duo_security 0.0.1

data/duo_security.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/duo_security/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Marten Veldthuis"]
+  gem.email         = ["marten@veldthuis.com"]
+  gem.description   = %q{Perform 2-factor authentication using duosecurity.com}
+  gem.summary       = %q{}
+  gem.homepage      = "https://github.com/roqua/duo_security"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "duo_security"
+  gem.require_paths = ["lib"]
+  gem.version       = DuoSecurity::VERSION
+
+  gem.add_dependency "httparty", "~> 0.8.3"
+  
+  gem.add_development_dependency "vcr", "~> 2.2.4"
+  gem.add_development_dependency "webmock", "~> 1.8.9"
+end

data/lib/duo_security/api.rb

@@ -0,0 +1,82 @@
+require 'cgi'
+require 'httparty'
+
+module DuoSecurity
+  class API
+    class UnknownUser < StandardError; end
+
+    FACTORS = ["auto", "passcode", "phone", "sms", "push"]
+
+    include HTTParty
+    ssl_ca_file File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "data", "ca-bundle.crt"))
+
+    def initialize(host, secret_key, integration_key)
+      @host = host
+      @skey = secret_key
+      @ikey = integration_key
+
+      self.class.base_uri "https://#{@host}/rest/v1"
+    end
+
+    def ping
+      response = self.class.get("/ping")
+      response.parsed_response.fetch("response") == "pong"
+    end
+
+    def check
+      auth = sign("get", @host, "/rest/v1/check", {}, @skey, @ikey)
+      response = self.class.get("/check", headers: {"Authorization" => auth})
+
+      # TODO use parsed_response.fetch(...) when content-type is set correctly
+      response["response"] == "valid"
+    end
+
+    def preauth(user)
+      response = post("/preauth", {"user" => user})["response"]
+
+      raise UnknownUser, response.fetch("status") if response.fetch("result") == "enroll"
+
+      return response
+    end
+
+    def auth(user, factor, factor_params)
+      raise ArgumentError.new("Factor should be one of #{FACTORS.join(", ")}") unless FACTORS.include?(factor)
+
+      params = {"user" => user, "factor" => factor}.merge(factor_params)
+      response = post("/auth",params)
+
+      response["response"]["result"] == "allow"
+    end
+
+    protected
+
+    def post(path, params = {})
+      auth = sign("post", @host, "/rest/v1#{path}", params, @skey, @ikey)
+      self.class.post(path, headers: {"Authorization" => auth}, body: params)
+    end
+
+    def hmac_sha1(key, data)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha1'), key, data.to_s)
+    end
+
+    def sign(method, host, path, params, skey, ikey)
+      canon = [method.upcase, host.downcase, path]
+
+      args = []
+      for key in params.keys.sort
+        val = params[key]
+        args << "#{CGI.escape(key)}=#{CGI.escape(val)}"
+      end
+
+      canon << args.join("&")
+      canon = canon.join("\n")
+
+      sig = hmac_sha1(skey, canon)
+      auth = "#{ikey}:#{sig}"
+
+      encoded = Base64.encode64(auth).split("\n").join("")
+
+      return "Basic #{encoded}"
+    end
+  end
+end

data/lib/duo_security/attempt.rb

@@ -0,0 +1,17 @@
+module DuoSecurity
+  class Attempt
+    def initialize(api, username)
+      @api      = api
+      @username = username
+    end
+
+    def login!
+      preauth = @api.preauth(@username)
+      factor  = preauth["factors"].fetch("default")
+      
+      @api.auth(@username, "auto", {"auto" => factor})
+    rescue API::UnknownUser => e
+      false
+    end
+  end
+end

data/lib/duo_security/version.rb

@@ -0,0 +1,3 @@
+module DuoSecurity
+  VERSION = "0.0.1"
+end

data/lib/duo_security.rb

@@ -0,0 +1,6 @@
+require "duo_security/version"
+require "duo_security/api"
+require "duo_security/attempt"
+
+module DuoSecurity
+end

data/spec/duo_security/api_spec.rb

@@ -0,0 +1,99 @@
+require 'minitest/autorun'
+require 'vcr'
+require_relative "../../lib/duo_security/api"
+
+VCR.configure do |c|
+  c.cassette_library_dir = "fixtures/vcr"
+  c.hook_into :webmock
+  c.allow_http_connections_when_no_cassette = true
+  c.before_http_request(:real?) do |request|
+    puts "Cassette #{VCR.current_cassette.name} being recorded. Take appropriate actions on your phone."
+  end
+end
+
+module DuoSecurity
+  describe API do
+    let(:host) { ENV["DUO_HOST"] }
+    let(:skey) { ENV["DUO_SKEY"] }
+    let(:ikey) { ENV["DUO_IKEY"] }
+
+    describe '#ping' do
+      it 'succeeds' do
+        VCR.use_cassette("api_ping_success") do
+          duo = API.new(host, skey, ikey)
+          duo.ping.must_equal true
+        end
+      end
+    end
+
+    describe '#check' do
+      it 'succeeds with correct credentials' do
+        VCR.use_cassette("api_check_success") do
+          duo = API.new(host, skey, ikey)
+          duo.check.must_equal true
+        end
+      end
+
+      it 'fails with incorrect skey' do
+        VCR.use_cassette("api_check_wrong_skey") do
+          duo = API.new(host, "wrong", ikey)
+          duo.check.must_equal false
+        end
+      end
+
+      it 'fails with incorrect ikey' do
+        VCR.use_cassette("api_check_wrong_ikey") do
+          duo = API.new(host, skey, "wrong")
+          duo.check.must_equal false
+        end
+      end
+    end
+
+    describe '#preauth' do
+      it 'returns a list of possible factors' do
+        VCR.use_cassette("api_preauth") do
+          duo = API.new(host, skey, ikey)
+          result = duo.preauth("marten")
+          result["factors"].must_equal({"1"=>"push1", "2"=>"sms1", "default"=>"push1"})
+          result["result"].must_equal("auth")
+        end
+      end
+
+      it 'raises when user does not exist' do
+        VCR.use_cassette("api_preauth_unknown_user") do
+          duo = API.new(host, skey, ikey)
+          -> { duo.preauth("unknown") }.must_raise(API::UnknownUser)
+        end
+      end
+    end
+
+    describe '#auth' do
+      let(:duo) { API.new(host, skey, ikey) }
+
+      it 'returns true if user OKs the request' do
+        VCR.use_cassette("api_auth_user_accepts") do
+          result = duo.auth("marten", "push", "phone" => "phone1")
+          result.must_equal(true)
+        end
+      end
+
+      it 'returns false if the user denies the request as a mistake' do
+        VCR.use_cassette("api_auth_user_denies_mistake") do
+          result = duo.auth("marten", "push", "phone" => "phone1")
+          result.must_equal(false)
+        end
+      end
+
+      it 'returns false if the user denies the request as a fraudulent attack' do
+        VCR.use_cassette("api_auth_user_denies_fraud") do
+          result = duo.auth("marten", "push", "phone" => "phone1")
+          result.must_equal(false)
+        end
+      end
+
+      it 'raises an exception when factor is unknown' do
+        -> { duo.auth("marten", "something") }.must_raise(ArgumentError)
+      end
+    end
+  end
+end

data/spec/duo_security/attempt_spec.rb

@@ -0,0 +1,28 @@
+require 'minitest/autorun'
+require_relative '../../lib/duo_security/attempt'
+
+module DuoSecurity
+  describe Attempt do
+    let(:api) { API.new(ENV["DUO_HOST"], ENV["DUO_SKEY"], ENV["DUO_IKEY"]) }
+
+    describe 'when using push notifications' do
+      it 'returns true if the user accepts the login' do
+        VCR.use_cassette("attempt_allowed") do
+          Attempt.new(api, "marten").login!.must_equal true
+        end
+      end
+
+      it 'returns false if the user denies the login' do
+        VCR.use_cassette("attempt_disallowed") do
+          Attempt.new(api, "marten").login!.must_equal false
+        end
+      end
+
+      it 'returns false if the user is not known' do
+        VCR.use_cassette("attempt_user_unknown") do
+          Attempt.new(api, "unknown").login!.must_equal false
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: duo_security
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Marten Veldthuis
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-09-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: &70240733958400 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.8.3
+  type: :runtime
+  prerelease: false
+  version_requirements: *70240733958400
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: &70240733957900 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.2.4
+  type: :development
+  prerelease: false
+  version_requirements: *70240733957900
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: &70240733957380 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.8.9
+  type: :development
+  prerelease: false
+  version_requirements: *70240733957380
+description: Perform 2-factor authentication using duosecurity.com
+email:
+- marten@veldthuis.com
+executables:
+- duo
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/duo
+- data/ca-bundle.crt
+- duo_security.gemspec
+- lib/duo_security.rb
+- lib/duo_security/api.rb
+- lib/duo_security/attempt.rb
+- lib/duo_security/version.rb
+- spec/duo_security/api_spec.rb
+- spec/duo_security/attempt_spec.rb
+homepage: https://github.com/roqua/duo_security
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: ''
+test_files:
+- spec/duo_security/api_spec.rb
+- spec/duo_security/attempt_spec.rb
+has_rdoc: