authenticated_client 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2c5c250c311c848b186bfe9b78e1c93a5219c915
+  data.tar.gz: 170c59a4a401d24d98aa11cc3b266f9ff1286610
+SHA512:
+  metadata.gz: 576c4971cf46dd0f89a11e995b267a279026ad5e9e3f258f20514528bd702d1ea821b16e3fc8aa039a7dc5baf1c9093383fb833d9b4d673c43ad4806a44d2d3e
+  data.tar.gz: d030084628102e78ffd1ef61ed6a6ce9821f5874e4626a2c64b4cb802c5c8d5de9c632b8426285a1c7e0141293ad527806883cadab77b93a450d4be9bb890dd2

data/.gitignore

@@ -0,0 +1,3 @@
+Gemfile.lock
+*.gem
+.byebug_history

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.ruby-gemset

@@ -0,0 +1 @@
+authenticated_client

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.3.0

data/Dockerfile

@@ -0,0 +1,10 @@
+FROM ruby:2.3.0
+
+WORKDIR /usr/local/src/
+
+ADD . /usr/local/src/
+RUN cd /usr/local/src/
+RUN gem install bundler
+RUN bundle install
+
+CMD bundle exec rspec -cfd spec/*

data/Gemfile

@@ -0,0 +1,5 @@
+# A sample Gemfile
+source "https://rubygems.org"
+source 'http://gems.hetzner.co.za'
+
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Barney de Villiers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,81 @@
+# SoarAuditingProvider
+
+[![Gem Version](https://badge.fury.io/rb/authenticated_client.png)](https://badge.fury.io/rb/authenticated_client)
+
+This gem provides authentication token generation and validation capability for the SOAR architecture.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'authenticated_client'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install authenticated_client
+
+## Configuration
+
+There are three modes of operation.
+### Local
+In local mode the tokens are decoded, verified and meta extracted locally using configured key material.
+
+### Remote
+In remote mode the tokens are passed to a validation service for dynamic validation.  The key material are therefore managed on the validation service.  In this mode you only have to provide the url of the validation service.
+
+### Static
+In this mode the validator are configured with a list of preconfigured static tokens.  Incoming tokens are simply checked against this list.  No extraction of meta is performed on the tokens but retrieved from the configuration.  This mode is to be used in only two scenarios:
+* Between the various authentication token services that requires authentication between themselves.  These services do not have such a service to rely on. Circular dependency.
+* In test scenarios where you do not want to pull in the authentication services to perform testing of your services.
+
+
+## Testing
+
+Run the rspec test tests using docker compose:
+
+    $ docker-compose build
+    $ docker-compose run --rm soar-authentication-token
+
+Properly clean up containers afterwards:
+
+    $ docker-compose down
+
+Locally run a subset:
+
+    $ bundle exec rspec -cfd spec/rack_middleware_spec.rb
+
+
+## Updating
+
+In order to pull the latest from the referenced projects, simply the following command:
+
+```bash
+git pull && git submodule foreach 'git fetch origin --tags; git checkout master; git pull'
+docker-compose build
+```
+
+## Usage
+
+
+
+## Detailed example
+
+
+
+## Contributing
+
+Bug reports and feature requests are welcome by email to barney dot de dot villiers at hetzner dot co dot za. This gem is sponsored by Hetzner (Pty) Ltd (http://hetzner.co.za)
+
+## Notes
+
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task :default => :spec
+
+RSpec::Core::RakeTask.new(:spec)

data/authenticated_client.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'authenticated_client/version'
+
+
+Gem::Specification.new do |spec|
+  spec.name          = "authenticated_client"
+  spec.version       = AuthenticatedClient::VERSION
+  spec.authors       = ["Barney de Villiers"]
+  spec.email         = ["barney.de.villiers@hetzner.co.za"]
+  spec.description   = %q{Client livrary for accessing authenticated resources}
+  spec.summary       = %q{Client livrary for accessing authenticated resources such as token based systems}
+  spec.homepage      = "https://gitlab.host-h.net/hetznerZA/authenticated-client"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency 'pry', '~> 0'
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 2.13'
+  spec.add_development_dependency "capybara", '~> 2.1', '>= 2.1.0'
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "authenticated_client"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/keypair-generator

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+require "pathname"
+bin_file = Pathname.new(__FILE__).realpath
+$:.unshift File.expand_path("../../lib", bin_file)
+
+require 'authenticated_client'
+require 'yaml'
+require 'json'
+
+class Main
+
+  def generate_keypair
+    #create and configure auditing instance
+    keypair_generator = AuthenticatedClient::KeypairGenerator.new
+    private_key, public_key = keypair_generator.generate
+    configuration = {
+      'private_key' => private_key,
+      'public_key' => public_key
+    }
+    puts "------------"
+    puts "YAML Format:"
+    puts "------------"
+    print configuration.to_yaml
+    puts ""
+    puts "------------"
+    puts "JSON Format:"
+    puts "------------"
+    print configuration.to_json
+    puts ""
+    puts ""
+    puts "------------"
+
+  end
+end
+
+main = Main.new
+main.generate_keypair

