astro-ruby-sasl 0.0.2

data/README.markdown

@@ -0,0 +1,22 @@
+Simple Authentication and Security Layer (RFC 4422) for Ruby
+============================================================
+
+Goal
+----
+
+Have a reusable library for client implementations that need to do
+authentication over SASL, mainly targeted at Jabber/XMPP libraries.
+
+All class carry just state, are thread-agnostic and must also work in
+asynchronous environments.
+
+Usage
+-----
+
+Derive from **SASL::Preferences** and overwrite the methods. Then,
+create a mechanism instance:
+    # mechanisms => ['DIGEST-MD5', 'PLAIN']
+    sasl = SASL.new(mechanisms, my_preferences)
+    content_to_send = sasl.start
+    # [...]
+    content_to_send = sasl.challenge(received_content)

data/lib/sasl.rb

@@ -0,0 +1,4 @@
+SASL_PATH = File.dirname(__FILE__) + "/sasl"
+Dir.foreach(SASL_PATH) do |f|
+  require "#{SASL_PATH}/#{f}" if f =~ /^[^\.].+\.rb$/
+end

data/lib/sasl/anonymous.rb

@@ -0,0 +1,14 @@
+module SASL
+  ##
+  # SASL ANONYMOUS where you only send a username that may not get
+  # evaluated by the server.
+  #
+  # RFC 4505:
+  # http://tools.ietf.org/html/rfc4505
+  class Anonymous < Mechanism
+    def start
+      @state = nil
+      ['auth', preferences.username.to_s]
+    end
+  end
+end

data/lib/sasl/base.rb

@@ -0,0 +1,144 @@
+##
+# RFC 4422:
+# http://tools.ietf.org/html/rfc4422
+module SASL
+  ##
+  # You must derive from class Preferences and overwrite methods you
+  # want to implement.
+  class Preferences
+    ##
+    # Authorization identitiy ('username@domain' in XMPP)
+    def authzid
+      nil
+    end
+
+    ##
+    # Realm ('domain' in XMPP)
+    def realm
+      raise AbstractMethod
+    end
+
+
+    ##
+    # digest-uri: serv-type/serv-name | serv-type/host/serv-name
+    # ('xmpp/domain' in XMPP)
+    def digest_uri
+      raise AbstractMethod
+    end
+
+    def username
+      raise AbstractMethod
+    end
+
+    def has_password?
+      false
+    end
+
+    def allow_plaintext?
+      false
+    end
+
+    def password
+      ''
+    end
+
+    def want_anonymous?
+      false
+    end
+  end
+
+  ##
+  # Will be raised by SASL.new_mechanism if mechanism passed to the
+  # constructor is not known.
+  class UnknownMechanism < RuntimeError
+    def initialize(mechanism)
+      @mechanism = mechanism
+    end
+
+    def to_s
+      "Unknown mechanism: #{@mechanism.inspect}"
+    end
+  end
+
+  def SASL.new(mechanisms, preferences)
+    best_mechanism = if preferences.want_anonymous? && mechanisms.include?('ANONYMOUS')
+                       'ANONYMOUS'
+                     elsif preferences.has_password?
+                       if mechanisms.include?('DIGEST-MD5')
+                         'DIGEST-MD5'
+                       elsif preferences.allow_plaintext?
+                         'PLAIN'
+                       else
+                         raise UnknownMechanism.new(mechanisms)
+                       end
+                     else
+                       raise UnknownMechanism.new(mechanisms)
+                     end
+    new_mechanism(best_mechanism, preferences)
+  end
+
+  ##
+  # Create a SASL Mechanism for the named mechanism
+  #
+  # mechanism:: [String] mechanism name
+  def SASL.new_mechanism(mechanism, preferences)
+    mechanism_class = case mechanism
+                      when 'DIGEST-MD5'
+                        DigestMD5
+                      when 'PLAIN'
+                        Plain
+                      when 'ANONYMOUS'
+                        Anonymous
+                      else
+                        raise UnknownMechanism.new(mechanism)
+                      end
+    mechanism_class.new(mechanism, preferences)
+  end
+
+
+  class AbstractMethod < Exception # :nodoc:
+    def to_s
+      "Abstract method is not implemented"
+    end
+  end
+
+  ##
+  # Common functions for mechanisms
+  #
+  # Mechanisms implement handling of methods start and receive. They
+  # return: [message_name, content] or nil where message_name is
+  # either 'auth' or 'response' and content is either a string which
+  # may transmitted encoded as Base64 or nil.
+  class Mechanism
+    attr_reader :mechanism
+    attr_reader :preferences
+
+    def initialize(mechanism, preferences)
+      @mechanism = mechanism
+      @preferences = preferences
+      @state = nil
+    end
+
+    def success?
+      @state == :success
+    end
+    def failure?
+      @state == :failure
+    end
+
+    def start
+      raise AbstractMethod
+    end
+
+
+    def receive(message_name, content)
+      case message_name
+      when 'success'
+        @state = :success
+      when 'failure'
+        @state = :failure
+      end
+      nil
+    end
+  end
+end

data/lib/sasl/base64.rb

@@ -0,0 +1,32 @@
+# =XMPP4R - XMPP Library for Ruby
+# License:: Ruby's license (see the LICENSE file) or GNU GPL, at your option.
+# Website::http://home.gna.org/xmpp4r/
+
+begin
+  require 'base64'
+rescue LoadError
+  ##
+  # Ruby 1.9 has dropped the Base64 module,
+  # this is a replacement
+  #
+  # We could replace all call by Array#pack('m')
+  # and String#unpack('m'), but this module
+  # improves readability.
+  module Base64
+    ##
+    # Encode a String
+    # data:: [String] Binary
+    # result:: [String] Binary in Base64
+    def self.encode64(data)
+      [data].pack('m')
+    end
+
+    ##
+    # Decode a Base64-encoded String
+    # data64:: [String] Binary in Base64
+    # result:: [String] Binary
+    def self.decode64(data64)
+      data64.unpack('m').first
+    end
+  end
+end

data/lib/sasl/digest_md5.rb

@@ -0,0 +1,168 @@
+require 'digest/md5'
+
+module SASL
+  ##
+  # RFC 2831:
+  # http://tools.ietf.org/html/rfc2831
+  class DigestMD5 < Mechanism
+    attr_writer :cnonce
+
+    def initialize(*a)
+      super
+      @nonce_count = 0
+    end
+
+    def start
+      @state = nil
+      unless defined? @nonce
+        ['auth', nil]
+      else
+        # reauthentication
+        receive('challenge', '')
+      end
+    end
+
+    def receive(message_name, content)
+      if message_name == 'challenge'
+        c = decode_challenge(content)
+
+        unless c['rspauth']
+          response = {}
+          if defined?(@nonce) && response['nonce'].nil?
+            # Could be reauth
+          else
+            # No reauth:
+            @nonce_count = 0
+          end
+          @nonce ||= c['nonce']
+          response['nonce'] = @nonce
+          response['charset'] = 'utf-8'
+          response['username'] = preferences.username
+          response['realm'] = c['realm'] || preferences.realm
+          @cnonce = generate_nonce unless defined? @cnonce
+          response['cnonce'] = @cnonce
+          @nc = next_nc
+          response['nc'] = @nc
+          @qop = c['qop'] || 'auth'
+          response['qop'] = @qop
+          response['digest-uri'] = preferences.digest_uri
+          response['response'] = response_value(response['nonce'], response['nc'], response['cnonce'], response['qop'])
+          ['response', encode_response(response)]
+        else
+          rspauth_expected = response_value(@nonce, @nc, @cnonce, @qop, '')
+          p :rspauth_received=>c['rspauth'], :rspauth_expected=>rspauth_expected
+          if c['rspauth'] == rspauth_expected
+            @state = :success
+            ['success', nil]
+          else
+            @state = :failure
+            ['failure', nil]
+          end
+        end
+      end
+    end
+
+    private
+
+    def decode_challenge(text)
+      challenge = {}
+      
+      state = :key
+      key = ''
+      value = ''
+
+      text.scan(/./) do |ch|
+        if state == :key
+          if ch == '='
+            state = :value
+          elsif ch =~ /\S/
+            key += ch
+          end
+          
+        elsif state == :value
+          if ch == ','
+            challenge[key] = value
+            key = ''
+            value = ''
+            state = :key
+          elsif ch == '"' and value == ''
+            state = :quote
+          else
+            value += ch
+          end
+
+        elsif state == :quote
+          if ch == '"'
+            state = :value
+          else
+            value += ch
+          end
+        end
+      end
+      challenge[key] = value unless key == ''
+      
+      p :decode_challenge => challenge
+      challenge
+    end
+
+    def encode_response(response)
+      p :encode_response => response
+      response.collect do |k,v|
+        if v.include?('"')
+          v.sub!('\\', '\\\\')
+          v.sub!('"', '\\"')
+          "#{k}=\"#{v}\""
+        else
+          "#{k}=#{v}"
+        end
+      end.join(',')
+    end
+
+    def generate_nonce
+      nonce = ''
+      while nonce.length < 16
+        c = rand(128).chr
+        nonce += c if c =~ /^[a-zA-Z0-9]$/
+      end
+      nonce
+    end
+
+    ##
+    # Function from RFC2831
+    def h(s); Digest::MD5.digest(s); end
+    ##
+    # Function from RFC2831
+    def hh(s); Digest::MD5.hexdigest(s); end
+    
+    ##
+    # Calculate the value for the response field
+    def response_value(nonce, nc, cnonce, qop, a2_prefix='AUTHENTICATE')
+      p :response_value => {:nonce=>nonce,
+        :cnonce=>cnonce,
+        :qop=>qop,
+        :username=>preferences.username,
+        :realm=>preferences.realm,
+        :password=>preferences.password,
+        :authzid=>preferences.authzid}
+      a1_h = h("#{preferences.username}:#{preferences.realm}:#{preferences.password}")
+      a1 = "#{a1_h}:#{nonce}:#{cnonce}"
+      if preferences.authzid
+        a1 += ":#{preferences.authzid}"
+      end
+      if qop && (qop.downcase == 'auth-int' || qop.downcase == 'auth-conf')
+        a2 = "#{a2_prefix}:#{preferences.digest_uri}:00000000000000000000000000000000"
+      else
+        a2 = "#{a2_prefix}:#{preferences.digest_uri}"
+      end
+      hh("#{hh(a1)}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{hh(a2)}")
+    end
+
+    def next_nc
+      @nonce_count += 1
+      s = @nonce_count.to_s
+      s = "0#{s}" while s.length < 8
+      s
+    end
+  end
+end
+

data/lib/sasl/plain.rb

@@ -0,0 +1,14 @@
+module SASL
+  ##
+  # RFC 4616:
+  # http://tools.ietf.org/html/rfc4616
+  class Plain < Mechanism
+    def start
+      @state = nil
+      message = [preferences.authzid.to_s,
+                 preferences.username,
+                 preferences.password].join("\000")
+      ['auth', message]
+    end
+  end
+end

data/spec/anonymous_spec.rb

@@ -0,0 +1,19 @@
+require 'sasl'
+require 'spec'
+
+describe SASL::Anonymous do
+  class MyAnonymousPreferences < SASL::Preferences
+    def username
+      'bob'
+    end
+  end
+  preferences = MyAnonymousPreferences.new
+
+  it 'should authenticate anonymously' do
+    sasl = SASL::Anonymous.new('ANONYMOUS', preferences)
+    sasl.start.should == ['auth', 'bob']
+    sasl.success?.should == false
+    sasl.receive('success', nil).should == nil
+    sasl.success?.should == true
+  end
+end

data/spec/digest_md5_spec.rb

@@ -0,0 +1,97 @@
+require 'sasl'
+require 'spec'
+
+describe SASL::DigestMD5 do
+  # Preferences from http://tools.ietf.org/html/rfc2831#section-4
+  class MyDigestMD5Preferences < SASL::Preferences
+    attr_writer :serv_type
+    def realm
+      'elwood.innosoft.com'
+    end
+    def digest_uri
+      "#{@serv_type}/elwood.innosoft.com"
+    end
+    def username
+      'chris'
+    end
+    def has_password?
+      true
+    end
+    def password
+      'secret'
+    end
+  end
+  preferences = MyDigestMD5Preferences.new
+
+  it 'should authenticate (1)' do
+    preferences.serv_type = 'imap'
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.cnonce = 'OA6MHXh6VqTrRk'
+    response = sasl.receive('challenge',
+                            'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
+                             algorithm=md5-sess,charset=utf-8')
+    response[0].should == 'response'
+    response[1].should =~ /charset="?utf-8"?/
+    response[1].should =~ /username="?chris"?/
+    response[1].should =~ /realm="?elwood.innosoft.com"?/
+    response[1].should =~ /nonce="?OA6MG9tEQGm2hh"?/
+    response[1].should =~ /nc="?00000001"?/
+    response[1].should =~ /cnonce="?OA6MHXh6VqTrRk"?/
+    response[1].should =~ /digest-uri="?imap\/elwood.innosoft.com"?/
+    response[1].should =~ /response=d388dad90d4bbd760a152321f2143af7"?/
+    response[1].should =~ /"?qop=auth"?/
+
+    sasl.receive('challenge',
+                 'rspauth=ea40f60335c427b5527b84dbabcdfffd').should ==
+      ['success', nil]
+    sasl.success?.should == true
+  end
+
+  it 'should authenticate (2)' do
+    preferences.serv_type = 'acap'
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.cnonce = 'OA9BSuZWMSpW8m'
+    response = sasl.receive('challenge',
+                            'realm="elwood.innosoft.com",nonce="OA9BSXrbuRhWay",qop="auth",
+                             algorithm=md5-sess,charset=utf-8')
+    response[0].should == 'response'
+    response[1].should =~ /charset="?utf-8"?/
+    response[1].should =~ /username="?chris"?/
+    response[1].should =~ /realm="?elwood.innosoft.com"?/
+    response[1].should =~ /nonce="?OA9BSXrbuRhWay"?/
+    response[1].should =~ /nc="?00000001"?/
+    response[1].should =~ /cnonce="?OA9BSuZWMSpW8m"?/
+    response[1].should =~ /digest-uri="?acap\/elwood.innosoft.com"?/
+    response[1].should =~ /response=6084c6db3fede7352c551284490fd0fc"?/
+    response[1].should =~ /"?qop=auth"?/
+
+    sasl.receive('challenge',
+                 'rspauth=2f0b3d7c3c2e486600ef710726aa2eae').should ==
+      ['success', nil]
+    sasl.success?.should == true
+  end
+
+  it 'should reauthenticate' do
+    preferences.serv_type = 'imap'
+    sasl = SASL::DigestMD5.new('DIGEST-MD5', preferences)
+    sasl.start.should == ['auth', nil]
+    sasl.cnonce = 'OA6MHXh6VqTrRk'
+    sasl.receive('challenge',
+                 'realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",
+                  algorithm=md5-sess,charset=utf-8')
+    # reauth:
+    response = sasl.start
+    response[0].should == 'response'
+    response[1].should =~ /charset="?utf-8"?/
+    response[1].should =~ /username="?chris"?/
+    response[1].should =~ /realm="?elwood.innosoft.com"?/
+    response[1].should =~ /nonce="?OA6MG9tEQGm2hh"?/
+    response[1].should =~ /nc="?00000002"?/
+    response[1].should =~ /cnonce="?OA6MHXh6VqTrRk"?/
+    response[1].should =~ /digest-uri="?imap\/elwood.innosoft.com"?/
+    response[1].should =~ /response=b0b5d72a400655b8306e434566b10efb"?/ # my own result
+    response[1].should =~ /"?qop=auth"?/
+  end
+end

