carapace 0.1.2 → 0.2.0

data/CHANGELOG.md

@@ -1,19 +1,38 @@
 # Carapace Changelog
 
+## 0.2.0: Monday 4th June 2012
+
+Major reworking of the gem for Rails 3.2.5. The gem is now a Rails Engine built
+from the ground up.
+
+The original `test/rails_app` has been replaced with the Rails 3 standard `test/dummy` app.
+
+File `carapace.js` has moved from `rails_generators/templates` to `vendor/assets/javascripts`.
+File `carapace.rb` has moved from `lib` to `lib\carapace` and its Javascript output has been marked as being `html_safe`.
+
+Various other files have been added/removed/modified to support the Rails 3 framework change.
+
+This and all subsequent versions are for Rails 3 or later. [For Rails 2.x use version 0.1.2](https://rubygems.org/gems/carapace/versions/0.1.2).
+
+No testing has been done for Rails 3 versions prior to 3.2.5.
+
 ## 0.1.2: Thursday 31st May 2012
 
 Update to the ruby code so that it works with version 1.9.3.
-The change that was required was to overcome an implicit cast that stopped working. The
+The change that was required was to overcome an implicit cast that stopped working. The 
 solution was to provide an explicit cast. Regression tested to Ruby 1.8.6 and 1.8.7.
 
-Testing was also performed with Rails 2.3.14, the last version in the 2.x series. The
+Testing was also performed with Rails 2.3.14, the last version in the 2.x series. The 
 test/rails_app built with Rails 2.0.2 did not work out of the box and so it has also
 been updated for rails 2.3.14 while maintaining backward compatibility with Rails 2.0.2.
 
-The changed files are
-    `script/server`, `config/environment.rb` and `config/environments/development/rb`
+The changed files are 
+
+        script/server
+        config/environment.rb
+        config/environments/development/rb`
 
-When using the test/rails app on versions more recent than 2.0.2 run "rake rails:update"
+When using the test/rails app on versions more recent than 2.0.2 run `rake rails:update`
 prior to starting the server.
 
 This version is the final version that is tested against Ruby 1.8 and Rails 2.x.
@@ -21,21 +40,19 @@ This version is the final version that is tested against Ruby 1.8 and Rails 2.x.
 ## 0.1.1: Thursday 31st May 2012
 
 Update to the ruby code so that it works with version 1.8.7.
-The change that was required was due to OpenSSL::Cipher no longer being a module
-(the directive `include Cipher` as a module has been removed)
-See the [Ruby 1.8.7 release news](http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7/NEWS) where it says
+The change that was required was due to `OpenSSL::Cipher` no longer being a module
+(the directive `include Cipher` as a module has been removed).
+See the [Ruby 1.8.7 release news](http://svn.ruby-lang.org/repos/ruby/tags/v1_8_7/NEWS) where it says:
 
-    Remove redundant module namespace in Cipher, Digest, PKCS7, PKCS12.
-    Compatibility classes are provided which will be removed in Ruby 1.9.
+   _Remove redundant module namespace in Cipher, Digest, PKCS7, PKCS12.
+    Compatibility classes are provided which will be removed in Ruby 1.9._
 
 ## 0.1.0: Wednesday 30th May 2012
 
-Initial gem version
+Initial gem version.
 
-Written and tested against Ruby 1.8.6 and Rails 2.0.2
+Written and tested against Ruby 1.8.6 and Rails 2.0.2.
 
 ## Origin
 
 The original Carapace code was written on 10th August 2007 for Ruby 1.8.6 and Rails 2.0.2.
-
-

data/Gemfile

@@ -0,0 +1,17 @@
+source "http://rubygems.org"
+
+# Declare your gem's dependencies in carapace.gemspec.
+# Bundler will treat runtime dependencies like base dependencies, and
+# development dependencies will be added by default to the :development group.
+gemspec
+
+# jquery-rails is used by the dummy application
+gem "jquery-rails"
+
+# Declare any dependencies that are still in development here instead of in
+# your gemspec. These might include edge Rails or gems from your path or
+# Git. Remember to move these dependencies to your gemspec before releasing
+# your gem to rubygems.org.
+
+# To use debugger
+# gem 'debugger'

data/README.md

@@ -1,56 +1,61 @@
-# Carapace
+# Carapace                     
 
 Carapace enables encrypted transfer of HTTP form field values from
 the view (client) to the controller (server).
 
