authmac 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 79cdcf6928f30abe694de994eba88c6f2ec89e28
+  data.tar.gz: 62c7ba521390202bb2d61b28d183be513060a1b4
+SHA512:
+  metadata.gz: a7faef3549f1033ed067aa165c1fbe6c9c2e6572d0d4564f5fbd83ccadaed50bc9c2f0922ff55a23d546ada894ef0fb025cba7e0e9536b8adca8a3d68427e712
+  data.tar.gz: 486d280fccd12f4127caef2fe1c65982cd7b9d721ef350aa2224ae82e6526ca951ed51caa4655350ce14e4a8eee88144f46c243d04a3482da31f320028ebda56

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1 @@
+--color

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in authmac.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Marten Veldthuis
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,32 @@
+# Authmac
+
+[![Build Status](https://travis-ci.org/roqua/authmac.png)](https://travis-ci.org/roqua/authmac)
+[![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/roqua/authmac)
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'authmac'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install authmac
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,5 @@
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

data/authmac.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'authmac/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "authmac"
+  gem.version       = Authmac::VERSION
+  gem.authors       = ["Marten Veldthuis"]
+  gem.email         = ["marten@veldthuis.com"]
+  gem.description   = 'Single Sign-On implementation based on HMAC.'
+  gem.summary       = 'Single Sign-On implementation based on HMAC.'
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_development_dependency "rake", "~> 10.0.3"
+  gem.add_development_dependency "rspec", "~> 2.11"
+end

data/example/app.rb

@@ -0,0 +1,34 @@
+require 'sinatra'
+require 'cgi'
+require 'authmac'
+
+set :app_file, __FILE__
+
+get '/' do
+  erb :form
+end
+
+post '/sign' do
+  @checker = Authmac::HmacChecker.new("very_secret", '|', 'sha256')
+  @params_with_timestamp = params.merge('timestamp' => Time.now.to_i)
+  @hmac    = @checker.sign(@params_with_timestamp)
+  @params_with_hmac      = @params_with_timestamp.merge('hmac' => @hmac)
+  @link                  = @params_with_hmac.map{|k,v| "#{k}=#{CGI.escape(v.to_s)}" }.join("&")
+
+  erb :sign
+end
+
+get '/auth' do
+  hmac_checker      = Authmac::HmacChecker.new("very_secret", '|', 'sha256')
+  timestamp_checker = Authmac::TimestampChecker.new(30, 10)
+  authenticator     = Authmac::Authenticator.new(hmac_checker, timestamp_checker)
+  @validation       = authenticator.validate(params)
+
+  if @validation.success?
+    erb :auth_success
+  elsif @validation.hmac_failure?
+    erb :auth_hmac_failure
+  elsif @validation.timestamp_failure?
+    erb :auth_timestamp_failure
+  end
+end

data/example/views/auth_hmac_failure.erb

@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<title>HMAC Generator</title>
+
+<h1>HMAC failure</h1>
+<p>The HMAC you passed did not seem to be correct. For your reference, we use the secret <pre>very_secret</pre> and used the message <pre><%= message %></pre>.</p>

data/example/views/auth_success.erb

@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<title>Success!</title>
+
+<h1>Success!</h1>
+<p>Everything seems to be in order.</p>

data/example/views/auth_timestamp_failure.erb

@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<title>HMAC Generator</title>
+
+<h1>Timestamp expired</h1>
+<p>In this demo application, we've set the timestamp limits to expire after 30 seconds, and not to allow timestamps that are more than 10 seconds in the future.</p>

data/example/views/form.erb

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<title>HMAC Generator</title>
+<style>body { font-size: 1.2em; }</style>
+<form method="post" action="/sign">
+  Professional ID: <input type="text" name="userid" />   <br/>
+  Patient ID:      <input type="text" name="clientid" /> <br/>
+
+  <input type="submit" value="Generate URL" />
+</form>

