hash-auth 0.1.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,201 @@
+# HashAuth
+[![Code Climate](https://codeclimate.com/github/maxwells/hash-auth.png)](https://codeclimate.com/github/maxwells/hash-auth)
+[![Dependency Status](https://gemnasium.com/maxwells/hash-auth.png)](https://gemnasium.com/maxwells/hash-auth)
+[![Build Status](https://travis-ci.org/maxwells/hash-auth.png?branch=master)](https://travis-ci.org/maxwells/hash-auth)
+
+HashAuth allows your Rails application to support incoming and outgoing two-factor authentication via hashing some component of an HTTPS request. Both sides of the request (your Rails app and your client or provider) must have some unique shared secret. This secret is used to create a hash of some portion of the request, ensuring that (if neither side has been compromised) only the other party could have created the request.
+
+Solely using a shared key leaves one hole open: the ability for a third party to send a duplicate request if they are playing man in the middle, so it is important to combine the secret key with some unique data (eg. request IP and datetime) to reduce the scope of when and from where a given request is valid. Again, this only applies to duplicate requests.
+
+_Note: Only Ruby 1.9.2 and above are supported, due to lack of ordered Hash objects in previous versions._
+
+## Features
+- HashAuth can be configured to support multiple clients, each with their own authentication blocks (ie. customer 1 could use MD5 hash, customer 2 could use hmac-SHA256).
+- Clients can be authenticated as a proxy user upon successful hash authentication (ie. if your controller action depends on having current_user, you can assign an email address to your client and have it log in that user)
+- Custom blocks can be provided to (a) acquire the string to hash, (b) hash the string, or (c) perform a custom action upon authentication from a request from each indivudual client
+- Enhanced security can be enabled by requiring each client to submit a GMT version of their system time to be included in the hash, which will mean any given request is only valid within a predefined window (reduces the possibility of a man in the middle attack through duplicate requests)
+
+## Usage
+
+### Installation
+
+1) Install the HashAuth gem from RubyGems
+
+	$ gem install hash-auth
+
+2) Add it to your Rails application's Gemfile
+
+	gem "hash-auth"
+	
+3) Install it into your Rails application
+
+	$ rails g hashauth:install	
+	
+4) If you need to create your own strategies
+
+	$ rails g hashauth:strategy [name]
+
+### Configuration
+
+The install generator will place an initializer (hashauth.rb) into your config/initializers directory. The following will walk you through the default configuration options and what they mean
+
+
+**_Adding an authentication strategy._**
+
+Generate a new strategy, which will live in lib/hash_auth/strategies
+
+	rails g hash_auth:strategy name_of_strategy
+
+This will generate a template that needs to be filled in with the necessary behavior for authenticating your client. Here is an example strategy
+
+
+```ruby	
+
+	module HashAuth
+      module Strategies
+        class NameOfStrategy < Base
+
+          def name
+            :name_of_strategy
+          end
+
+		  ## The string that your client hashes for its signature is a concatenation of parameters in order, joined by '&' and appended with the client's secret key.
+          def acquire_string_to_hash(controller, client)
+            controller.params.select{|k,v| k != 'controller' && k != 'action' }.map{|k,v| "#{k}=#{v}"}.join('&') + client.customer_key
+          end
+
+		  # Client hashes string with SHA256
+          def hash_string(string, client)
+            Digest::sha2.new(256) << string
+          end
+
+          def on_authentication(client)
+            # Do nothing. If you were so inclined, you could use the client information to do something specific to your system (like logging in a proxy user for your API client with your favorite user management system)
+          end
+
+        end
+      end
+    end
+
+```
+
+**_Adding Clients via hardcoding (Config)._**
+
+
+```ruby
+
+	#### Adding a new client
+	
+	# Add a client to a strategy. Any key:value sets can be added to the hash, which will be accessible in your strategy. The required ones are shown below (though there are default options for customer_identifier_param and strategy)
+	add_client {
+		:customer_key => '1234567890',
+			# the shared secret between you and a client
+		:customer_identifier => 'my_organization',
+			# the unique identifer the client will pass you to identify themselves
+		:customer_identifier_param => 'customer_id',
+			# the name of the parameter the client will pass their unique identifier in
+		:valid_domains => '*my_organization.org',
+			# will allow request from anything ending with my_organization.org, can also provide a list
+		:strategy => :my_auth_strategy,
+			# If no strategy is provided, then the default (HashAuth::Strategies::Default) will be used. If the strategy symbol does not reference a valid strategy, then an exception will be raised
+	}
+```
+**_Adding Clients from an external resource (eg YAML, Database)._**
+		
+YAML file (config/clients.yml in this example):
+
+	clients:
+      -
+        customer_key: 1234567890
+        customer_identifier: my_organization
+        customer_identifier_param: customer_id
+        valid_domains: '*my_organization.org'
+        strategy: :default
+        custom_key: custom_value
+      -
+        customer_key: 0987654321
+        customer_identifier: your_organization
+        customer_identifier_param: customer_id
+        valid_domains: ['your_organization.com', 'your_organization.org']
+        strategy: :my_auth_strategy
+        custom_key: custom_value
+	
+hash-auth initializer:
+
+```ruby
+
+	clients = YAML::load( File.open('config/clients.yml') )
+    add_clients clients["clients"]
+	
+```
+
+**_Options in hash-auth initializer_**
+
+Any custom client field can be initialized with a default value through method missing 
+
+	HashAuth.configure do
+		set_default_authentication_success_status_message {:status => "success" }
+	end
+	
+will allow that value to be used in blocks later without initializing them in every client object. Ie. you could have 5 clients, three of which have a custom failure_json value in their definition and two of which will then use the default.
+
+	## In a custom strategy…
+	
+	def self.on_failure(client, controller)
+		@failed_authentication_status = {:status => 'failure'}
+	end
+	
+	## In the controller…
+	def my_action
+		if (@authenticated)
+			... Do necessary stuff
+			response = @client.authentication_success_status_message
+		else
+			response = @failed_authentication_json
+		end
+	
+		respond_to do |format|
+			format.json { render :json => response }
+		end
+	end
+
+Additionally, the default strategy for every client can be set (if not set, will revert to HashAuth::Strategies::Default)
+
+	set_default_strategy :strategy_identifier
+
+	
+#### Implementation: _Receiving hashed requests_
+
+In whatever controller(s) require hash authentication of requests
+
+	validates_auth_for :action_one, :action_two
+
+The following variables are available in implementing controller actions
+
+	@client : HashAuth::Client - instance of client (if found, whether or not authenticated)
+	@authenticated : Boolean - whether or not the hashed request was considered validated
+
+
+#### Implementation: _Making hashed requests_	
+In whatever controllers, models, or otherwise that require creating hash authenticated requests, use the HashAuth::WebRequest around [REST client](https://github.com/rest-client/rest-client).
+
+	client = HashAuth.find_client 'my_organization'
+	HashAuth::WebRequest.post client, 'localhost:3000/test/one', {:foo => :bar, :bar => :baz}
+
+WebRequest supports:
+
+	def self.get(client, url, parameters = {}, &block)
+    def self.post(client, url, payload, headers = {}, &block)
+    def self.patch(client, url, payload, headers = {}, &block)
+    def self.put(client, url, payload, headers = {}, &block)
+    def self.delete(client, url, parameters = {}, &block)
+    def self.head(client, url, parameters = {}, &block)
+    def self.options(client, url, parameters = {}, &block)
+
+See [REST client](https://github.com/rest-client/rest-client) for futher detail.
+
+
+## Examples
+
+
+This project rocks and uses MIT-LICENSE.

