clarion 0.1.0

data/app/views/authn.erb

@@ -0,0 +1,51 @@
+<style type="text/css">
+  #procession > div {
+    display: none;
+  }
+  #procession.procession_init > div.procession_init {
+    display: block;
+  }
+  #procession.procession_unsupported > div.procession_unsupported {
+    display: block;
+  }
+  #procession.procession_wait > div.procession_wait {
+    display: block;
+  }
+  #procession.procession_contact > div.procession_contact {
+    display: block;
+  }
+  #procession.procession_ok > div.procession_ok {
+    display: block;
+  }
+  #procession.procession_error > div.procession_error {
+    display: block;
+  }
+</style>
+
+<p class='center'><strong>U2F 2FA <%- if @authn.name -%> for <%= @authn.name %><%- end -%></strong></p>
+<div id="procession" class="procession_init" data-authn-id="<%= @authn.id %>" data-app-id="<%= @app_id %>" data-requests='<%= @requests.to_json %>' data-challenge='<%= @challenge.to_json %>' data-req-id='<%= @req_id %>'>
+  <div class="procession_init">
+    <p>Initializing...</p>
+  </div>
+  <div class="procession_unsupported">
+    <p>You have to use browser supporting FIDO U2F</p>
+  </div>
+  <div class="procession_wait">
+    <p>Insert and tap your security key.</p>
+  </div>
+  <div class="procession_contact">
+    <p>Contacting...</p>
+  </div>
+  <div class="procession_ok">
+    <p>OK: You may now close this page.</p>
+  </div>
+  <div class="procession_error">
+    <p>Error: Reload and try again?</p>
+  </div>
+</div>
+<%- if @authn.comment -%>
+<p><small><%= @authn.comment %></small></p>
+<%- end -%>
+
+
+<script src="/sign.js"></script>

data/app/views/layout.erb

@@ -0,0 +1,128 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset='utf-8'>
+    <title>Clarion</title>
+    <style type="text/css">
+      * {
+        font-family: 'Avenir Next', sans-serif;
+        font-size: 16px;
+      }
+      pre, code {
+        font-family: 'Monaco', monospace;
+      }
+      pre, pre code {
+        width: 100%;
+        white-space: pre-wrap;
+        word-wrap: break-word;
+        font-size: 14px;
+      }
+      strong {
+        font-weight: bold;
+      }
+      small {
+        font-size: 12px;
+      }
+
+      .center {
+        text-align: center;
+      }
+
+      body {
+        text-align: center;
+        background-color: white;
+      }
+
+      .hidden {
+        display: none;
+      }
+
+      .container {
+        margin-left: auto;
+        margin-right: auto;
+        width: 400px;
+        text-align: left;
+        padding-top: 12px;
+      }
+
+      .box, .form, .notice, .error {
+        border-radius: 3px;
+        margin-bottom: 12px;
+        padding: 8px 20px;
+      }
+
+      .box {
+        padding: 12px 20px;
+        border: 1px solid #ddd;
+        background-color: white;
+      }
+
+      .notice {
+        border: 1px solid #D6E9C6;
+        background-color: #DFF0D8;
+        color: #3C763D;
+      }
+
+      .error {
+        border: 1px solid #EBCCD1;
+        background-color: #F2DEDE;
+        color: #A94442;
+      }
+
+
+      .box input, .box button {
+        width: 100%;
+        -moz-box-sizing: border-box;
+        -webkit-box-sizing: border-box;
+        box-sizing: border-box;
+
+        font-size: 20px;
+        padding: 6px 4px;
+
+        border: 1px solid #e9e9e9;
+        border-radius: 3px;
+      }
+
+      input[type="submit"], button {
+        background-color: #337AB7;
+        color: white;
+      }
+
+      input[type="submit"]:hover, button:hover {
+        background-color: #286090;
+      }
+
+      .credit {
+        text-align: center;
+      }
+
+      .credit, .credit * {
+        color: #767676;
+        font-size: 12px;
+      }
+    </style>
+    <script src="/u2f-api.js"></script>
+  </head>
+
+  <body>
+    <div class="container">
+      <% notice ||= nil; error ||= nil %>
+      <% if notice %>
+        <div class="notice"><%= notice %></div>
+      <% end %>
+
+      <% if error %>
+        <div class="error"><%= error %></div>
+      <% end %>
+
+      <div class="box">
+        <%== yield %>
+      </div>
+
+      <div class="credit">
+        Powered by <a href="https://github.com/sorah/clarion">sorah/clarion</a>
+      </div>
+    </div>
+
+  <body>
+  </body>

