darrrr 0.0.3 → 0.1.0

data/lib/darrrr/serialization/recovery_token_reader.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Darrrr
+  class RecoveryTokenReader < BinData::Record
+    uint8 :version
+    uint8 :token_type
+    array :token_id, :type => :uint8, :read_until => lambda { index + 1 == Darrrr::TOKEN_ID_BYTE_LENGTH }
+    uint8 :options
+    uint16be :issuer_length
+    string :issuer, :read_length => :issuer_length
+    uint16be :audience_length
+    string :audience, :read_length => :audience_length
+    uint16be :issued_time_length
+    string :issued_time, :read_length => :issued_time_length
+    uint16be :data_length
+    string :data, :read_length => :data_length
+    uint16be :binding_data_length
+    string :binding_data, :read_length => :binding_data_length
+  end
+end

data/lib/darrrr/serialization/recovery_token_writer.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Darrrr
+  class RecoveryTokenWriter < BinData::Record
+    uint8 :version
+    uint8 :token_type
+    array :token_id, :type => :uint8, :initial_length => Darrrr::TOKEN_ID_BYTE_LENGTH
+    uint8 :options
+    uint16be :issuer_length, :value => lambda { issuer.length }
+    string :issuer
+    uint16be :audience_length, :value => lambda { audience.length }
+    string :audience
+    uint16be :issued_time_length, :value => lambda { issued_time.length }
+    string :issued_time
+    uint16be :data_length, :value => lambda { data.length }
+    string :data
+    uint16be :binding_data_length, :value => lambda { binding_data.length }
+    string :binding_data
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: darrrr
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.1.0
 platform: ruby
 authors:
 - Neil Matatall
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-04-25 00:00:00.000000000 Z
+date: 2017-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -90,21 +90,20 @@ files:
 - README.md
 - Rakefile
 - lib/darrrr.rb
-- lib/github/delegated_account_recovery.rb
-- lib/github/delegated_account_recovery/account_provider.rb
-- lib/github/delegated_account_recovery/constants.rb
-- lib/github/delegated_account_recovery/crypto_helper.rb
-- lib/github/delegated_account_recovery/cryptors/default/default_encryptor.rb
-- lib/github/delegated_account_recovery/cryptors/default/encrypted_data.rb
-- lib/github/delegated_account_recovery/cryptors/default/encrypted_data_io.rb
-- lib/github/delegated_account_recovery/provider.rb
-- lib/github/delegated_account_recovery/recovery_provider.rb
-- lib/github/delegated_account_recovery/recovery_token.rb
-- lib/github/delegated_account_recovery/serialization/recovery_token_reader.rb
-- lib/github/delegated_account_recovery/serialization/recovery_token_writer.rb
-- lib/github/delegated_account_recovery/version.rb
-homepage: http://github.com/oreoshake/darrrr
-licenses: []
+- lib/darrrr/account_provider.rb
+- lib/darrrr/constants.rb
+- lib/darrrr/crypto_helper.rb
+- lib/darrrr/cryptors/default/default_encryptor.rb
+- lib/darrrr/cryptors/default/encrypted_data.rb
+- lib/darrrr/cryptors/default/encrypted_data_io.rb
+- lib/darrrr/provider.rb
+- lib/darrrr/recovery_provider.rb
+- lib/darrrr/recovery_token.rb
+- lib/darrrr/serialization/recovery_token_reader.rb
+- lib/darrrr/serialization/recovery_token_writer.rb
+homepage: http://github.com/github/darrrr
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -122,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.10
 signing_key: 
 specification_version: 4
 summary: Client library for the Delegated Recovery spec