data/Rakefile

@@ -0,0 +1,37 @@
+#!/usr/bin/env rake
+require 'rspec/core/rake_task'
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Specifind'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+desc "Run all metrics"
+task :metrics do
+  puts "Generating Metrics with metric_fu.\nCheck your browser for output."
+  `metric_fu -r`
+end
+
+Bundler::GemHelper.install_tasks
+
+desc "Run all specs"
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/generators/hash_auth/install_generator.rb

@@ -0,0 +1,11 @@
+class HashAuth::InstallGenerator < ::Rails::Generators::Base
+  include Rails::Generators::Migration
+
+  source_root File.expand_path('../templates', __FILE__)
+  desc "Installs HashAuth."
+
+  def install
+    template "initializer.rb", "config/initializers/hash-auth.rb"
+  end
+
+end

data/lib/generators/hash_auth/strategy_generator.rb

@@ -0,0 +1,12 @@
+class HashAuth::StrategyGenerator < ::Rails::Generators::NamedBase
+  include Rails::Generators::Migration
+
+  source_root File.expand_path('../templates', __FILE__)
+
+  desc "Generates a HashAuth strategy."
+
+  def strategy
+    template "strategy.rb", "lib/hash-auth/#{file_name}.rb"
+  end
+
+end

data/lib/generators/hash_auth/templates/initializer.rb

@@ -0,0 +1,26 @@
+HashAuth.configure do
+
+  ## Block to allow dynamic loading of customer keys (Optional)
+  #### Could be from YAML
+  #### Could be from DB
+  
+  # add_clients do |clients|
+  #   YAML::load( File.open('../clients.yml') )
+  # end
+
+
+  ## Any attributes can be added to a client object at initialization.
+  #### The default can be added to HashAuth configuration and will be picked up in every strategy automagically
+  #### Default values must be set with set_default_* methods and will be picked up by [client].* methods
+  # eg.
+  # set_default_foo_bar 'bar baz'
+  #
+  # client.foo_bar will return 'bar baz' unless specifically set for that client
+
+
+  ## Set default strategy by handle
+  # set_default_strategy :strategy_fifty_one
+
+
+
+end

