has_global_session 0.8.2 → 0.8.3

data/README.rdoc

@@ -134,7 +134,7 @@ Here are some reasons you might consider dividing your systems into different
 authorities:
 * beta/staging system vs. production system
 * system hosted by a third party vs. system hosted internally
-* e-commerce node vs. storefront node
+* e-commerce node vs. storefront node vs. admin node
 
 == The Directory
 
@@ -142,8 +142,8 @@ The Directory is a Ruby object instantiated by HasGlobalSession in order to
 perform lookups of public and private keys. Given an authority name (as found
 in a session cookie), the Directory can find the corresponding public key.
 
-If the local system is an authority itself, the method #my_authority_name will
-return non-nil and #my_private_key will return a private key suitable for
+If the local system is an authority itself, #local_authority_name will
+return non-nil and #private_key will return a private key suitable for
 signing session attributes.
 
 The Directory implementation included with HasGlobalSession uses the filesystem
@@ -171,18 +171,15 @@ To replace or enhance the built-in Directory, simply create a new class that
 extends Directory and put the class somewhere in your app (the lib directory
 is a good choice). In the HasGlobalSession configuration file, specify the
 class name of the directory under the 'common' section, like so:
+
   common:
     integrated: true
     directory: MyCoolDirectory
 
 = To-Do
 
-* Configurable session expiry
-
 * Option to auto-renew session
 
-* Option for non-sticky global session
-  (e.g. cookie expires at close of browser session, not at global session
-  expiration!)
+* Implement single sign-out via redirect
 
 Copyright (c) 2010 Tony Spataro <code@tracker.xeger.net>, released under the MIT license

data/has_global_session.gemspec

@@ -7,8 +7,8 @@ spec = Gem::Specification.new do |s|
   s.required_ruby_version = Gem::Requirement.new(">= 1.8.7")
 
   s.name    = 'has_global_session'
-  s.version = '0.8.2'
-  s.date    = '2010-06-09'
+  s.version = '0.8.3'
+  s.date    = '2010-06-11'
 
   s.authors = ['Tony Spataro']
   s.email   = 'code@tracker.xeger.net'

data/lib/has_global_session.rb

@@ -1,10 +1,14 @@
 module HasGlobalSession
   class MissingConfiguration < Exception; end
-  class SessionExpired < Exception; end  
+  class ConfigurationError < Exception; end
+  class InvalidSession < Exception; end
+  class UnserializableType < Exception; end
+  class NoAuthority < Exception; end
 end
 
 basedir = File.dirname(__FILE__)
 require File.join(basedir, 'has_global_session', 'configuration')
 require File.join(basedir, 'has_global_session', 'directory')
+require File.join(basedir, 'has_global_session', 'encoding')
 require File.join(basedir, 'has_global_session', 'global_session')
 require File.join(basedir, 'has_global_session', 'integrated_session')

data/lib/has_global_session/directory.rb

@@ -1,36 +1,39 @@
 module HasGlobalSession
   class Directory
-    attr_reader :authorities, :my_private_key, :my_authority_name
+    attr_reader :authorities, :private_key, :local_authority_name
 
     def initialize(keystore_directory)
       certs = Dir[File.join(keystore_directory, '*.pub')]
       keys  = Dir[File.join(keystore_directory, '*.key')]
+      raise ConfigurationError, "Excepted 0 or 1 key files, found #{keys.size}" unless [0, 1].include?(keys.size)
 
       @authorities = {}
       certs.each do |cert_file|
         basename = File.basename(cert_file)
         authority = basename[0...(basename.rindex('.'))] #chop trailing .ext
         @authorities[authority] = OpenSSL::PKey::RSA.new(File.read(cert_file))
-        raise TypeError, "Expected #{basename} to contain an RSA public key" unless @authorities[authority].public?
+        raise ConfigurationError, "Expected #{basename} to contain an RSA public key" unless @authorities[authority].public?
       end
 
-      raise ArgumentError, "Excepted 0 or 1 key files, found #{keys.size}" if ![0, 1].include?(keys.size)
-      if (key_file = keys[0])
-        basename = File.basename(key_file)
-        @my_private_key  = OpenSSL::PKey::RSA.new(File.read(key_file))
-        raise TypeError, "Expected #{basename} to contain an RSA private key" unless @my_private_key.private?
-        @my_authority_name = basename[0...(basename.rindex('.'))] #chop trailing .ext
+      if (authority_name = Configuration['authority'])
+        key_file = keys.detect { |kf| kf =~ /#{authority_name}.key$/ }
+        raise ConfigurationError, "Key file #{authority_name}.key not found" unless key_file        
+        @private_key  = OpenSSL::PKey::RSA.new(File.read(key_file))
+        raise ConfigurationError, "Expected #{basename} to contain an RSA private key" unless @private_key.private?
+        @local_authority_name = authority_name
       end
     end
 