data/lib/github/delegated_account_recovery.rb

@@ -1,178 +0,0 @@
-# frozen_string_literal: true
-
-require "bindata"
-require "openssl"
-
-require_relative "delegated_account_recovery/constants"
-require_relative "delegated_account_recovery/crypto_helper"
-require_relative "delegated_account_recovery/recovery_token"
-require_relative "delegated_account_recovery/provider"
-require_relative "delegated_account_recovery/account_provider"
-require_relative "delegated_account_recovery/recovery_provider"
-require_relative "delegated_account_recovery/serialization/recovery_token_writer"
-require_relative "delegated_account_recovery/serialization/recovery_token_reader"
-require_relative "delegated_account_recovery/cryptors/default/default_encryptor"
-require_relative "delegated_account_recovery/cryptors/default/encrypted_data"
-require_relative "delegated_account_recovery/cryptors/default/encrypted_data_io"
-
-module GitHub
-  module DelegatedAccountRecovery
-    # Represents a binary serialization error
-    class RecoveryTokenSerializationError < StandardError; end
-
-    # Represents invalid data within a valid token
-    #  (e.g. wrong `version` number, invalid token `type`)
-    class TokenFormatError < StandardError; end
-
-    # Represents all crypto errors
-    #   (e.g. invalid keys, invalid signature, decrypt failures)
-    class CryptoError < StandardError; end
-
-    # Represents providers supplying invalid configurations
-    #  (e.g. non-https URLs, missing required fields, http errors)
-    class ProviderConfigError < StandardError; end
-
-    # Represents an invalid countersigned recovery token.
-    #  (e.g. invalid signature, invalid nested token, unregistered provider, stale tokens)
-    class CountersignedTokenError < StandardError
-      attr_reader :key
-      def initialize(message, key)
-        super(message)
-        @key = key
-      end
-    end
-
-    # Represents an invalid recovery token.
-    #  (e.g. invalid signature, unregistered provider, stale tokens)
-    class RecoveryTokenError < StandardError; end
-
-    # Represents a call to to `recovery_provider` or `account_provider` that
-    # has not been registered.
-    class UnknownProviderError < ArgumentError; end
-
-    include Constants
-
-    class << self
-      REQUIRED_CRYPTO_OPS = [:sign, :verify, :encrypt, :decrypt].freeze
-      # recovery provider data is only loaded (and cached) upon use.
-      attr_accessor :recovery_providers, :account_providers, :cache, :allow_unsafe_urls,
-        :privacy_policy, :icon_152px, :authority
-
-      # Find and load remote recovery provider configuration data.
-      #
-      # provider_origin: the origin that contains the config data in a well-known
-      # location.
-      def recovery_provider(provider_origin)
-        unless self.recovery_providers
-          raise "No recovery providers configured"
-        end
-        if self.recovery_providers.include?(provider_origin)
-          RecoveryProvider.new(provider_origin).load
-        else
-          raise UnknownProviderError, "Unknown recovery provider: #{provider_origin}"
-        end
-      end
-
-      # Permit an origin to act as a recovery provider.
-      #
-      # provider_origin: the origin to permit
-      def register_recovery_provider(provider_origin)
-        self.recovery_providers ||= []
-        self.recovery_providers << provider_origin
-      end
-
-      # Find and load remote account provider configuration data.
-      #
-      # provider_origin: the origin that contains the config data in a well-known
-      # location.
-      def account_provider(provider_origin)
-        unless self.account_providers
-          raise "No account providers configured"
-        end
-        if self.account_providers.include?(provider_origin)
-          AccountProvider.new(provider_origin).load
-        else
-          raise UnknownProviderError, "Unknown account provider: #{provider_origin}"
-        end
-      end
-
-      # Permit an origin to act as an account provider.
-      #
-      # account_origin: the origin to permit
-      def register_account_provider(account_origin)
-        self.account_providers ||= []
-        self.account_providers << account_origin
-      end
-
-      # Provide a reference to the account provider configuration for this web app
-      def this_account_provider
-        AccountProvider.this
-      end
-
-      # Provide a reference to the recovery provider configuration for this web app
-      def this_recovery_provider
-        RecoveryProvider.this
-      end
-
-      # Returns a hash of all configuration values, recovery and account provider.
-      def account_and_recovery_provider_config
-        provider_data = Darrrr.this_account_provider.try(:to_h) || {}
-
-        if Darrrr.this_recovery_provider
-          provider_data.merge!(recovery_provider_config) do |key, lhs, rhs|
-            unless lhs == rhs
-              raise ArgumentError, "inconsistent config value detected #{key}: #{lhs} != #{rhs}"
-            end
-
-            lhs
-          end
-        end
-
-        provider_data
-      end
-
-      # returns the account provider information in hash form
-      def account_provider_config
-        this_account_provider.to_h
-      end
-
-      # returns the account provider information in hash form
-      def recovery_provider_config
-        this_recovery_provider.to_h
-      end
-
-      def with_encryptor(encryptor)
-        raise ArgumentError, "A block must be supplied" unless block_given?
-        unless valid_encryptor?(encryptor)
-          raise ArgumentError, "custom encryption class must respond to all of #{REQUIRED_CRYPTO_OPS}"
-        end
-
-        Thread.current[:darrrr_encryptor] = encryptor
-        yield
-      ensure
-        Thread.current[:darrrr_encryptor] = nil
-      end
-
-      # Returns the crypto API to be used. A thread local instance overrides the
-      # globally configured value which overrides the default encryptor.
-      def encryptor
-        Thread.current[:darrrr_encryptor] || @encryptor || DefaultEncryptor
-      end
-
-      # Overrides the global `encryptor` API to use
-      #
-      # encryptor: a class/module that responds to all +REQUIRED_CRYPTO_OPS+.
-      def custom_encryptor=(encryptor)
-        if valid_encryptor?(encryptor)
-          @encryptor = encryptor
-        else
-          raise ArgumentError, "custom encryption class must respond to all of #{REQUIRED_CRYPTO_OPS}"
-        end
-      end
-
-      private def valid_encryptor?(encryptor)
-        REQUIRED_CRYPTO_OPS.all? {|m| encryptor.respond_to?(m)}
-      end
-    end
-  end
-end

