auth_origin_control 0.0.1

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    M2VjNTMwY2ZmZDUzNGI4ZDlmNDdhMDk0ZjU2NzI4YWJhODk5MzkwMQ==
+  data.tar.gz: !binary |-
+    ODAxMjRkYmM4M2E5YzQ0MGI5YjY5MDI3YTUwMTlkMmEyMTdlYzdjMg==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    ZWE4NjEzY2E1NGQ0OWYwMjY3NzcyZmJkMzE2NDM4NTYyY2ViYzY2YTMzMDky
+    OGMyNzgzY2IxNDJiYzdkMzUwMDlhMzY5MTBkY2Y5MThhMjRkOGUyZGI4ZmNk
+    MTQwZWIyM2NiMjM4YTBlMzk2ODhiODc5NWRlMzY2NjI2NjUzZjQ=
+  data.tar.gz: !binary |-
+    Mzc0MTIxNGI4MzY5N2U0MDNiY2ZmZGMzZjQwMDQyZWRlY2U0YmE4ZmU1M2U3
+    OTg2ZTJiNWIwNGM2ZTM3ZGMxNzk1YjMyMTkyNmZkZWQ2ZjFkYWUxMTVlYmVm
+    NzlkMzk5MGMyMDVlYWU3ZmRiNjYwZDU0YmVhNGQ1MzYxMGMxYmY=

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,66 @@
+= AuthOriginControl
+
+Authenticate your apis in server - to - server operations
+
+is based on api-auth gem
+
+------
+
+== In your omniauth provider
+
+=== Gemfile
+
+gem 'auth_origin_control'
+
+=== config/initializers/auth_origin_control
+
+BorderPatrol.setup do |config|
+  config.clients_model = "Doorkeeper::Application"  # assuming you use Doorkeeper gem
+end
+
+=== controllers
+
+before_filter :origin_control
+
+=== routes
+
+mount AuthOriginControl::Engine => "YOUR DESIRED PATH"
+
+------
+
+== In your intermediary api
+
+=== Gemfile
+
+gem 'auth_origin_control'
+gem "api-auth", github: "NicoArbogast/api_auth", branch: 'temp' # needed until merged into mgomes/api_auth
+
+=== config/initializers/auth_origin_control
+
+AuthOriginControl.setup do |config|
+  config.local_or_remote_authority = 'remote'
+  config.self_identity = {:access_id => ACCESS_ID_REGISTERED_FOR_THIS_APP, :secret_key => ACCESS_SECRET_REGISTERED_FOR_THIS_APP}
+end
+
+=== controllers
+
+before_filter :origin_control
+
+------
+
+== In your client api
+
+=== Gemfile
+
+gem 'auth_origin_control'
+gem "api-auth", github: "NicoArbogast/api_auth", branch: 'temp' # needed until merged into mgomes/api_auth
+
+=== config/initializers/auth_origin_control
+
+AuthOriginControl.setup do |config|
+  config.self_identity = {:access_id => ACCESS_ID_REGISTERED_FOR_THIS_APP, :secret_key => ACCESS_SECRET_REGISTERED_FOR_THIS_APP}
+end
+
+=== In your http Interfaces to your apis
+
+AuthOriginControl::SignedRequest.new

data/Rakefile

@@ -0,0 +1,27 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'AuthOriginControl'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+

data/app/assets/javascripts/auth_origin_control/application.js

@@ -0,0 +1,15 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// the compiled file.
+//
+// WARNING: THE FIRST BLANK LINE MARKS THE END OF WHAT'S TO BE PROCESSED, ANY BLANK LINE SHOULD
+// GO AFTER THE REQUIRES BELOW.
+//
+//= require jquery
+//= require jquery_ujs
+//= require_tree .

data/app/assets/stylesheets/auth_origin_control/application.css

@@ -0,0 +1,13 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+ */

data/app/controllers/auth_origin_control/application_controller.rb

@@ -0,0 +1,4 @@
+module AuthOriginControl
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/auth_origin_control/original_clients_controller.rb