     def trusted_authority?(authority)
-      Configuration['trust'].blank? ||
-      authority == my_authority_name ||
-      Configuration['trust'].include?(authority)      
+      Configuration['trust'].include?(authority)
     end
 
     def invalidated_session?(uuid)
       false
     end
+
+    def report_exception(exception, cookie=nil)
+      true
+    end
   end  
 end

data/lib/has_global_session/encoding.rb

@@ -0,0 +1,37 @@
+module HasGlobalSession
+  module Encoding
+    class JSON
+      def self.load(json)
+        ::JSON.load(json)
+      end
+
+      def self.dump(object)
+        return object.to_json
+      end
+    end
+
+    # Implements URL encoding, but without newlines, and using '-' and '_' as
+    # the 62nd and 63rd symbol instead of '+' and '/'. This makes for encoded
+    # values that can be easily stored in a cookie; however, they cannot
+    # be used in a URL query string without URL-escaping them since they
+    # will contain '=' characters.
+    #
+    # This scheme is almost identical to the scheme "Base 64 Encoding with URL
+    # and Filename Safe Alphabet," described in RFC4648, with the exception that
+    # this scheme preserves the '=' padding characters due to limitations of
+    # Ruby's built-in base64 encoding routines.
+    class Base64
+      def self.load(string)
+        tr = string.tr('-_', '+/')
+        return tr.unpack('m')[0]
+      end
+      
+      def self.dump(object)
+        raw = [object].pack('m')
+        raw.tr!('+/', '-_')
+        raw.gsub!("\n", '')
+        return raw
+      end
+    end
+  end
+end

data/lib/has_global_session/global_session.rb

@@ -15,142 +15,114 @@ module HasGlobalSession
       @directory       = directory
 
       if cookie
-        #User presented us with a cookie; let's decrypt and verify it
-        zbin = Base64.decode64(cookie)
-        json = Zlib::Inflate.inflate(zbin)
-        hash = JSON.load(json)
-        @id         = hash['id']
-        @created_at = Time.at(hash['tc'].to_i)
-        @expires_at = Time.at(hash['te'].to_i)
-        @signed     = hash['ds']
-        @insecure   = hash['dx']
-        @signature  = hash['s']
-        @authority  = hash['a']
-
-        hash.delete('s')
-        expected = digest(hash)
-        signer   = @directory.authorities[@authority]
-        raise SecurityError, "Unknown signing authority #{@authority}" unless signer
-
-        got      = signer.public_decrypt(Base64.decode64(@signature))
-        unless (got == expected)
-          raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
-        end
-
-        unless @directory.trusted_authority?(@authority)
-          raise SecurityError, "Global sessions created by #{@authority} are not trusted"
-        end
-
-        if expired? || @directory.invalidated_session?(@id)
-          raise ExpiredSession, "Global session cookie has expired"
-        end
-
+        load_from_cookie(cookie)
+      elsif @directory.local_authority_name
+        create_from_scratch
       else
-        @signed          = {}
-        @insecure        = {}
-
-        if defined?(::UUIDTools) # UUIDTools v2
-          @id = ::UUIDTools::UUID.timestamp_create.to_s
-        elsif defined?(::UUID)   # UUIDTools v1
-          @id = ::UUID.timestamp_create.to_s
-        else
-          raise TypeError, "Neither UUIDTools nor UUID defined; unsupported UUIDTools version?"
-        end
-
-        @created_at      = Time.now.utc
-        @authority       = @directory.my_authority_name
-        renew!
+        create_invalid
       end
     end
 
-    def expired?
-      (@expires_at <= Time.now)
-    end
-
-    def expire!
-      @expires_at = Time.at(0)
-      @dirty = true
-    end
-
-    def renew!
-      @expires_at = Configuration['timeout'].to_i.minutes.from_now.utc || 1.hours.from_now.utc        
-      @dirty = true
+    def valid?
+      @id && (@expires_at > Time.now) && ! @directory.invalidated_session?(@id)
     end
 
     def to_s
+      if @cookie && !@dirty_insecure && !@dirty_secure
+        #use cached cookie if nothing has changed
+        return @cookie
+      end
+
       hash = {'id'=>@id,
               'tc'=>@created_at.to_i, 'te'=>@expires_at.to_i,
-              'ds'=>@signed, 'dx'=>@insecure}
+              'ds'=>@signed}
 