data/lib/github/delegated_account_recovery/account_provider.rb

@@ -1,140 +0,0 @@
-# frozen_string_literal: true
-
-module GitHub
-  module DelegatedAccountRecovery
-    class AccountProvider
-      include CryptoHelper
-      include Provider
-
-      # Only applicable when acting as a recovery provider
-      PRIVATE_FIELDS = [:symmetric_key, :signing_private_key]
-
-      FIELDS = [:tokensign_pubkeys_secp256r1].freeze
-      URL_FIELDS = [:issuer, :save_token_return, :recover_account_return,
-        :privacy_policy, :icon_152px].freeze
-
-      # These are the fields required by the spec
-      REQUIRED_FIELDS = FIELDS + URL_FIELDS
-
-      attr_accessor(*REQUIRED_FIELDS)
-      attr_accessor(*PRIVATE_FIELDS)
-
-      alias :origin :issuer
-
-      # The CryptoHelper defines an `unseal` method that requires us to
-      # define a `unseal_keys` method that will return the set of keys that
-      # are valid when verifying the signature on a sealed key.
-      def unseal_keys
-        tokensign_pubkeys_secp256r1
-      end
-
-      # Used to serve content at /.well-known/delegated-account-recovery/configuration
-      def to_h
-        {
-          "issuer" => self.issuer,
-          "tokensign-pubkeys-secp256r1" => self.tokensign_pubkeys_secp256r1.dup,
-          "save-token-return" => self.save_token_return,
-          "recover-account-return" => self.recover_account_return,
-          "privacy-policy" => self.privacy_policy,
-          "icon-152px" => self.icon_152px
-        }
-      end
-
-      # Generates a binary token with an encrypted arbitrary data payload.
-      #
-      # data: value to encrypt in the token
-      # provider: the recovery provider/audience of the token
-      # binding data: binding data value retrieved from recovery provider to
-      #   provide some assurance the same browser was used.
-      def generate_recovery_token(data:, audience:)
-        RecoveryToken.build(issuer: self, audience: audience, type: RECOVERY_TOKEN_TYPE).tap do |token|
-          token.data = Darrrr.encryptor.encrypt(data)
-        end
-      end
-
-      # Parses a countersigned_token and returns the nested recovery token
-      # WITHOUT verifying any signatures. This should only be used if no user
-      # context can be identified or if we're extracting issuer information.
-      def dangerous_unverified_recovery_token(countersigned_token)
-        parsed_countersigned_token = RecoveryToken.parse(Base64.strict_decode64(countersigned_token))
-        RecoveryToken.parse(parsed_countersigned_token.data)
-      end
-
-      # Validates the countersigned recovery token by verifying the signature
-      # of the countersigned token, parsing out the origin recovery token,
-      # verifying the signature on the recovery token, and finally decrypting
-      # the data in the origin recovery token.
-      #
-      # countersigned_token: our original recovery token wrapped in recovery
-      # token instance that is signed by the recovery provider.
-      #
-      # returns a verified recovery token or raises
-      # an error if the token fails validation.
-      def validate_countersigned_recovery_token!(countersigned_token)
-        # 5. Validate the the issuer field is present in the token,
-        # and that it matches the audience field in the original countersigned token.
-        begin
-          recovery_provider = RecoveryToken.recovery_provider_issuer(Base64.strict_decode64(countersigned_token))
-        rescue RecoveryTokenSerializationError => e