data/spec/mechanism_spec.rb

@@ -0,0 +1,56 @@
+require 'sasl'
+require 'spec'
+
+describe SASL do
+  it 'should know DIGEST-MD5' do
+    sasl = SASL.new_mechanism('DIGEST-MD5', SASL::Preferences.new)
+    sasl.should be_an_instance_of SASL::DigestMD5
+  end
+  it 'should know PLAIN' do
+    sasl = SASL.new_mechanism('PLAIN', SASL::Preferences.new)
+    sasl.should be_an_instance_of SASL::Plain
+  end
+  it 'should know ANONYMOUS' do
+    sasl = SASL.new_mechanism('ANONYMOUS', SASL::Preferences.new)
+    sasl.should be_an_instance_of SASL::Anonymous
+  end
+  it 'should choose ANONYMOUS' do
+    preferences = SASL::Preferences.new
+    class << preferences
+      def want_anonymous?
+        true
+      end
+    end
+    SASL.new(%w(PLAIN DIGEST-MD5 ANONYMOUS), preferences).should be_an_instance_of SASL::Anonymous
+  end
+  it 'should choose DIGEST-MD5' do
+    preferences = SASL::Preferences.new
+    class << preferences
+      def has_password?
+        true
+      end
+    end
+    SASL.new(%w(PLAIN DIGEST-MD5 ANONYMOUS), preferences).should be_an_instance_of SASL::DigestMD5
+  end
+  it 'should choose PLAIN' do
+    preferences = SASL::Preferences.new
+    class << preferences
+      def has_password?
+        true
+      end
+      def allow_plaintext?
+        true
+      end
+    end
+    SASL.new(%w(PLAIN ANONYMOUS), preferences).should be_an_instance_of SASL::Plain
+  end
+  it 'should disallow PLAIN by default' do
+    preferences = SASL::Preferences.new
+    class << preferences
+      def has_password?
+        true
+      end
+    end
+    lambda { SASL.new(%w(PLAIN ANONYMOUS), preferences) }.should raise_error(SASL::UnknownMechanism)
+  end
+end

data/spec/plain_spec.rb

@@ -0,0 +1,39 @@
+require 'sasl'
+require 'spec'
+
+describe SASL::Plain do
+  class MyPlainPreferences < SASL::Preferences
+    def authzid
+      'bob@example.com'
+    end
+    def username
+      'bob'
+    end
+    def has_password?
+      true
+    end
+    def password
+      's3cr3t'
+    end
+  end
+  preferences = MyPlainPreferences.new
+
+  it 'should authenticate' do
+    sasl = SASL::Plain.new('PLAIN', preferences)
+    sasl.start.should == ['auth', "bob@example.com\000bob\000s3cr3t"]
+    sasl.success?.should == false
+    sasl.receive('success', nil).should == nil
+    sasl.failure?.should == false
+    sasl.success?.should == true
+  end
+
+  it 'should recognize failure' do
+    sasl = SASL::Plain.new('PLAIN', preferences)
+    sasl.start.should == ['auth', "bob@example.com\000bob\000s3cr3t"]
+    sasl.success?.should == false
+    sasl.failure?.should == false
+    sasl.receive('failure', 'keep-idiots-out').should == nil
+    sasl.failure?.should == true
+    sasl.success?.should == false
+  end
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification 
+name: astro-ruby-sasl
+version: !ruby/object:Gem::Version 
+  version: 0.0.2
+platform: ruby
+authors: 
+- Stephan Maka
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-02-06 00:00:00 -08:00
+default_executable: 
+dependencies: []
+
+description: Simple Authentication and Security Layer (RFC 4422)
+email: stephan@spaceboyz.net
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- spec/mechanism_spec.rb
+- spec/anonymous_spec.rb
+- spec/plain_spec.rb
+- spec/digest_md5_spec.rb
+- lib/sasl/base.rb
+- lib/sasl/digest_md5.rb
+- lib/sasl/anonymous.rb
+- lib/sasl/plain.rb
+- lib/sasl/base64.rb
+- lib/sasl.rb
+- README.markdown
+has_rdoc: false
+homepage: http://github.com/astro/ruby-sasl/
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: SASL client library
+test_files: 
+- spec/mechanism_spec.rb
+- spec/anonymous_spec.rb
+- spec/plain_spec.rb
+- spec/digest_md5_spec.rb