data/lib/generators/hash_auth/templates/strategy.rb

@@ -0,0 +1,47 @@
+require 'digest'
+
+module HashAuth
+  module Strategies
+    class <%= class_name %> < Base
+      # provide the HashAuth system with a handle for this strategy
+      def self.identifier
+        :<%= file_name %>
+      end
+
+      # upon receiving a hashed request, extract the string that needs to be hashed and compared to the signature passed
+      def self.acquire_string_to_hash(controller, client)
+
+      end
+
+      # how the querystring should be hashed (eg. hmac-sha1, md5)
+      def self.hash_string(client, string)
+
+      end
+
+      # determine equality of the target string, as calculated by acquire_string_to_hash -> hash_string, with the actual signature passed by client
+      def self.verify_hash(target_string, client, controller)
+
+      end
+
+      # anything special that needs to be done upon successful authentication of a request (eg. log in proxy user for a given client)
+      def self.on_authentication(client, controller)
+
+      end
+
+      # on_failure is triggered during the before_filter of an action that requires hash authentication
+      # if any of the cases are met (these are the options for type):
+      #  - :no_matching_client
+      #  - :invalid_domain
+      #  - :invalid_hash
+      def self.on_failure(client, controller, type)
+
+      end
+
+      # sign_request should sign the outgoing request. Given the different objects available at request
+      # creation time versus receipt time, this method needs to be included in addition to acquire_string_to_hash
+      def self.sign_request(client, verb, params)
+
+      end
+    end
+  end
+end

data/lib/hash-auth/client.rb

@@ -0,0 +1,34 @@
+module HashAuth
+  class Client
+    # The hash passed in to a new client will initialize this Client object
+    # with getters and setters for each key in the hash. The default value
+    # for each getter will be the associated value passed in the hash
+    def initialize(hash)
+      hash.each do |key,value|
+        add_instance_getters_and_setters key
+        send "#{key}=", value
+      end
+    end
+
+    # Add instance specific getters and setters for the name passed in,
+    # so as to allow different Client objects to have different properties
+    # that are accessible by . notation
+    def add_instance_getters_and_setters(var)
+      singleton = (class << self; self end)
+      singleton.send :define_method, var.to_sym do
+        instance_variable_get "@#{var}"
+      end
+      singleton.send :define_method, "#{var}=".to_sym do |val|
+        instance_variable_set "@#{var}", val
+      end
+    end
+
+    def method_missing(method, *args, &block)
+      # Check config for default value
+      default = "default_#{method}"
+      if HashAuth.configuration.respond_to? default
+        HashAuth.configuration.send default
+      end
+    end
+  end
+end

data/lib/hash-auth/config.rb

@@ -0,0 +1,110 @@
+module HashAuth
+  class MissingConfiguration < StandardError
+    def initialize
+      super("Configuration for hash-auth missing. Do you have a hash-auth initializer?")
+    end
+  end
+
+  def self.configure(&block)
+    @config = Config::Builder.new(&block).build
+  end
+
+  def self.configuration
+    @config || (raise MissingConfiguration.new)
+  end
+
+  def self.configuration=(val)
+    @config = val
+  end
+
+  def self.clients=(val)
+    @clients = val
+  end
+
+  def self.clients
+    @clients
+  end
+
+  def self.find_client(name)
+    @clients.select{|c| c.customer_identifier == name}[0]
+  end
+
+  def self.strategies
+    return @strategies if @strategies
+    
+    constants = HashAuth::Strategies.constants.select { |c| Class === HashAuth::Strategies.const_get(c) }
+    @strategies = constants.map{ |c| HashAuth::Strategies.const_get(c) }.select{|c| c != HashAuth::Strategies::Base}
+    @strategies
+  end
+
+  def self.find_strategy(name)
+    strategy = self.strategies.select{|s| s.identifier == name}[0]
+    raise "Strategy specified with name = #{name} does not exist" unless strategy
+    strategy
+  end
+
+  class Config
+    class Builder
+      def initialize(&block)
+        @config = Config.new
+        instance_eval(&block)
+      end
+
+      def build
+        @config
+      end
+
+      def set_default_strategy(val)
+        strategy = HashAuth.find_strategy val
+        @config.instance_variable_set("@default_strategy", strategy)
+      end
+
+      def add_client(client)
+        (HashAuth.clients ||= []) << create_client_from_hash_if_valid(client)
+      end
+
+      # add_clients calls add_client on a list of client hashes
+      #
+      # @param [Hash] clients - an Array of client hashes
+      def add_clients(clients)
+        clients.each do |client| 
+          add_client client
+        end
+      end
+
+      def create_client_from_hash_if_valid(client)
+        [:customer_key, :customer_identifier, :valid_domains].each do |required_val|
+          raise "Client hash is missing #{required_val}" unless client[required_val]
+        end
+        client[:strategy] = HashAuth.find_strategy(client[:strategy]) if client[:strategy]
+        client[:valid_domains] = [client[:valid_domains]] unless client[:valid_domains].kind_of? Array
+        HashAuth::Client.new client
+      end
+
+      def method_missing(method, *args, &block)
+        match = /set_(default_.*)/.match method.to_s
+        if match
+          default_var_name = match[1]
+          @config.instance_variable_set("@#{default_var_name}", args[0])
+          if @config.respond_to?("#{default_var_name}".to_sym) == false
+            singleton = (class << @config; self end)
+            singleton.send :define_method, "#{default_var_name}".to_sym do instance_variable_get("@#{default_var_name}") end
+          end
+        end
+      end
+    end
+
+    def default_customer_identifier_param
+      @default_customer_identifier_param || "customer_id"
+    end
+
+    def default_signature_param
+      @default_signature_param || "signature"
+    end
+
+    def default_strategy
+      @default_strategy || HashAuth::Strategies::Default
+    end
+
+  end
+end