-The data is encrypted by the browser before being posted to the server. The
+The data is encrypted by the browser before being posted to the server. The 
 server decrypts the data ready for processing.
 
 Example uses are transfer of user passwords or credit card numbers.
 
 ## Installation
 
-Install it:
+**This gem is for Rails 3.x. For Rails 2.x please use Carapace 0.1.2.**
 
-    $ gem install carapace
+1. Add it to your Gemfile:
 
-Configure your rails 2.x application:
+        gem carapace
 
-    $ script/generate carapace
+2. And then:
+
+        $ bundle install
 
 ## Usage
 
-Client-side, Carapace uses Javascript to perform encryption. Include this like so:
+Client-side, Carapace uses Javascript to perform encryption. Include this like so: 
+
+        <%= javascript_include_tag 'carapace.js' %>
+        <%= carapace_javascript %>
 
-    <%= javascript_include_tag 'carapace.js' %>
-    <%= carapace_javascript %>
+Alternatively, add `\\= require carapace` to the `app/assets/javascripts/application.js`
+file instead of using `<% javascript_include_tag 'carapace.js' %>`.
 
 Use the `carapace_encrypt` Javascript function on any form fields that
 require encryption. For example:
 
-    function onSubmit()
-    {
-        carapace_encrypt(document.getElementById("user_password"));
-    }
+        function onSubmit()
+        {   
+            carapace_encrypt(document.getElementById("user_password"));
+        }   
 
-Then, configure the form's "submit" button to call it: 
+Then, configure the form's `submit` button to call it: 
 
-    <%= submit_tag "Add User", :class => "submit", :onclick => "onSubmit()" %>
+        <%= submit_tag "Add User", :class => "submit", :onclick => "onSubmit()" %>
 
-On the server, mix Carapace into a Rails controller (ApplicationController) class:
+On the server, mix Carapace into a Rails controller (_ApplicationController_) class:
 
-    require 'carapace'
-    include Carapace
+        require 'carapace'
+        include Carapace
     
 Then use Carapace from within action methods:
 
-    def index
-      carapace_session    
-      if request.post?
-        @message=params[:message]
-        carapace_decrypt! @message
-      end 
-    end 
+        def index
+          carapace_session    
+          if request.post?
+            @message=params[:message]
+            carapace_decrypt! @message
+          end 
+        end 
 
 **Warning:** if the controller rejects a post operation and re-displays itself
 the data is not encrypted when sent to the browser. To maintain security,
@@ -59,7 +64,7 @@ such fields should be cleared before rendering the view.
 ## Testing
 
 Test the gem with `rake test`. There is also a self-contained rails application
-in `test\rails_app` for further testing and education. See `test\rails_app\README.md`
+in `test\dummy` for further testing and education. See `test\dummy\README.md`
 for more information.
 
 ## History
@@ -68,15 +73,15 @@ Carapace was originally written as part of a larger application in 2007 that nee
 to provide a degree of security for sensitive data in situations where SSL could
 not be used. 
 
-The Carapace gem was created in 2012 to make it straightforward to re-use the
+The Carapace gem was created in 2012 to make it straightforward to re-use the 
 original code in new applications. This was done primarily as a learning exercise.
 
-For revision history see CHANGELOG.md
+For revision history see `CHANGELOG.md`.
 
 ## Acknowledgement
 
 Carapace makes use of the [JSBN Library by Tom Wu](http://www-cs-students.stanford.edu/~tjw/jsbn/)
-under the terms of its license (see file LICENCE\_JSBN).
+under the terms of its license (see file `LICENCE_JSBN`).
 
 ## About the Name
 
@@ -84,8 +89,8 @@ A _Carapace_ is the protective shell that covers and protects animals
 such as crabs and turtles.
 
