app_identity 1.0.0

data/lib/app_identity.rb

@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+require "base64"
+
+# AppIdentity is a Ruby implementation of the Kinetic Commerce application
+# [identity proof algorithm](spec.md).
+#
+# It implements identity proof generation and validation functions. These
+# functions expect to work with an application object (AppIdentity::App).
+#
+# ## Configuration
+#
+# Most of the configuration is specified in the application, but at an
+# application level, AppIdentity can be configured to disallow explicit
+# versions:
+#
+# ```ruby
+# AppIdentity.disallow_version 1, 3, 4
+# ```
+#
+# This would only allow AppIdentity version 2.
+class AppIdentity
+  # The version of the AppIdentity library.
+  VERSION = "1.0.0"
+  # The name of this implementation for App Identity.
+  NAME = "AppIdentity for Ruby"
+  # The spec version supported in this library.
+  SPEC_VERSION = 4
+
+  # The name, version, and supported specification version of this App Identity
+  # package for Ruby.
+  INFO = {name: NAME, version: VERSION, spec_version: SPEC_VERSION}.freeze
+end
+
+require "app_identity/app"
+require "app_identity/error"
+require "app_identity/internal"
+require "app_identity/validation"
+require "app_identity/versions"
+
+class AppIdentity
+  class << self
+    # Generate an identity proof string for the given application. Returns the
+    # generated proof or `nil`.
+    #
+    # If `nonce` is provided, it must conform to the shape expected by the proof
+    # version. If not provided, it will be generated.
+    #
+    # If `version` is provided, it will be used to generate the nonce and the
+    # proof. This will allow a lower level application to raise its version level.
+    #
+    # If there is *any* error during the generation of the identity proof
+    # string, `nil` will be returned.
+    #
+    # ### Examples
+    #
+    # A version 1 app can have a fixed nonce, which will always produce the same
+    # value.
+    #
+    # ```ruby
+    # app = AppIdentity::App.new({version: 1, id: "decaf", secret: "bad"})
+    # AppIdentity.generate_proof(app, nonce: "hello")
+    # # => "ZGVjYWY6aGVsbG86RDNGNjJCQTYyOEIyMzhEOTgwM0MyNEU4NkNCOTY3M0ZEOTVCNTdBNkJGOTRFMkQ2NTMxQTRBODg1OTlCMzgzNQ=="
+    # ```
+    #
+    # A version 2 app fails when given a non-timestamp nonce.
+    #
+    # ```ruby
+    # AppIdentity.generate_proof(v1(), version: 2, nonce: "hello")
+    # # => nil
+    # ```
+    #
+    # A version 2 app _cannot_ generate a version 1 nonce.
+    #
+    # ```ruby
+    # AppIdentity.generate_proof(v2(), version: 1)
+    # # => nil
+    # ```
+    #
+    # A version 2 app will be rejected if the version has been disallowed.
+    #
+    # ```ruby
+    #  AppIdentity.generate_proof(v2(), disallowed: [1, 2])
+    #  # => nil
+    #  ```
+    #
+    #  Note that the optional `disallowed` parameter is *in addition* to the
+    #  global `disallowed` configuration.
+    def generate_proof(app, nonce: nil, version: nil, disallowed: nil)
+      internal.generate_proof!(app, nonce: nonce, version: version, disallowed: disallowed)
+    rescue
+      nil
+    end
+
+    # Generate an identity proof string for the given application. Returns the
+    # generated proof or raises an exception
+    #
+    # If `nonce` is provided, it must conform to the shape expected by the proof
+    # version. If not provided, it will be generated.
+    #
+    # If `version` is provided, it will be used to generate the nonce and the
+    # proof. This will allow a lower level application to raise its version level.
+    #
+    # If there is *any* error during the generation of the identity proof
+    # string, an exception will be raised.
+    #
+    # ### Examples
+    #
+    # A version 1 app can have a fixed nonce, which will always produce the same
+    # value.
+    #
+    # ```ruby
+    # app = AppIdentity::App.new({version: 1, id: "decaf", secret: "bad"})
+    # AppIdentity.generate_proof!(app, nonce: "hello")
+    # # => "ZGVjYWY6aGVsbG86RDNGNjJCQTYyOEIyMzhEOTgwM0MyNEU4NkNCOTY3M0ZEOTVCNTdBNkJGOTRFMkQ2NTMxQTRBODg1OTlCMzgzNQ=="
+    # ```
+    #
+    # A version 2 app fails when given a non-timestamp nonce.
+    #
+    # ```ruby
+    # AppIdentity.generate_proof!(v1(), version: 2, nonce: "hello")
+    # # => nil
+    # ```
+    #
+    # A version 2 app _cannot_ generate a version 1 nonce.
+    #
+    # ```ruby
+    # AppIdentity.generate_proof!(v2(), version: 1)
+    # # => nil
+    # ```
+    #
+    # A version 2 app will be rejected if the version has been disallowed.
+    #
+    # ```ruby
+    #  AppIdentity.generate_proof!(v2(), disallowed: [1, 2])
+    #  # => nil
+    #  ```
+    #
+    #  Note that the optional `disallowed` parameter is *in addition* to the
+    #  global `disallowed` configuration.
+    def generate_proof!(app, nonce: nil, version: nil, disallowed: nil)
+      internal.generate_proof!(app, nonce: nonce, version: version, disallowed: disallowed)
+    rescue
+      raise AppIdentity::Error, :generate_proof
+    end
+
+    # Parses a proof string and returns a Hash containing the proof parts or `nil`
+    # if the proof is cannot be determined as valid.
+    def parse_proof(proof)
+      internal.parse_proof!(proof)
+    rescue
+      nil
+    end
+
+    # Parses a proof string and returns a Hash containing the proof parts or
+    # raises an exception if the proof is cannot be determined as valid.
+    def parse_proof!(proof)
+      internal.parse_proof!(proof)
+    rescue
+      raise AppIdentity::Error, :parse_proof
+    end
+
+    # Verify a `AppIdentity` proof value using a a provided `app`. Returns the
+    # validated app or `nil`.
+    #
+    # The `proof` may be provided either as a string or a parsed proof (from
+    # `#parse_proof`). String proof values are usually obtained from HTTP
+    # headers. At Kinetic Commerce, this has generally jeen `KCS-Application` or
+    # `KCS-Service`.
+    #
+    # The `app` can be provided as an AppIdentity::App, a valid input to
+    # AppIdentity::App.new, or an finder callable that accepts a single
+    # parameter—the parsed proof value—and returns an AppIdentity::App input.
+    #
+    # ```ruby
+    # AppIdentity.verify_proof(proof, ->(proof) {
+    #   IdentityApplications.get(proof[:id]
+    # }))
+    # ```
+    #
+    #  Note that the optional `disallowed` parameter is *in addition* to the
+    #  global `disallowed` configuration.
+    def verify_proof(proof, app, disallowed: nil)
+      internal.verify_proof!(proof, app, disallowed: disallowed)
+    rescue
+      nil
+    end
+
+    # Verify a `AppIdentity` proof value using a a provided `app`. Returns the
+    # validated app, `nil`, or raises an exception on error.
+    #
+    # The `proof` may be provided either as a string or a parsed proof (from
+    # `#parse_proof`). String proof values are usually obtained from HTTP
+    # headers. At Kinetic Commerce, this has generally jeen `KCS-Application` or
+    # `KCS-Service`.
+    #
+    # The `app` can be provided as an AppIdentity::App, a valid input to
+    # AppIdentity::App.new, or an finder callable that accepts a single
+    # parameter—the parsed proof value—and returns an AppIdentity::App input.
+    #
+    # ```ruby
+    # AppIdentity.verify_proof!(proof, ->(proof) {
+    #   IdentityApplications.get(proof[:id]
+    # }))
+    # ```
+    #
+    #  Note that the optional `disallowed` parameter is *in addition* to the
+    #  global `disallowed` configuration.
+    def verify_proof!(proof, app, disallowed: nil)
+      internal.verify_proof!(proof, app, disallowed: disallowed)
+    rescue
+      raise AppIdentity::Error, :verify_proof
+    end
+
+    # Add the `versions` to the global disallowed versions list.
+    def disallow_version(*versions)
+      AppIdentity::Versions.disallow(*versions)
+    end
+
+    # Remove the `versions` from the global disallowed versions list.
+    def allow_version(*versions)
+      AppIdentity::Versions.allow(*versions)
+    end
+
+    private :new
+
+    private
+
+    def internal
+      Internal.instance
+    end
+  end
+end

data/licences/APACHE-2.0.txt

@@ -0,0 +1,168 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made
+available under the License, as indicated by a copyright notice that is included
+in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and such
+Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable (except as stated in this section) patent license to make, have
+made, use, offer to sell, sell, import, and otherwise transfer the Work, where
+such license applies only to those patent claims licensable by such Contributor
+that are necessarily infringed by their Contribution(s) alone or by combination
+of their Contribution(s) with the Work to which such Contribution(s) was
+submitted. If You institute patent litigation against any entity (including
+a cross-claim or counterclaim in a lawsuit) alleging that the Work or
+a Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+- You must give any other recipients of the Work or Derivative Works a copy of
+  this License; and
+- You must cause any modified files to carry prominent notices stating that You
+  changed the files; and
+- You must retain, in the Source form of any Derivative Works that You
+  distribute, all copyright, patent, trademark, and attribution notices from the
+  Source form of the Work, excluding those notices that do not pertain to any
+  part of the Derivative Works; and
+- If the Work includes a "NOTICE" text file as part of its distribution, then
+  any Derivative Works that You distribute must include a readable copy of the
+  attribution notices contained within such NOTICE file, excluding those notices
+  that do not pertain to any part of the Derivative Works, in at least one of
+  the following places: within a NOTICE text file distributed as part of the
+  Derivative Works; within the Source form or documentation, if provided along
+  with the Derivative Works; or, within a display generated by the Derivative
+  Works, if and wherever such third-party notices normally appear. The contents
+  of the NOTICE file are for informational purposes only and do not modify the
+  License. You may add Your own attribution notices within Derivative Works that
+  You distribute, alongside or as an addendum to the NOTICE text from the Work,
+  provided that such additional attribution notices cannot be construed as
+  modifying the License.
+
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify the terms of
+any separate license agreement you may have executed with Licensor regarding
+such Contributions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides the
+Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
+solely responsible for determining the appropriateness of using or
+redistributing the Work and assume any risks associated with Your exercise of
+permissions under this License.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law (such as deliberate
+and grossly negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License or
+out of the use or inability to use the Work (including but not limited to
+damages for loss of goodwill, work stoppage, computer failure or malfunction, or
+any and all other commercial damages or losses), even if such Contributor has
+been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License. However,
+in accepting such obligations, You may act only on Your own behalf and on Your
+sole responsibility, not on behalf of any other Contributor, and only if You
+agree to indemnify, defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason of your
+accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

data/licences/DCO.txt

@@ -0,0 +1,34 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.