--
86b1c997fac1f77b0eacfab788659b5a89a6096e by Abseil Team <absl-team@google.com>:
Import of CCTZ from GitHub.
PiperOrigin-RevId: 211654320
--
299b70e1247df768454a76eb957a184de9706f61 by Chris Kennelly <ckennelly@google.com>:
Avoid creating a misaligned reference to int.
PiperOrigin-RevId: 211505883
--
c8fad4357ad0bfb3c5ad197c505509bc087072c9 by Abseil Team <absl-team@google.com>:
Import of CCTZ from GitHub.
PiperOrigin-RevId: 211458539
--
0613feffcd36466c3e53a50758d7e8f17c001dce by Greg Falcon <gfalcon@google.com>:
Refactor a string unit test into a template function for internal purposes.
PiperOrigin-RevId: 211100748
GitOrigin-RevId: 86b1c997fac1f77b0eacfab788659b5a89a6096e
Change-Id: Ic6a932b6c27c6762dcdb3b0127f1e2be782418c1
‘geteuid’ gives us the user that the command is being run as,
including in setuid modes. By using geteuid to determine id, we can
avoid the ‘sudo -i’ hack when upgrading Nix. So now, upgrading Nix on
macOS is as simple as:
$ sudo nix-channel --update
$ sudo nix-env -u
$ sudo launchctl stop org.nixos.nix-daemon
$ sudo launchctl start org.nixos.nix-daemon
or
$ sudo systemctl restart nix-daemon
Implements initial validations of token claims. The included
validations are:
* validation of token issuer
* validation of token audience
* validation that a subject is set
* validation that a token is not expired
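The four checks listed above, written out as an added example using only the standard library (not code from this commit or its project). The type, field and function names are hypothetical, and treating a missing `exp` as expired is an assumption.

```rust
// Added example; all names are hypothetical, not the library's API.
#[derive(Debug, PartialEq)]
pub enum ClaimError { WrongIssuer, WrongAudience, MissingSubject, Expired }

/// Decoded claims. `aud` is a list because RFC 7519 allows one or many values.
pub struct Claims {
    pub iss: Option<String>,
    pub aud: Vec<String>,
    pub sub: Option<String>,
    pub exp: Option<u64>, // seconds since the Unix epoch
}

/// What the caller expects of a token, plus the current time.
pub struct Expect<'a> {
    pub issuer: &'a str,
    pub audience: &'a str,
    pub now: u64,
}

/// Runs all four checks and reports every failure, not only the first.
pub fn validate(c: &Claims, e: &Expect) -> Result<(), Vec<ClaimError>> {
    let mut errs = Vec::new();
    if c.iss.as_deref() != Some(e.issuer) {
        errs.push(ClaimError::WrongIssuer);
    }
    if !c.aud.iter().any(|a| a.as_str() == e.audience) {
        errs.push(ClaimError::WrongAudience);
    }
    // An empty subject is treated the same as an absent one.
    if c.sub.as_deref().map_or(true, |s| s.is_empty()) {
        errs.push(ClaimError::MissingSubject);
    }
    // Assumption: a token without `exp` fails closed. `exp == now` is expired.
    if c.exp.map_or(true, |exp| exp <= e.now) {
        errs.push(ClaimError::Expired);
    }
    if errs.is_empty() { Ok(()) } else { Err(errs) }
}

fn main() {
    // Constructed sample: correct issuer and subject, wrong audience, expired.
    let c = Claims { iss: Some("https://issuer.example".into()),
        aud: vec!["other-api".into()], sub: Some("user-1".into()), exp: Some(1_000) };
    let e = Expect { issuer: "https://issuer.example", audience: "my-api", now: 2_000 };
    println!("{:?}", validate(&c, &e));
}
```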
These fields are only used to constrain deserialisation to the
supported values, but have no further effect.
`rustc` throws warnings about them not being used, which this commit
disables.
Implements the logic for validating a token signature and returning
its decoded headers and claims.
This does not yet apply claim validations, as those have not been
specified yet.
Introduces a new struct type which contains the token's headers and
claims as JSON values. This is constructed by validating a token and
allows library users to deal with the deserialised values as they
please.
There are multiple points in the code where a token part needs to be
deserialised (i.e. first base64-decoded, then JSON-deserialised). This
is extracted to a helper function in this commit.
Introduces the internal function for validating JWT signatures. The
process is relatively straightforward:
1. Create an OpenSSL signature verifier using the public key from the
JWK.
2. Split the JWT into the data (header + claims) and signature parts.
3. Validate the data against the signature using the verifier from (1)
OpenSSL "cleanly" returns a boolean in case of an invalid signature,
but an otherwise successful operation.
This is represented differently in the returned error variant, with an
invalid signature being represented as `InvalidSignature`, and other
errors as the `OpenSSL` error variant which wraps the underlying
OpenSSL issue.
Successful validation returns an empty `Ok` result.
This makes the library slightly more "rusty". Instead of returning a
validation result which also represents potential success, use an enum
representing the error variants and the standard library's
`Result`-type to represent success/failure.
It's pretty easy to unintentionally install a second version of nix
into the user profile when using a daemon install. In this case it
looks like nix was upgraded while the nix-daemon is probably still
running an older version.
A protocol mismatch can sometimes cause problems when using specific
features with an older daemon. For example:
Nix 2.0 changed the way files are copied to the store. The daemon is
backwards compatible and can still handle older clients, however a 1.11
nix-daemon isn't forwards compatible.