@@ -0,0 +1,32 @@
+module AuthOriginControl
+  class OriginalClientsController < AuthOriginControl::ApplicationController
+    before_filter :origin_control
+    
+    def show
+      render_original_request_client
+    end
+    
+    private
+    
+    # receives a signed request from an api
+    # original - intermediary - passport_api
+    #
+    # containing the authorization_header from an original api call
+    # gets the original_api id from this authorization_header
+    # returns the original app hash {id: XXXXX, secret: XXXXX} encoded
+    # using the intermediary secret
+    #
+    # intermediary decodes response based on its own secret
+    # and authentifies original request
+    #
+    def render_original_request_client
+      if original_request_auth = params[:original_request_auth]
+        render :text => AuthOriginControl::EncodedSecret.new(@current_client_app[:secret]).from_app_id(original_request_auth)
+      else
+        render :json => {:error => "Please provide the original request if you need to authenticate original request client"}
+      end
+    end
+    
+    
+  end
+end

data/app/helpers/auth_origin_control/application_helper.rb

@@ -0,0 +1,4 @@
+module AuthOriginControl
+  module ApplicationHelper
+  end
+end

data/app/views/layouts/auth_origin_control/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>AuthOriginControl</title>
+  <%= stylesheet_link_tag    "auth_origin_control/application", :media => "all" %>
+  <%= javascript_include_tag "auth_origin_control/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,3 @@
+AuthOriginControl::Engine.routes.draw do
+  match "/original_client" => "original_clients#show"
+end

data/lib/auth_origin_control/api_auth/app.rb

@@ -0,0 +1,59 @@
+require 'auth_origin_control/api_auth/identification/local'
+require 'auth_origin_control/api_auth/identification/remote'
+
+module AuthOriginControl
+  module ApiAuth
+    class App
+      
+      attr_accessor :request
+      
+      def initialize(request, args = {})
+        @request = request
+        @config = args[:config]
+        
+        if @local = args[:local]
+          @app_model = ApiAuth::Identification::Local.new({
+            app: self,
+            config: @config
+          })
+        else
+          @app_model = ApiAuth::Identification::Remote.new({
+            app: self,
+            config: @config
+          })          
+        end
+      end
+      
+      def authentified_app
+        secret_key.try(:[],'error') ? secret_key : (authentic? ? app : identification_error_msg(nil, (@local ? "you" : "original client")))
+      end
+      
+      def access_id
+        @access_id ||= ::ApiAuth.access_id(@request)
+      end
+      
+      
+      private 
+
+      def app
+        valid? ? { id: access_id, secret: secret_key } : nil
+      end
+      
+      def valid?
+        !!access_id && !!secret_key
+      end
+      
+      def authentic?
+        ::ApiAuth.authentic?(@request, secret_key)
+      end
+      
+      def secret_key
+        @secret_key ||= @app_model.secret_key
+      end
+      
+      def identification_error_msg(response, client_id = "request client")
+        {"error" => response.try(:[],"error") || "Error verifying ID of #{client_id}"}
+      end      
+    end
+  end
+end

data/lib/auth_origin_control/api_auth/identification/local.rb

@@ -0,0 +1,26 @@
+module AuthOriginControl
+  module ApiAuth
+    module Identification
+      class Local
+      
+        def initialize(args = {})
+          @app= args[:app]
+          @config = args[:config] || AuthOriginControl
+          
+          @clients_model= @config.clients_model.try(:constantize)
+          @clients_model_access_id= @config.clients_model_keys[:access_id]
+          @clients_model_secret_key= @config.clients_model_keys[:secret_key]          
+        end
+      
+        # find client app based on request signature
+        # returns nil if not found
+        # returns secret_key if app found
+        # 
+        def secret_key access_id = @app.access_id
+          @clients_model.try("find_by_#{@clients_model_access_id}", access_id).
+          try(@clients_model_secret_key).try(:gsub, /\\n/,"\n")
+        end        
+      end
+    end
+  end
+end

data/lib/auth_origin_control/api_auth/identification/remote.rb

@@ -0,0 +1,71 @@
+module AuthOriginControl
+  module ApiAuth
+    module Identification
+      class Remote
+
+        def initialize(args = {})
+          @app = args[:app]
+          @config = args[:config]
+          
+          @original_request = @app.request
+          
+          @passport_api_url = @config.passport_api.try(:[],:url)
+          @passport_api_original_client_path = @config.passport_api.try(:[],:original_request_client_path)
+          @passport_api_original_client_key = @config.passport_api.try(:[],:original_request_client_response_key)
+          
+          @self_id = @config.self_identity.try(:[],:access_id)
+          @self_secret = @config.self_identity.try(:[],:secret_key)
+        end
+        
+        def secret_key access_id = @app.access_id
+          _secret_from_authority = secret_key_from_authority
+          _secret_from_authority.try(:[],'error') ? _secret_from_authority : _secret_from_authority.try(:gsub, /\\n/,"\n")
+        end
+        
+        
+        private
+        
+        def secret_key_from_authority
+          app_from_authority
+        end
+          
+        # using RestClient
+        #
+        # # Net::Http 
+        # uri = URI(uri_string)
+        # Net::HTTP.start(uri.host, uri.port) do |http|
+        #   _request = Net::HTTP::Get.new(uri_string)
+        #   ApiAuth.sign!(_request, self_identity[:access_id], self_identity[:secret_key])
+        #   return http.request _request
+        # end
+        #
+        def app_from_authority
+          result_raw = AuthOriginControl::SignedRequest.new(authority_request_uri).try(:result_raw)
+          decoded_result = decode(result_raw) if result_raw
+          result = ActiveSupport::JSON.decode(decoded_result) if decoded_result
+          #puts result
+          return result if result.try(:[],'error')
+          original_client_secret_key = result.try(:[],@passport_api_original_client_key)
+          #puts original_client_secret_key
+          return original_client_secret_key
+        end
+        
+        def decode(encoded_string)
+          AuthOriginControl::EncodedSecret.new(@self_secret).decode(encoded_string)
+        end
+        
+        def authority_request_uri
+          uri_root = @passport_api_url + @passport_api_original_client_path 
+          uri_params = "?original_request_auth=" + (original_request_auth.try(:parameterize) || '')
+          uri_root + uri_params
+        end
+        
+        def original_request_auth
+          # api_auth_headers = ::ApiAuth::Headers.new(@original_request)
+          # api_auth_headers.respond_to?(:authorization_header) ? api_auth_headers.try(:authorization_header) : nil
+          @app.access_id
+        end
+      end
+    end
+  end
+end

