angus-authentication 0.0.2

data/lib/angus-authentication.rb

@@ -0,0 +1,4 @@
+require_relative 'angus/authentication/exceptions'
+require_relative 'angus/authentication/provider'
+
+require_relative 'rack/middleware/angus_authentication'

data/lib/angus/authentication/default_authenticator.rb

@@ -0,0 +1,24 @@
+module Angus
+  module Authentication
+    class DefaultAuthenticator
+
+      def initialize(private_key)
+        @private_key = private_key
+      end
+
+      def call(session_id, auth_data, auth_token)
+        if Digest::SHA1.hexdigest("#@private_key\n#{auth_data}") == auth_token
+          private_session_key_seed = BCrypt::Engine.generate_salt
+          private_session_key = Digest::SHA1.hexdigest(
+            "#@private_key\n#{private_session_key_seed}"
+          )
+
+          return private_session_key, private_session_key_seed
+        else
+          return nil, nil
+        end
+      end
+
+    end
+  end
+end

data/lib/angus/authentication/exceptions.rb

@@ -0,0 +1,17 @@
+module Angus
+  module Authentication
+
+    class MissingAuthorizationData < StandardError
+
+    end
+
+    class InvalidAuthorizationData < StandardError
+
+    end
+
+    class AuthorizationTimeout < StandardError
+
+    end
+
+  end
+end

data/lib/angus/authentication/provider.rb

@@ -0,0 +1,154 @@
+require 'digest'
+require 'bcrypt'
+
+require_relative 'redis_store'
+require_relative 'default_authenticator'
+
+module Angus
+  module Authentication
+
+    class Provider
+
+      DEFAULT_ID_TTL = 60 * 60
+      DEFAULT_SESSION_TTL = 60 * 60
+      DEFAULT_PRIVATE_KEY = 'CHANGE ME!!'
+
+      AUTHENTICATION_HEADER = 'HTTP_AUTHORIZATION'
+      BAAS_AUTHENTICATION_HEADER = 'HTTP_X_BAAS_AUTH'
+      BAAS_SESSION_HEADER = 'X-Baas-Session-Seed'
+      DATE_HEADER = 'HTTP_DATE'
+      REQUEST_HEADER = 'REQUEST_METHOD'
+      PATH_HEADER = 'PATH_INFO'
+
+      def initialize(settings, env)
+        @session_id_ttl = settings[:session_id_ttl] || DEFAULT_ID_TTL
+        @session_ttl = settings[:session_ttl] || DEFAULT_SESSION_TTL
+        @private_key = settings[:private_key] || DEFAULT_PRIVATE_KEY
+        @authenticator = settings[:authenticator] || DefaultAuthenticator.new(@private_key)
+        @store = RedisStore.new(settings[:store] || {})
+        @excluded_regexps = settings[:excluded_regexps] || []
+        @env = env
+      end
+
+      def authenticate!
+        return unless should_authenticate?
+
+        if has_session?
+          authenticate_session
+        else
+          start_session
+        end
+      end
+
+      def update_response_header(response)
+        return unless should_authenticate?
+
+        headers = response[1]
+
+        session_data = @store.get_session_data(session_id)
+
+        headers[BAAS_SESSION_HEADER] = session_data['key_seed']
+      end
+
+      private
+
+      def should_authenticate?
+        return true if @excluded_regexps.empty?
+
+        @excluded_regexps.none? { |regexp| request_path.match(regexp) }
+      end
+
+      def request_path
+        @env[PATH_HEADER]
+      end
+
+      def has_session?
+        @store.has_key?(session_id)
+      end
+
+      def start_session
+        raise MissingAuthorizationData unless authorization_data_present?
+
+        private_session_key, private_session_key_seed = @authenticator.call(session_id, auth_data,
+                                                                            auth_token)
+
+        raise InvalidAuthorizationData unless private_session_key
+
+        session_data = {
+          'private_key' => private_session_key,
+          'key_seed' => private_session_key_seed,
+          'created_at' => Time.now.iso8601
+        }
+
+        @store.save_session_data(session_id, session_data, @session_id_ttl + @session_ttl)
+      end
+
+      def authenticate_session
+        raise MissingAuthorizationData unless session_data_present?
+
+        if session_expired? && authorization_data_present?
+          start_session && return
+        elsif session_expired?
+          raise AuthorizationTimeout
+        end
+        session_data = @store.get_session_data(session_id)
+
+        if authenticate_session_token(session_data['private_key'])
+          raise InvalidAuthorizationData
+        end
+      end
+
+      def authenticate_session_token(private_key)
+        Digest::SHA1.hexdigest("#{private_key}\n#{auth_data}") != session_auth_token
+      end
+
+      def authorization_data_present?
+        @env[DATE_HEADER] != nil && @env[AUTHENTICATION_HEADER] != nil &&
+          extract_session_id(@env[AUTHENTICATION_HEADER]) != nil
+      end
+
+      def session_data_present?
+        @env[DATE_HEADER] != nil && @env[BAAS_AUTHENTICATION_HEADER] != nil &&
+          extract_session_id(@env[BAAS_AUTHENTICATION_HEADER]) != nil
+      end
+
+      def session_expired?
+        session_data = @store.get_session_data(session_id)
+
+        created_at = Time.iso8601(session_data['created_at'])
+
+        (created_at + @session_ttl) < Time.now
+      rescue Exception
+        true
+      end
+
+      def auth_data
+        "#{@env[DATE_HEADER]}\n" +
+        "#{@env[REQUEST_HEADER]}\n" +
+        "#{@env[PATH_HEADER]}"
+      end
+
+      def auth_token
+        (@env[AUTHENTICATION_HEADER] || '').match(/.*:([a-zA-Z0-9]*)$/)
+        $1
+      end
+
+      def session_id
+        extract_session_id(@env[BAAS_AUTHENTICATION_HEADER]) ||
+          extract_session_id(@env[AUTHENTICATION_HEADER])
+      end
+
+      def session_auth_token
+        (@env[BAAS_AUTHENTICATION_HEADER] || '').match(/.*:([a-zA-Z0-9]*)$/)
+        $1
+      end
+
+      def extract_session_id(data)
+        (data || '').match(/^([a-zA-Z0-9]*):.*/)
+        $1
+      end
+
+    end
+
+  end
+end

