encrypted_cookie 0.0.1 → 0.0.2

data/Manifest

@@ -1,4 +1,7 @@
+Manifest
+README.markdown
 Rakefile
-encrypted_cookie_spec.rb
+encrypted_cookie.gemspec
 lib/encrypted_cookie.rb
-Manifest
+spec/encrypted_cookie_spec.rb
+test/demo.rb

data/Rakefile

@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
 
-Echoe.new('encrypted_cookie', '0.0.1') do |p|
+Echoe.new('encrypted_cookie', '0.0.2') do |p|
   p.description    = "Encrypted session cookies for Rack"
   p.url            = "http://github.com/cvonkleist/encrypted_cookie"
   p.author         = "Christian von Kleist"

data/encrypted_cookie.gemspec

@@ -2,18 +2,18 @@
 
 Gem::Specification.new do |s|
   s.name = %q{encrypted_cookie}
-  s.version = "0.0.1"
+  s.version = "0.0.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Christian von Kleist"]
   s.cert_chain = ["/home/cvk/.gemcert/gem-public_cert.pem"]
-  s.date = %q{2011-03-01}
+  s.date = %q{2011-03-02}
   s.description = %q{Encrypted session cookies for Rack}
   s.email = %q{cvonkleist at-a-place-called gmail.com}
-  s.extra_rdoc_files = ["lib/encrypted_cookie.rb"]
-  s.files = ["Rakefile", "encrypted_cookie_spec.rb", "lib/encrypted_cookie.rb", "Manifest", "encrypted_cookie.gemspec"]
+  s.extra_rdoc_files = ["README.markdown", "lib/encrypted_cookie.rb"]
+  s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "spec/encrypted_cookie_spec.rb", "test/demo.rb"]
   s.homepage = %q{http://github.com/cvonkleist/encrypted_cookie}
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Encrypted_cookie"]
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Encrypted_cookie", "--main", "README.markdown"]
   s.require_paths = ["lib"]
   s.rubyforge_project = %q{encrypted_cookie}
   s.rubygems_version = %q{1.3.7}

data/lib/encrypted_cookie.rb

@@ -1,27 +1,78 @@
 require 'openssl'
+require 'rack/session/cookie'
 
 module Rack
   module Session
-    class Cookie
-      class AES
-        def initialize(key)
-          @key = key
+    class EncryptedCookie < Cookie
+      def initialize(app, options={})
+        @app = app
+        @key = options[:key] || "rack.session"
+        @secret = options[:secret]
+        fail "Error! A secret is required to use encrypted cookies. Do something like this:\n\nuse Rack::Session::EncryptedCookie, :secret => YOUR_VERY_LONG_VERY_RANDOM_SECRET_KEY_HERE" unless @secret
+        @default_options = {:domain => nil,
+          :path => "/",
+          :expire_after => nil}.merge(options)
+      end
+
+      def load_session(env)
+        request = Rack::Request.new(env)
+        session_data = request.cookies[@key]
+
+        if session_data
+          session_data = decrypt(session_data)
+          session_data, digest = session_data.split("--")
+          session_data = nil  unless digest == generate_hmac(session_data)
         end
 
-        def encode(str)
-          aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
-          salt = OpenSSL::Random.random_bytes(aes.key_len)
-          iv = OpenSSL::Random.random_bytes(aes.iv_len)
-          [iv + (aes.update(str) << aes.final)].pack('m0')
+        begin
+          session_data = session_data.unpack("m*").first
+          session_data = Marshal.load(session_data)
+          env["rack.session"] = session_data
+        rescue
+          env["rack.session"] = Hash.new
         end
 
-        def decode(str)
-          str = str.unpack('m0').first
-          aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
-          iv = str[0, aes.iv_len]
-          crypted_text = str[aes.iv_len..-1]
-          aes.update(crypted_text) << aes.final
+        env["rack.session.options"] = @default_options.dup
+      end
+
+      def commit_session(env, status, headers, body)
+        session_data = Marshal.dump(env["rack.session"])
+        session_data = [session_data].pack("m*")
+
+        session_data = "#{session_data}--#{generate_hmac(session_data)}"
+
+        session_data = encrypt(session_data)
+
+        if session_data.size > (4096 - @key.size)
+          env["rack.errors"].puts("Warning! Rack::Session::Cookie data size exceeds 4K. Content dropped.")
+        else
+          options = env["rack.session.options"]
+          cookie = Hash.new
+          cookie[:value] = session_data
+          cookie[:expires] = Time.now + options[:expire_after] unless options[:expire_after].nil?
+          Utils.set_cookie_header!(headers, @key, cookie.merge(options))
         end
+
+        [status, headers, body]
+      end
+
+      private
+
+      def encrypt(str)
+        aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
+        aes.key = @secret
+        salt = OpenSSL::Random.random_bytes(aes.key_len)
+        iv = OpenSSL::Random.random_bytes(aes.iv_len)
+        [iv + (aes.update(str) << aes.final)].pack('m0')
+      end
+
+      def decrypt(str)
+        str = str.unpack('m0').first
+        aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
+        aes.key = @secret
+        iv = str[0, aes.iv_len]
+        crypted_text = str[aes.iv_len..-1]
+        aes.update(crypted_text) << aes.final
       end
     end
   end