data/example/views/sign.erb

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<title>HMAC Generator</title>
+<h1>Okay, here's what I've got</h1>
+
+<p>These are the values we used to generate the hash:
+<code><%= @params.inspect %></code></p>
+
+<p>Then we add the timestamp parameter:
+<code><%= @params_with_timestamp.inspect %></code></p>
+
+<p>To calculate the HMAC, we generate the following string based on this:
+<code><%= @checker.send(:message_string, @params_with_timestamp) %></code></p>
+
+<p>And use this secret for the HMAC generation:
+<code>very_secret</code></p>
+
+<p>Then we add the HMAC:
+<code><%= @params_with_hmac.inspect %></code></p>
+
+<p>Then, this is a nice URL to use. We URL-escape each value, and keep in mind that the order of HTTP-parameters does not matter:</p>
+
+<a href="/auth?<%= @link %>">Link</a>

data/lib/authmac/hmac_checker.rb

@@ -0,0 +1,34 @@
+require 'openssl'
+
+module Authmac
+  class HmacChecker
+    def initialize(secret, parameter_separator = '|', digest_function = "sha1")
+      @secret = secret
+      @digest = digest_function
+      @separator = parameter_separator
+    end
+
+    def validate(hash, given_hmac)
+      sign(hash) == given_hmac
+    end
+
+    def sign(hash)
+      OpenSSL::HMAC.hexdigest(digester, @secret, message_string(hash))
+    end
+
+    private
+
+    def digester
+      OpenSSL::Digest::Digest.new(@digest)
+    end
+
+    def message_string(hash)
+      hash_values_sorted_by_key(hash).join(@separator)
+    end
+
+    def hash_values_sorted_by_key(hash)
+      hash.sort_by {|key, value| key }.map(&:last)
+    end
+  end
+end
+

data/lib/authmac/timestamp_checker.rb

@@ -0,0 +1,22 @@
+module Authmac
+  class TimestampChecker
+    def initialize(max_behind, max_ahead)
+      @max_behind = max_behind
+      @max_ahead  = max_ahead
+    end
+
+    def validate(timestamp)
+      not_too_old(timestamp) and not_too_new(timestamp)
+    end
+
+    private
+
+    def not_too_old(timestamp)
+      (Time.now - @max_behind) <= Time.at(timestamp)
+    end
+
+    def not_too_new(timestamp)
+      Time.at(timestamp) <= (Time.now + @max_ahead)
+    end
+  end
+end

data/lib/authmac/version.rb

@@ -0,0 +1,3 @@
+module Authmac
+  VERSION = "1.0.0"
+end

data/lib/authmac.rb

@@ -0,0 +1,61 @@
+require "authmac/version"
+require 'authmac/hmac_checker'
+require 'authmac/timestamp_checker'
+
+module Authmac
+  class HmacError < StandardError; end
+  class TimestampError < StandardError; end
+
+  class ValidationResult
+    def initialize(options = {})
+      @hmac = options.fetch(:hmac)
+      @timestamp = options.fetch(:timestamp)
+    end
+
+    def success?
+      @hmac and @timestamp
+    end
+
+    def failure?
+      !success?
+    end
+
+    def hmac_failure?
+      !@hmac
+    end
+
+    def timestamp_failure?
+      !@timestamp
+    end
+  end
+
+  class Authenticator
+    def initialize(hmac_checker, timestamp_checker)
+      @hmac_checker = hmac_checker
+      @timestamp_checker = timestamp_checker
+    end
+
+    def validate(params)
+      ValidationResult.new(hmac:      validate_hmac(params),
+                           timestamp: validate_timestamp(params))
+    end
+
+    private
+
+    def validate_hmac(params)
+      hash, hmac = split_params(params)
+      @hmac_checker.validate(hash, hmac)
+    end
+
+    def validate_timestamp(params)
+      timestamp = params[:timestamp].to_i
+      @timestamp_checker.validate(timestamp)
+    end
+
+    def split_params(params)
+      hash = params.reduce({}) { |memo, (k,v)| memo[k.to_sym] = v; memo }
+      hmac = hash.delete(:hmac)
+      return [hash, hmac]
+    end
+  end
+end

