clarion 0.1.0

data/lib/clarion/authn.rb

@@ -0,0 +1,106 @@
+require 'time'
+require 'securerandom'
+require 'clarion/key'
+
+module Clarion
+  class Authn
+    STATUSES = %i(open verified)
+
+    class << self
+      def make(**kwargs)
+        kwargs.delete(:id)
+        new(
+          id: random_id,
+          created_at: Time.now,
+          **kwargs,
+        )
+      end
+
+      def random_id
+        SecureRandom.urlsafe_base64(64)
+      end
+    end
+
+    def initialize(id:, name: nil, comment: nil, keys: [], created_at:, expires_at:, status:, verified_at: nil, verified_key: nil)
+      @id = id
+      @name = name
+      @comment = comment
+      @keys = keys.map{ |_| _.is_a?(Hash) ? Key.new(**_) : _}
+      @created_at = created_at
+      @expires_at = expires_at
+      @status = status.to_sym
+      @verified_at = verified_at
+      @verified_key = verified_key.is_a?(Hash) ? Key.new(**verified_key) : verified_key
+
+      @created_at = Time.xmlschema(@created_at) if @created_at && @created_at.is_a?(String)
+      @expires_at = Time.xmlschema(@expires_at) if @expires_at && @expires_at.is_a?(String)
+      @verified_at = Time.xmlschema(@verified_at) if @verified_at && @verified_at.is_a?(String)
+
+      raise ArgumentError, ":status not valid" unless STATUSES.include?(@status)
+    end
+
+    attr_reader :id, :name, :comment
+    attr_reader :keys
+    attr_reader :created_at
+    attr_reader :expires_at
+    attr_reader :status
+    attr_reader :verified_at, :verified_key
+
+    def expired?
+      Time.now > expires_at
+    end
+
+    def open?
+      status == :open
+    end
+
+    def verified?
+      status == :verified
+    end
+
+    def key_for_handle(handle)
+      keys.find { |_| _.handle == handle }
+    end
+
+    def verify(key, verified_at: Time.now)
+      unless key_for_handle(key.handle)
+        return false
+      end
+      @verified_at = verified_at
+      @verified_key = key
+      @status = :verified
+      true
+    end
+
+    def to_h(all=false)
+      {
+        id: id,
+        status: status,
+        name: name,
+        comment: comment,
+        created_at: created_at,
+        expires_at: expires_at,
+      }.tap do |h|
+        if verified_key
+          h[:verified_at] = verified_at
+          h[:verified_key] = verified_key.to_h(all)
+        end
+        if all
+          h[:keys] = keys.map{ |_| _.to_h(all) }
+        end
+      end
+    end
+
+    def as_json(*args)
+      to_h(*args).tap { |_|
+        _[:created_at] = _[:created_at].xmlschema if _[:created_at]
+        _[:verified_at] = _[:verified_at].xmlschema if _[:verified_at]
+        _[:expires_at] = _[:expires_at].xmlschema if _[:expires_at]
+      }
+    end
+
+    def to_json(*args)
+      as_json(*args).to_json
+    end
+  end
+end

data/lib/clarion/config.rb

@@ -0,0 +1,58 @@
+require 'clarion/stores'
+require 'clarion/counters'
+
+module Clarion
+  class Config
+    class << self
+      def option(meth)
+        options << meth
+      end
+
+      def options
+        @options ||= []
+      end
+    end
+
+    def initialize(options={})
+      @options = options
+
+      # Validation
+      self.class.options.each do |m|
+        send(m)
+      end
+    end
+
+    attr_reader :options
+
+    option def registration_allowed_url
+      @options.fetch(:registration_allowed_url)
+    end
+
+    option def authn_default_expires_in
+      @options.fetch(:authn_default_expires_in, 300).to_i
+    end
+
+    option def app_id
+      @options[:app_id]
+    end
+
+    option def store
+      @store ||= Clarion::Stores.find(@options.fetch(:store).fetch(:kind)).new(store_options)
+    end
+
+    def store_options
+      @store_options ||= @options.fetch(:store).dup.tap { |_| _.delete(:kind) }
+    end
+
+    option def counter
+      if @options[:counter]
+        @counter ||= Clarion::Counters.find(@options.fetch(:counter).fetch(:kind)).new(counter_options)
+      end
+    end
+
+    def counter_options
+      @counter_options ||= @options.fetch(:counter).dup.tap { |_| _.delete(:kind) }
+    end
+
+  end
+end