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/authenticated_client.rb

@@ -0,0 +1,9 @@
+module AuthenticatedClient
+end
+
+require 'authenticated_client/keypair_generator'
+require 'authenticated_client/auth_client'
+require 'authenticated_client/token_generator'
+require 'authenticated_client/token_validator'
+require 'authenticated_client/rack_middleware'
+require 'authenticated_client/version'

data/lib/authenticated_client/auth_client.rb

@@ -0,0 +1,52 @@
+require 'uri'
+require 'net/http'
+
+module AuthenticatedClient
+  class Client
+    attr_accessor :url
+    attr_accessor :token
+    attr_accessor :verb
+    attr_accessor :parameters
+    attr_accessor :body
+    attr_accessor :auditing
+
+    def initialize
+      @url = nil
+      @token = nil
+      @verb = :post
+      @parameters = {}
+      @body = {}
+      @auditing = nil
+    end
+
+    def request
+      validate_elements_before_performing_request
+      perform_http_request
+    end
+
+    private
+
+    def perform_http_request
+      uri = URI.parse(@url)
+      uri.query = URI.encode_www_form( @parameters )
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true if uri.is_a?(URI::HTTPS)
+      request = Net::HTTP::Post.new(uri.request_uri) if :post == @verb
+      request = Net::HTTP::Get.new(uri.request_uri) if :get == @verb
+      request.add_field("AUTHORIZATION", @token) if @token
+      request.body = body.to_json
+      http.request(request)
+    end
+
+    def validate_elements_before_performing_request
+      raise 'only verbs post and get are supported' unless [:post, :get].include?(@verb)
+      raise "invalid url #{@url}" unless @url =~ URI::regexp
+      raise "parameters must be a hash" unless @parameters.is_a?(Hash)
+      raise "body must be a hash" unless @body.is_a?(Hash)
+    end
+
+    def audit_failure
+
+    end
+  end
+end

data/lib/authenticated_client/version.rb

@@ -0,0 +1,3 @@
+module AuthenticatedClient
+  VERSION = '0.0.1'
+end

data/sanity/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.byebug_history
+*.gem

data/sanity/.ruby-gemset

@@ -0,0 +1 @@
+sanity

data/sanity/.ruby-version

@@ -0,0 +1 @@
+ruby-2.3.0

data/sanity/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'authenticated_client', :path => "../"

data/sanity/sanity.rb

@@ -0,0 +1,55 @@
+require 'authenticated_client'
+require 'yaml'
+
+class Main
+
+  def generate_keypair
+    #create and configure auditing instance
+    keypair_generator = AuthenticatedClient::KeypairGenerator.new
+    private_key, public_key = keypair_generator.generate
+    configuration = {
+      'private_key' => private_key,
+      'public_key' => public_key
+    }
+    print configuration.to_yaml
+  end
+
+  def round_trip_simple_code
+    $stderr.puts "Generating Keypair..."
+    $ecdsa_key = OpenSSL::PKey::EC.new 'secp521r1'
+    $ecdsa_key.generate_key
+    $ecdsa_public = OpenSSL::PKey::EC.new $ecdsa_key
+    $ecdsa_public.private_key = nil
+    $stderr.puts "Generation Complete"
+
+    $stderr.puts 'DIRECT'
+    json_stuff = { 'stuff' => 'bla' }
+    token = encode(json_stuff)
+    result = decode(token)
+    $stderr.puts result
+
+    extracted_private_key = $ecdsa_key.to_pem
+    extracted_public_key = $ecdsa_public.to_pem
+    $ecdsa_key = nil
+    $ecdsa_public = nil
+
+    $stderr.puts 'INDIRECT'
+    $ecdsa_key = OpenSSL::PKey::EC.new extracted_private_key
+    $ecdsa_public = OpenSSL::PKey::EC.new ''#extracted_public_key
+    token = encode(json_stuff)
+    result = decode(token)
+    $stderr.puts result
+  end
+
+  def encode(payload)
+    JWT.encode(payload, $ecdsa_key, 'ES512')
+  end
+
+  def decode(authentication_token)
+    JWT.decode(authentication_token, $ecdsa_public, true, { :algorithm => 'ES512' })
+  end
+end
+
+main = Main.new
+main.generate_keypair
+main.round_trip_simple_code