-      if @signature && !@dirty
+      if @signature && !@dirty_secure
         #use cached signature unless we've changed secure state
         authority = @authority
         signature = @signature
       else
-        authority = @directory.my_authority_name
+        authority_check
+        authority = @directory.local_authority_name
         hash['a'] = authority
         digest    = digest(hash)
-        signature = Base64.encode64(@directory.my_private_key.private_encrypt(digest))
+        signature = Encoding::Base64.dump(@directory.private_key.private_encrypt(digest))
       end
 
-      hash['s'] = signature
-      hash['a'] = authority
-      json = hash.to_json
+      hash['dx'] = @insecure
+      hash['s']  = signature
+      hash['a']  = authority
+      
+      json = Encoding::JSON.dump(hash)
       zbin = Zlib::Deflate.deflate(json, Zlib::BEST_COMPRESSION)
-      return Base64.encode64(zbin)
+      return Encoding::Base64.dump(zbin)
     end
 
     def supports_key?(key)
       @schema_signed.include?(key) || @schema_insecure.include?(key)
     end
 
+    def has_key?(key)
+      @signed.has_key(key) || @insecure.has_key?(key)
+    end
+
+    def keys
+      @signed.keys + @insecure.keys
+    end
+
+    def values
+      @signed.values + @insecure.values
+    end
+
+    def each_pair(&block)
+      @signed.each_pair(&block)
+      @insecure.each_pair(&block)
+    end
+
     def [](key)
       @signed[key] || @insecure[key]
     end
 
     def []=(key, value)
-      case value
-        when String, Numeric, Array
-          #no-op
-        else
-          raise TypeError, "Cannot store values of type #{value.class.name} reliably"
-      end
+      raise InvalidSession unless valid?
 
-      if @schema_signed.include?(key)
-        unless @directory.my_private_key && @directory.my_authority_name
-          raise StandardError, 'Cannot change secure session attributes; we are not an authority'
-        end
+      #Ensure that the value is serializable (will raise if not)
+      canonicalize(value)
 
+      if @schema_signed.include?(key)
+        authority_check
         @signed[key]  = value
-        @dirty = true
+        @dirty_secure = true
       elsif @schema_insecure.include?(key)
         @insecure[key] = value
+        @dirty_insecure = true
       else
         raise ArgumentError, "Attribute '#{key}' is not specified in global session configuration"
       end
     end
 
-    def has_key?(key)
-      @signed.has_key(key) || @insecure.has_key?(key)
+    def expire!
+      authority_check
+      @expires_at = Time.at(0)
+      @dirty_secure = true
     end
 
-    def keys
-      @signed.keys + @insecure.keys
+    def renew!
+      authority_check
+      @expires_at = Configuration['timeout'].to_i.minutes.from_now.utc || 1.hours.from_now.utc
+      @dirty_secure = true
     end
 
-    def values
-      @signed.values + @insecure.values
-    end
+    private
 
-    def each_pair(&block)
-      @signed.each_pair(&block)
-      @insecure.each_pair(&block)
+    def authority_check
+      unless @directory.local_authority_name
+        raise NoAuthority, 'Cannot change secure session attributes; we are not an authority'
+      end      
     end
 
-    private
-
     def digest(input)
-      canonical = canonicalize(input).to_json
+      canonical = Encoding::JSON.dump(canonicalize(input))
       return Digest::SHA1.new().update(canonical).hexdigest
     end
 
@@ -164,13 +136,84 @@ module HasGlobalSession
           end
         when Array
           output = input.collect { |x| canonicalize(x) }
-        when Numeric, String
+        when Numeric, String, NilClass
           output = input
         else
-          raise TypeError, "Objects of type #{input.class.name} cannot be serialized in the global session"
+          raise UnserializableType, "Objects of type #{input.class.name} cannot be serialized in the global session"
       end
 
