmFAZXhhbXBsZS5jb20iLCJ0ZWFtIjoiNDAyNTE2ODAtMzVlMS00Mzc0LWIzYWEtNzU2MDBkZTc5ZTMzIn0.JgVXD2_E4j4sLcvD284Fj4z_6xmwA0czcP8wzHZmqPpel60HUqDVKDx5GmiWbFWix-E7ZXvYfvZ7NmxlDrgmAg"
-    uid = UserId "b20b8c78-b26d-43a4-af24-f72a3cb6f606"
+    proof = Proof "eyJhbGciOiJFZERTQSIsImp3ayI6eyJjcnYiOiJFZDI1NTE5Iiwia3R5IjoiT0tQIiwieCI6Im5MSkdOLU9hNkpzcTNLY2xaZ2dMbDdVdkFWZG1CMFE2QzNONUJDZ3BoSHcifSwidHlwIjoiZHBvcCtqd3QifQ.eyJhdWQiOiJodHRwczovL3dpcmUuY29tL2FjbWUvY2hhbGxlbmdlL2FiY2QiLCJjaGFsIjoid2EyVnJrQ3RXMXNhdUoyRDN1S1k4cmM3eTRrbDR1c0giLCJleHAiOjE4MzE3MzcyNzEsImhhbmRsZSI6IndpcmVhcHA6Ly8lNDB2bHVwZHlwbml4dm1vdnZzeW1ndHdAZXhhbXBsZS5jb20iLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9leGFtcGxlLmNvbS9jbGllbnRzL2NjNmU2NDBlMjk2ZThiYmEvYWNjZXNzLXRva2VuIiwiaWF0IjoxNzA1NTkzMjcxLCJqdGkiOiI2ZmM1OWU3Zi1iNjY2LTRmZmMtYjczOC00ZjQ3NjBjODg0Y2EiLCJuYmYiOjE3MDU1OTMyNzEsIm5vbmNlIjoibVJDdjNKQS1TNDI0dUJyLVk2QzFndyIsInN1YiI6IndpcmVhcHA6Ly9WNVc3ZnRNeVRJNlBNYlE0Y3ZkazRnIWNjNmU2NDBlMjk2ZThiYmFAZXhhbXBsZS5jb20iLCJ0ZWFtIjoiZmZhODY1ZmEtYjI0YS00Njk3LWFhMDUtMWZjM2YzNjU0ZGI5In0.BVdawX_84Mpmvzbs3v52t3GtCgSKzxgnFDkwf4QK6AusoyfsjhK6grs9GLEe2Lfb1eDrBUJgo-nobeIWmRumBQ"
+    uid = UserId "5795bb7e-d332-4c8e-8f31-b43872f764e2"
+    nonce = Nonce "mRCv3JA-S424uBr-Y6C1gw"
+    expires = ExpiryEpoch 1831823671
+    handle = Handle "vlupdypnixvmovvsymgtw"
+    tid = TeamId "ffa865fa-b24a-4697-aa05-1fc3f3654db9"
+
+    now = NowEpoch 1704982162
     cid = ClientId 14730821443162901434
     domain = Domain "example.com"
-    nonce = Nonce "VvGbw6eVTNGSQbK5SeiSbA"
     uri = Uri "https://example.com/clients/cc6e640e296e8bba/access-token"
     method = POST
     maxSkewSecs = MaxSkewSecs 1
-    now = NowEpoch 1704982162
-    expires = ExpiryEpoch 1831212562
     pem =
       PemBundle $
         "-----BEGIN PRIVATE KEY-----\n\
@@ -95,5 +98,3 @@ main = hspec $ do
         \-----BEGIN PUBLIC KEY-----\n\
         \MCowBQYDK2VwAyEAdYI38UdxksC0K4Qx6E9JK9YfGm+ehnY18oKmHL2YsZk=\n\
         \-----END PUBLIC KEY-----\n"
-    handle = Handle "phuhhibdhqbqxrzbnsafw"
-    tid = TeamId "40251680-35e1-4374-b3aa-75600de79e33"

nix/pkgs/rusty_jwt_tools_ffi/default.nix

@@ -10,12 +10,12 @@
 # Cargo.lock file in its root (not at the ffi/ subpath).
 
 let
-  version = "0.8.0";
+  version = "0.8.5";
   src = fetchFromGitHub {
     owner = "wireapp";
     repo = "rusty-jwt-tools";
-    rev = "064d531b6f0d0b502755dceb3ab73f0f9ad02143";
-    sha256 = "sha256-OqL4ue6swci3JqQKNmzcvpGxQAMhF8bHTXMp6dvIn9o=";
+    rev = "99acb427b2169d726f356d30dec55eae83dda6b6";
+    sha256 = "sha256-x1W79spOZeFHabRbhMksz6gLtRIpl2E7WCiXuzIMoFM=";
   };
   cargoLockFile = builtins.toFile "cargo.lock" (builtins.readFile "${src}/Cargo.lock");
 
@@ -29,12 +29,9 @@ rustPlatform.buildRustPackage {
     outputHashes = {
       # if any of these need updating, replace / create new key with
       # lib.fakeSha256, rebuild, and replace with actual hash.
-      "biscuit-0.6.0-beta1" = "sha256-no7b4Un+7AES7EwWdZh/oeIa4w0caKLAUFsHWqgJOrg=";
       "certval-0.1.4" = "sha256-mUg3Kx1I/r9zBoB7tDaZsykFkE+tsN+Rem6DjUOZbuU=";
       "jwt-simple-0.12.1" = "sha256-5PAOwulL8j6f4Ycoa5Q+1dqEA24uN8rJt+i2RebL6eo=";
-      "rcgen-0.9.2" = "sha256-3jFzInwdzFBot+L2Vm5NLF1ml33GH2+Iv3LqqGhLxFs=";
-      "ring-0.17.0-not-released-yet" = "sha256-TP8yZo64J/d1fw8l2J4+ol70EcHvpvHJBdpF3A+6Dgo=";
-      "x509-ocsp-0.2.1" = "sha256-Tdswn977QtS+i69q82dF/nkXIblUaCsqPD2SqUIYLWc=";
+      "x509-ocsp-0.2.1" = "sha256-o+r9h0CcexWqJIIoZdOgSd7hWIb91BheW6UZI98RpLA=";
     };
   };
 

services/brig/test/integration/API/User/Client.hs

@@ -1459,6 +1459,7 @@ testCreateAccessToken opts n brig = do
           & claimNbf ?~ NumericDate now
           & claimSub ?~ fromMaybe (error "invalid sub claim") ((clientIdentity :: Text) ^? stringOrUri)
           & claimJti ?~ "6fc59e7f-b666-4ffc-b738-4f4760c884ca"
+          & claimAud ?~ (maybe (error "invalid sub claim") (Audience . (: [])) (("https://wire.com/acme/challenge/abcd" :: Text) ^? stringOrUri))
   let dpopClaims = DPoPClaimsSet claimsSet' nonceBs "POST" httpsUrl "wa2VrkCtW1sauJ2D3uKY8rc7y4kl4usH" handle (UUID.toText (toUUID tid))
   signedOrError <- fmap encodeCompact <$> liftIO (signAccessToken dpopClaims)
   case signedOrError of