Introduce standalone SponsorManifest for read/validate

kzu · kzu · commit a755e4be0f7c · 2025-04-21T13:52:01.000-03:00
This allows zero-dependencies reading and validating of an offline local jwt manifest.
diff --git a/samples/dotnet/SponsorLink/ManifestStatus.cs b/samples/dotnet/SponsorLink/ManifestStatus.cs
diff --git a/samples/dotnet/SponsorLink/SponsorLink.cs b/samples/dotnet/SponsorLink/SponsorLink.cs
@@ -165,82 +165,4 @@ public static bool TryRead([NotNullWhen(true)] out ClaimsPrincipal? principal, I
 
         return principal != null;
     }
-
-    /// <summary>
-    /// Validates the manifest signature and optional expiration.
-    /// </summary>
-    /// <param name="jwt">The JWT to validate.</param>
-    /// <param name="jwk">The key to validate the manifest signature with.</param>
-    /// <param name="token">Except when returning <see cref="Status.Unknown"/>, returns the security token read from the JWT, even if signature check failed.</param>
-    /// <param name="identity">The associated claims, only when return value is not <see cref="Status.Unknown"/>.</param>
-    /// <param name="requireExpiration">Whether to check for expiration.</param>
-    /// <returns>The status of the validation.</returns>
-    public static ManifestStatus Validate(string jwt, string jwk, out SecurityToken? token, out ClaimsIdentity? identity, bool validateExpiration)
-    {
-        token = default;
-        identity = default;
-
-        SecurityKey key;
-        try
-        {
-            key = JsonWebKey.Create(jwk);
-        }
-        catch (ArgumentException)
-        {
-            return ManifestStatus.Unknown;
-        }
-
-        var handler = new JsonWebTokenHandler { MapInboundClaims = false };
-
-        if (!handler.CanReadToken(jwt))
-            return ManifestStatus.Unknown;
-
-        var validation = new TokenValidationParameters
-        {
-            RequireExpirationTime = false,
-            ValidateLifetime = false,
-            ValidateAudience = false,
-            ValidateIssuer = false,
-            ValidateIssuerSigningKey = true,
-            IssuerSigningKey = key,
-            RoleClaimType = "roles",
-            NameClaimType = "sub",
-        };
-
-        var result = handler.ValidateTokenAsync(jwt, validation).Result;
-        if (result.Exception != null)
-        {
-            if (result.Exception is SecurityTokenInvalidSignatureException)
-            {
-                var jwtToken = handler.ReadJsonWebToken(jwt);
-                token = jwtToken;
-                identity = new ClaimsIdentity(jwtToken.Claims);
-                return ManifestStatus.Invalid;
-            }
-            else
-            {
-                var jwtToken = handler.ReadJsonWebToken(jwt);
-                token = jwtToken;
-                identity = new ClaimsIdentity(jwtToken.Claims);
-                return ManifestStatus.Invalid;
-            }
-        }
-
-        token = result.SecurityToken;
-        identity = new ClaimsIdentity(result.ClaimsIdentity.Claims, "JWT");
-
-        if (validateExpiration && token.ValidTo == DateTime.MinValue)
-            return ManifestStatus.Invalid;
-
-        // The sponsorable manifest does not have an expiration time.
-        if (validateExpiration && token.ValidTo < DateTimeOffset.UtcNow)
-            return ManifestStatus.Expired;
-
-        return ManifestStatus.Valid;
-    }
-
-    class JwtRolesPrincipal(ClaimsIdentity identity) : ClaimsPrincipal([identity])
-    {
-        public override bool IsInRole(string role) => HasClaim("roles", role) || base.IsInRole(role);
-    }
 }
diff --git a/samples/dotnet/SponsorLink/SponsorManifest.cs b/samples/dotnet/SponsorLink/SponsorManifest.cs
@@ -0,0 +1,160 @@
+﻿// <autogenerated />
+#nullable enable
+using System;
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.IO;
+using System.Security.Claims;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Devlooped.Sponsors;
+
+/// <summary>
+/// The resulting status from validation.
+/// </summary>
+public enum ManifestStatus
+{
+    /// <summary>
+    /// The manifest couldn't be read at all.
+    /// </summary>
+    Unknown,
+    /// <summary>
+    /// The manifest was read and is valid (not expired and properly signed).
+    /// </summary>
+    Valid,
+    /// <summary>
+    /// The manifest was read but has expired.
+    /// </summary>
+    Expired,
+    /// <summary>
+    /// The manifest was read, but its signature is invalid.
+    /// </summary>
+    Invalid,
+}
+
+/// <summary>
+/// Represents the sponsorship status of a user.
+/// </summary>
+/// <param name="Status">The status.</param>
+/// <param name="Principal">The principal potentially containing roles validated from the manifest.</param>
+/// <param name="SecurityToken">The security token from the validated manifest.</param>
+public record SponsorManifest(ManifestStatus Status, ClaimsPrincipal Principal, SecurityToken? SecurityToken)
+{
+    /// <summary>