data/spec/authmac/hmac_checker_spec.rb

@@ -0,0 +1,55 @@
+require 'authmac/hmac_checker'
+
+module Authmac
+  describe HmacChecker do
+    let(:checker) { HmacChecker.new("very secret key", "|", "sha1") }
+
+    describe '#validate' do
+      context 'for an empty hash' do
+        let(:hash) { Hash.new }
+
+        it 'succeeds with the correct hmac' do
+          checker.validate(hash, hmacify('')).should be_true
+        end
+
+        it 'fails with an incorrect hmac' do
+          checker.validate(hash, "wrong").should be_false
+        end
+      end
+
+      context 'for a hash with a single parameter' do
+        it 'succeeds with the correct hmac' do
+          checker.validate({single: 'parameter'}, hmacify("parameter")).should be_true
+        end
+
+        it 'fails with incorrect hmac' do
+          checker.validate({single: 'parameter'}, 'wrong').should be_false
+        end
+      end
+
+      context 'for a hash with multiple parameters' do
+        it 'succeeds with correct hmac' do
+          checker.validate({first: 'parameter', second: 'another'},
+                          hmacify('parameter|another')).should be_true
+        end
+
+        it 'sorts hash values based on their keys' do
+          checker.validate({second: 'another', first: 'parameter'},
+                          hmacify('parameter|another')).should be_true
+
+        end
+      end
+    end
+
+    describe '#calculate_hmac' do
+      it 'generates hmac' do
+        checker.sign(second: 'another', first: 'parameter').should == hmacify('parameter|another')
+      end
+    end
+
+    def hmacify(string, method='sha1')
+      digester = OpenSSL::Digest::Digest.new(method)
+      OpenSSL::HMAC.hexdigest(digester, "very secret key", string)
+    end
+  end
+end

data/spec/authmac/timestamp_checker_spec.rb

@@ -0,0 +1,19 @@
+require 'authmac/timestamp_checker'
+
+module Authmac
+  describe TimestampChecker do
+    let(:checker) { TimestampChecker.new(15*60, 5*60) }
+
+    it 'returns true if timestamp is recent' do
+      checker.validate(Time.now.to_i).should be_true
+    end
+
+    it 'returns false if timestamp is too old' do
+      checker.validate(Time.now.to_i - (15*60 + 1)).should be_false
+    end
+
+    it 'returns false if timestamp is too far in the future' do
+      checker.validate(Time.now.to_i + (5*60 + 1)).should be_false
+    end
+  end
+end

data/spec/authmac_spec.rb

@@ -0,0 +1,35 @@
+require 'authmac'
+
+module Authmac
+  describe Authenticator do
+    let(:hmac_checker)      { stub("HmacChecker", validate: true) }
+    let(:timestamp_checker) { stub("TimestampChecker", validate: true) }
+    let(:auth) { Authenticator.new(hmac_checker, timestamp_checker) }
+
+    describe '#validate' do
+      it 'checks hmac' do
+        hash = {userid: 'someone', clientid: 'something'}
+        hmac = "a-calculated-hmac"
+        hmac_checker.should_receive(:validate).with(hash, hmac)
+        auth.validate(hash.merge(hmac: hmac))
+      end
+
+      it 'raises HmacError if hmac is incorrect' do
+        hmac_checker.stub(validate: false)
+        auth.validate({}).hmac_failure?.should be_true
+      end
+
+      it 'checks timestamp' do
+        timestamp = Time.now.to_i
+        timestamp_checker.should_receive(:validate).with(timestamp)
+        auth.validate({timestamp: timestamp.to_s})
+      end
+
+      it 'raises TimestampError if timestamp is out of bounds' do
+        timestamp_checker.stub(validate: false)
+        auth.validate({}).timestamp_failure?.should be_true
+      end
+    end
+
+  end
+end

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification
+name: authmac
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Marten Veldthuis
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-01-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 10.0.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 10.0.3
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.11'
+description: Single Sign-On implementation based on HMAC.
+email:
+- marten@veldthuis.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- authmac.gemspec
+- example/app.rb
+- example/views/auth_hmac_failure.erb
+- example/views/auth_success.erb
+- example/views/auth_timestamp_failure.erb
+- example/views/form.erb
+- example/views/sign.erb
+- lib/authmac.rb
+- lib/authmac/hmac_checker.rb
+- lib/authmac/timestamp_checker.rb
+- lib/authmac/version.rb
+- spec/authmac/hmac_checker_spec.rb
+- spec/authmac/timestamp_checker_spec.rb
+- spec/authmac_spec.rb
+homepage: ''
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.0
+signing_key: 
+specification_version: 4
+summary: Single Sign-On implementation based on HMAC.
+test_files:
+- spec/authmac/hmac_checker_spec.rb
+- spec/authmac/timestamp_checker_spec.rb
+- spec/authmac_spec.rb