authmac 1.0.1 → 1.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e4b7bd1e6888d9396a2b8625350f3626575facb4
-  data.tar.gz: c868726a7655dd6063eea99029a2b09296d1b405
+  metadata.gz: e150851873e527bbdb621d19701b3d4ff7f976c7
+  data.tar.gz: 02bc0a0836b9931e91e3e32d2d532c6bdc5be40b
 SHA512:
-  metadata.gz: 864d917472213fda96505a9b093a24954805023619b6725b259dc26b9a705605a95156f9914944ec6716e4f348f3f05e211c24bff74069e8bedcdb34eb1164cc
-  data.tar.gz: 9501f5e4860c67f36f2fb0c9c758207c89090c1d10cfc6dc55accbf8f9b5eb81123101ab7728960b60ab392dc1d7063781d700e71f44754b1c785747c91aa0d4
+  metadata.gz: 8a68eadb5dc40141d7a165376f577ecec25967ad321d42124b53cd3f8db333f89a3b12b407921cedf60ead0eb001156a87f3ee82eb89186560e07e17d880cdba
+  data.tar.gz: ce5c1ef3d649f8adb7d371c86cb8a9931d84b25927eb5ee349d33ccb7241a68bdf81cf6a4aaee7661a5c17dbaaf121f8238c9362cfa72c5a05ba084f2e75ef39

data/.travis.yml

@@ -0,0 +1,2 @@
+rvm:
+  - '2.1.0'

data/CHANGELOG.md

@@ -0,0 +1,4 @@
+## Version 1.0.3 / 2014-5-12
+
+* Raise error when insecure key is being used, assuming all keys are hex values (see rfc2104)
+* Only compatible with ruby 2

data/circle.yml

@@ -0,0 +1,3 @@
+machine:
+  ruby:
+    version: 2.1.0

data/lib/authmac/hmac_checker.rb

@@ -2,10 +2,11 @@ require 'openssl'
 
 module Authmac
   class HmacChecker
-    def initialize(secret, parameter_separator = '|', digest_function = "sha1")
+    def initialize(secret, parameter_separator = '|', digest_function = 'sha1')
       @secret = secret
       @digest = digest_function
       @separator = parameter_separator
+      fail Authmac::SecretError, 'secret too short, see rfc2104' unless @secret.bytes.size >= digester.digest_length * 2
     end
 
     def validate(hash, given_hmac)

data/lib/authmac/version.rb

@@ -1,3 +1,3 @@
 module Authmac
-  VERSION = "1.0.1"
+  VERSION = '1.0.3'
 end

data/lib/authmac.rb

@@ -3,8 +3,7 @@ require 'authmac/hmac_checker'
 require 'authmac/timestamp_checker'
 
 module Authmac
-  class HmacError < StandardError; end
-  class TimestampError < StandardError; end
+  class SecretError < StandardError; end
 
   class ValidationResult
     def initialize(options = {})

data/spec/authmac/hmac_checker_spec.rb

@@ -2,9 +2,16 @@ require 'authmac/hmac_checker'
 
 module Authmac
   describe HmacChecker do
-    let(:checker) { HmacChecker.new("very secret key", "|", "sha1") }
+    let(:checker) { HmacChecker.new('very secret random key of sufficient size', '|', 'sha1') }
+
+    it 'raises an error for a secret shorter than the hmac output' do
+      expect {
+        HmacChecker.new('way too short key', '|', 'sha1')
+      }.to raise_error SecretError, 'secret too short, see rfc2104'
+    end
 
     describe '#validate' do
+
       context 'for an empty hash' do
         let(:hash) { Hash.new }
 
@@ -13,13 +20,13 @@ module Authmac
         end
 
         it 'fails with an incorrect hmac' do
-          expect(checker.validate(hash, "wrong")).to be_falsey
+          expect(checker.validate(hash, 'wrong')).to be_falsey
         end
       end
 
       context 'for a hash with a single parameter' do
         it 'succeeds with the correct hmac' do
-          expect(checker.validate({single: 'parameter'}, hmacify("parameter"))).to be_truthy
+          expect(checker.validate({single: 'parameter'}, hmacify('parameter'))).to be_truthy
         end
 
         it 'fails with incorrect hmac' do
@@ -36,7 +43,6 @@ module Authmac
         it 'sorts hash values based on their keys' do
           expect(checker.validate({second: 'another', first: 'parameter'},
                                   hmacify('parameter|another'))).to be_truthy
-
         end
       end
     end
@@ -49,7 +55,7 @@ module Authmac
 
     def hmacify(string, method='sha1')
       digester = OpenSSL::Digest.new(method)
-      OpenSSL::HMAC.hexdigest(digester, "very secret key", string)
+      OpenSSL::HMAC.hexdigest(digester, 'very secret random key of sufficient size', string)
     end
   end
 end

data/spec/authmac_spec.rb

@@ -14,7 +14,7 @@ module Authmac
         auth.validate(hash.merge(hmac: hmac))
       end
 
-      it 'raises HmacError if hmac is incorrect' do
+      it 'sets the hmac_failure flag when hmac is incorrect' do
         allow(hmac_checker).to receive(:validate).and_return(false)
         expect(auth.validate({}).hmac_failure?).to be_truthy
       end
@@ -25,11 +25,10 @@ module Authmac
         auth.validate({timestamp: timestamp.to_s})
       end
 
-      it 'raises TimestampError if timestamp is out of bounds' do
+      it 'sets the timestamp_failure flag when timestamp is out of bounds' do
         allow(timestamp_checker).to receive(:validate).and_return(false)
         expect(auth.validate({}).timestamp_failure?).to be_truthy
       end
     end
-
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authmac
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.3
 platform: ruby
 authors:
 - Marten Veldthuis
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-22 00:00:00.000000000 Z
+date: 2014-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -47,11 +47,14 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - authmac.gemspec
+- circle.yml
 - example/app.rb
 - example/views/auth_hmac_failure.erb
 - example/views/auth_success.erb
@@ -84,7 +87,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.0
+rubygems_version: 2.2.1
 signing_key: 
 specification_version: 4
 summary: Single Sign-On implementation based on HMAC.