-          raise CountersignedTokenError.new("Countersigned token is invalid: " + e.message, :countersigned_token_parse_error)
-        rescue UnknownProviderError => e
-          raise CountersignedTokenError.new(e.message, :recovery_token_invalid_issuer)
-        end
-
-        # 1. Parse the countersigned-token.
-        # 2. Validate that the version field is 0.
-        # 7. Retrieve the current Recovery Provider configuration as described in Section 2.
-        # 8. Validate that the counter-signed token signature validates with a current element of the countersign-pubkeys-secp256r1 array.
-        begin
-          parsed_countersigned_token = recovery_provider.unseal(Base64.strict_decode64(countersigned_token))
-        rescue TokenFormatError => e
-          raise CountersignedTokenError.new(e.message, :countersigned_invalid_token_version)
-        rescue CryptoError
-          raise CountersignedTokenError.new("Countersigned token has an invalid signature", :countersigned_invalid_signature)
-        end
-
-        # 3. De-serialize the original recovery token from the data field.
-        # 4. Validate the signature on the original recovery token.
-        begin
-          recovery_token = self.unseal(parsed_countersigned_token.data)
-        rescue RecoveryTokenSerializationError => e
-          raise CountersignedTokenError.new("Nested recovery token is invalid: " + e.message, :recovery_token_token_parse_error)
-        rescue TokenFormatError => e
-          raise CountersignedTokenError.new("Nested recovery token format error: #{e.message}", :recovery_token_invalid_token_type)
-        rescue CryptoError
-          raise CountersignedTokenError.new("Nested recovery token has an invalid signature", :recovery_token_invalid_signature)
-        end
-
-        # 5. Validate the the issuer field is present in the countersigned-token,
-        # and that it matches the audience field in the original token.
-
-        countersigned_token_issuer = parsed_countersigned_token.issuer
-        if countersigned_token_issuer.blank? || countersigned_token_issuer != recovery_token.audience || recovery_provider.origin != countersigned_token_issuer
-          raise CountersignedTokenError.new("Validate the the issuer field is present in the countersigned-token, and that it matches the audience field in the original token", :recovery_token_invalid_issuer)
-        end
-
-        # 6. Validate the token binding for the countersigned token, if present.
-        # (the token binding for the inner token is not relevant)
-        # TODO not required, to be implemented later
-
-        # 9. Decrypt the data field from the original recovery token and parse its information, if present.
-        begin
-          recovery_token.decode
-        rescue CryptoError
-          raise CountersignedTokenError.new("Recovery token data could not be decrypted", :indecipherable_opaque_data)
-        end
-
-        # 10. Apply any additional processing which provider-specific data in the opaque data portion may indicate is necessary.
-        begin
-          if DateTime.parse(parsed_countersigned_token.issued_time).utc < (Time.now - CLOCK_SKEW).utc
-            raise CountersignedTokenError.new("Countersigned recovery token issued at time is too far in the past", :stale_token)
-          end
-        rescue ArgumentError
-          raise CountersignedTokenError.new("Invalid countersigned token issued time", :invalid_issued_time)
-        end
-
-        recovery_token
-      end
-    end
-  end
-end

data/lib/github/delegated_account_recovery/constants.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module GitHub
-  module DelegatedAccountRecovery
-    module Constants
-      PROTOCOL_VERSION = 0
-      PRIME_256_V1 = "prime256v1" # AKA secp256r1
-      GROUP = OpenSSL::PKey::EC::Group.new(PRIME_256_V1)
-      DIGEST = OpenSSL::Digest::SHA256
-      TOKEN_ID_BYTE_LENGTH = 16
-      RECOVERY_TOKEN_TYPE = 0
-      COUNTERSIGNED_RECOVERY_TOKEN_TYPE = 1
-      WELL_KNOWN_CONFIG_PATH = ".well-known/delegated-account-recovery/configuration"
-      CLOCK_SKEW = 5 * 60
-    end
-
-    include Constants
-  end
-end

data/lib/github/delegated_account_recovery/crypto_helper.rb

@@ -1,57 +0,0 @@
-# frozen_string_literal: true
-
-module GitHub
-  module DelegatedAccountRecovery
-    module CryptoHelper
-      include Constants
-      # Signs the provided token and joins the data with the signature.
-      #
-      # token: a RecoveryToken instance
-      #
-      # returns a base64 value for the binary token string and the signature
-      # of the token.
-      def seal(token)
-        raise RuntimeError, "signing private key must be set" unless self.signing_private_key
-        binary_token = token.to_binary_s
-        signature = Darrrr.encryptor.sign(binary_token, self.signing_private_key)
-        Base64.strict_encode64([binary_token, signature].join)
-      end
-
-      # Splits the payload by the token size, treats the remaining portion as
-      # the signature of the payload, and verifies the signature is valid for
-      # the given payload.
-      #
-      # token_and_signature: binary string consisting of [token_binary_str, signature].join
-      # keys - An array of public keys to use for signature verification.
-      #
-      # returns a RecoveryToken if the payload has been verified and
-      # deserializes correctly. Raises exceptions if any crypto fails.
-      # Raises an error if the token's version field is not valid.
-      def unseal(token_and_signature)
-        token = RecoveryToken.parse(token_and_signature)
-
-        unless token.version.to_i == PROTOCOL_VERSION
-          raise TokenFormatError, "Version field must be #{PROTOCOL_VERSION}"
-        end
-
-        token_data, signature = partition_signed_token(token_and_signature, token)
-        self.unseal_keys.each do |key|
-          return token if Darrrr.encryptor.verify(token_data, signature, key)
-        end
-        raise CryptoError, "Recovery token signature was invalid"
-      end
-
-      # Split the binary token into the token data and the signature over the
-      # data.
-      #
-      # token_and_signature: binary serialization of the token and signature for the token
-      # recovery_token: a RecoveryToken object parsed from token_and_signature
-      #
-      # returns a two element array of [token, signature]
-      private def partition_signed_token(token_and_signature, recovery_token)
-        token_length = recovery_token.num_bytes
-        [token_and_signature[0...token_length], token_and_signature[token_length..-1]]
-      end
-    end
-  end
-end