desviar 0.0.15 → 0.0.16

data/README.md

@@ -2,20 +2,31 @@
 
 This is a Ruby-based app server built on Sinatra to create
 preauthorized time-limited, random URIs used in devops deployment
-scripts or in web applications such as confirmation emails.
+scripts or in web applications such as confirmation emails.  Your
+scenario is that you have a database, repository or webserver
+(possibly behind a firewall) that needs to stay both hidden and
+secure, but you need to provide a means for a script to invoke an API
+call or for a remote user to click a direct link to fetch a specific
+item from its hidden source without presenting credentials.
 
 It operates similarly to TinyURL or the Amazon S3 temporary-URI
-feature: provide the tool with the URI to an existing secure resource,
-specify a number of seconds you want to authorize references to it,
-and you'll get back a temporary URI good for that amount of time.
-
-You can set it up on a DMZ network or in the cloud behind an
+feature: provide the tool with the URI and credentials to an existing
+secure resource, specify a number of seconds you want to authorize
+references to it, and you'll get back a temporary URI good for that
+amount of time.  An analogy is the inexpensive key-card issued by a
+hotel's desk clerk: to access secure content in the room, you first
+need to present your credit-card credentials; your room key is all you
+need thereafter, at least until the key expires.  The hotel remains
+secure even if you keep the key after checkout.
+
+You can set up desviar on a DMZ network or in the cloud behind an
 iptables/nginx configuration to provide whatever ACL restrictions you
 want, and you can reference any source URI (not just those stored on
-S3).
+S3 or an equivalent service).
 
-Secure content is cached in memory (sqlite3) by default; for
-troubleshooting, you can store content in a file.
+Secure content is encrypted and cached in memory (sqlite3) by default;
+for troubleshooting, you can store content in a file and/or turn off
+encryption.
 
 #### Installation ####
 
@@ -27,7 +38,7 @@ Clone this repo and perform the following:
     git clone https://github.com/instantlinux/desviar.git
     cd desviar
     cp config/config.rb.example config/config.rb
-    sudo apt-get install -y make libsqlite3-dev ruby-dev
+    sudo apt-get install -y make g++ libsqlite3-dev ruby-dev
     #  package names above may differ if not using Ubuntu
     sudo gem install bundler
     sudo bundle install
@@ -35,9 +46,9 @@ Clone this repo and perform the following:
     rackup -p 4567
 
 ##### From rubygems.org #####
-Invoke the following:
+[![Gem Version](https://badge.fury.io/rb/desviar.png)](http://badge.fury.io/rb/desviar) Invoke the following:
 
-    sudo apt-get install -y make libsqlite3-dev ruby-dev
+    sudo apt-get install -y make g++ libsqlite3-dev ruby-dev
     sudo gem install desviar
     wget https://raw.github.com/instantlinux/desviar/master/config.ru
     wget https://raw.github.com/instantlinux/desviar/master/config/config.rb.example
@@ -47,7 +58,7 @@ Invoke the following:
 
 #### Usage ####
 
-Default credential of [app](http://localhost:4567) is user _desviar_, pw _password_.  
+In your browser, the [app](http://localhost:4567)'s default credential upon installation is user _desviar_, pw _password_.
 
 Commands:
 * /create - generate a new pre-authenticated URI
@@ -56,19 +67,14 @@ Commands:
 * /link/nnn - retrieve details
 * /config - set runtime configuration
 
-For scripting, the list, link and config commands can be modified with a _/json_ suffix (e.g. _/config/json_) to generate json instead of html output.
-
-Here's an example of creating a new link via _curl_:
-
-    curl --digest --user desviar:password http://localhost:4567/create \
-     --data "redir_uri=http://localhost/test&expiration=1800&captcha=1&notes=testing"
+For scripting, the list, link and config commands can be modified with a _/json_ suffix (e.g. _/config/json_) to generate json instead of html output.  Script examples for Ruby and bash are provided in the [examples directory](https://github.com/instantlinux/desviar/tree/master/examples).
 
 Security notes:
 Consider moving the default database location from /dev/shm/desviar, and set its permissions to 0600. You can modify config.ru to direct log output to a different file.
 
