hash-auth 0.1.1 → 1.0.0

data/README.md

@@ -14,6 +14,7 @@ _Note: Only Ruby 1.9.2 and above are supported, due to lack of ordered Hash obje
 - Clients can be authenticated as a proxy user upon successful hash authentication (ie. if your controller action depends on having current_user, you can assign an email address to your client and have it log in that user)
 - Custom blocks can be provided to (a) acquire the string to hash, (b) hash the string, or (c) perform a custom action upon authentication from a request from each indivudual client
 - Enhanced security can be enabled by requiring each client to submit a GMT version of their system time to be included in the hash, which will mean any given request is only valid within a predefined window (reduces the possibility of a man in the middle attack through duplicate requests)
+- Requests can be filtered by remote ip address specifically or by the reverse dns lookup of the remote ip address
 
 ## Usage
 
@@ -95,7 +96,9 @@ This will generate a template that needs to be filled in with the necessary beha
 		:customer_identifier_param => 'customer_id',
 			# the name of the parameter the client will pass their unique identifier in
 		:valid_domains => '*my_organization.org',
-			# will allow request from anything ending with my_organization.org, can also provide a list
+			# will allow request from anything ending with my_organization.org, can also provide a list. Note: this only works if reverse_dns ip filtering, so the reverse dns lookup for a clients IP must match up. (domain_auth :reverse_dns)
+		:valid_ips => '192.168.1.1',
+			# will allow request from a specific ip or list of ips. Note: only works if ip filtering is enabled (domain_auth :ip)
 		:strategy => :my_auth_strategy,
 			# If no strategy is provided, then the default (HashAuth::Strategies::Default) will be used. If the strategy symbol does not reference a valid strategy, then an exception will be raised
 	}
@@ -110,6 +113,7 @@ YAML file (config/clients.yml in this example):
         customer_identifier: my_organization
         customer_identifier_param: customer_id
         valid_domains: '*my_organization.org'
+        valid_ips: '192.168.1.1'
         strategy: :default
         custom_key: custom_value
       -
@@ -117,6 +121,7 @@ YAML file (config/clients.yml in this example):
         customer_identifier: your_organization
         customer_identifier_param: customer_id
         valid_domains: ['your_organization.com', 'your_organization.org']
+        valid_ips: ['192.168.1.1', '192.168.1.2']
         strategy: :my_auth_strategy
         custom_key: custom_value
 	
@@ -131,7 +136,34 @@ hash-auth initializer:
 
 **_Options in hash-auth initializer_**
 
-Any custom client field can be initialized with a default value through method missing 
+Enable ip or reverse dns filtering
+
+```ruby
+	HashAuth.configure do
+		domain_auth :ip
+	end
+	
+	# or
+	
+	HashAuth.configure do
+		domain_auth :reverse_dns
+	end
+```
+
+Reverse DNS filtering caches the result. You have the option to namespace how that data gets stored. Note: client.
+
+```ruby
+	HashAuth.configure do
+		cache_store_namespace "foo"
+	end
+	
+	# will store the reverse dns lookup associated with an ip address
+	# as "foo-#{ip}" in the Rails.cache
+	# Example: 192.168.1.1 whould become foo-192.168.1.1
+	# Defaults to "hash-auth"
+```
+
+Any custom client field can be initialized with a default value through method missing (set_default_*)
 
 	HashAuth.configure do
 		set_default_authentication_success_status_message {:status => "success" }
@@ -194,8 +226,6 @@ WebRequest supports:
 
 See [REST client](https://github.com/rest-client/rest-client) for futher detail.
 
-
-## Examples
-
+## License
 
 This project rocks and uses MIT-LICENSE.

data/lib/generators/hash_auth/templates/initializer.rb

@@ -10,7 +10,6 @@ HashAuth.configure do
   #   YAML::load( File.open('../clients.yml') )
   # end
 
-
   ## Any attributes can be added to a client object at initialization.
   #### The default can be added to HashAuth configuration and will be picked up in every strategy automagically
   #### Default values must be set with set_default_* methods and will be picked up by [client].* methods
@@ -19,10 +18,12 @@ HashAuth.configure do
   #
   # client.foo_bar will return 'bar baz' unless specifically set for that client
 
-
   ## Set default strategy by handle
   # set_default_strategy :strategy_fifty_one
 