data/lib/auth_origin_control/base.rb

@@ -0,0 +1,23 @@
+require "auth_origin_control/encoded_secret/encoded_secret"
+require "auth_origin_control/signed_request/request"
+require "auth_origin_control/helpers/helpers"
+require 'auth_origin_control/api_auth/app'
+
+module AuthOriginControl
+  class Base
+
+    def initialize(request, args={})
+      @request = request
+      
+      @config = AuthOriginControl
+      @local = @config.local_or_remote_authority != "remote"
+    end
+    
+    def app
+      AuthOriginControl::ApiAuth::App.new(@request, {  local: (@local),
+                                                      config: @config
+                                                      }).authentified_app
+    end
+  
+  end
+end

data/lib/auth_origin_control/encoded_secret/encoded_secret.rb

@@ -0,0 +1,39 @@
+require 'encryptor' 
+
+module AuthOriginControl
+  class EncodedSecret
+    
+    def initialize encode_key
+      @config = AuthOriginControl
+      @self_secret = @config.self_identity.try(:[],:secret_key)
+      
+      @encrypt_key = Digest::SHA256.hexdigest(encode_key)
+    end
+    
+    def from_app_id _app_id
+      if secret = find_secret_from_id(_app_id)
+        encode({:original_request_client_secret => secret}.to_json)
+      else
+        encode({:error => "Client App could not be found with id #{_app_id}"}.to_json)
+      end
+    end
+    
+    def encode data
+      Encryptor.encrypt(data, :key => @encrypt_key)
+    end
+    
+    def decode data
+      begin
+        Encryptor.decrypt(data, :key => @encrypt_key)
+      rescue OpenSSL::Cipher::CipherError
+        return data
+      end
+    end
+    
+    private
+    
+    def find_secret_from_id _app_id
+      AuthOriginControl::ApiAuth::Identification::Local.new.secret_key _app_id
+    end
+  end
+end

data/lib/auth_origin_control/engine.rb

@@ -0,0 +1,5 @@
+module AuthOriginControl
+  class Engine < ::Rails::Engine
+    isolate_namespace AuthOriginControl
+  end
+end

data/lib/auth_origin_control/helpers/helpers.rb

@@ -0,0 +1,27 @@
+module AuthOriginControl
+  module Helpers
+    extend ActiveSupport::Concern
+    
+    def origin_control
+      @current_client_app = identify_client
+      if _error = @current_client_app["error"]
+        if self.is_a? ActionController::Base
+          render :json => { "error" => _error}
+        else
+          error!('401 Unauthorized', 401)
+        end
+      else
+        true
+      end
+    end
+    
+    def identify_client(_request = request)
+      AuthOriginControl::Base.new(_request).app
+    end    
+  end
+end
+
+class ActionController::Base
+  include AuthOriginControl::Helpers
+end
+

data/lib/auth_origin_control/signed_request/request.rb

@@ -0,0 +1,62 @@
+module AuthOriginControl
+  class SignedRequest
+  
+    def initialize(url, args={})
+      @request_uri = url
+      
+      @payload      = args.delete(:payload)
+      @method       = args.delete(:method) || :get
+      @timeout      = args.delete(:timeout) || -1
+      @open_timeout = args.delete(:open_timeout) || -1
+      @headers      = args
+
+      @self_id = AuthOriginControl.self_identity[:access_id]
+      @self_secret = AuthOriginControl.self_identity[:secret_key]
+    end
+  
+    # Sends a cross_border_request
+    #
+    # rest_client_request = RestClient::Request.new(
+    # :url => uri_string,
+    # :headers => {},
+    # :method => :get)
+    #
+    # Net::Http 
+    # uri = URI(uri_string)
+    # Net::HTTP.start(uri.host, uri.port) do |http|
+    #   _request = Net::HTTP::Get.new(uri_string)
+    #   ApiAuth.sign!(_request, self_identity[:access_id], self_identity[:secret_key])
+    #   return http.request _request
+    # end
+    # sign the request and send
+    #
+    def result
+      _rslt_raw = result_raw
+      _rslt_raw && _rslt_raw.code != 401 ? ActiveSupport::JSON.decode(_rslt_raw) : {error: _rslt_raw, code: _rslt_raw.try(:code)}
+    end  
+
+    def result_raw
+      signed_authority_request.execute do |response, request, result|
+        return response
+      end
+    end  
+  
+    def signed_authority_request
+      ::ApiAuth.sign!(authority_request, @self_id, @self_secret)
+    end
+  
+    # RestClient Request
+    #
+    # # Net::Http 
+    # # _request = Net::HTTP::Get.new(uri_string)
+    # 
+    def authority_request
+      RestClient::Request.new(
+        :url          => @request_uri,
+        :payload      => @payload,
+        :timeout      => @timeout,
+        :headers      => @headers,
+        :method       => @method)
+    end
+  end
+end

data/lib/auth_origin_control/version.rb

@@ -0,0 +1,3 @@
+module AuthOriginControl
+  VERSION = "0.0.1"
+end

data/lib/auth_origin_control.rb

@@ -0,0 +1,53 @@
+require 'api-auth'
+require 'rest-client'
+
+require "auth_origin_control/engine"
+require "auth_origin_control/base"
+
+module AuthOriginControl
+
+  mattr_accessor :local_or_remote_authority
+  def self.local_or_remote_authority
+    @@local_or_remote_authority ||= "local"
+  end
+  
+  mattr_accessor :clients_model
+  def self.clients_model
+    @@clients_model ||= "Doorkeeper::Application"
+  end
+  
+  mattr_accessor :clients_model_keys
+  def self.clients_model_keys
+    (@@clients_model_keys || {}).reverse_merge!({
+      :access_id => "uid",
+      :secret_key => "secret"
+    })
+  end
+  
+  mattr_accessor :passport_api
+  def self.passport_api
+    (@@passport_api || {}).reverse_merge!({
+      :url => "http://localhost:3000/auth_passport_office",
+      :original_request_client_path => "/original_client",
+      :original_request_client_response_key => "original_request_client_secret",
+      :signed_requests => true
+    })
+  end
+  
+  mattr_accessor :self_identity
+  def self.self_identity
+    (@@self_identity || {}).reverse_merge!({
+      :access_id => "",
+      :secret_key => ""
+    })
+  end
+  
+  mattr_accessor :path
+  def self.path
+    @@path ||= '/'
+  end
+    
+  def self.setup
+    yield self
+  end
+end

data/lib/tasks/auth_origin_control_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :auth_origin_control do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,134 @@
+--- !ruby/object:Gem::Specification
+name: auth_origin_control
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- NicoArbogast
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-08-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.13
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.13
+- !ruby/object:Gem::Dependency
+  name: api-auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.0.3.1
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.6.7
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.6.7
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.1.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.1.3
+- !ruby/object:Gem::Dependency
+  name: mysql2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Auth Origin Control checks the origin of the request at app entry
+email:
+- nicolas@rbogast.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/assets/javascripts/auth_origin_control/application.js
+- app/assets/stylesheets/auth_origin_control/application.css
+- app/controllers/auth_origin_control/application_controller.rb
+- app/controllers/auth_origin_control/original_clients_controller.rb
+- app/helpers/auth_origin_control/application_helper.rb
+- app/views/layouts/auth_origin_control/application.html.erb
+- config/routes.rb
+- lib/auth_origin_control/api_auth/app.rb
+- lib/auth_origin_control/api_auth/identification/local.rb
+- lib/auth_origin_control/api_auth/identification/remote.rb
+- lib/auth_origin_control/base.rb
+- lib/auth_origin_control/encoded_secret/encoded_secret.rb
+- lib/auth_origin_control/engine.rb
+- lib/auth_origin_control/helpers/helpers.rb
+- lib/auth_origin_control/signed_request/request.rb
+- lib/auth_origin_control/version.rb
+- lib/auth_origin_control.rb
+- lib/tasks/auth_origin_control_tasks.rake
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+homepage: https://github.com/NicoArbogast/auth_origin_control.git
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.7
+signing_key: 
+specification_version: 4
+summary: Auth Origin Control checks the origin of the request at app entry
+test_files: []