+    /// Whether the manifest <see cref="Status"/> is <see cref="ManifestStatus.Valid"/>.
+    /// </summary>
+    public bool IsValid => Status == ManifestStatus.Valid;
+}
+
+static partial class SponsorLink
+{
+    /// <summary>
+    /// Reads the local manifest (if present) for the specified sponsorable account and validates it 
+    /// against the given JWK key.
+    /// </summary>
+    /// <param name="sponsorable">The sponsorable account to read.</param>
+    /// <param name="jwk">The public key to validate the signature on the manifest JWT if found.</param>
+    /// <param name="validateExpiration">Whether to validate the manifest expiration. If <see langword="false"/>, 
+    /// an expired manifest will be reported as <see cref="ManifestStatus.Valid"/>. The expiration date 
+    /// can be checked in that case via the <see cref="SponsorManifest.SecurityToken"/>.</param>
+    /// <returns>A manifest that represents the user status.</returns>
+    public static SponsorManifest GetManifest(string sponsorable, string jwk, bool validateExpiration = true)
+    {
+        var path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), 
+            ".sponsorlink", "github", sponsorable + ".jwt");
+
+        if (!File.Exists(path))
+            return new SponsorManifest(ManifestStatus.Unknown, new ClaimsPrincipal(), null);
+
+        return ParseManifest(File.ReadAllText(path), jwk, validateExpiration);
+    }
+
+    internal static SponsorManifest ParseManifest(string jwt, string jwk, bool validateExpiration)
+    {
+        var status = Validate(jwt, jwk, out var token, out var identity, validateExpiration);
+
+        if (status == ManifestStatus.Unknown || identity == null)
+            return new SponsorManifest(status, new ClaimsPrincipal(), token);
+
+        return new SponsorManifest(status, new JwtRolesPrincipal(identity), token);
+    }
+
+    /// <summary>
+    /// Validates the manifest signature and optional expiration.
+    /// </summary>
+    /// <param name="jwt">The JWT to validate.</param>
+    /// <param name="jwk">The key to validate the manifest signature with.</param>
+    /// <param name="token">Except when returning <see cref="Status.Unknown"/>, returns the security token read from the JWT, even if signature check failed.</param>
+    /// <param name="identity">The associated claims, only when return value is not <see cref="Status.Unknown"/>.</param>
+    /// <param name="requireExpiration">Whether to check for expiration.</param>
+    /// <returns>The status of the validation.</returns>
+    public static ManifestStatus Validate(string jwt, string jwk, out SecurityToken? token, out ClaimsIdentity? identity, bool validateExpiration)
+    {
+        token = default;
+        identity = default;
+
+        SecurityKey key;
+        try
+        {
+            key = JsonWebKey.Create(jwk);
+        }
+        catch (ArgumentException)
+        {
+            return ManifestStatus.Unknown;
+        }
+
+        var handler = new JsonWebTokenHandler { MapInboundClaims = false };
+
+        if (!handler.CanReadToken(jwt))
+            return ManifestStatus.Unknown;
+
+        var validation = new TokenValidationParameters
+        {
+            RequireExpirationTime = false,
+            ValidateLifetime = false,
+            ValidateAudience = false,
+            ValidateIssuer = false,
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = key,
+            RoleClaimType = "roles",
+            NameClaimType = "sub",
+        };
+
+        var result = handler.ValidateTokenAsync(jwt, validation).Result;
+        if (!result.IsValid || result.Exception != null)
+        {
+            if (result.Exception is SecurityTokenInvalidSignatureException)
+            {
+                var jwtToken = handler.ReadJsonWebToken(jwt);
+                token = jwtToken;
+                identity = new ClaimsIdentity(jwtToken.Claims);
+                return ManifestStatus.Invalid;
+            }
+            else
+            {
+                var jwtToken = handler.ReadJsonWebToken(jwt);
+                token = jwtToken;
+                identity = new ClaimsIdentity(jwtToken.Claims);
+                return ManifestStatus.Invalid;
+            }
+        }
+
+        token = result.SecurityToken;
+        identity = new ClaimsIdentity(result.ClaimsIdentity.Claims, "JWT");
+
+        if (validateExpiration && token.ValidTo == DateTime.MinValue)
+            return ManifestStatus.Invalid;
+
+        // The sponsorable manifest does not have an expiration time.
+        if (validateExpiration && token.ValidTo < DateTimeOffset.UtcNow)
+            return ManifestStatus.Expired;
+
+        return ManifestStatus.Valid;
+    }
+
+    class JwtRolesPrincipal(ClaimsIdentity identity) : ClaimsPrincipal([identity])
+    {
+        public override bool IsInRole(string role) => HasClaim("roles", role) || base.IsInRole(role);
+    }
+}
diff --git a/samples/dotnet/Tests/SponsorManifestTests.cs b/samples/dotnet/Tests/SponsorManifestTests.cs
@@ -8,7 +8,7 @@
 