data/lib/hash-auth/controllers/helpers.rb

@@ -0,0 +1,52 @@
+module HashAuth
+  module Controllers
+    module Helpers
+    extend ActiveSupport::Concern
+
+      module ClassMethods
+        def initialize_for_hash_auth(actions_requiring_hash_verification)
+          before_filter :verify_hash, :only => actions_requiring_hash_verification
+        end
+      end
+
+      protected 
+      def verify_hash
+        @client = extract_client_from_request
+        return HashAuth.configuration.default_strategy.on_failure(nil, self, :no_matching_client) unless @client
+
+        valid_domain = check_host(request.host)
+        return @client.strategy.on_failure(@client, self, :invalid_domain) unless valid_domain
+
+        string_to_hash = @client.strategy.acquire_string_to_hash self, @client
+        target_string = @client.strategy.hash_string @client, string_to_hash
+        @authenticated = @client.strategy.verify_hash(target_string, @client, self) && valid_domain
+        
+        if @authenticated
+          @client.strategy.on_authentication @client, self
+        else
+          @client.strategy.on_failure(@client, self, :invalid_hash)
+        end
+      end
+
+      def extract_client_from_request
+        HashAuth.clients.each do |c|
+          return c if params[c.customer_identifier_param] == c.customer_identifier
+        end
+        nil
+      end
+
+      def check_host(host)
+        @client.valid_domains.each do |d|
+          match = regexp_from_host(d).match(host)
+          return true if match != nil
+        end
+        false
+      end
+
+      def regexp_from_host(host)
+        Regexp.new '^'+host.gsub('.','\.').gsub('*', '.*') + '$'
+      end
+
+    end
+  end
+end

data/lib/hash-auth/controllers.rb

@@ -0,0 +1,5 @@
+module HashAuth
+  module Controllers
+    autoload :Helpers, 'hash-auth/controllers/helpers'
+  end
+end

data/lib/hash-auth/railtie.rb

@@ -0,0 +1,10 @@
+require 'active_record/railtie'
+require 'action_controller'
+
+module HashAuth
+  class Railtie < Rails::Railtie
+    if defined?(ActionController::Base)
+      ActionController::Base.send :include, HashAuth
+    end
+  end
+end

data/lib/hash-auth/strategies/base.rb

@@ -0,0 +1,47 @@
+require 'digest'
+
+module HashAuth
+  module Strategies
+    class Base
+      # provide the HashAuth system with a handle for this strategy
+      def self.identifier
+        raise "identifier method not implemented in #{self.class.name}"
+      end
+
+      # upon receiving a hashed request, extract the string that needs to be hashed and compared to the signature passed
+      def self.acquire_string_to_hash(controller, client)
+        raise "acquire_string_to_hash method not implemented in #{self.class.name}"
+      end
+
+      # how the querystring should be hashed (eg. hmac-sha1, md5)
+      def self.hash_string(client, string)
+        raise "hash_string method not implemented in #{self.class.name}"
+      end
+
+      # determine equality of the target string, as calculated by acquire_string_to_hash -> hash_string, with the actual signature passed by client
+      def self.verify_hash(target_string, client, controller)
+        raise "verify_hash method not implemented in #{self.class.name}"
+      end
+
+      # anything special that needs to be done upon successful authentication of a request (eg. log in proxy user for a given client)
+      def self.on_authentication(client, controller)
+        raise "on_authentication method not implemented in #{self.class.name}"
+      end
+
+      # on_failure is triggered during the before_filter of an action that requires hash authentication
+      # if any of the cases are met (these are the options for type):
+      #  - :no_matching_client
+      #  - :invalid_domain
+      #  - :invalid_hash
+      def self.on_failure(client, controller, type)
+        raise "on_failure method not implemented in #{self.class.name}"
+      end
+
+      # sign_request should sign the outgoing request. Given the different objects available at request
+      # creation time versus receipt time, this method needs to be included in addition to acquire_string_to_hash
+      def self.sign_request(client, verb, params)
+        raise "sign_request method not implemented in #{self.class.name}"
+      end
+    end
+  end
+end