data/spec/encrypted_cookie_spec.rb

@@ -0,0 +1,95 @@
+require 'rack/test'
+require 'sinatra'
+require 'rspec'
+require 'ruby-debug'
+require 'cgi'
+require File.dirname(__FILE__) + '/../lib/encrypted_cookie'
+
+include Rack::Session
+
+RSpec.configure do |conf|
+  conf.include Rack::Test::Methods
+end
+
+class EncryptedApp < Sinatra::Application
+  use Rack::Session::EncryptedCookie, :secret => 'foo' * 10
+  get '/' do
+    "session: " + session.inspect
+  end
+  get '/set/:key/:value' do
+    session[params[:key]] = params[:value]
+    "all set"
+  end
+end
+
+# this app has cookie integrity protection, but not encryption
+class UnencryptedApp < Sinatra::Application
+  use Rack::Session::Cookie, :secret => 'foo' * 10
+  get '/' do
+    "session: " + session.inspect
+  end
+end
+
+describe EncryptedCookie do
+  it 'should fail if no secret is specified' do
+    lambda { EncryptedCookie.new(nil) }.should raise_error(/A secret is required/)
+    lambda { EncryptedCookie.new(nil, :secret => 'foo') }.should_not raise_error(/A secret is required/)
+  end
+end
+
+describe EncryptedApp do
+  def app
+    EncryptedApp
+  end
+  it "should not include unencrypted marshal'd data" do
+    get '/'
+    last_response.body.should == 'session: {}'
+    last_response.headers['Set-Cookie'].should_not include("BAh7AA")
+  end
+  it "should make decryptable session data" do
+    get '/set/foo/bar'
+    last_response.body.should == 'all set'
+    get '/'
+    last_response.body.should == 'session: {"foo"=>"bar"}'
+    last_response.headers['Set-Cookie'].should_not include("BAh7AA")
+
+    data = last_response.headers['Set-Cookie'][/rack.session=(.*?);/, 1]
+    str = CGI.unescape(data).unpack('m0').first
+    aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
+    aes.key = 'foo' * 10
+    iv = str[0, aes.iv_len]
+    crypted_text = str[aes.iv_len..-1]
+
+    plaintext = (aes.update(crypted_text) << aes.final)
+    base64_marshal_data, hmac = plaintext.split('--')
+    session_hash = Marshal.load(base64_marshal_data.unpack('m0').first)
+    session_hash.should == {"foo" => "bar"}
+  end
+  it "should make encrypted session data that can't be decrypted with the wrong key" do
+    get '/set/foo/bar'
+    last_response.body.should == 'all set'
+    get '/'
+    last_response.body.should == 'session: {"foo"=>"bar"}'
+    last_response.headers['Set-Cookie'].should_not include("BAh7AA")
+
+    data = last_response.headers['Set-Cookie'][/rack.session=(.*?);/, 1]
+    str = CGI.unescape(data).unpack('m0').first
+    aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
+    aes.key = 'bar' * 10
+    iv = str[0, aes.iv_len]
+    crypted_text = str[aes.iv_len..-1]
+
+    lambda { plaintext = (aes.update(crypted_text) << aes.final) }.should raise_error("bad decrypt")
+  end
+end
+
+describe UnencryptedApp do
+  def app
+    UnencryptedApp
+  end
+  it "should include unencrypted marshal'd data" do
+    get '/'
+    last_response.body.should == 'session: {}'
+    last_response.headers['Set-Cookie'].should include("BAh7AA")
+  end
+end

data/test/demo.rb

@@ -0,0 +1,15 @@
+require 'sinatra'
+require '../lib/encrypted_cookie'
+
+use Rack::Session::EncryptedCookie,
+  :key => 'rack.session',
+  :secret => 'ASDFASDFASDJFsakdfji2j3oij2o3ij4l12kj3'
+
+get '/' do
+  "session = " + session.inspect
+end
+
+get '/set/:data' do
+  session[:data] = params[:data]
+  redirect '/'
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: encrypted_cookie
 version: !ruby/object:Gem::Version 
-  hash: 29
+  hash: 27
   prerelease: false
   segments: 
   - 0
   - 0
-  - 1
-  version: 0.0.1
+  - 2
+  version: 0.0.2
 platform: ruby
 authors: 
 - Christian von Kleist
@@ -36,7 +36,7 @@ cert_chain:
   DnOM3kD7rptG2g==
   -----END CERTIFICATE-----
 
-date: 2011-03-01 00:00:00 -05:00
+date: 2011-03-02 00:00:00 -05:00
 default_executable: 
 dependencies: []
 
@@ -47,13 +47,16 @@ executables: []
 extensions: []
 
 extra_rdoc_files: 
+- README.markdown
 - lib/encrypted_cookie.rb
 files: 
-- Rakefile
-- encrypted_cookie_spec.rb
-- lib/encrypted_cookie.rb
 - Manifest
+- README.markdown
+- Rakefile
 - encrypted_cookie.gemspec
+- lib/encrypted_cookie.rb
+- spec/encrypted_cookie_spec.rb
+- test/demo.rb
 has_rdoc: true
 homepage: http://github.com/cvonkleist/encrypted_cookie
 licenses: []
@@ -64,6 +67,8 @@ rdoc_options:
 - --inline-source
 - --title
 - Encrypted_cookie
+- --main
+- README.markdown
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 

data/encrypted_cookie_spec.rb

@@ -1,11 +0,0 @@
-require 'encrypted_cookie'
-
-include Rack::Session
-
-describe Cookie::AES do
-  it 'should pass the encryption test' do
-    a = Cookie::AES.new('foo')
-    enc = a.encode("bar")
-    a.decode(enc).should == 'bar'
-  end
-end