encrypted-cookies 0.2

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gemspec

data/README.rdoc

@@ -0,0 +1,60 @@
+= Encrypted Cookies
+
+== Description
+
+Encrypted cookie jar for Rails 3.
+
+== Summary
+
+There are times when one must store things in a cookie that are not necessarily meant for anyone's eyes. It is probably not the best practice to do so, but when one must, it's better to do so with at least a minimal bit of security.  +encrypted-cookies+ will encrypt and sign the contents of the cookie before writing it back to the browser and then decrypt and verify the data on each subsequent request.
+
+EncryptedCookieJar is very much like the SignedCookieJar. The difference is it uses ActiveSupport::MessageEncryptor instead of ActiveSupport::MessageVerifier to generate the value set on the cookie.  Fairly straight forward.
+
+== Usage
+
+Write an encrypted cookie:
+
+    cookies.encrypted[:encrypted_cookie] = "You don't know what this says."
+
+Read the encrypted cookie:
+
+    cookies.encrypted[:encrypted_cookie] # => You don't know what this says.
+
+You can chain the encrypted cookie jar:
+
+    cookies.permanent.encrypted[:permanent_encrypted_cookie] = "You don't know what this says, and it will be here for 20 years..."
+    cookies.encrypted[:permanent_encrypted_cookie] # => "You don't know what this says, and it will be here for 20 years..."
+
+== Requirements
+
+Encrypted cookies works with Rails 3.0.0, but because of a requirement bug in ActionPack 3.0.4, the tests only run with version 3.0.5.
+
+For more information:
+https://rails.lighthouseapp.com/projects/8994/tickets/6393-action_dispatchhttprequestrb-missing-a-require
+
+== Disclaimer
+
+This is provided as is. No guarantee is given for the security of the data written or read by this software. This has not been tested for cryptographic rigor. Use at your own discretion and risk. This should not be only level of security you use for your data.  It uses ActiveSupport::MessageEncryptor to encrypt and ActiveSupport::MessageVerifier to sign the cookie values, so it is at best as secure as these two libraries. Be sure to keep your AppName::Application.config.secret_token safe and secret, as both of the above libraries use it in your Rails application.
+
+== License
+
+Copyright (c) 2011 Les Fletcher
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+desc "Run all tests"
+task :test do
+	sh "ruby test/encryped_cookie_test.rb"
+end

data/encrypted-cookies.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "encrypted-cookies/version"
+
+Gem::Specification.new do |s|
+  s.name        = "encrypted-cookies"
+  s.version     = EncryptedCookies::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Les Fletcher"]
+  s.email       = ["les.fletcher@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{Encrypted cookies for Rails 3}
+  s.description = %q{Add an encrypted cookie jar for Rails 3 that can be chained with permanent and signed cookies}
+
+  s.rubyforge_project = "encrypted-cookies"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency('test-unit', '~> 2.2.0')
+  s.add_dependency('activesupport', '~> 3.0.0')
+  s.add_dependency('actionpack', '~> 3.0.0')
+
+  # needs rails 3.0.5 because of an actionpack requirement bug in 3.0.4
+  # https://rails.lighthouseapp.com/projects/8994/tickets/6393-action_dispatchhttprequestrb-missing-a-require
+end

data/lib/encrypted-cookies.rb

@@ -0,0 +1,2 @@
+require File.expand_path( File.join( File.dirname( __FILE__ ), 'encrypted-cookies', 'cookie_jar' ) )
+require File.expand_path( File.join( File.dirname( __FILE__ ), 'encrypted-cookies', 'encrypted_cookie_jar' ) )