data/lib/hash-auth/strategies/default.rb

@@ -0,0 +1,39 @@
+module HashAuth
+  module Strategies
+    class Default < Base
+
+      def self.identifier
+        :default
+      end
+
+      def self.acquire_string_to_hash(controller, client)
+        params = controller.params.select{|k,v| k != 'controller' && k != 'action' && k != client.signature_param }.map{|k,v| "#{k}=#{v}"}.join('&')
+        params + client.customer_key.to_s
+      end
+
+      def self.hash_string(client, string)
+        Digest::SHA2.new(256) << string
+      end
+
+      def self.verify_hash(target_string, client, controller)
+        return false if controller.params[client.signature_param] == nil
+        target_string == controller.params[client.signature_param]
+      end
+
+      def self.on_authentication(client, controller)
+        # Do nothing
+      end
+
+      def self.on_failure(client, controller, type)
+        controller.instance_variable_set '@failure_message', 'Not a valid client' if type == :no_matching_client
+        controller.instance_variable_set '@failure_message', 'Request coming from invalid domain' if type == :invalid_domain
+        controller.instance_variable_set '@failure_message', 'Signature hash is invalid' if type == :invalid_hash
+      end
+
+      def self.sign_request(client, verb, params)
+        self.hash_string(client, params.map{|k,v| "#{k}=#{v}"}.join('&') + client.customer_key.to_s)
+      end
+
+    end
+  end
+end

data/lib/hash-auth/strategies.rb

@@ -0,0 +1,6 @@
+module HashAuth
+  module Strategies
+    autoload :Base, 'hash-auth/strategies/base'
+    autoload :Default, 'hash-auth/strategies/default'
+  end
+end

data/lib/hash-auth/version.rb

@@ -0,0 +1,3 @@
+module HashAuth
+  VERSION = "0.1.0"
+end

data/lib/hash-auth/web_request.rb

@@ -0,0 +1,65 @@
+require 'rest-client'
+
+module HashAuth
+  class WebRequest
+
+    def self.get(client, url, headers = {}, &block)
+      self.delegate_to_rest_client_passive :get, client, url, headers, &block
+    end
+
+    def self.post(client, url, payload, headers = {}, &block)
+      self.delegate_to_rest_client_active :post, client, url, payload, headers, &block
+    end
+
+    def self.patch(client, url, payload, headers = {}, &block)
+      self.delegate_to_rest_client_active :post, client, url, payload, headers, &block
+    end
+
+    def self.put(client, url, payload, headers = {}, &block)
+      self.delegate_to_rest_client_active :post, client, url, payload, headers, &block
+    end
+
+    def self.delete(client, url, headers = {}, &block)
+      self.delegate_to_rest_client_passive :delete, client, url, headers, &block
+    end
+
+    def self.head(client, url, headers = {}, &block)
+      self.delegate_to_rest_client_passive :head, client, url, headers, &block
+    end
+
+    def self.options(client, url, headers = {}, &block)
+      self.delegate_to_rest_client_passive :options, client, url, headers, &block
+    end
+
+    def self.delegate_to_rest_client_passive(action, client, url, headers, &block)
+      headers = self.sign_and_identify client, action, headers
+      RestClient.send action, url, headers, &block
+    end
+
+    def self.delegate_to_rest_client_active(action, client, url, payload, headers, &block)
+      payload = self.sign_and_identify client, action, payload
+      RestClient.send action, url, payload, headers, &block
+    end
+
+    def self.sign_and_identify(client, verb, params)
+      params = self.add_client_to_params(client, params)
+      params = self.add_signature_to_params(client, verb, params)
+      if [:get, :delete, :head, :options].include? verb
+        {:params => params}
+      else
+        params
+      end
+    end
+
+    def self.add_client_to_params(client, params)
+      params[client.customer_identifier_param.to_sym] = client.customer_identifier
+      params
+    end
+
+    def self.add_signature_to_params(client, verb, params)
+      params[client.signature_param.to_sym] = client.strategy.sign_request(client, verb, params)
+      params
+    end
+
+  end
+end

data/lib/hash-auth.rb

@@ -0,0 +1,27 @@
+require 'hash-auth/config'
+
+module HashAuth
+  extend ActiveSupport::Concern
+  extend ActiveSupport::Autoload
+
+  included do
+    #puts "HashAuth included"
+  end
+  autoload :Controllers, 'hash-auth/controllers'
+  autoload :Strategies, 'hash-auth/strategies'
+  autoload :Client, 'hash-auth/client'
+  autoload :WebRequest, 'hash-auth/web_request'
+
+  module ClassMethods
+    def validates_auth_for(*methods, &block)
+      self.send :include, Controllers::Helpers
+      initialize_for_hash_auth methods
+    end
+  end
+
+  def self.configured?
+    @config.present?
+  end
+end
+
+require 'hash-auth/railtie'