data/app/views/register.erb

@@ -0,0 +1,55 @@
+<style type="text/css">
+  #procession > div {
+    display: none;
+  }
+  #procession.procession_init > div.procession_init {
+    display: block;
+  }
+  #procession.procession_unsupported > div.procession_unsupported {
+    display: block;
+  }
+  #procession.procession_wait > div.procession_wait {
+    display: block;
+  }
+  #procession.procession_contact > div.procession_contact {
+    display: block;
+  }
+  #procession.procession_ok > div.procession_ok {
+    display: block;
+  }
+  #procession.procession_error > div.procession_error {
+    display: block;
+  }
+</style>
+
+<p><strong>U2F key registration<%- if @name -%> for <%= @name %><%- end -%></strong></p>
+<div id="procession" class="procession_init" data-app-id="<%= @app_id %>" data-requests='<%= @requests.to_json %>' data-state='<%= @state %>' data-callback='<%= @callback %>' data-reg-id='<%= @reg_id %>'>
+  <form id="callback_form" class="hidden" method='POST'>
+    <input type="hidden" name="state" value="<%= @state %>">
+    <input type="hidden" name="data" value="">
+  </form>
+  <div class="procession_init">
+    <p>Loading...</p>
+  </div>
+  <div class="procession_unsupported">
+    <p>You have to use browser supporting FIDO U2F</p>
+  </div>
+  <div class="procession_wait">
+    <p>Insert and tap your security key.</p>
+  </div>
+  <div class="procession_contact">
+    <p>Contacting...</p>
+  </div>
+  <div class="procession_ok">
+    <p>OK...</p>
+  </div>
+  <div class="procession_error">
+    <p>Error: try again from the previous page?</p>
+  </div>
+</div>
+<%- if @comment -%>
+<p><small><%= @comment %></small></p>
+<%- end -%>
+
+
+<script src="/register.js"></script>

data/app/views/test.erb

@@ -0,0 +1,35 @@
+<form action="<%= @register_url %>" method="POST">
+  <input type="hidden" name="name" value="<%= @name %>">
+  <input type="hidden" name="comment" value="<%= @comment %>">
+  <input type="hidden" name="state" value="<%= @state%>">
+  <input type="hidden" name="callback" value="<%= @callback %>">
+  <input type="hidden" name="public_key" value="<%= @public_key %>">
+  <input type="submit" value="Register (POST)">
+</form>
+
+<form id="callback_form" class="hidden" method='POST' action="/test/callback">
+  <input type="hidden" name="state" value="">
+  <input type="hidden" name="data" value="">
+</form>
+
+<button id="register_cb_button" data-url="/register?<%= URI.encode_www_form(name: @name, comment: @comment, state: @state, callback: "js:#{request.base_url}", public_key: @public_key)%>">Register (JS callback)</button>
+<script>
+"use strict";
+document.addEventListener("DOMContentLoaded", function() {
+  window.addEventListener("message", function(event) {
+    console.log(event.data);
+    if (event.data.clarion_key) {
+      let data = event.data.clarion_key;
+      let form = document.getElementById("callback_form");
+      form.querySelector('[name=state]').value = data.state;
+      form.querySelector('[name=data]').value = data.data;
+      form.submit();
+    }
+  }, false);
+
+  let button = document.getElementById("register_cb_button");
+  button.addEventListener("click", function() {
+    window.open(button.attributes['data-url'].value, '_blank');
+  });
+});
+</script>

data/app/views/test_callback.erb

@@ -0,0 +1,10 @@
+<pre><code><%= @key.to_json(:all) %></code></pre>
+
+<button id="start_authn_button">Create Authn</button>
+<button class='hidden' id="open_authn_button">Open Authn</button>
+<pre>
+<code id="authn_test" data-key='<%= @key.to_json(:all) %>'>
+</code>
+</pre>
+
+<script src="/test.js"></script>

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "clarion"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/bin/test-authn

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require 'net/http'
+require 'net/https'
+require 'uri'
+
+base = ARGV[0]
+unless base
+  abort "Usage: #{$0} url"
+end
+
+

data/clarion.gemspec

@@ -0,0 +1,32 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "clarion/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "clarion"
+  spec.version       = Clarion::VERSION
+  spec.authors       = ["Sorah Fukumori"]
+  spec.email         = ["sorah@cookpad.com"]
+
+  spec.summary       = %q{Web-based FIDO U2F Helper for CLI operations (SSH login...)}
+  spec.homepage      = "https://github.com/sorah/clarion"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "u2f"
+  spec.add_dependency "sinatra"
+  spec.add_dependency "erubis"
+  spec.add_dependency "aws-sdk-s3"
+  spec.add_dependency "aws-sdk-dynamodb"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

data/config.ru

@@ -0,0 +1,63 @@
+require 'bundler/setup'
+require 'securerandom'
+
+require 'clarion'
+
+if ENV['RACK_ENV'] == 'production'
+  raise 'Set $SECRET_KEY_BASE' unless ENV['SECRET_KEY_BASE']
+end
+
+if ENV['CLARION_DEV_HTTPS']
+  use(Class.new do
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      @app.call env.merge('HTTPS' => 'on')
+    end
+  end)
+end
+
+config = {
+  registration_allowed_url: Regexp.new(ENV.fetch('CLARION_REGISTRATION_ALLOWED_URL')),
+  authn_default_expires_in: ENV.fetch('CLARION_AUTHN_DEFAULT_EXPIRES_IN', 300).to_i,
+}
+
+case ENV.fetch('CLARION_STORE', 's3')
+when 's3'
+  config[:store] = {
+    kind: :s3,
+    region: ENV.fetch('CLARION_STORE_S3_REGION'),
+    bucket: ENV.fetch('CLARION_STORE_S3_BUCKET'),
+    prefix: ENV.fetch('CLARION_STORE_S3_PREFIX'),
+  }
+when 'memory'
+  config[:store] = {kind: :memory}
+else
+  raise ArgumentError, "Unsupported $CLARION_STORE"
+end
+
+case ENV.fetch('CLARION_COUNTER', nil)
+when 'dynamodb'
+  config[:counter] = {
+    kind: :dynamodb,
+    region: ENV.fetch('CLARION_COUNTER_DYNAMODB_REGION'),
+    table_name: ENV.fetch('CLARION_COUNTER_DYNAMODB_TABLE'),
+  }
+when 'memory'
+  config[:counter] = {kind: :memory}
+when nil
+  # do nothing
+else
+  raise ArgumentError, "Unsupported $CLARION_COUNTER"
+end
+
+use(
+  Rack::Session::Cookie,
+  key: 'clarionsess',
+  expire_after: 3600,
+  secure: ENV['RACK_ENV'] == 'production',
+  secret: ENV.fetch('SECRET_KEY_BASE', SecureRandom.base64(256)),
+)
+
+run Clarion.app(Clarion::Config.new(config))

data/dev.rb

@@ -0,0 +1,30 @@
+#!/usr/bin/env ruby
+require 'bundler/setup'
+require 'webrick'
+require 'webrick/ssl'
+require 'logger'
+require 'rack'
+ENV['RACK_ENV'] = 'development'
+ENV['CLARION_DEV_HTTPS']='1'
+ENV['CLARION_REGISTRATION_ALLOWED_URL']='.+'
+
+ENV['CLARION_STORE']='memory'
+ENV['CLARION_COUNTER']='memory'
+
+
+app, _ = Rack::Builder.parse_file(File.join(__dir__, 'config.ru'))
+
+rack_options = {
+  app: app,
+  Port: ENV.fetch('PORT', 3000).to_i,
+  Host: ENV.fetch('BIND', '127.0.0.1'),
+  environment: 'development',
+  server: 'webrick',
+  Logger: Logger.new($stdout),#.tap { |_|  _.level = Logger::DEBUG },
+  SSLEnable: true,
+  SSLCertName: 'CN=localhost',
+  SSLCertComment: 'dummy',
+  SSLStartImmediately: true,
+}
+server = Rack::Server.new(rack_options)
+server.start