 Definitions:
-[Oxford](http://oxforddictionaries.com/definition/carapace?q=carapace)
-[Cambridge](http://dictionary.cambridge.org/dictionary/british/carapace)
+    [Oxford](http://oxforddictionaries.com/definition/carapace?q=carapace)
+    [Cambridge](http://dictionary.cambridge.org/dictionary/british/carapace)
 
 In a similar vein, this gem allows a protective shell to surround data sent from
 a browser to a web server.
@@ -93,4 +98,3 @@ a browser to a web server.
 ## License
 
 Carapace is released under the MIT License. See LICENSE for details.
-

data/Rakefile

@@ -1,8 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Carapace'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
 require 'rake/testtask'
 
-Rake::TestTask.new do |t|
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
   t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
 end
 
-desc "Run tests"
+
 task :default => :test

data/carapace.gemspec

@@ -0,0 +1,29 @@
+$:.push File.expand_path("../lib", __FILE__)
+
+# Maintain your gem's version:
+require "carapace/version"
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |s|
+  s.name        = "carapace"
+  s.version     = Carapace::VERSION
+
+  s.summary     = "RSA encryption for HTML form fields"
+  s.description = "Allows field contents to be encrypted between broswer and webserver"  
+
+  s.authors     = ["John Lane"]
+  s.email       = ["carapace@jelmail.com"]
+  s.homepage    = 'https://github.com/johnlane/carapace'
+  s.license     = 'MIT'
+
+  s.files = Dir["{lib,vendor}/**/*"] + ["CHANGELOG.md", "LICENSE", "LICENSE_JSBN", "Rakefile", "README.md" ]
+  s.test_files = Dir["test/**/*"] + ["Gemfile", "carapace.gemspec"]
+
+  s.add_dependency "rails", "~> 3.2.5"
+
+  s.add_development_dependency "sqlite3"
+
+  s.add_development_dependency 'minitest'
+  s.add_development_dependency 'capybara'
+
+end