data/lib/tasks/hash-auth_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :hash-auth do
+#   # Task goes here
+# end

data/spec/controllers/helper_spec.rb

@@ -0,0 +1,41 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+describe TestRailsApp::TestController do
+
+  it "extracts client from request" do
+    controller.params = Request.parse_params 'a=b&c=d&customer_id=my_organization'
+    client = controller.extract_client_from_request_helper
+    client.customer_key.should == 1234567890
+  end
+
+  it "checks the request host for a clients valid domain" do
+    controller.params = Request.parse_params 'a=b&c=d&customer_id=my_organization'
+    controller.instance_variable_set '@client', controller.extract_client_from_request_helper
+    controller.check_host_helper('localhost').should == true
+    controller.check_host_helper('localhostwithstuffafterit').should == false
+    controller.check_host_helper('prependinglocalhost').should == false
+    controller.check_host_helper('localSTUFFhost').should == false
+  end
+
+  it "checks the request host for client's valid domain with wildcarding" do
+    controller.params = Request.parse_params 'a=b&c=d&customer_id=your_organization'
+    controller.instance_variable_set '@client', controller.extract_client_from_request_helper
+    controller.check_host_helper('maps.google.com').should == true
+    controller.check_host_helper('google.com').should == true
+    controller.check_host_helper('google.coma').should == false
+    controller.check_host_helper('google.co.uk').should == false
+    controller.check_host_helper('hello.org').should == true
+    controller.check_host_helper('org').should == false
+  end
+
+  it "executes on_failure block when request parameters do not match a client" do
+    controller.params = Request.parse_params 'a=b&c=d&customer_id=not_an_organization'
+    controller.verify_hash_helper
+    controller.instance_variable_get('@failure_message').should_not == nil
+  end
+
+  it "responds on_failure when authentication fails" do
+    controller.params = Request.parse_params 'a=b&c=d&customer_id=test&signature=abcde'
+    expect{controller.verify_hash_helper}.to raise_error(OnFailureError)
+  end
+end

data/spec/fake-rails-app.rb

@@ -0,0 +1,168 @@
+#### Faking a rails application that is configured with HashAuth for spec purposes
+
+class OnFailureError < Exception
+end
+
+module HashAuth
+  module Strategies
+    class New < Base
+
+      def self.identifier
+        :new
+      end
+
+      def self.acquire_string_to_hash(controller, client)
+        controller.params.select{|k,v| k != 'controller' && k != 'action' && k != client.signature_parameter }.map{|k,v| "#{k}=#{v}"}.join('&')
+      end
+
+      def self.hash_string(client, string)
+        Digest::MD5.digest string
+      end
+
+      def self.verify_hash(target_string, client, controller)
+        raise 'Parameters do not contain this client\'s signature_parameter' if controller.params[client.signature_parameter] == nil
+        target_string == controller.params[client.signature_parameter]
+      end
+
+      def self.on_authentication(client, controller)
+        # Do nothing
+      end
+
+      def self.on_failure(client, controller, type)
+        raise OnFailureError, "Failure to authenticate"
+        # Do nothingå
+      end
+
+    end
+  end
+end
+
+clients = [
+  {
+    :customer_key => 1234567890,
+    :customer_identifier => 'my_organization',
+    :customer_identifier_param => 'customer_id',
+    :valid_domains => 'localhost',
+    :strategy => :default
+  },
+  {
+    :customer_key => 987654321,
+    :customer_identifier => 'your_organization',
+    :customer_identifier_param => 'customer_id',
+    :valid_domains => ['*google.com', '*.org'],
+    :strategy => :default
+  },
+  {
+    :customer_key => 'zyxwvut',
+    :customer_identifier => 'test',
+    :valid_domains => '*',
+    :strategy => :new
+  },
+  {
+    :customer_key => 9988776655,
+    :customer_identifier => 'no_matching_client',
+    :customer_identifier_param => 'customer_id',
+    :valid_domains => 'localhost',
+    :strategy => :default
+  },
+  {
+    :customer_key => 'something other than will be on server',
+    :customer_identifier => 'incorrect_hash',
+    :customer_identifier_param => 'customer_id',
+    :valid_domains => 'localhost',
+    :strategy => :default
+  }
+]
+
+HashAuth.configure do
+
+  ## Block to allow dynamic loading of customer keys (Optional)
+  #### Could be from YAML
+  #### Could be from DB
+  
+  #set_default_customer_identifier_param 
+
+  add_clients clients
+
+  set_default_signature_parameter 'signature'
+
+end
+
+module TestRailsApp
+
+  class Application < Rails::Application
+    # app config here
+    # config.secret_token = '572c86f5ede338bd8aba8dae0fd3a326aabababc98d1e6ce34b9f5'
+    routes.draw do
+      match "test_rails_app/test/one" => "test#one"
+      match "/test/two" => "test#two"
+      match "/test/three" => "test#three"
+     end
+  end
+
+  class ApplicationController < ActionController::Base
+    # setup
+  end
+
+  class TestController < ApplicationController
+    validates_auth_for :one, :two
+
+    def one
+    end
+
+    def two
+    end
+
+    def three
+    end
+
+    def extract_client_from_request_helper
+      extract_client_from_request
+    end
+
+    def check_host_helper(host)
+      check_host(host)
+    end
+
+    def verify_hash_helper
+      verify_hash
+    end
+
+  end
+
+  require 'rspec/rails'
+
+end
+
+# Faking controller/action requests
+class Request
+
+  def self.parse_params(string)
+    h = {}
+    s = string.split('&').map{|set| set.split '=' }.each do |p|
+      h[p[0]] = p[1]
+    end
+    h
+  end
+
+  def initialize(hash)
+    hash.each do |key,value|
+      add_instance_getters_and_setters key
+      send "#{key}=", value
+    end
+  end
+
+  # Add instance specific getters and setters for the name passed in,
+  # so as to allow different Client objects to have different properties
+  # that are accessible by . notation
+  def add_instance_getters_and_setters(var)
+    singleton = (class << self; self end)
+    singleton.send :define_method, var.to_sym do
+      instance_variable_get "@#{var}"
+    end
+    singleton.send :define_method, "#{var}=".to_sym do |val|
+      instance_variable_set "@#{var}", val
+    end
+  end
+
+end