 #### Features implemented ####
 
-- [x] HTTP digest authentication for user interface
+- [x] HTTP digest authentication for client API and user interface
 - [ ] Parse htpasswd files to support multiple credentials
 - [x] Bypass authentication for generated URIs
 - [x] Basic HTTP authentication for remote URIs

data/desviar.gemspec

@@ -38,6 +38,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "dm-timestamps", ">= 1.2"
   spec.add_dependency "dm-validations", ">= 1.2"
   spec.add_dependency "multi_json", ">= 1.7"
+  spec.add_dependency "net-http-digest_auth", ">= 1.4"
   spec.add_dependency "rack-recaptcha", ">= 0.6"
   spec.add_dependency "rack-test", ">= 0.6"
   spec.add_dependency "sinatra", ">= 1.4"

data/examples/bash-client.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+# API examples - Desviar::Client
+#
+# Created 1 Aug 2013
+#
+#   Copyright 2013 Richard Braun
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+# Usage:
+#  Start the server first (rackup -p 4567)
+#  Adjust credentials below if you've modified the server
+#  Invoke this program ./bash-client.sh
+
+echo "========= Desviar::Client config =========="
+curl --digest --user desviar:password -q http://localhost:4567/config/json
+echo
+echo "========= Desviar::Client create =========="
+#  In this example, create an item valid for 5 seconds and another valid for
+#  10 minutes to demonstrate cleanup after 6 seconds.  The notes field is
+#  an arbitrary payload which can be used for whatever tracking purposes
+#  your application requires.
+id=`curl -q --digest --user desviar:password http://localhost:4567/create \
+     --data "redir_uri=https://rubygems.org/gems/desviar&expiration=5&captcha=1&notes=tracking-item" \
+   --location |grep ID:|egrep -o [0-9]+`
+curl --digest --user desviar:password -q http://localhost:4567/link/json/$id
+echo
+id=`curl -q --digest --user desviar:password http://localhost:4567/create \
+     --data "redir_uri=https://rubygems.org/gems/desviar&expiration=600&notes=item%202" \
+   --location |grep ID:|egrep -o [0-9]+`
+curl --digest --user desviar:password -q http://localhost:4567/link/json/$id
+echo
+echo "========= Desviar::Client list ============"
+curl --digest --user desviar:password -q http://localhost:4567/list/json
+echo
+echo "========= Desviar::Client clean ============"
+sleep 6
+curl --digest --user desviar:password -q http://localhost:4567/clean
+curl --digest --user desviar:password -q http://localhost:4567/list/json
+echo

data/examples/ruby-client.rb

@@ -0,0 +1,67 @@
+#!/usr/bin/env ruby
+# API examples - Desviar::Client
+#
+# Created 1 Aug 2013
+#
+#   Copyright 2013 Richard Braun
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+# Usage:
+#  Start the server first (rackup -p 4567)
+#  Adjust credentials below if you've modified the server
+#  Invoke this program ./ruby-client.rb
+
+require 'desviar/client'
+require 'pp'
+
+obj = Desviar::Client.new 'desviar', 'password'
+puts "Starting Desviar::Client for server #{obj.server_uri} as user #{obj.user_name}"
+
+puts "========= Desviar::Client config =========="
+puts "dbencrypt is #{obj.config_item 'dbencrypt'}"
+puts "debug is #{obj.config_item :debug}"
+puts "Full config hash is:"
+pp obj.config
+
+puts "========= Desviar::Client create =========="
+# Can specify option names using symbols/strings; values must be strings
+
+#  The notes field is an arbitrary payload which can be used for
+#  whatever tracking purposes your application requires.
+
+#  Example 1: create an item valid for 5 seconds to demonstrate
+#  cleanup after 6 seconds.  Fetch will invoke captcha (get credentials
+#  from Google for a "real" test)
+link = obj.create "https://rubygems.org/gems/desviar", 5, {
+   :captcha => 1.to_s,
+   "notes"  => "tracking-item" }
+puts link['temp_uri'].inspect
+puts obj.fetch link['temp_uri']
+
+# Example 2: same as #1 except without captcha
+link = obj.create "https://rubygems.org/gems/desviar", 5, {
+   "notes"  => "tracking example 2" }
+puts link['temp_uri'].inspect
+puts obj.fetch link['temp_uri']
+
+# Example 3: valid for 10 minutes 
+pp obj.create "https://rubygems.org/gems/desviar", 600, {
+   "notes"  => "example 3" }
+
+puts "========= Desviar::Client list ============"
+pp obj.list
+begin
+  pp obj.list_item 999
+rescue ArgumentError
+  puts "Handling expected error for item 999"
+end
+
+puts "========= Desviar::Client clean ============"
+sleep 6
+obj.clean
+pp obj.list

data/lib/auth.rb

@@ -3,7 +3,8 @@ require 'webrick/httpauth/htpasswd'
 module Desviar::Auth
 
     def self.htpasswd
-      @htpasswd ||= Htpasswd.new(git.path_to("htpasswd"))
+#      @htpasswd ||= Htpasswd.new(git.path_to("htpasswd"))
+      @htpasswd ||= Htpasswd.new('.htpasswd')
     end
 
     def self.authentication
@@ -26,7 +27,8 @@ module Desviar::Auth
       end
     end
 