data/lib/carapace.rb

@@ -1,124 +1,2 @@
-module Carapace
-  
-  require 'openssl'
-  include OpenSSL
-  include PKey
-  include Cipher if RUBY_VERSION < "1.8.7"
-
-  @carapace_javascript_written = false
-
-#  Until I can get the below to work it will need to be done in the contoller
-#  helper_method :carapace_javascript
-
-
-  private
-  
-  HEX = { 'a' => 10, 'b' => 11, 'c' => 12, 'd' => 13, 'e' => 14, 'f' => 15 } #:nodoc:
-
-  # Pass as parameter to carapace_decrypt to ensure decryption occurs or force error
-  CARAPACE_FORCE_DECRYPT = true                                              
-  
-  # Start a Carapace session.
-  #
-  # A Carapace session allows a Rails action to display and process 
-  # an HTML form that returns encrypted fields. The action must start a session 
-  # for both the initial display and the post-processing of the request.
-  # 
-  # Encryption is performed using a 1024 bit RSA key (or other key 
-  # length as specified by the optional parameter)
-  #
-  def carapace_session(key_length=1024) #:doc:
-    unless session[:carapace_private_key]
-      key = RSA.new(key_length)
-      session[:carapace_private_key]     = key.to_s
-      session[:carapace_public_modulus]  = key.public_key.n.to_s(base=16)
-      session[:carapace_public_exponent] = key.public_key.e.to_s(base=16)
-    end
-  end
-
-  # Decrypt a string. The return value is the decrypted string.
-  # If the string was not encrypted by the browser it is returned as-is
-  # unless the force_decrypt parameter is given as CARAPACE_FORCE_DECRYPT
-  # in which case nil is returned
-  #
-  # CARAPACE_FORCE_DECRYPT can be used to protect against accepting plaintext 
-  # transmissions when the user's browser has Javascript disabled.
-  #
-  def carapace_decrypt(string, force_decrypt=false) #:doc:
-    if carapace_enabled? then         # only decrypt if browser was enabled
-      byte = 0                        # the converted byte will go here
-      s = "".rjust(string.length/2)   # string to receive converted bytes
-      0.upto(string.length-1) do |i|  # iterate through string one chr at a time
-        ch = string[i].chr            #   current character
-        nibble = HEX[ch] || ch.to_i   #   converted to its binary value
-        if i%2 == 0 then              
-          byte = nibble << 4          #   most significant nibble is bits 5-8
-        else
-          byte += nibble              #   lease significant nibble is bits 1-4
-          s[i/2] = byte.chr           #   store the converted byte
-        end
-      end
-      RSA.new(session[:carapace_private_key],nil).private_decrypt(s) # perform the decryption
-    else
-      force_decrypt ? nil : string    # input is unencrypted - return input 
-    end                               # return error if decryption was forced 
-
-  end
-  
-  # Decrypt a string. The return value is the decrypted string
-  # The string is decrypted in-situ, meaning its value is modified
-  # (warning, this does not call any customer accessor (e.g. "password=")
-  # so any custom code (such as password hashing) will not execute.)
-  #
-  def carapace_decrypt!(string, force_decrypt=false) #:doc:
-    decrypted_string = carapace_decrypt(string, force_decrypt)
-    string.replace decrypted_string unless !decrypted_string
-  end
-
-    private
-  
-  # Helper method for use in the view rhtml to insert Carapace Javascript
-  # The javascript is added to a page once, no matter how often this is called.
-  #
-  def carapace_javascript #:doc:
-    unless @carapace_javascript_written
-      session[:carapace_nonce] = Time.now.to_i.to_s.reverse.crypt(rand.to_s.reverse[0,2])
-      @carapace_javascript_written = true
-      return "<script type='text/javascript'>
-        carapace_modulus = \"#{session[:carapace_public_modulus]}\" ;
-        carapace_exponent = \"#{session[:carapace_public_exponent]}\" ;
-        document.cookie = \"carapace_nonce=#{session[:carapace_nonce]}; path=/\";
-        //alert(\"Session:#{session[:carapace_nonce]}\\nCookie:\"+document.cookie)
-        rsa = new RSAKey();
-        rsa.setPublic(carapace_modulus, carapace_exponent);
-
-        function carapace_encrypt(field)
-        {
-          field.value = rsa.encrypt(field.value);
-        }
-        </script>"
-    end 
-  end
-  
-  # Returns TRUE if Carapace was enabled on the view. This does not mean that
-  # data was encrypted, just that Carapace Javascript was executed by the
-  # user's browser, making the Carapace encryption services available. This
-  # will be TRUE if everything is set up correctly AND the user's browser has
-  # Javascript enabled
-  #
-  # This can be used to protect against accepting plaintext 
-  # transmissions when the user's browser has Javascript disabled.
-  # 
-  def carapace_enabled? #:doc:
-        cookies["carapace_nonce"]==session[:carapace_nonce]
-  end
-
-  # This is called when Carapace is included in a controller.
-  # It automatically sets upn the Carapace Javascript helper.
-  def self.included(c)
-	  #c.RAILS_DEFAULT_LOGGER.debug "Carapace has been included by #{c.class}"
-    if (c.class == Class)
-      c.helper_method :carapace_javascript
-    end
-  end
-end
+require 'carapace/engine'
+require 'carapace/carapace'