-
+  ## Set ip specific filtering
+  # domain_auth :ip
+  ## OR set ip filtering by reverse_dns (uses reverse dns lookup for the remote_ip provided in a request)
+  # domain_auth :reverse_dns
 
 end

data/lib/hash-auth/config.rb

@@ -78,6 +78,7 @@ module HashAuth
         end
         client[:strategy] = HashAuth.find_strategy(client[:strategy]) if client[:strategy]
         client[:valid_domains] = [client[:valid_domains]] unless client[:valid_domains].kind_of? Array
+        client[:valid_ips] = [client[:valid_ips]] unless client[:valid_ips].kind_of? Array
         HashAuth::Client.new client
       end
 
@@ -90,6 +91,13 @@ module HashAuth
             singleton = (class << @config; self end)
             singleton.send :define_method, "#{default_var_name}".to_sym do instance_variable_get("@#{default_var_name}") end
           end
+        else
+          var_name = method
+          @config.instance_variable_set("@#{var_name}", args[0])
+          if @config.respond_to?("#{var_name}".to_sym) == false
+            singleton = (class << @config; self end)
+            singleton.send :define_method, "#{var_name}".to_sym do instance_variable_get("@#{var_name}") end
+          end
         end
       end
     end
@@ -106,5 +114,13 @@ module HashAuth
       @default_strategy || HashAuth::Strategies::Default
     end
 
+    def cache_store_namespace
+      @cache_store_namespace.to_s || "hash-auth"
+    end
+
+    def domain_auth
+      @domain_auth || :none
+    end
+
   end
 end

data/lib/hash-auth/controllers/helpers.rb

@@ -1,3 +1,5 @@
+require 'resolv'
+
 module HashAuth
   module Controllers
     module Helpers
@@ -18,18 +20,20 @@ module HashAuth
         @client = extract_client_from_request
         return HashAuth.configuration.default_strategy.on_failure(nil, self, :no_matching_client) unless @client
 
-        valid_domain = check_host(request.host)
-        return @client.strategy.on_failure(@client, self, :invalid_domain) unless valid_domain
+        case HashAuth.configuration.domain_auth
+        when :ip
+          return @client.strategy.on_failure(@client, self, :invalid_ip) unless check_ip(request.remote_ip)
+        when :reverse_dns
+          domain = extract_domain(request.remote_ip)
+          return @client.strategy.on_failure(@client, self, :invalid_domain) unless check_host(domain)
+        end
 
         string_to_hash = @client.strategy.acquire_string_to_hash self, @client
         target_string = @client.strategy.hash_string @client, string_to_hash
-        @authenticated = @client.strategy.verify_hash(target_string, @client, self) && valid_domain
-        
-        if @authenticated
-          @client.strategy.on_authentication @client, self
-        else
-          @client.strategy.on_failure(@client, self, :invalid_hash)
-        end
+        @authenticated = @client.strategy.verify_hash(target_string, @client, self)
+
+        return @client.strategy.on_authentication @client, self if @authenticated
+        @client.strategy.on_failure(@client, self, :invalid_hash)
       end
 
       def extract_client_from_request
@@ -39,6 +43,20 @@ module HashAuth
         nil
       end
 
+      def extract_domain(ip)
+        cache_address = "#{HashAuth.configuration.cache_store_namespace}-#{ip}"
+        cached_result = Rails.cache.read cache_address
+        return cached_result unless cached_result == nil
+        hostname = Resolv.new.getname(ip)
+        Rails.cache.write cache_address, hostname
+        hostname
+      end
+
+      def check_ip(ip)
+        @client.valid_ips.each { |valid_ip| return true if ip == valid_ip }
+        false
+      end
+
       def check_host(host)
         @client.valid_domains.each do |d|
           match = regexp_from_host(d).match(host)

data/lib/hash-auth/strategies/default.rb

@@ -7,12 +7,13 @@ module HashAuth
       end
 
       def self.acquire_string_to_hash(controller, client)
-        params = controller.params.select{|k,v| k != 'controller' && k != 'action' && k != client.signature_param }.map{|k,v| "#{k}=#{v}"}.join('&')
+        params = controller.params.select{|k,v| !['controller', 'action', 'format', client.signature_param].include? k }.map{|k,v| "#{k}=#{v}"}.join('&')
         params + client.customer_key.to_s
       end
 
       def self.hash_string(client, string)
-        Digest::SHA2.new(256) << string
+        digest = Digest::SHA256.new
+        digest.hexdigest string
       end
 
       def self.verify_hash(target_string, client, controller)
@@ -25,9 +26,16 @@ module HashAuth
       end
 