data/lib/clarion/const_finder.rb

@@ -0,0 +1,24 @@
+module Clarion
+  module ConstFinder
+    def self.find(const, prefix, name)
+      retried = false
+      constant_name = name.to_s.gsub(/\A.|_./) { |s| s[-1].upcase }
+
+      begin
+        const.const_get constant_name, false
+      rescue NameError
+        unless retried
+          begin
+            require "#{prefix}/#{name}"
+          rescue LoadError
+          end
+
+          retried = true
+          retry
+        end
+
+        nil
+      end
+    end
+  end
+end

data/lib/clarion/counters.rb

@@ -0,0 +1,9 @@
+require 'clarion/const_finder'
+
+module Clarion
+  module Counters
+    def self.find(name)
+      ConstFinder.find(self, 'clarion/counters', name)
+    end
+  end
+end

data/lib/clarion/counters/base.rb

@@ -0,0 +1,17 @@
+module Clarion
+  module Counters
+    class Base
+      def initialize(options={})
+        @options = options
+      end
+
+      def get(key)
+        raise NotImplementedError
+      end
+
+      def store(key)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/clarion/counters/dynamodb.rb

@@ -0,0 +1,45 @@
+require 'aws-sdk-dynamodb'
+require 'clarion/counters/base'
+
+module Clarion
+  module Counters
+    class Dynamodb < Base
+      def initialize(table_name:, region:)
+        @table_name = table_name
+        @region = region
+      end
+
+      def get(key)
+        item = table.query(
+          limit: 1,
+          select: 'ALL_ATTRIBUTES',
+          key_condition_expression: 'handle = :handle',
+          expression_attribute_values: {":handle" => key.handle},
+        ).items.first
+
+        item && item['key_counter']
+      end
+
+      def store(key)
+        table.update_item(
+          key: {
+            'handle' => key.handle,
+          },
+          update_expression: 'SET key_counter = :new',
+          condition_expression: 'attribute_not_exists(key_counter) OR key_counter < :new',
+          expression_attribute_values: {':new' => key.counter},
+        )
+      rescue Aws::DynamoDB::Errors::ConditionalCheckFailedException
+      end
+
+      def table
+        @table ||= dynamodb.table(@table_name)
+      end
+
+      def dynamodb
+        @dynamodb ||= Aws::DynamoDB::Resource.new(region: @region)
+      end
+
+    end
+  end
+end

data/lib/clarion/counters/memory.rb

@@ -0,0 +1,29 @@
+require 'thread'
+require 'clarion/counters/base'
+
+module Clarion
+  module Counters
+    class Memory < Base
+      def initialize(*)
+        super
+        @lock = Mutex.new
+        @counters = {}
+      end
+
+      def get(key)
+        @lock.synchronize do
+          @counters[key.handle]
+        end
+      end
+
+      def store(key)
+        @lock.synchronize do
+          counter = @counters[key.handle]
+          if !counter || key.counter > counter
+            @counters[key.handle] = key.counter
+          end
+        end
+      end
+    end
+  end
+end