data/lib/encrypted-cookies/cookie_jar.rb

@@ -0,0 +1,24 @@
+module EncryptedCookies
+  module CookieJar
+    # Returns a jar that'll automatically set the assigned cookies to the top level domain, regardless of if there 
+    # is a subdomain present or not. Example:
+    # 
+    #     cookies.encypted[:encrypted_cookie] = "you don't know what this says"
+    #     # => Set-Cookie: LSuus8pkXd...ckqiG6qGlwuhSQn--4Eb16w1z7ouNXQZAxV5Bjw==; path=/; expires=Sun, 27-Mar-2011 03:24:16 GMT
+    # 
+    # This jar allows chaining with other jars as well, so you can set tld, signed cookies. Examples:
+    # 
+    #     cookies.permanent.encypted[:encrypted_permanent] = "you don't know what this says, but it will be here for 20 years"
+    #     # => Set-Cookie: Sok2G6hGs...XFeUpDWQLT8=--UZe+JlZPlMuxHYSq09oV0w==; path=/; expires=Thu, 27 Mar 2031 13:48:43 GMT
+    # 
+    # To read encypted cookies:
+    # 
+    #     cookies.encrypted[:encrypted_cookie] # => "you don't know what this says"
+    #     cookies.encrypted[:encrypted_permanent] # => "you don't know what this says, but it will be here for 20 years"
+    def encrypted
+      @encrypted ||= EncryptedCookieJar.new(self, @secret)
+    end
+  end
+end
+
+ActionDispatch::Cookies::CookieJar.send(:include, EncryptedCookies::CookieJar)

data/lib/encrypted-cookies/encrypted_cookie_jar.rb

@@ -0,0 +1,61 @@
+module EncryptedCookies
+  class EncryptedCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+    MAX_COOKIE_SIZE = 4096 # Cookies can typically store 4096 bytes.
+    SECRET_MIN_LENGTH = 30 # Characters
+
+    def initialize(parent_jar, secret)
+      ensure_secret_secure(secret)
+      @parent_jar = parent_jar
+      @encrypter  = ActiveSupport::MessageEncryptor.new(secret)
+    end
+
+    def [](name)
+      if encrypted_message = @parent_jar[name]
+        @encrypter.decrypt(encrypted_message)
+      end
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      nil
+    rescue ActiveSupport::MessageEncryptor::InvalidMessage
+      nil
+    end
+
+    def []=(key, options)
+      if options.is_a?(Hash)
+        options.symbolize_keys!
+        options[:value] = @encrypter.encrypt(options[:value])
+      else
+        options = { :value => @encrypter.encrypt(options) }
+      end
+
+      raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE
+      @parent_jar[key] = options
+    end
+
+    def method_missing(method, *arguments, &block)
+      @parent_jar.send(method, *arguments, &block)
+    end
+
+    protected
+
+    # To prevent users from using something insecure like "Password" we make sure that the
+    # secret they've provided is at least 30 characters in length.
+    def ensure_secret_secure(secret)
+      if secret.blank?
+        raise ArgumentError, "A secret is required to generate an " +
+          "integrity hash for cookie session data. Use " +
+          "config.secret_token = \"some secret phrase of at " +
+          "least #{SECRET_MIN_LENGTH} characters\"" +
+          "in config/initializers/secret_token.rb"
+      end
+
+      if secret.length < SECRET_MIN_LENGTH
+        raise ArgumentError, "Secret should be something secure, " +
+          "like \"#{ActiveSupport::SecureRandom.hex(16)}\".  The value you " +
+          "provided, \"#{secret}\", is shorter than the minimum length " +
+          "of #{SECRET_MIN_LENGTH} characters"
+      end
+    end
+  end
+end
+
+ActionDispatch::Cookies.send(:include, EncryptedCookies)

data/lib/encrypted-cookies/version.rb

@@ -0,0 +1,3 @@
+module EncryptedCookies
+  VERSION = "0.2"
+end

data/test/encryped_cookie_test.rb

@@ -0,0 +1,75 @@
+require File.expand_path( File.join( File.dirname( __FILE__ ), 'test_helper' ) )
+
+# so that we can get access to the encrypted values and mess with them for testing
+module EncryptedCookies
+  class EncryptedCookieJar
+    def encrypted_value(name)
+      @parent_jar[name]
+    end
+
+    def set_encrypted_value(name, value)
+      @parent_jar[name] = value
+    end
+
+  end
+end
+
+class TestEncryptedCookies < Test::Unit::TestCase
+
+  GOOD_SECRET_1 = "200b85f78a0ac1add6494111d899107df8c25f72b13ec7480f906f4cb8bef32cc1e7b4c0d31f57493ff062cdd9bf37d41636fdfb453af7c7c73f598b257d3c89"
+  GOOD_SECRET_2 = "8127a90b3352b34459a1649da6f3a01358632c06a7ded98e4633fcfc8d32a7508d8e87a1db1b826330f090f4518098860dd20c10604df9b1b577e1b39268deb6"
+  BAD_SECRET    = "iamtooshort"
+
+  def setup
+    @cookie_jar             = ActionDispatch::Cookies::CookieJar.new
+    @encrypted_cookie_jar   = EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, GOOD_SECRET_1)
+    @str                    = "test string"
+  end
+
+  def test_secret
+    assert_raise (ArgumentError) { EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, nil) }
+    assert_raise (ArgumentError) { EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, "") }
+    assert_raise (ArgumentError) { EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, BAD_SECRET) }
+    assert_nothing_raised { EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, GOOD_SECRET_1) }
+  end
+
+  def test_basic_encryption_decryption
+    @encrypted_cookie_jar[:test] = @str
+
+    assert @encrypted_cookie_jar.encrypted_value(:test) != @str
+    assert @encrypted_cookie_jar[:test] == @str
+  end
+
+  def test_tampered_signature
+    @encrypted_cookie_jar[:test] = @str
+    enc_value = @encrypted_cookie_jar.encrypted_value(:test)
+
+    data, digest = enc_value.split("--")
+    @encrypted_cookie_jar.set_encrypted_value(:test, "#{data}--sdgsad")
+
+    assert @encrypted_cookie_jar[:test].nil?
+  end
+
+  # a different encrypted cookie jar with a different secret can't read another's values
+  def test_another_cookie_jar
+    @encrypted_cookie_jar[:test] = @str
+    enc_value = @encrypted_cookie_jar.encrypted_value(:test)
+
+    encrypted_cookie_jar_2 = EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, GOOD_SECRET_2)
+    encrypted_cookie_jar_2.set_encrypted_value(:test, enc_value)
+
+    assert encrypted_cookie_jar_2[:test].nil?
+  end
+
+  # a different encrypted jar with the same secret can decode the value
+  def test_same_cookie_jar
+    @encrypted_cookie_jar[:test] = @str
+    enc_value = @encrypted_cookie_jar.encrypted_value(:test)
+
+    encrypted_cookie_jar_2 = EncryptedCookies::EncryptedCookieJar.new(@cookie_jar, GOOD_SECRET_1)
+    encrypted_cookie_jar_2.set_encrypted_value(:test, enc_value)
+
+    assert encrypted_cookie_jar_2[:test] == @str
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,6 @@
+require 'test/unit'
+
+require 'active_support'
+require 'action_dispatch'
+
+require File.expand_path( File.join( File.dirname( __FILE__ ), '..', 'lib', 'encrypted-cookies' ) )

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification 
+name: encrypted-cookies
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: "0.2"
+platform: ruby
+authors: 
+- Les Fletcher
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-04-03 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: test-unit
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 2.2.0
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 3.0.0
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: actionpack
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 3.0.0
+  type: :runtime
+  version_requirements: *id003
+description: Add an encrypted cookie jar for Rails 3 that can be chained with permanent and signed cookies
+email: 
+- les.fletcher@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- README.rdoc
+- Rakefile
+- encrypted-cookies.gemspec
+- lib/encrypted-cookies.rb
+- lib/encrypted-cookies/cookie_jar.rb
+- lib/encrypted-cookies/encrypted_cookie_jar.rb
+- lib/encrypted-cookies/version.rb
+- test/encryped_cookie_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: ""
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: encrypted-cookies
+rubygems_version: 1.5.0
+signing_key: 
+specification_version: 3
+summary: Encrypted cookies for Rails 3
+test_files: 
+- test/encryped_cookie_test.rb
+- test/test_helper.rb