-    def self.unauthorized!(realm = Desviar::info)
+#    def self.unauthorized!(realm = Desviar::info)
+    def self.unauthorized!(realm = 'desviar-realm')
       headers "WWW-Authenticate" => %(Basic realm="#{realm}")
       throw :halt, [ 401, "Authorization Required" ]
     end

data/lib/desviar.rb

@@ -75,8 +75,17 @@ module Desviar
       http.use_ssl = params[:redir_uri].index('https') == 0
       http.verify_mode = OpenSSL::SSL::VERIFY_NONE
       req = Net::HTTP::Get.new(object.request_uri)
-      req.basic_auth params[:remoteuser], params[:remotepw] if params[:remoteuser] != ''
-      response = http.request(req)
+      if params[:remoteuser] != ''
+        req.basic_auth params[:remoteuser], params[:remotepw]
+      end
+      begin
+        response = http.request(req)
+      rescue Errno::ECONNREFUSED
+        error 401
+      end
+      if response.code.to_i != 200
+        error response.code.to_i 
+      end
       if !$config[:dbencrypt]
         @desviar[:content] = response.body[0, $config[:contentmax]]
       else
@@ -204,6 +213,7 @@ module Desviar
     def self.new(*)
   #   TODO: htpasswd parsing
   #   Desviar::Auth::authenticate!
+  #   @auth.call()
       app = Rack::Auth::Digest::MD5.new(super) do |username|
         {$config[:adminuser] => $config[:adminpw]}[username]
       end
@@ -212,6 +222,22 @@ module Desviar
       app
     end
 
+=begin
+  class Mytest
+    def initialize(app)
+#      Desviar::Public::log "Initializing auth from .htpasswd"
+      @obj = Rack::Auth::Basic.new(app) do |username, password|
+        unless File.exist?('../config/.htpasswd')
+          raise PasswordFileNotFound.new("#{file} is not found. Please create it with htpasswd")
+        end
+        htpasswd = WEBrick::HTTPAuth::Htpasswd.new(file)
+        crypted = htpasswd.get_passwd(nil, user, false)
+        crypted == pass.crypt(crypted) if crypted
+      end
+    end
+  end
+=end
+
   end
 
   #############################################

data/lib/desviar/client.rb

@@ -0,0 +1,134 @@
+# Client functions for Desviar main object
+#
+#   Copyright 2013 Richard Braun
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+require 'json'
+require 'uri'
+require 'net/http'
+require 'net/http/digest_auth'
+
+module Desviar
+  class Client
+    ##
+    # Client functions for Desviar main object
+
+    # Create new client
+    def initialize(user_name, private_key, server_uri = 'http://localhost:4567')
+      @server_uri = server_uri
+      @user_name = user_name
+      @private_key = private_key
+    end
+
+    # Return server's URI
+    def server_uri()
+      @server_uri
+    end
+
+    # Return username
+    def user_name()
+      @user_name
+    end
+
+    # Fetch configuration (as a hash)
+    def config
+      JSON.parse get("config/json")
+    end
+
+    # Fetch a single configuration item
+    def config_item(item)
+      cfg = JSON.parse get("config/json")
+      raise ArgumentError, "Invalid item #{item}" if !cfg.has_key?(item.to_s)
+      cfg[item.to_s]
+    end
+
+    # Fetch list of stored redirects
+    def list
+      JSON.parse get("list/json")
+    end
+
+    # Fetch meta information about a particular redirect
+    def list_item(id)
+      JSON.parse get("link/json/#{id}")
+    end
+
+    # Clean out expired entries
+    def clean
+      get("clean")
+    end
+
+    # Create a new redirect
+    def create(uri, expiration = 900, opts = {})
+      opts[:captcha_button] = "Proceed" if !opts.has_key?(:captcha_button) && !opts.has_key?("captcha_button")
+      newlink = post("create", { :redir_uri => uri, :expiration => expiration.to_s }.merge(opts))
+      JSON.parse get("link/json/#{newlink.split('/').last}")
+    end
+
+    # Fetch content
+    def fetch(temp_uri)
+      get("desviar/#{temp_uri}", false)
+    end
+
+    private
+
+    # Internal function:  raw, digest-authenticated HTTP get from server
+    def get(path, need_auth = true)
+      uri              = URI.parse "#{@server_uri}/#{path}"
+      uri.user         = @user_name
+      uri.password     = @private_key
+
+      http             = Net::HTTP.new uri.host, uri.port
+      http.use_ssl     = @server_uri.index('https') == 0
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      req              = Net::HTTP::Get.new uri.request_uri
+      response         = http.request req
+      if need_auth
+        auth           = Net::HTTP::DigestAuth.new.auth_header(
+                            uri, response['www-authenticate'], 'GET')
+        req            = Net::HTTP::Get.new uri.request_uri
+        req.add_field 'Authorization', auth
+        response         = http.request req
+      end
+      case response.code.to_i
+        when 200
+          response.body
+        when 301..302
+          response.response['Location']
+        else
+          raise ArgumentError, "#{path} return status #{response.code}"
+      end
+    end
+
+    # Internal function:  HTTP post
+    def post(path, params)
+      uri              = URI.parse "#{@server_uri}/#{path}"
+      uri.user         = @user_name
+      uri.password     = @private_key
+
+      http             = Net::HTTP.new uri.host, uri.port
+      http.use_ssl     = @server_uri.index('https') == 0
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      req              = Net::HTTP::Get.new uri.request_uri
+      response         = http.request req
+      auth             = Net::HTTP::DigestAuth.new.auth_header(
+                            uri, response['www-authenticate'], 'POST')
+      req              = Net::HTTP::Post.new uri.request_uri
+      req.add_field     'Authorization', auth
+      req.set_form_data params
+      response         = http.request req
+      case response.code.to_i
+        when 200
+          response.body
+        when 303
+          response.response['Location']
+        else
+          raise ArgumentError, "#{path} return status #{response.code}"
+      end
+    end
+  end
+end

data/lib/model.rb

@@ -10,6 +10,9 @@
 
 module Desviar
   module Model
+    ##
+    # Data model for Desviar main object
+
     class Main
     include DataMapper::Resource
   

data/lib/version.rb

@@ -1,7 +1,7 @@
 module Desviar
-  VERSION = "0.0.15"
-  RELEASE = "2013-07-30"
-  TIMESTAMP = "2013-07-29 08:27:33 -07:00"
+  VERSION = "0.0.16"
+  RELEASE = "2013-08-03"
+  TIMESTAMP = "2013-08-03 09:12:27 -07:00"
 
   def self.info
       "#{name} v#{VERSION} (#{RELEASE})"

data/lib/views/show.erb

@@ -1,13 +1,14 @@
 <div class="desviar">
   <a href="/desviar/<%= @desviar.temp_uri[0, @desviar.temp_uri.length - $config[:urisuffix].length] %>">
-  https:<%= settings.bind %>:<%= settings.port %>/desviar/<%= @desviar.temp_uri[0, @desviar.temp_uri.length - $config[:urisuffix].length] %></a><br><hr>
+  http://<%= settings.bind %>:<%= settings.port %>/desviar/<%= @desviar.temp_uri[0, @desviar.temp_uri.length - $config[:urisuffix].length] %></a><br><hr>
   <h2><a href="<%= @desviar.redir_uri %>"><%= @desviar.redir_uri %></a></h2>
   <div class="sbody" id="box">
      <%= @desviar.formatted_notes %>
   </div>
   <div class="sdate">
-     Created <%= @desviar.created_at.strftime("%D at %T %Z") %> <%= ENV['REMOTE_USER'] %><br>
-     Expires <%= @desviar.expires_at.strftime("%D at %T %Z") %>
+     Created <%= @desviar.created_at.strftime("%D at %T %Z") %><br>
+     Expires <%= @desviar.expires_at.strftime("%D at %T %Z") %><br>
+     ID: <%= @desviar.id %>
      <%= @desviar.captcha ? "<br>CAPTCHA is required" : "" %>
   </div>
   <hr>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: desviar
 version: !ruby/object:Gem::Version
-  version: 0.0.15
+  version: 0.0.16
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-30 00:00:00.000000000 Z
+date: 2013-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dm-core
@@ -107,6 +107,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: net-http-digest_auth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: rack-recaptcha
   requirement: !ruby/object:Gem::Requirement
@@ -222,9 +238,12 @@ files:
 - config.ru
 - config/config.rb.example
 - desviar.gemspec
+- examples/bash-client.sh
+- examples/ruby-client.rb
 - lib/auth.rb
 - lib/authorization.rb
 - lib/desviar.rb
+- lib/desviar/client.rb
 - lib/encrypt.rb
 - lib/model.rb
 - lib/public/favicon.ico
@@ -239,7 +258,7 @@ files:
 homepage: http://github.com/instantlinux/desviar
 licenses: []
 post_install_message: ! "------------------------------------------------------------------------------\nDesviar
-  v0.0.15\n\nTo configure, download from:\n   https://raw.github.com/instantlinux/desviar/master/config/config.rb.example\ninto
+  v0.0.16\n\nTo configure, download from:\n   https://raw.github.com/instantlinux/desviar/master/config/config.rb.example\ninto
   a new file config.rb and export DESVIAR_CONFIG=<path>/config.rb.\n\nThanks for using
   Desviar.\n------------------------------------------------------------------------------\n"
 rdoc_options: []