       return output
     end
+
+    def load_from_cookie(cookie)
+      zbin = Encoding::Base64.load(cookie)
+      json = Zlib::Inflate.inflate(zbin)
+      hash = Encoding::JSON.load(json)
+
+      id         = hash['id']
+      authority  = hash['a']
+      created_at = Time.at(hash['tc'].to_i)
+      expires_at = Time.at(hash['te'].to_i)
+      signed     = hash['ds']
+      insecure   = hash.delete('dx')
+      signature  = hash.delete('s')
+
+      #Check signature
+      expected = digest(hash)
+      signer   = @directory.authorities[authority]
+      raise SecurityError, "Unknown signing authority #{authority}" unless signer
+      got      = signer.public_decrypt(Encoding::Base64.load(signature))
+      unless (got == expected)
+        raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
+      end
+
+      #Check trust in signing authority
+      unless @directory.trusted_authority?(authority)
+        raise SecurityError, "Global sessions created by #{authority} are not trusted"
+      end
+
+      #Check expiration
+      if expires_at <= Time.now || @directory.invalidated_session?(id)
+        raise ExpiredSession, "Global session cookie has expired"
+      end
+
+      #If all validation stuff passed, assign our instance variables.
+      @id         = id
+      @authority  = authority
+      @created_at = created_at
+      @expires_at = expires_at
+      @signed     = signed
+      @insecure   = insecure
+      @signature  = signature
+      @cookie     = cookie
+    end
+
+    def create_from_scratch
+      authority_check
+
+      @signed          = {}
+      @insecure        = {}
+      @created_at      = Time.now.utc
+      @authority       = @directory.local_authority_name
+
+      if defined?(::UUIDTools) # UUIDTools v2
+        @id = ::UUIDTools::UUID.timestamp_create.to_s
+      elsif defined?(::UUID)   # UUIDTools v1
+        @id = ::UUID.timestamp_create.to_s
+      else
+        raise TypeError, "Neither UUIDTools nor UUID defined; unsupported UUIDTools version?"
+      end
+
+      renew!
+    end
+
+    def create_invalid
+      @id         = nil
+      @created_at = Time.now
+      @expires_at = created_at
+      @signed     = {}
+      @insecure   = {}
+      @authority  = nil
+    end
   end  
 end

data/lib/has_global_session/integrated_session.rb

@@ -40,5 +40,15 @@ module HasGlobalSession
       @global_session.each_pair(&block)
       @local_session.each_pair(&block)
     end
+
+    def method_missing(meth, *args)
+      if @global_session.respond_to?(meth)
+        return @global_session.send(meth, *args)
+      elsif @local_session.respond_to?(meth)
+        return @local_session.send(meth, *args)
+      else
+        super
+      end
+    end
   end
 end

data/rails/action_controller_instance_methods.rb

@@ -20,7 +20,8 @@ module HasGlobalSession
       rescue Exception => e
         #silently recover from any error by initializing a new global session;
         #the new session will be unauthenticated.
-        #TODO log the error
+        directory.report_exception(e, cookie)
+        logger.error "#{e.class.name}: #{e.message} (at #{e.backtrace[0]})" if logger
         @global_session = GlobalSession.new(directory)
       end
     end
@@ -34,16 +35,25 @@ module HasGlobalSession
 
     def global_session_update_cookie
       return unless @global_session
+      name   = Configuration['cookie']['name']
+      domain = Configuration['cookie']['domain']
 
-      cookie_name = Configuration['cookie']['name']
-      if @global_session.expired?
-        cookies.delete cookie_name
-      else
-        options = {:value   => @global_session.to_s,
-                   :domain  => Configuration['cookie']['domain'],
-                   :expires => @global_session.expires_at}
-        cookies[cookie_name] = options
+      #Default options for invalid session
+      options = {:value   => nil,
+                 :domain  => domain,
+                 :expires => Time.at(0)}
+
+      if @global_session.valid?
+        begin
+          value   = @global_session.to_s 
+          expires = Configuration['ephemeral'] ? nil : @global_session.expires_at          
+          options.merge!(:value => value, :expires => expires)
+        rescue Exception => e
+          logger.error "#{e.class.name}: #{e.message} (at #{e.backtrace[0]})" if logger
+        end
       end
+
+      cookies[name] = options unless (cookies[name] == options[:value])
     end
 
     def log_processing

data/rails/init.rb

@@ -8,7 +8,7 @@ if File.exist?(config_file)
   # and operating environment.
   HasGlobalSession::Configuration.config_file = config_file
   HasGlobalSession::Configuration.environment = RAILS_ENV
-
+  
   require File.join(basedir, 'rails', 'action_controller_instance_methods')
 
   # Enable ActionController integration.

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: has_global_session
 version: !ruby/object:Gem::Version 
-  hash: 59
+  hash: 57
   prerelease: false
   segments: 
   - 0
   - 8
-  - 2
-  version: 0.8.2
+  - 3
+  version: 0.8.3
 platform: ruby
 authors: 
 - Tony Spataro
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-06-09 00:00:00 -07:00
+date: 2010-06-11 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -66,6 +66,7 @@ files:
 - lib/has_global_session.rb
 - lib/has_global_session/configuration.rb
 - lib/has_global_session/directory.rb
+- lib/has_global_session/encoding.rb
 - lib/has_global_session/global_session.rb
 - lib/has_global_session/integrated_session.rb
 - rails/action_controller_instance_methods.rb