bollard 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 902e221383e933affc9e6e06aad20ad103e3844c
+  data.tar.gz: 266c40c3987a7395d7505e18b9b30a4c1abed5ee
+SHA512:
+  metadata.gz: 7fa85f9688e7009f7ba8758162a7bf0acf04fc5a8edb728617cbf5a5003f47060276407052bdf213457aed99e0ed94eb8ec2f4e4abd56bbadc3be135cd40f8c1
+  data.tar.gz: b69f6bc526192d625370f9552e9ebe8793cc3dbccc6b0f7180abcc1d0da09ff88a558f4ef72a121dc8484dd97fb16f912300f0b0271a129290e42b241e54b101

data/.gitignore

@@ -0,0 +1,2 @@
+/.byebug_history
+pkg

data/Gemfile

@@ -0,0 +1,2 @@
+source "https://rubygems.org"
+gemspec

data/Gemfile.lock

@@ -0,0 +1,79 @@
+PATH
+  remote: .
+  specs:
+    bollard (1.0.0)
+      jwt
+      rest-client
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    byebug (10.0.2)
+    concurrent-ruby (1.0.5)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    diff-lcs (1.3)
+    domain_name (0.5.20180417)
+      unf (>= 0.0.5, < 1.0.0)
+    hashdiff (0.3.7)
+    http-cookie (1.0.3)
+      domain_name (~> 0.5)
+    i18n (1.1.0)
+      concurrent-ruby (~> 1.0)
+    jwt (2.1.0)
+    mime-types (3.2.2)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2018.0812)
+    minitest (5.11.3)
+    netrc (0.11.0)
+    public_suffix (3.0.3)
+    rake (12.3.1)
+    rest-client (2.0.2)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    safe_yaml (1.0.4)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.5)
+    webmock (2.3.2)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (>= 3.1)
+  bollard!
+  byebug
+  rake
+  rspec (~> 3.7)
+  webmock (~> 2.3)
+
+BUNDLED WITH
+   1.16.1

data/LICENCE.md

@@ -0,0 +1,22 @@
+The MIT License
+
+Copyright 2018 Vinomofo
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,24 @@
+# Bollard
+
+A way of securing API communications with a JWT header that verifies a payload given a known secret
+
+## Use
+Install Bollard
+
+```
+gem install bollard
+```
+
+Use Bollard to :post messages
+```
+require "bollard"
+
+Bollard.secure_post("https://my.endpoint/api", '{ "key_1": "val_1" }', "shared_secret_key")
+```
+
+Use Bollard to verify received messages
+```
+require "bollard"
+
+Bollard.verify_post('{ "key_1": "val_1" }', "", "shared_secret_key")
+```

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bollard.gemspec

@@ -0,0 +1,28 @@
+$:.push File.expand_path("../lib", __FILE__)
+
+# Maintain your gem's version:
+require "bollard/version"
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |s|
+  s.name        = "bollard"
+  s.version     = Bollard::VERSION
+  s.license     = "MIT"
+  s.authors     = ["Michael Dilley"]
+  s.email       = "mick@vinomofo.com"
+  s.homepage    = "https://github.com/vinomofo/bollard"
+  s.summary     = "Send a secure post somewhere"
+  s.description = "Send a secure post somewhere"
+
+  s.files       = `git ls-files`.split("\n")
+  s.test_files  = `git ls-files -- {spec,gemfiles}/*`.split("\n")
+
+  s.add_dependency "jwt"
+  s.add_dependency "rest-client"
+
+  s.add_development_dependency "activesupport", ">= 3.1"
+  s.add_development_dependency "rspec", "~> 3.7"
+  s.add_development_dependency "webmock", "~> 2.3"
+  s.add_development_dependency "byebug"
+  s.add_development_dependency "rake"
+end

