ga_verify 0.0.1

data/bin/ga-verify

@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+_SELF=File.readlink(__FILE__) rescue __FILE__
+_ROOT=File.expand_path(File.dirname(_SELF) + '/../lib')
+$LOAD_PATH.push _ROOT
+
+require 'ga_verify/paths'
+options = {
+  :socket => GAVerify::Paths.default_socket,
+}
+
+require 'optparse'
+
+optparse = OptionParser.new do |opts|
+  opts.banner += " USER TOKEN"
+  opts.on(
+    '-s', '--socket PATH',
+    "Default: #{options[:socket]}"
+  ) do |path|
+    options[:socket] = path
+  end
+end
+optparse.parse!
+
+if ARGV.size != 2
+  STDERR.write optparse.help
+  exit 1
+end
+user, token = ARGV[0], ARGV[1].to_i
+
+require 'ga_verify/client'
+result = GAVerify::Client.new(options).check_user(user, token)
+puts GAVerify::Result::VALUE_MAP[result]
+exit result

data/bin/ga-verifyd

@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+_SELF=File.readlink(__FILE__) rescue __FILE__
+_ROOT=File.expand_path(File.dirname(_SELF) + '/../lib')
+$LOAD_PATH.push _ROOT
+
+require 'ga_verify/paths'
+options = {
+  :socket => GAVerify::Paths.default_socket,
+}
+
+require 'optparse'
+
+optparse = OptionParser.new do |opts|
+  opts.on(
+    '-s', '--socket PATH',
+    "Default: #{options[:socket]}"
+  ) do |path|
+    options[:socket] = path
+  end
+end
+optparse.parse!
+
+require 'ga_verify/server'
+GAVerify::Server.new(options[:socket]).serve!

data/gen-rb/ga-verify_constants.rb

@@ -0,0 +1,10 @@
+#
+# Autogenerated by Thrift
+#
+# DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+#
+
+require 'ga-verify_types'
+
+  module GAVerify
+end

data/gen-rb/ga-verify_types.rb

@@ -0,0 +1,18 @@
+#
+# Autogenerated by Thrift
+#
+# DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+#
+
+
+module GAVerify
+    module Result
+      SUCCESS = 0
+      BAD_TOKEN = 1
+      BAD_USER = 2
+      NO_GOOGLE_AUTH = 3
+      VALUE_MAP = {0 => "SUCCESS", 1 => "BAD_TOKEN", 2 => "BAD_USER", 3 => "NO_GOOGLE_AUTH"}
+      VALID_VALUES = Set.new([SUCCESS, BAD_TOKEN, BAD_USER, NO_GOOGLE_AUTH]).freeze
+    end
+
+  end

data/gen-rb/verifier.rb

@@ -0,0 +1,85 @@
+#
+# Autogenerated by Thrift
+#
+# DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+#
+
+require 'thrift'
+require 'ga-verify_types'
+
+    module GAVerify
+      module Verifier
+        class Client
+          include ::Thrift::Client
+
+          def check_user(name, token)
+            send_check_user(name, token)
+            return recv_check_user()
+          end
+
+          def send_check_user(name, token)
+            send_message('check_user', Check_user_args, :name => name, :token => token)
+          end
+
+          def recv_check_user()
+            result = receive_message(Check_user_result)
+            return result.success unless result.success.nil?
+            raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'check_user failed: unknown result')
+          end
+
+        end
+
+        class Processor
+          include ::Thrift::Processor
+
+          def process_check_user(seqid, iprot, oprot)
+            args = read_args(iprot, Check_user_args)
+            result = Check_user_result.new()
+            result.success = @handler.check_user(args.name, args.token)
+            write_result(result, oprot, 'check_user', seqid)
+          end
+
+        end
+
+        # HELPER FUNCTIONS AND STRUCTURES
+
+        class Check_user_args
+          include ::Thrift::Struct, ::Thrift::Struct_Union
+          NAME = 1
+          TOKEN = 2
+
+          FIELDS = {
+            NAME => {:type => ::Thrift::Types::STRING, :name => 'name'},
+            TOKEN => {:type => ::Thrift::Types::I32, :name => 'token'}
+          }
+
+          def struct_fields; FIELDS; end
+
+          def validate
+          end
+
+          ::Thrift::Struct.generate_accessors self
+        end
+
+        class Check_user_result
+          include ::Thrift::Struct, ::Thrift::Struct_Union
+          SUCCESS = 0
+
+          FIELDS = {
+            SUCCESS => {:type => ::Thrift::Types::I32, :name => 'success', :enum_class => GAVerify::Result}
+          }
+
+          def struct_fields; FIELDS; end
+
+          def validate
+            unless @success.nil? || GAVerify::Result::VALID_VALUES.include?(@success)
+              raise ::Thrift::ProtocolException.new(::Thrift::ProtocolException::UNKNOWN, 'Invalid value of field success!')
+            end
+          end
+
+          ::Thrift::Struct.generate_accessors self
+        end
+
+      end
+
+    end