data/spec/lib/client_spec.rb

@@ -0,0 +1,23 @@
+require File.expand_path('../../spec_helper', __FILE__)
+require 'active_support/all'
+require 'hash-auth'
+
+describe HashAuth::Client do
+
+  it "can be instantiated with a hash that adds getters and setters to the instance" do
+    hash = {:a => :b, :c => :d}
+    c = HashAuth::Client.new hash
+    c.a.should == :b
+    c.c.should == :d
+  end
+
+  it "does not add getters and setters to the entire Client class" do
+    hash = {:a => :b, :c => :d}
+    c = HashAuth::Client.new hash
+    hash = {:b => :a, :d => :c}
+    d = HashAuth::Client.new hash
+    c.respond_to?(:a).should == true
+    d.respond_to?(:a).should == false
+  end
+  
+end

data/spec/lib/config_spec.rb

@@ -0,0 +1,41 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+prev_config = HashAuth.configuration
+
+describe HashAuth::Config do
+
+  after :all do
+    HashAuth.configuration = prev_config
+  end
+
+  it "sets default_customer_identifier_param (via method missing)" do
+    HashAuth.configure { set_default_customer_identifier_param 'customer_identifier' }
+    HashAuth.configuration.default_customer_identifier_param.should == 'customer_identifier'
+  end
+
+  it "sets default signature param (via method missing)" do
+    HashAuth.configure { set_default_signature_param 'random_signature_param' }
+    HashAuth.configuration.default_signature_param.should == 'random_signature_param'
+  end
+
+  it "sets default strategy" do
+    expect{HashAuth.configure { set_default_strategy :my_new_strategy }}.to raise_error
+    HashAuth.configure { set_default_strategy :new }
+    HashAuth.configuration.default_strategy.should == HashAuth::Strategies::New
+  end
+
+  it "adds a new client" do
+    client = {
+      :customer_key => 'ABCDEFG',
+      :customer_identifier => 'globocorp',
+      :customer_identifier_param => 'id',
+      :valid_domains => ['*'],
+    }
+    num_clients = HashAuth.clients.length
+    HashAuth.configure { add_client client }
+    HashAuth.clients.length.should == num_clients + 1
+  end
+
+  it "takes a block to determine what to do when authentication fails to find a matching client"
+
+end

data/spec/lib/railtie_spec.rb

@@ -0,0 +1,9 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+describe HashAuth::Railtie do
+
+  it "includes HashAuth in ActionController::Base" do
+    ActionController::Base.included_modules.include?(HashAuth).should == true
+  end
+
+end