data/lib/bollard/post.rb

@@ -0,0 +1,33 @@
+require 'rest-client'
+
+module Bollard
+  PostError = Class.new(RuntimeError)
+
+  class Post
+    def initialize(url, payload, signing_secret, extra_headers, auth_header)
+      @url = url
+      @payload = payload
+      @signing_secret = signing_secret
+      @auth_header = auth_header
+      @extra_headers = extra_headers
+    end
+
+    def perform
+      RestClient.post(@url, @payload, headers)
+    rescue RestClient::ExceptionWithResponse => e
+      raise PostError.new(e.response.body)
+    rescue RestClient::Exception => e
+      raise PostError.new(e.message)
+    end
+
+    private
+
+    def headers
+      @extra_headers.merge({ @auth_header => signature })
+    end
+
+    def signature
+      Signature.generate(@payload, @signing_secret)
+    end
+  end
+end

data/lib/bollard/signature.rb

@@ -0,0 +1,72 @@
+require 'digest'
+require 'jwt'
+
+module Bollard
+  class SignatureVerificationError < RuntimeError
+    attr_reader :message, :sig_header, :http_body
+
+    def initialize(message, sig_header, http_body: nil)
+      @message = message
+      @sig_header = sig_header
+      @http_body = http_body
+    end
+  end
+
+  class Signature
+    EXPECTED_ALGORITHM = "sig_v1".freeze
+
+
+    def self.generate(data, secret, ttl: 600)
+      iat = Time.now.to_i
+      payload = { iat: iat, exp: iat + ttl, sig_v1: Digest::SHA256.hexdigest(data) }
+      JWT.encode(payload, secret, 'HS256')
+    end
+
+
+    # Verifies the signature header for a given payload.
+    #
+    # Raises a SignatureVerificationError in the following cases:
+    # - the header does not match the expected format
+    # - no hash found with the expected algorithm
+    # - hash doesn't match the expected hash
+    #
+    # Returns true otherwise
+    def self.verify(payload, header, secret, tolerance: nil)
+      begin
+        decoded_token = JWT.decode(header, secret, true, { exp_leeway: tolerance })
+      rescue JWT::DecodeError => e
+        raise SignatureVerificationError.new(e.message, header, http_body: payload)
+      end
+
+      provided_hash = decoded_token[0][EXPECTED_ALGORITHM]
+      if provided_hash.blank?
+        raise SignatureVerificationError.new(
+          "No hash found with expected algorithm #{EXPECTED_ALGORITHM}",
+          header, http_body: payload
+        )
+      end
+
+      expected_hash = Digest::SHA256.hexdigest(payload)
+      unless secure_compare(provided_hash, expected_hash)
+        raise SignatureVerificationError.new("Hash mismatch for payload", header, http_body: payload)
+      end
+
+      true
+    end
+
+
+    # Constant time string comparison to prevent timing attacks
+
+    # Code borrowed from ActiveSupport
+    def self.secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res.zero?
+    end
+    private_class_method :secure_compare
+  end
+end

data/lib/bollard/version.rb

@@ -0,0 +1,3 @@
+module Bollard
+  VERSION = "1.0.0"
+end

data/lib/bollard.rb

@@ -0,0 +1,14 @@
+require 'bollard/signature'
+require 'bollard/post'
+
+module Bollard
+  def self.secure_post(url, payload, signing_secret, extra_headers: {}, auth_header: 'Bollard-Signature')
+    post = Post.new(url, payload, signing_secret, extra_headers: extra_headers, auth_header: auth_header)
+    post.perform
+  end
+
+
+  def self.verify_post(payload, header, signing_secret, tolerance: nil)
+    Signature.verify_header(payload, header, signing_secret, tolerance: tolerance)
+  end
+end