data/lib/clarion/key.rb

@@ -0,0 +1,76 @@
+module Clarion
+  class Key
+    CIPHER_ALGO = 'aes-256-gcm'
+    def self.from_encrypted_json(private_key, json)
+      payload = JSON.parse(json, symbolize_names: true)
+      encrypted_data = payload.fetch(:data).unpack('m*')[0]
+      encrypted_shared_key = payload.fetch(:key).unpack('m*')[0]
+
+      shared_key_json = private_key.private_decrypt(encrypted_shared_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+      shared_key_info = JSON.parse(shared_key_json, symbolize_names: true)
+      iv = shared_key_info.fetch(:iv).unpack('m*')[0]
+      shared_key = shared_key_info.fetch(:key).unpack('m*')[0]
+      tag = shared_key_info.fetch(:tag).unpack('m*')[0]
+
+      cipher = OpenSSL::Cipher.new(CIPHER_ALGO).tap do |c|
+          c.decrypt
+          c.key = shared_key
+          c.iv = iv
+          c.auth_data = ''
+          c.auth_tag = tag
+      end
+
+      key_json = cipher.update(encrypted_data)
+      key_json << cipher.final
+      key = JSON.parse(key_json, symbolize_names: true)
+      new(**key)
+    end
+
+    def initialize(handle:, name: nil, public_key: nil, counter: nil)
+      @handle = handle
+      @name = name
+      @public_key = public_key
+      @counter = counter
+    end
+
+    attr_reader :handle, :name, :public_key
+    attr_accessor :counter
+
+    def to_h(all=false)
+      {
+        handle: handle,
+      }.tap do |h|
+        h[:name] = name if name
+        h[:counter] = counter if counter
+        if all
+          h[:public_key] = public_key if public_key
+        end
+      end
+    end
+
+    def to_json(*args)
+      to_h(*args).to_json
+    end
+
+    def to_encrypted_json(public_key, *args)
+      cipher = OpenSSL::Cipher.new(CIPHER_ALGO)
+      shared_key = OpenSSL::Random.random_bytes(cipher.key_len)
+      cipher.encrypt
+      cipher.key = shared_key
+      cipher.iv = iv = cipher.random_iv
+      cipher.auth_data = ''
+
+      json = to_json(*args)
+
+      ciphertext = cipher.update(json)
+      ciphertext << cipher.final
+
+      encrypted_key = public_key.public_encrypt({
+        iv: [iv].pack('m*').gsub(/\r?\n/,''),
+        tag: [cipher.auth_tag].pack('m*').gsub(/\r?\n/,''),
+        key: [shared_key].pack('m*').gsub(/\r?\n/,''),
+      }.to_json, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
+      {data: [ciphertext].pack('m*'), key: [encrypted_key].pack('m*')}.to_json
+    end
+  end
+end

data/lib/clarion/registrator.rb

@@ -0,0 +1,26 @@
+require 'clarion/key'
+
+module Clarion
+  class Registrator
+    def initialize(u2f, counter)
+      @u2f = u2f
+      @counter = counter
+    end
+
+    attr_reader :u2f, :counter
+
+    def request
+      [u2f.app_id, u2f.registration_requests]
+    end
+
+    def register!(challenges, response_json)
+      response = U2F::RegisterResponse.load_from_json(response_json)
+      reg = u2f.register!(challenges, response)
+      key = Key.new(handle: reg.key_handle, public_key: reg.public_key, counter: reg.counter)
+      if counter
+        counter.store(key)
+      end
+      key
+    end
+  end
+end

data/lib/clarion/stores.rb

@@ -0,0 +1,9 @@
+require 'clarion/const_finder'
+
+module Clarion
+  module Stores
+    def self.find(name)
+      ConstFinder.find(self, 'clarion/stores', name)
+    end
+  end
+end

data/lib/clarion/stores/base.rb

@@ -0,0 +1,17 @@
+module Clarion
+  module Stores
+    class Base
+      def initialize(options={})
+        @options = options
+      end
+
+      def store_authn(authn)
+        raise NotImplementedError
+      end
+
+      def find_authn(id)
+        raise NotImplementedError
+      end
+    end
+  end
+end

data/lib/clarion/stores/memory.rb

@@ -0,0 +1,30 @@
+require 'thread'
+require 'clarion/stores/base'
+require 'clarion/authn'
+
+module Clarion
+  module Stores
+    class Memory < Base
+      def initialize(*)
+        super
+        @lock = Mutex.new
+        @store = {}
+      end
+
+      def store_authn(authn)
+        @lock.synchronize do
+          @store[authn.id] = authn.to_h(:all)
+        end
+      end
+
+      def find_authn(id)
+        @lock.synchronize do
+          unless @store.key?(id)
+            return nil
+          end
+          Authn.new(**@store[id])
+        end
+      end
+    end
+  end
+end