 namespace Devlooped.Tests;
 
-public class SponsorLinkTests
+public class SponsorManifestTests
 {
     // We need to convert to jwk string since the analyzer project has merged the JWT assembly and types.
     public static string ToJwk(SecurityKey key)
@@ -19,64 +19,67 @@ public static string ToJwk(SecurityKey key)
     [Fact]
     public void ValidateSponsorable()
     {
-        var manifest = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
-        var jwt = manifest.ToJwt();
-        var jwk = ToJwk(manifest.SecurityKey);
+        var sponsorable = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
+        var jwt = sponsorable.ToJwt();
+        var jwk = ToJwk(sponsorable.SecurityKey);
 
         // NOTE: sponsorable manifest doesn't have expiration date.
-        var status = SponsorLink.Validate(jwt, jwk, out var token, out var principal, false);
+        var manifest = SponsorLink.ParseManifest(jwt, jwk, false);
 
-        Assert.Equal(ManifestStatus.Valid, status);
+        Assert.True(manifest.IsValid);
+        Assert.Equal(ManifestStatus.Valid, manifest.Status);
     }
 
     [Fact]
     public void ValidateWrongKey()
     {
-        var manifest = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
-        var jwt = manifest.ToJwt();
+        var sponsorable = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
+        var jwt = sponsorable.ToJwt();
         var jwk = ToJwk(new RsaSecurityKey(RSA.Create()));
 
-        var status = SponsorLink.Validate(jwt, jwk, out var token, out var principal, false);
+        var manifest = SponsorLink.ParseManifest(jwt, jwk, false);
 
-        Assert.Equal(ManifestStatus.Invalid, status);
+        Assert.Equal(ManifestStatus.Invalid, manifest.Status);
 
         // We should still be a able to read the data, knowing it may have been tampered with.
-        Assert.NotNull(principal);
-        Assert.NotNull(token);
+        Assert.NotNull(manifest.Principal);
+        Assert.NotNull(manifest.SecurityToken);
     }
 
     [Fact]
     public void ValidateExpiredSponsor()
     {
-        var manifest = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
-        var jwk = ToJwk(manifest.SecurityKey);
-        var sponsor = manifest.Sign([], expiration: TimeSpan.Zero);
+        var sponsorable = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
+        var jwk = ToJwk(sponsorable.SecurityKey);
+        var sponsor = sponsorable.Sign([], expiration: TimeSpan.Zero);
 
         // Will be expired after this.
         Thread.Sleep(1000);
 
-        var status = SponsorLink.Validate(sponsor, jwk, out var token, out var principal, true);
+        var manifest = SponsorLink.ParseManifest(sponsor, jwk, true);
 
-        Assert.Equal(ManifestStatus.Expired, status);
+        Assert.Equal(ManifestStatus.Expired, manifest.Status);
 
         // We should still be a able to read the data, even if expired (but not tampered with).
-        Assert.NotNull(principal);
-        Assert.NotNull(token);
+        Assert.NotNull(manifest.Principal);
+        Assert.NotNull(manifest.SecurityToken);
     }
 
     [Fact]
     public void ValidateUnknownFormat()
     {
-        var manifest = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
-        var jwk = ToJwk(manifest.SecurityKey);
+        var sponsorable = SponsorableManifest.Create(new Uri("https://foo.com"), [new Uri("https://github.com/sponsors/bar")], "ASDF1234");
+        var jwk = ToJwk(sponsorable.SecurityKey);
 
-        var status = SponsorLink.Validate("asdfasdf", jwk, out var token, out var principal, false);
+        var manifest = SponsorLink.ParseManifest("asdfasdf", jwk, false);
 
-        Assert.Equal(ManifestStatus.Unknown, status);
+        Assert.Equal(ManifestStatus.Unknown, manifest.Status);
 
         // Nothing could be read at all.
-        Assert.Null(principal);
-        Assert.Null(token);
+        Assert.False(manifest.IsValid);
+        Assert.NotNull(manifest.Principal);
+        Assert.Null(manifest.Principal.Identity);
+        Assert.Null(manifest.SecurityToken);
     }
 
     [Fact]
@@ -111,16 +114,16 @@ public void ValidateCachedManifest()
 
         var jwt = File.ReadAllText(path);
 
-        var status = SponsorLink.Validate(jwt,
+        var manifest = SponsorLink.ParseManifest(jwt,
             """
             {
               "e": "AQAB",
               "kty": "RSA",
               "n": "5inhv8QymaDBOihNi1eY-6-hcIB5qSONFZxbxxXAyOtxAdjFCPM-94gIZqM9CDrX3pyg1lTJfml_a_FZSU9dB1ii5mSX_mNHBFXn1_l_gi1ErdbkIF5YbW6oxWFxf3G5mwVXwnPfxHTyQdmWQ3YJR-A3EB4kaFwLqA6Ha5lb2ObGpMTQJNakD4oTAGDhqHMGhu6PupGq5ie4qZcQ7N8ANw8xH7nicTkbqEhQABHWOTmLBWq5f5F6RYGF8P7cl0IWl_w4YcIZkGm2vX2fi26F9F60cU1v13GZEVDTXpJ9kzvYeM9sYk6fWaoyY2jhE51qbv0B0u6hScZiLREtm3n7ClJbIGXhkUppFS2JlNaX3rgQ6t-4LK8gUTyLt3zDs2H8OZyCwlCpfmGmdsUMkm1xX6t2r-95U3zywynxoWZfjBCJf41leM9OMKYwNWZ6LQMyo83HWw1PBIrX4ZLClFwqBcSYsXDyT8_ZLd1cdYmPfmtllIXxZhLClwT5qbCWv73V"
             }
             """
-            , out var token, out var principal, false);
+            , false);
 
-        Assert.Equal(ManifestStatus.Valid, status);
+        Assert.Equal(ManifestStatus.Valid, manifest.Status);
     }
 }
diff --git a/src/Core/Records.cs b/src/Core/Records.cs
@@ -43,7 +43,7 @@ public record OpenSource(ConcurrentDictionary<string, HashSet<string>> Authors,
     OpenSourceTotals? totals;
 
     public OpenSource() : this(new(FnvHashComparer.Default), new(FnvHashComparer.Default), new(FnvHashComparer.Default))
-    {            
+    {
     }
 
     public OpenSourceSummary Summary => summary ??= new(Totals);
diff --git a/src/Web/Stats.cs b/src/Web/Stats.cs

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ public record OpenSource(ConcurrentDictionary<string, HashSet<string>> Authors,`
`43`	`43`	`OpenSourceTotals? totals;`
`44`	`44`
`45`	`45`	`public OpenSource() : this(new(FnvHashComparer.Default), new(FnvHashComparer.Default), new(FnvHashComparer.Default))`
`46`		`- {`
	`46`	`+ {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`public OpenSourceSummary Summary => summary ??= new(Totals);`