data/spec/lib/bollard/post_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+RSpec.describe Bollard::Post do
+  it "posts the payload to the given URL" do
+    stub_request(:post, "https://test.localhost/")
+
+    post = Bollard::Post.new("https://test.localhost/", "{}", "secret", {}, "Bollard-Signature")
+    post.perform
+
+    expect(WebMock).to have_requested(:post, "https://test.localhost").with(body: "{}")
+  end
+
+  it "adds the correct signature header to the request" do
+    allow(Bollard::Signature).to receive(:generate).and_return("valid_signature")
+    stub_request(:post, "https://test.localhost/")
+
+    post = Bollard::Post.new("https://test.localhost/", "{}", "secret", {}, "Bollard-Signature")
+    post.perform
+
+    expect(WebMock).to have_requested(:post, "https://test.localhost")
+      .with(headers: { "Bollard-Signature" => "valid_signature" })
+  end
+
+  it "adds extra headers to the request" do
+    stub_request(:post, "https://test.localhost/")
+
+    post = Bollard::Post.new("https://test.localhost/", "{}", "secret", { content_type: :json, accept: :json }, "Bollard-Signature")
+    post.perform
+
+    expect(WebMock).to have_requested(:post, "https://test.localhost")
+      .with(headers: { content_type: 'application/json', accept: 'application/json' })
+  end
+end

data/spec/lib/bollard/signature_spec.rb

@@ -0,0 +1,75 @@
+require "spec_helper"
+require 'digest'
+
+RSpec.describe Bollard::Signature do
+  describe ".generate" do
+    let(:jwt) { Bollard::Signature.generate("Some data", "super-secret") }
+    let(:jwt_payload) { JWT.decode(jwt, "super-secret", true)[0] }
+
+    it "generates a valid JWT for the given payload" do
+      expect { JWT.decode(jwt, "super-secret", true) }.not_to raise_error
+    end
+
+    it "adds an issued-at field" do
+      travel_to(Time.now) do
+        expect(jwt_payload["iat"]).to eq Time.now.to_i
+      end
+    end
+
+    it "adds an expires-at field" do
+      travel_to(Time.now) do
+        expect(jwt_payload["exp"]).to eq(Time.now.to_i + 600)
+      end
+    end
+
+    context "when given a ttl" do
+      let(:jwt) { Bollard::Signature.generate("Some data", "super-secret", ttl: 100) }
+
+      it "sets the expires-at field using the configurable ttl" do
+        travel_to(Time.now) do
+          expect(jwt_payload["exp"]).to eq(Time.now.to_i + 100)
+        end
+      end
+    end
+
+    it "adds a hash of the data" do
+      expect(jwt_payload["sig_v1"]).to eq(Digest::SHA256.hexdigest("Some data"))
+    end
+
+    it "signs the jwt with the secret so it can be verified" do
+      expect { JWT.decode(jwt, "not-the-same-secret", true) }.to raise_error(JWT::VerificationError, "Signature verification raised")
+    end
+  end
+
+  describe ".verify" do
+    it "verifies the signing secret matches the given secret" do
+      jwt = Bollard::Signature.generate("Some data", "super-secret")
+      expect { Bollard::Signature.verify("Some data", jwt, "different-super-secret") }.to raise_error(Bollard::SignatureVerificationError, "Signature verification raised")
+    end
+
+    it "verifies the payload matches the given hash" do
+      jwt = Bollard::Signature.generate("Some data", "super-secret")
+      expect { Bollard::Signature.verify("Some different data", jwt, "super-secret") }.to raise_error(Bollard::SignatureVerificationError, "Hash mismatch for payload")
+    end
+
+    it "verifies the format of the token" do
+      jwt = JWT.encode({ sig_v2: Digest::SHA256.hexdigest("Some data") }, "super-secret", 'HS256')
+
+      expect { Bollard::Signature.verify("Some data", jwt, "super-secret") }.to raise_error(Bollard::SignatureVerificationError, "No hash found with expected algorithm #{Bollard::Signature::EXPECTED_ALGORITHM}")
+    end
+
+    it "ensures that the jwt hasn't expired" do
+      jwt = Bollard::Signature.generate("Some data", "super-secret")
+      travel_to(Time.now + 1200) do
+        expect { Bollard::Signature.verify("Some data", jwt, "super-secret") }.to raise_error(Bollard::SignatureVerificationError, "Signature has expired")
+      end
+    end
+
+    it "allows leeway for the expiry if set" do
+      jwt = Bollard::Signature.generate("Some data", "super-secret")
+      travel_to(Time.now + 1200) do
+        expect { Bollard::Signature.verify("Some data", jwt, "super-secret", tolerance: 1200) }.not_to raise_error
+      end
+    end
+  end
+end

