has_global_session 0.9.3 → 0.9.5

data/has_global_session.gemspec

@@ -7,8 +7,8 @@ spec = Gem::Specification.new do |s|
   s.required_ruby_version = Gem::Requirement.new(">= 1.8.7")
 
   s.name    = 'has_global_session'
-  s.version = '0.9.3'
-  s.date    = '2010-07-19'
+  s.version = '0.9.5'
+  s.date    = '2010-07-20'
 
   s.authors = ['Tony Spataro']
   s.email   = 'code@tracker.xeger.net'
@@ -23,6 +23,7 @@ spec = Gem::Specification.new do |s|
 
   s.add_development_dependency('rspec', [">= 1.3.0"])
   s.add_development_dependency('flexmock', [">= 0.8.6"])
+  s.add_development_dependency('actionpack', [">= 2.1.2"])
 
   basedir = File.dirname(__FILE__)
   candidates = ['has_global_session.gemspec', 'init.rb', 'MIT-LICENSE', 'README.rdoc'] +

data/lib/has_global_session/global_session.rb

@@ -9,13 +9,13 @@ module HasGlobalSession
   class GlobalSession
     attr_reader :id, :authority, :created_at, :expired_at, :directory
 
-    def initialize(directory, cookie=nil)
+    def initialize(directory, cookie=nil, valid_signature_digest=nil)
       @schema_signed   = Set.new((Configuration['attributes']['signed']))
       @schema_insecure = Set.new((Configuration['attributes']['insecure']))
       @directory       = directory
 
       if cookie
-        load_from_cookie(cookie)
+        load_from_cookie(cookie, valid_signature_digest)
       elsif @directory.local_authority_name
         create_from_scratch
       else
@@ -40,17 +40,16 @@ module HasGlobalSession
       if @signature && !@dirty_secure
         #use cached signature unless we've changed secure state
         authority = @authority
-        signature = @signature
       else
         authority_check
         authority = @directory.local_authority_name
         hash['a'] = authority
-        digest    = digest(hash)
-        signature = Encoding::Base64Cookie.dump(@directory.private_key.private_encrypt(digest))
+        digest    = canonical_digest(hash)
+        @signature = Encoding::Base64Cookie.dump(@directory.private_key.private_encrypt(digest))
       end
 
       hash['dx'] = @insecure
-      hash['s']  = signature
+      hash['s']  = @signature
       hash['a']  = authority
       
       json = Encoding::JSON.dump(hash)
@@ -66,6 +65,10 @@ module HasGlobalSession
       @signed.has_key(key) || @insecure.has_key?(key)
     end
 
+    def signature_digest
+      @signature ? digest(@signature) : nil
+    end
+
     def keys
       @signed.keys + @insecure.keys
     end
@@ -119,9 +122,13 @@ module HasGlobalSession
       end      
     end
 
-    def digest(input)
+    def canonical_digest(input)
       canonical = Encoding::JSON.dump(canonicalize(input))
-      return Digest::SHA1.new().update(canonical).hexdigest
+      return digest(canonical)
+    end
+
+    def digest(input)
+      return Digest::SHA1.new().update(input).hexdigest
     end
 
     def canonicalize(input)
@@ -143,7 +150,7 @@ module HasGlobalSession
       return output
     end
 
-    def load_from_cookie(cookie)
+    def load_from_cookie(cookie, valid_signature_digest)
       zbin = Encoding::Base64Cookie.load(cookie)
       json = Zlib::Inflate.inflate(zbin)
       hash = Encoding::JSON.load(json)
@@ -156,15 +163,17 @@ module HasGlobalSession
       insecure   = hash.delete('dx')
       signature  = hash.delete('s')
 
-      #Check signature
-      expected = digest(hash)
-      signer   = @directory.authorities[authority]
-      raise SecurityError, "Unknown signing authority #{authority}" unless signer
-      got      = signer.public_decrypt(Encoding::Base64Cookie.load(signature))
-      unless (got == expected)
-        raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
+      unless valid_signature_digest == digest(signature)
+        #Check signature
+        expected = canonical_digest(hash)
+        signer   = @directory.authorities[authority]
+        raise SecurityError, "Unknown signing authority #{authority}" unless signer
+        got      = signer.public_decrypt(Encoding::Base64Cookie.load(signature))
+        unless (got == expected)
+          raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
+        end
       end
-
+      
       #Check trust in signing authority
       unless @directory.trusted_authority?(authority)
         raise SecurityError, "Global sessions signed by #{authority} are not trusted"

data/lib/has_global_session/rails/action_controller_instance_methods.rb

@@ -2,10 +2,7 @@ module HasGlobalSession
   module Rails
     module ActionControllerInstanceMethods
       def self.included(base)
-        if Configuration['integrated']
-          base.alias_method_chain :session, :global_session
-        end
-
+        base.alias_method_chain :session, :global_session
         base.before_filter :global_session_read_cookie
         base.before_filter :global_session_auto_renew
         base.after_filter  :global_session_update_cookie
@@ -16,13 +13,14 @@ module HasGlobalSession
       end
 
       def session_with_global_session
-        if global_session
+        if Configuration['integrated'] && @global_session
           unless @integrated_session &&
                  (@integrated_session.local == session_without_global_session) && 
                  (@integrated_session.global == @global_session)
             @integrated_session =
-              IntegratedSession.new(session_without_global_session, global_session)
+              IntegratedSession.new(session_without_global_session, @global_session)
           end
+          
           return @integrated_session
         else
           return session_without_global_session
@@ -35,9 +33,16 @@ module HasGlobalSession
         cookie      = cookies[cookie_name]
 
         begin
+          cached_digest = session_without_global_session[:_session_gbl_valid_sig]
+
           #unserialize the global session from the cookie, or
-          #initialize a new global session if cookie == nil
-          @global_session = GlobalSession.new(directory, cookie)
+          #initialize a new global session if cookie == nil.
+          #
+          #pass along the cached trusted signature (if any) so the new object
+          #can skip the expensive RSA Decrypt operation.
+          @global_session = GlobalSession.new(directory, cookie, cached_digest)
+
+          session_without_global_session[:_session_gbl_valid_sig] = @global_session.signature_digest
           return true
         rescue Exception => e
           #silently recover from any error by initializing a new global session

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: has_global_session
 version: !ruby/object:Gem::Version 
-  hash: 61
+  hash: 49
   prerelease: false
   segments: 
   - 0
   - 9
-  - 3
-  version: 0.9.3
+  - 5
+  version: 0.9.5
 platform: ruby
 authors: 
 - Tony Spataro
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-07-19 00:00:00 -07:00
+date: 2010-07-20 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -98,6 +98,22 @@ dependencies:
         version: 0.8.6
   type: :development
   version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: actionpack
+  prerelease: false
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 15
+        segments: 
+        - 2
+        - 1
+        - 2
+        version: 2.1.2
+  type: :development
+  version_requirements: *id006
 description: This plugin for Rails allows several web apps in an authentication domain to share session state, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database.
 email: code@tracker.xeger.net
 executables: []