data/if/ga-verify.thrift

@@ -0,0 +1,11 @@
+namespace rb GAVerify
+enum Result {
+  SUCCESS = 0,
+  BAD_TOKEN = 1,
+  BAD_USER = 2,
+  NO_GOOGLE_AUTH = 3
+}
+
+service Verifier {
+  Result check_user(1:string name, 2:i32 token);
+}

data/lib/ga_verify.rb

@@ -0,0 +1 @@
+require 'ga_verify/client'

data/lib/ga_verify/client.rb

@@ -0,0 +1,21 @@
+require 'ga_verify/thrift'
+require 'ga_verify/paths'
+
+require 'thrift'
+
+module GAVerify
+  class Client
+    def initialize options={}
+      options[:socket] ||= GAVerify::Paths.default_socket 
+      socket    = Thrift::UNIXSocket.new(options[:socket])
+      transport = Thrift::FramedTransport.new(socket)
+      protocol  = Thrift::BinaryProtocol.new(transport)
+      @client   = GAVerify::Verifier::Client.new(protocol)
+      transport.open
+    end
+
+    def method_missing *args
+      @client.send *args
+    end
+  end
+end

data/lib/ga_verify/handler.rb

@@ -0,0 +1,48 @@
+require 'ga_verify/thrift'
+require 'ga_verify/paths'
+
+require 'rotp'
+
+module GAVerify
+  class Handler
+    def initialize
+      @last_seen   = Hash.new(0)
+      @used_tokens = Hash.new{Hash.new(0)}
+    end
+
+    def check_user user, token
+      unless user =~ /^[a-z]+$/
+        return GAVerify::Result::BAD_USER
+      end
+      unless File.exists? "/home/#{user}"
+        return GAVerify::Result::BAD_USER
+      end
+      path = GAVerify::Paths.config_path(user)
+      unless File.exists? path
+        return GAVerify::Result::NO_GOOGLE_AUTH
+      end
+      now = Time.now.to_i
+      # Max one login every 15s
+      if @last_seen[user] >= now - 15
+        return GAVerify::Result::BAD_TOKEN
+      end
+      @last_seen[user] = now
+
+      secret = File.open(path, 'r').first.strip
+      totp = ROTP::TOTP.new(secret)
+
+      # Allow +- 1 token
+      times = [now - 30, now, now + 30]
+      if times.any?{|time| totp.verify(token, time)}
+        # disallow token re-use within 10 minutes
+        if @used_tokens[user][token] < now - 600
+          @used_tokens[user][token] = now
+          # Cleanup
+          @used_tokens[user].reject!{|k,v| used_tokens[user][token] < now - 600}
+          return GAVerify::Result::SUCCESS
+        end
+      end
+      return GAVerify::Result::BAD_TOKEN
+    end
+  end
+end

data/lib/ga_verify/paths.rb

@@ -0,0 +1,11 @@
+module GAVerify
+  module Paths
+    def self.default_socket
+      '/var/run/ga_verifyd.sock'
+    end
+
+    def self.config_path user
+      "/home/#{user}/.google_authenticator"
+    end
+  end
+end

data/lib/ga_verify/server.rb

@@ -0,0 +1,19 @@
+require 'ga_verify/handler'
+
+require 'thrift'
+
+module GAVerify
+  class Server < GAVerify::Handler
+    def initialize socket_path
+      handler   = GAVerify::Handler.new
+      processor = GAVerify::Verifier::Processor.new handler
+      transport = Thrift::FramedTransportFactory.new
+      socket    = Thrift::UNIXServerSocket.new(socket_path)
+      @server   = Thrift::NonblockingServer.new processor, socket, transport
+    end
+
+    def serve!
+      @server.serve
+    end
+  end
+end

data/lib/ga_verify/thrift.rb

@@ -0,0 +1,9 @@
+module GAVerify
+  THRIFT_PATH=File.expand_path(File.join(File.dirname(__FILE__), '/../../gen-rb'))
+end
+
+$LOAD_PATH.push(GAVerify::THRIFT_PATH)
+require 'verifier'
+require 'ga-verify_constants'
+require 'ga-verify_types'
+$LOAD_PATH.pop

metadata

@@ -0,0 +1,88 @@
+--- !ruby/object:Gem::Specification 
+name: ga_verify
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Fred Emmott
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-08-01 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rotp
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 1.3.0
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: thrift
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 0.6.0
+  type: :runtime
+  version_requirements: *id002
+description: Provides a unix socket for validating tokens
+email: 
+- mail@fredemmott.co.uk
+executables: 
+- ga-verify
+- ga-verifyd
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- bin/ga-verifyd
+- bin/ga-verify
+- lib/ga_verify.rb
+- lib/ga_verify/paths.rb
+- lib/ga_verify/thrift.rb
+- lib/ga_verify/client.rb
+- lib/ga_verify/handler.rb
+- lib/ga_verify/server.rb
+- gen-rb/verifier.rb
+- gen-rb/ga-verify_constants.rb
+- gen-rb/ga-verify_types.rb
+- if/ga-verify.thrift
+homepage: https://github.com/fredemmott/ga-verify
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.7.2
+signing_key: 
+specification_version: 3
+summary: Thrift client and server for validating google authenticator tokens
+test_files: []
+