data/spec/lib/bollard_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+RSpec.describe Bollard do
+  describe ".secure_post" do
+    let(:post) { instance_double(Bollard::Post, perform: true) }
+
+    before do
+      allow(Bollard::Post).to receive(:new).and_return(post)
+    end
+
+    it "delegates everything to Post" do
+      Bollard.secure_post("https://url.com", "{}", "secrets", extra_headers: { header_1: "1" }, auth_header: "Authorization")
+      expect(Bollard::Post).to have_received(:new).with("https://url.com", "{}", "secrets", extra_headers: { header_1: "1" }, auth_header: "Authorization")
+      expect(post).to have_received(:perform)
+    end
+
+    it "provides defaults for extra_headers" do
+      Bollard.secure_post("https://url.com", "{}", "secrets", auth_header: "Authorization")
+      expect(Bollard::Post).to have_received(:new).with("https://url.com", "{}", "secrets", extra_headers: {}, auth_header: "Authorization")
+    end
+
+    it "provides defaults for auth_header" do
+      Bollard.secure_post("https://url.com", "{}", "secrets", extra_headers: { header_1: "1" })
+      expect(Bollard::Post).to have_received(:new).with("https://url.com", "{}", "secrets", extra_headers: { header_1: "1" }, auth_header: "Bollard-Signature")
+    end
+  end
+
+  describe ".verify_post" do
+    before do
+      allow(Bollard::Signature).to receive(:verify_header)
+    end
+
+    it "delegates everything to Signature" do
+      Bollard.verify_post("{}", "abc123", "secrets", tolerance: 100)
+
+      expect(Bollard::Signature).to have_received(:verify_header).with("{}", "abc123", "secrets", tolerance: 100)
+    end
+
+    it "provides a default for tolerance" do
+      Bollard.verify_post("{}", "abc123", "secrets")
+
+      expect(Bollard::Signature).to have_received(:verify_header).with("{}", "abc123", "secrets", tolerance: nil)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+require 'byebug'
+require 'active_support/testing/time_helpers'
+
+require 'webmock/rspec'
+require File.expand_path('../../lib/bollard', __FILE__)
+Dir[File.expand_path('../spec/support/**/*.rb', __FILE__)].each { |f| require f }
+
+RSpec.configure do |config|
+  config.order = 'random'
+
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+
+  config.include ActiveSupport::Testing::TimeHelpers
+end

metadata

@@ -0,0 +1,160 @@
+--- !ruby/object:Gem::Specification
+name: bollard
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Michael Dilley
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-08-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Send a secure post somewhere
+email: mick@vinomofo.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Gemfile.lock
+- LICENCE.md
+- README.md
+- Rakefile
+- bollard.gemspec
+- lib/bollard.rb
+- lib/bollard/post.rb
+- lib/bollard/signature.rb
+- lib/bollard/version.rb
+- spec/lib/bollard/post_spec.rb
+- spec/lib/bollard/signature_spec.rb
+- spec/lib/bollard_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/vinomofo/bollard
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: Send a secure post somewhere
+test_files:
+- spec/lib/bollard/post_spec.rb
+- spec/lib/bollard/signature_spec.rb
+- spec/lib/bollard_spec.rb
+- spec/spec_helper.rb