data/lib/angus/authentication/redis_store.rb

@@ -0,0 +1,40 @@
+require 'json'
+require 'redis'
+
+module Angus
+  module Authentication
+
+    class RedisStore
+
+      DEFAULT_NAMESPACE = ''
+
+      def initialize(settings)
+        @namespace = settings.delete(:namespace) || DEFAULT_NAMESPACE
+        @settings = settings
+      end
+
+      def has_key?(key)
+        redis.exists(add_namespace(key))
+      end
+
+      def save_session_data(key, data, ttl)
+        redis.set(add_namespace(key), JSON(data))
+        redis.expire(add_namespace(key), ttl)
+      end
+
+      def get_session_data(key)
+        JSON(redis.get(add_namespace(key)) || {})
+      end
+
+      def redis
+        @redis ||= Redis.new(@settings)
+      end
+
+      def add_namespace(key)
+        "#@namespace.angus-authentication-provider.#{key}"
+      end
+
+    end
+
+  end
+end

data/lib/angus/authentication/version.rb

@@ -0,0 +1,5 @@
+module Angus
+  module Authentication
+    VERSION = '0.0.2'
+  end
+end

data/lib/rack/middleware/angus_authentication.rb

@@ -0,0 +1,41 @@
+require 'angus/authentication/provider'
+
+module Rack
+  module Middleware
+
+    class AngusAuthentication
+
+      UNAUTHORIZED_MESSAGE = 'Unauthorized'
+      TIMEOUT_MESSAGE = 'Authentication Timeout'
+
+      def initialize(app, settings = {})
+        @app = app
+
+        @authentication_settings = settings
+      end
+
+      def call(env)
+        dup.call!(env)
+      end
+
+      def call!(env)
+        authentication_provider = Angus::Authentication::Provider.new(@authentication_settings, env)
+
+        authentication_provider.authenticate!
+
+        response = @app.call(env)
+
+        authentication_provider.update_response_header(response)
+
+        response
+      rescue Angus::Authentication::MissingAuthorizationData,
+             Angus::Authentication::InvalidAuthorizationData
+        [401, {}, [UNAUTHORIZED_MESSAGE]]
+      rescue Angus::Authentication::AuthorizationTimeout
+        [419, {}, [TIMEOUT_MESSAGE]]
+      end
+
+    end
+
+  end
+end

metadata

@@ -0,0 +1,245 @@
+--- !ruby/object:Gem::Specification
+name: angus-authentication
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+  prerelease: 
+platform: ruby
+authors:
+- Adrian Gomez
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-11-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bcrypt-ruby
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.1'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.14'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: mock_redis
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: simplecov-rcov
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-rcov-text
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ci_reporter
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- angus@moove-it.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/angus/authentication/default_authenticator.rb
+- lib/angus/authentication/version.rb
+- lib/angus/authentication/exceptions.rb
+- lib/angus/authentication/redis_store.rb
+- lib/angus/authentication/provider.rb
+- lib/angus-authentication.rb
+- lib/rack/middleware/angus_authentication.rb
+homepage: http://mooveit.github.io/angus-authentication
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: Offers authentication for rack applications.
+test_files: []