data/lib/carapace/carapace.rb

@@ -0,0 +1,124 @@
+module Carapace
+  
+  require 'openssl'
+  include OpenSSL
+  include PKey
+  include Cipher if RUBY_VERSION < "1.8.7"
+
+  @carapace_javascript_written = false
+
+#  Until I can get the below to work it will need to be done in the contoller
+#  helper_method :carapace_javascript
+
+
+  private
+  
+  HEX = { 'a' => 10, 'b' => 11, 'c' => 12, 'd' => 13, 'e' => 14, 'f' => 15 } #:nodoc:
+
+  # Pass as parameter to carapace_decrypt to ensure decryption occurs or force error
+  CARAPACE_FORCE_DECRYPT = true                                              
+  
+  # Start a Carapace session.
+  #
+  # A Carapace session allows a Rails action to display and process 
+  # an HTML form that returns encrypted fields. The action must start a session 
+  # for both the initial display and the post-processing of the request.
+  # 
+  # Encryption is performed using a 1024 bit RSA key (or other key 
+  # length as specified by the optional parameter)
+  #
+  def carapace_session(key_length=1024) #:doc:
+    unless session[:carapace_private_key]
+      key = RSA.new(key_length)
+      session[:carapace_private_key]     = key.to_s
+      session[:carapace_public_modulus]  = key.public_key.n.to_s(base=16)
+      session[:carapace_public_exponent] = key.public_key.e.to_s(base=16)
+    end
+  end
+
+  # Decrypt a string. The return value is the decrypted string.
+  # If the string was not encrypted by the browser it is returned as-is
+  # unless the force_decrypt parameter is given as CARAPACE_FORCE_DECRYPT
+  # in which case nil is returned
+  #
+  # CARAPACE_FORCE_DECRYPT can be used to protect against accepting plaintext 
+  # transmissions when the user's browser has Javascript disabled.
+  #
+  def carapace_decrypt(string, force_decrypt=false) #:doc:
+    if carapace_enabled? then         # only decrypt if browser was enabled
+      byte = 0                        # the converted byte will go here
+      s = "".rjust(string.length/2)   # string to receive converted bytes
+      0.upto(string.length-1) do |i|  # iterate through string one chr at a time
+        ch = string[i].chr            #   current character
+        nibble = HEX[ch] || ch.to_i   #   converted to its binary value
+        if i%2 == 0 then              
+          byte = nibble << 4          #   most significant nibble is bits 5-8
+        else
+          byte += nibble              #   lease significant nibble is bits 1-4
+          s[i/2] = byte.chr           #   store the converted byte
+        end
+      end
+      RSA.new(session[:carapace_private_key],nil).private_decrypt(s) # perform the decryption
+    else
+      force_decrypt ? nil : string    # input is unencrypted - return input 
+    end                               # return error if decryption was forced 
+
+  end
+  
+  # Decrypt a string. The return value is the decrypted string
+  # The string is decrypted in-situ, meaning its value is modified
+  # (warning, this does not call any customer accessor (e.g. "password=")
+  # so any custom code (such as password hashing) will not execute.)
+  #
+  def carapace_decrypt!(string, force_decrypt=false) #:doc:
+    decrypted_string = carapace_decrypt(string, force_decrypt)
+    string.replace decrypted_string unless !decrypted_string
+  end
+
+    private
+  
+  # Helper method for use in the view rhtml to insert Carapace Javascript
+  # The javascript is added to a page once, no matter how often this is called.
+  #
+  def carapace_javascript #:doc:
+    unless @carapace_javascript_written
+      session[:carapace_nonce] = Time.now.to_i.to_s.reverse.crypt(rand.to_s.reverse[0,2])
+      @carapace_javascript_written = true
+      return "<script type='text/javascript'>
+        carapace_modulus = \"#{session[:carapace_public_modulus]}\" ;
+        carapace_exponent = \"#{session[:carapace_public_exponent]}\" ;
+        document.cookie = \"carapace_nonce=#{session[:carapace_nonce]}; path=/\";
+        //alert(\"Session:#{session[:carapace_nonce]}\\nCookie:\"+document.cookie)
+        rsa = new RSAKey();
+        rsa.setPublic(carapace_modulus, carapace_exponent);
+
+        function carapace_encrypt(field)
+        {
+          field.value = rsa.encrypt(field.value);
+        }
+        </script>".html_safe
+    end 
+  end
+  
+  # Returns TRUE if Carapace was enabled on the view. This does not mean that
+  # data was encrypted, just that Carapace Javascript was executed by the
+  # user's browser, making the Carapace encryption services available. This
+  # will be TRUE if everything is set up correctly AND the user's browser has
+  # Javascript enabled
+  #
+  # This can be used to protect against accepting plaintext 
+  # transmissions when the user's browser has Javascript disabled.
+  # 
+  def carapace_enabled? #:doc:
+        cookies["carapace_nonce"]==session[:carapace_nonce]
+  end
+
+  # This is called when Carapace is included in a controller.
+  # It automatically sets upn the Carapace Javascript helper.
+  def self.included(c)
+	  #c.RAILS_DEFAULT_LOGGER.debug "Carapace has been included by #{c.class}"
+    if (c.class == Class)
+      c.helper_method :carapace_javascript
+    end
+  end
+end