data/sanity/sanity_benchmark.rb

@@ -0,0 +1,83 @@
+require 'soar_auditing_provider'
+require 'log4r_auditor'
+require 'soar_flow'
+require 'benchmark'
+require 'byebug'
+
+class Main
+
+  AUDITING_CONFIGURATION = {
+    'auditing' => {
+      'level' => 'debug',
+      'install_exit_handler' => 'false',
+      'add_caller_source_location' => 'false',
+      'queue_worker' => {
+        'queue_size' => 1000000,
+        'initial_back_off_in_seconds' => 1,
+        'back_off_multiplier' => 2,
+        'back_off_attempts' => 5
+      },
+      'default_nfrs' => {
+        'accessibility' => 'local',
+        'privacy' => 'not encrypted',
+        'reliability' => 'instance',
+        'performance' => 'high'
+      },
+      'auditors' => {
+        'log4r' => {
+          'adaptor' => 'Log4rAuditor::Log4rAuditor',
+          'file_name' => 'soar_sc.log',
+          'standard_stream' => 'none',
+          'nfrs' => {
+            'accessibility' => 'local',
+            'privacy' => 'not encrypted',
+            'reliability' => 'instance',
+            'performance' => 'high'
+          }
+        }
+      }
+    }
+  }
+
+  def test_sanity
+    iterations = 1000000
+
+    #create and configure auditing instance
+    myauditing = SoarAuditingProvider::AuditingProvider.new( AUDITING_CONFIGURATION['auditing'] )
+    myauditing.startup_flow_id = SoarFlow::ID::generate_flow_id
+    myauditing.service_identifier = 'my-test-service.com'
+
+    #associate a set of auditing entries with a flow by generating a flow identifiers
+    flow_id = SoarFlow::ID::generate_flow_id
+
+    Benchmark.bm do |x|
+      myauditing = SoarAuditingProvider::AuditingProvider.new( AUDITING_CONFIGURATION['auditing'].dup.merge("level" => "warn") )
+      myauditing.startup_flow_id = SoarFlow::ID::generate_flow_id
+      myauditing.service_identifier = 'my-test-service.com'
+      x.report ("audit_call_below_audit_threshold:") {
+        iterations.times {
+          myauditing.info("Benchmarking test",flow_id)
+        }
+      }
+      myauditing = SoarAuditingProvider::AuditingProvider.new( AUDITING_CONFIGURATION['auditing'].dup.merge("add_caller_source_location" => "false") )
+      myauditing.startup_flow_id = SoarFlow::ID::generate_flow_id
+      myauditing.service_identifier = 'my-test-service.com'
+      x.report ("audit_call_without_caller_info  :") {
+        iterations.times {
+          myauditing.info("Benchmarking test",flow_id)
+        }
+      }
+      myauditing = SoarAuditingProvider::AuditingProvider.new( AUDITING_CONFIGURATION['auditing'].dup.merge("add_caller_source_location" => "true") )
+      myauditing.startup_flow_id = SoarFlow::ID::generate_flow_id
+      myauditing.service_identifier = 'my-test-service.com'
+      x.report ("audit_call_with_caller_info     :") {
+        iterations.times {
+          myauditing.info("Benchmarking test",flow_id)
+        }
+      }
+    end
+  end
+end
+
+main = Main.new
+main.test_sanity

data/spec/auth_client_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe AuthenticatedClient::AuthenticatedClient do
+  before :each do
+  end
+
+  it 'has a version number' do
+    expect(AuthenticatedClient::VERSION).not_to be nil
+  end
+
+  context "when performing an authenticated request" do
+    context "with a valid token" do
+      it 'respond with a successful request' do
+        @iut = AuthenticatedClient::AuthenticatedClient.new
+        @iut.url = 'http://authentication-token-generator-service:9393/generate'
+        @iut.token = 'test_ecosystem_token_for_auth_token_aaapi_authenticator_service'
+        @iut.verb = :post
+        @iut.parameters = {}
+        @iut.body = {}
+        @iut.auditing = nil
+
+        response = @iut.request
+        expect(response.code).to eq '200'
+      end
+    end
+    context "with an invalid token" do
+      it 'respond unauthorized' do
+        @iut = AuthenticatedClient::AuthenticatedClient.new
+        @iut.url = 'http://authentication-token-generator-service:9393/generate'
+        @iut.token = 'invalid'
+        @iut.verb = :post
+        @iut.parameters = {}
+        @iut.body = {}
+        @iut.auditing = nil
+
+        response = @iut.request
+        expect(response.code).to eq '401'
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,5 @@
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+$LOAD_PATH.unshift File.expand_path('../../spec/support', __FILE__)
+
+require 'authenticated_client'
+require 'pry'

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: authenticated_client
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Barney de Villiers
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-01-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.13'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+description: Client livrary for accessing authenticated resources
+email:
+- barney.de.villiers@hetzner.co.za
+executables:
+- console
+- keypair-generator
+- setup
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
+- Dockerfile
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- authenticated_client.gemspec
+- bin/console
+- bin/keypair-generator
+- bin/setup
+- lib/authenticated_client.rb
+- lib/authenticated_client/auth_client.rb
+- lib/authenticated_client/version.rb
+- sanity/.gitignore
+- sanity/.ruby-gemset
+- sanity/.ruby-version
+- sanity/Gemfile
+- sanity/sanity.rb
+- sanity/sanity_benchmark.rb
+- spec/auth_client_spec.rb
+- spec/spec_helper.rb
+homepage: https://gitlab.host-h.net/hetznerZA/authenticated-client
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Client livrary for accessing authenticated resources such as token based
+  systems
+test_files:
+- spec/auth_client_spec.rb
+- spec/spec_helper.rb