data/spec/lib/web_request_spec.rb

@@ -0,0 +1,74 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+# HashAuth::WebRequest specs rely on having the dummy app running on localhost:3000.
+# This will remain true until a test server is put up. These specs are commented out in
+# commits so that Travis ci can show passing status until then
+#
+# These tests rely on the default strategy
+#
+#
+# Update: added new specs to double check that the request parameters are properly encoded
+
+describe HashAuth::WebRequest do
+
+  after :each do
+    ObjectSpace.garbage_collect
+  end
+
+  # it "generates a properly signed query string that gets validated by server" do
+  #   client = HashAuth.find_client 'my_organization' 
+  #   response = JSON.parse(HashAuth::WebRequest.get client, 'localhost:3000/test/one', {:foo => :bar, :bar => :baz})
+  #   response['message'].should == 'ok'
+  # end
+
+  # it "receives invalid domain failure when query string is invalid" do
+  #   client = HashAuth.find_client 'your_organization'
+  #   response = JSON.parse(HashAuth::WebRequest.post client, 'localhost:3000/test/one', {:foo => :bar, :bar => :baz})
+  #   response['message'].should == 'Request coming from invalid domain'
+  # end
+
+  # it "receives no matching client failure method when query string is invalid" do
+  #   client = HashAuth.find_client 'no_matching_client'
+  #   response = JSON.parse(HashAuth::WebRequest.post client, 'localhost:3000/test/one', {})
+  #   response['message'].should == 'Not a valid client'
+  # end
+
+  # it "receives incorrect hash method when query string is invalid" do
+  #   client = HashAuth.find_client 'incorrect_hash'
+  #   response = JSON.parse(HashAuth::WebRequest.get client, 'localhost:3000/test/one', {:foo => :bar, :bar => :baz})
+  #   response['message'].should == 'Signature hash is invalid'
+  # end
+
+  it "forms proper urls for requests for get requests" do
+    client = HashAuth.find_client 'my_organization' 
+    expect{response = JSON.parse(HashAuth::WebRequest.get client, 'localhost:3000/test/one', {:foo => :bar, :bar => :baz})}.to raise_error
+    request = nil
+    ObjectSpace.each_object(RestClient::Request){|r| request = r}
+    string_to_hash = "foo=bar&bar=baz&#{client.customer_identifier_param}=#{client.customer_identifier}"
+    hashed_string = Digest::SHA2.new(256) << string_to_hash + client.customer_key.to_s
+    /.*\?(.*)/.match(request.instance_variable_get('@url'))[1].should == "#{string_to_hash}&#{client.signature_param}=#{hashed_string}"
+  end
+
+  # it "forms proper urls for requests for post requests" do
+  #   client = HashAuth.find_client 'my_organization' 
+  #   expect{response = JSON.parse(HashAuth::WebRequest.post client, 'localhost:3000/test/one', {:foo => :bar, :bar => :baz})}.to raise_error
+  #   request = nil
+  #   ObjectSpace.each_object(RestClient::Request){|r| request = r}
+  #   string_to_hash = "foo=bar&bar=baz&#{client.customer_identifier_param}=#{client.customer_identifier}"
+  #   hashed_string = Digest::SHA2.new(256) << string_to_hash + client.customer_key.to_s
+  #   request.instance_variable_get('@headers').should == "#{string_to_hash}&#{client.signature_param}=#{hashed_string}"
+  # end
+
+  # it "can get from server"
+
+  # it "can post to server"
+
+  # it "can put to server"
+
+  # it "can option to server"
+
+  # it "can head to server"
+
+  # it "can delete to server"
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'rails'
+require 'active_support/all'
+require 'action_controller/railtie'
+require 'hash-auth'
+require 'fake-rails-app'
+RSpec.configure do |config|
+  config.order = "random"
+end

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: hash-auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Max Lahey
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-04-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.11
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.2.11
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.7
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.7
+description: HashAuth allows your Rails application to support incoming and outgoing
+  two-factor authentication via hashing some component of an HTTPS request. Both sides
+  of the request (your Rails app and your client or provider) must have some unique
+  shared secret. This secret is used to create a hash of some portion of the request,
+  ensuring that (if neither side has been compromised) only the other party could
+  have created the request.
+email:
+- maxwellslahey@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/generators/hash_auth/install_generator.rb
+- lib/generators/hash_auth/strategy_generator.rb
+- lib/generators/hash_auth/templates/initializer.rb
+- lib/generators/hash_auth/templates/strategy.rb
+- lib/hash-auth/client.rb
+- lib/hash-auth/config.rb
+- lib/hash-auth/controllers/helpers.rb
+- lib/hash-auth/controllers.rb
+- lib/hash-auth/railtie.rb
+- lib/hash-auth/strategies/base.rb
+- lib/hash-auth/strategies/default.rb
+- lib/hash-auth/strategies.rb
+- lib/hash-auth/version.rb
+- lib/hash-auth/web_request.rb
+- lib/hash-auth.rb
+- lib/tasks/hash-auth_tasks.rake
+- MIT-LICENSE
+- Rakefile
+- README.md
+- spec/controllers/helper_spec.rb
+- spec/fake-rails-app.rb
+- spec/lib/client_spec.rb
+- spec/lib/config_spec.rb
+- spec/lib/railtie_spec.rb
+- spec/lib/web_request_spec.rb
+- spec/spec_helper.rb
+homepage: http://maxwells.github.com
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Rails gem to authenticate HTTP requests by hashing request components and
+  passing as parameter
+test_files:
+- spec/controllers/helper_spec.rb
+- spec/fake-rails-app.rb
+- spec/lib/client_spec.rb
+- spec/lib/config_spec.rb
+- spec/lib/railtie_spec.rb
+- spec/lib/web_request_spec.rb
+- spec/spec_helper.rb
+has_rdoc: