Bump json-jwt and openid_connect

Fixes CVE-2018-1000539

Gemfile

@@ -164,7 +164,7 @@ gem "omniauth-wordpress", "0.2.2"
 gem "twitter",            "6.2.0"
 
 # OpenID Connect
-gem "openid_connect", "1.1.5"
+gem "openid_connect", "1.1.6"
 
 # Serializers
 

Gemfile.lock

@@ -306,7 +306,7 @@ GEM
     httparty (0.16.2)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
-    i18n (1.0.0)
+    i18n (1.1.0)
       concurrent-ruby (~> 1.0)
     i18n-inflector (2.6.7)
       i18n (>= 0.4.1)
@@ -333,12 +333,10 @@ GEM
       rails (>= 4.0, < 6.0)
       sprockets (>= 3.0.0)
     json (2.1.0)
-    json-jwt (1.9.2)
+    json-jwt (1.9.4)
       activesupport
       aes_key_wrap
       bindata
-      securecompare
-      url_safe_base64
     json-schema (2.8.0)
       addressable (>= 2.4)
     json-schema-rspec (0.0.4)
@@ -379,7 +377,7 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
     mini_magick (4.8.0)
-    mini_mime (1.0.0)
+    mini_mime (1.0.1)
     mini_portile2 (2.3.0)
     minitest (5.11.3)
     mobile-fu (1.4.0)
@@ -429,7 +427,7 @@ GEM
     open_graph_reader (0.6.2)
       faraday (>= 0.9.0)
       nokogiri (~> 1.6)
-    openid_connect (1.1.5)
+    openid_connect (1.1.6)
       activemodel
       attr_required (>= 1.0.0)
       json-jwt (>= 1.5.0)
@@ -475,7 +473,7 @@ GEM
     pry-byebug (3.6.0)
       byebug (~> 10.0)
       pry (~> 0.10)
-    public_suffix (3.0.2)
+    public_suffix (3.0.3)
     rack (2.0.5)
     rack-cors (1.0.2)
     rack-google-analytics (1.2.0)
@@ -483,7 +481,7 @@ GEM
       activesupport
     rack-mobile-detect (0.4.0)
       rack
-    rack-oauth2 (1.9.1)
+    rack-oauth2 (1.9.2)
       activesupport
       attr_required
       httpclient
@@ -642,7 +640,6 @@ GEM
       sass (~> 3.4.20)
     secure_headers (5.0.5)
       useragent (>= 0.15.0)
-    securecompare (1.0.0)
     shellany (0.0.1)
     shoulda-matchers (3.1.2)
       activesupport (>= 4.0.0)
@@ -728,7 +725,6 @@ GEM
     unicorn-worker-killer (0.4.4)
       get_process_mem (~> 0)
       unicorn (>= 4, < 6)
-    url_safe_base64 (0.2.2)
     useragent (0.16.10)
     uuid (2.3.8)
       macaddr (~> 1.0)
@@ -829,7 +825,7 @@ DEPENDENCIES
   omniauth-twitter (= 1.4.0)
   omniauth-wordpress (= 0.2.2)
   open_graph_reader (= 0.6.2)
-  openid_connect (= 1.1.5)
+  openid_connect (= 1.1.6)
   pg (= 1.0.0)
   poltergeist (= 1.17.0)
   pronto (= 0.9.5)

spec/controllers/api/openid_connect/authorizations_controller_spec.rb

@@ -296,7 +296,9 @@ describe Api::OpenidConnect::AuthorizationsController, type: :request do
           decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
                                                                         Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
           access_token = response.location[/(?<=access_token=)[^&]+/]
-          access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
+          access_token_check_num = Base64.urlsafe_encode64(
+            OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
+          )
           expect(decoded_token.at_hash).to eq(access_token_check_num)
         end
       end

spec/fixtures/client_assertion_with_tampered_sig.txt

@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoe
+eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8va2VudHNoaWthbWEuY29tL2FwaS9vcGVuaWRfY29ubmVjdC9hY2Nlc3NfdG9rZW5zIl0sICJpc3MiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UiLCAianRpIjogIjBtY3JyZVlIIiwgImV4cCI6IDE0NDMxNzA4OTEuMzk3NDU2LCAiaWF0IjogMTQ0MzE3MDI5MS4zOTc0NTYsICJzdWIiOiAiMTRkNjkyY2Q1M2Q5YzFhOWY0NmZkNjllMGU1NzQ0M2UifQ.QJUR3SYFrEIlbfOKjO0NYInddklytbJ2LSWNpkQ1aNThgneDCVCjIYGCaL2C9Sw-GR8j7QSUsKOwBbjZMUmVPFTjsfB4wdgObbxVt1QAXwDjAXc5w1smOerRsoahZ4yKI1an6PTaFxMwnoXUQcBZTsOS6RgXOCPPPoxibxohxoehPLieM0l7LYcF5DQKg7fTxZYOpmtiP--nibJxomXdVQNLSnZuQwnyWtlp_gYmqrYMMN1LPSmNCgZMZZZIYttaaAIA96SylglqubowJRShtDO9rSvUz_sgeCo7qo5Bfb0B5n9_PtIlr1CZSVoHyYj2lVqQldx7fnGuqqQJCfDQoQ

spec/lib/api/openid_connect/token_endpoint_spec.rb

@@ -49,7 +49,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
         decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
                                                                       Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
         access_token = json["access_token"]
-        access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
+        access_token_check_num = Base64.urlsafe_encode64(
+          OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
+        )
         expect(decoded_token.at_hash).to eq(access_token_check_num)
       end
 
@@ -93,7 +95,9 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
         decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
                                                                       Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
         access_token = json["access_token"]
-        access_token_check_num = UrlSafeBase64.encode64(OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8])
+        access_token_check_num = Base64.urlsafe_encode64(
+          OpenSSL::Digest::SHA256.digest(access_token)[0, 128 / 8], padding: false
+        )
         expect(decoded_token.at_hash).to eq(access_token_check_num)
       end