       def self.on_failure(client, controller, type)
-        controller.instance_variable_set '@failure_message', 'Not a valid client' if type == :no_matching_client
-        controller.instance_variable_set '@failure_message', 'Request coming from invalid domain' if type == :invalid_domain
-        controller.instance_variable_set '@failure_message', 'Signature hash is invalid' if type == :invalid_hash
+        case type
+        when :no_matching_client
+          controller.instance_variable_set '@failure_message', 'Not a valid client'
+        when :invalid_domain
+          controller.instance_variable_set '@failure_message', 'Request coming from invalid domain'
+        when :invalid_hash
+          controller.instance_variable_set '@failure_message', 'Signature hash is invalid'
+        when :invalid_ip
+          controller.instance_variable_set '@failure_message', 'Request coming from invalid IP' 
+        end
       end
 
       def self.sign_request(client, verb, params)

data/lib/hash-auth/version.rb

@@ -1,3 +1,3 @@
 module HashAuth
-  VERSION = "0.1.1"
+  VERSION = "1.0.0"
 end

data/spec/controllers/helper_spec.rb

@@ -1,41 +0,0 @@
-require File.expand_path('../../spec_helper', __FILE__)
-
-describe TestRailsApp::TestController do
-
-  it "extracts client from request" do
-    controller.params = Request.parse_params 'a=b&c=d&customer_id=my_organization'
-    client = controller.extract_client_from_request_helper
-    client.customer_key.should == 1234567890
-  end
-
-  it "checks the request host for a clients valid domain" do
-    controller.params = Request.parse_params 'a=b&c=d&customer_id=my_organization'
-    controller.instance_variable_set '@client', controller.extract_client_from_request_helper
-    controller.check_host_helper('localhost').should == true
-    controller.check_host_helper('localhostwithstuffafterit').should == false
-    controller.check_host_helper('prependinglocalhost').should == false
-    controller.check_host_helper('localSTUFFhost').should == false
-  end
-
-  it "checks the request host for client's valid domain with wildcarding" do
-    controller.params = Request.parse_params 'a=b&c=d&customer_id=your_organization'
-    controller.instance_variable_set '@client', controller.extract_client_from_request_helper
-    controller.check_host_helper('maps.google.com').should == true
-    controller.check_host_helper('google.com').should == true
-    controller.check_host_helper('google.coma').should == false
-    controller.check_host_helper('google.co.uk').should == false
-    controller.check_host_helper('hello.org').should == true
-    controller.check_host_helper('org').should == false
-  end
-
-  it "executes on_failure block when request parameters do not match a client" do
-    controller.params = Request.parse_params 'a=b&c=d&customer_id=not_an_organization'
-    controller.verify_hash_helper
-    controller.instance_variable_get('@failure_message').should_not == nil
-  end
-
-  it "responds on_failure when authentication fails" do
-    controller.params = Request.parse_params 'a=b&c=d&customer_id=test&signature=abcde'
-    expect{controller.verify_hash_helper}.to raise_error(OnFailureError)
-  end
-end

data/spec/rails-helpers.rb

@@ -0,0 +1,108 @@
+#### Faking a rails application that is configured with HashAuth for spec purposes
+
+class OnFailureError < Exception
+end
+
+module HashAuth
+  module Strategies
+    class New < Base
+
+      def self.identifier
+        :new
+      end
+
+      def self.acquire_string_to_hash(controller, client)
+        controller.params.select{|k,v| k != 'controller' && k != 'action' && k != client.signature_parameter }.map{|k,v| "#{k}=#{v}"}.join('&')
+      end
+
+      def self.hash_string(client, string)
+        Digest::MD5.digest string
+      end
+
+      def self.verify_hash(target_string, client, controller)
+        raise 'Parameters do not contain this client\'s signature_parameter' if controller.params[client.signature_parameter] == nil
+        target_string == controller.params[client.signature_parameter]
+      end
+
+      def self.on_authentication(client, controller)
+        # Do nothing
+      end
+
+      def self.on_failure(client, controller, type)
+        raise OnFailureError, "Failure to authenticate"
+        # Do nothingå
+      end
+
+    end
+  end
+end
+
+# clients = [
+#   {
+#     :customer_key => 1234567890,
+#     :customer_identifier => 'my_organization',
+#     :customer_identifier_param => 'customer_id',
+#     :valid_domains => 'localhost',
+#     :strategy => :default
+#   },
+#   {
+#     :customer_key => 987654321,
+#     :customer_identifier => 'your_organization',
+#     :customer_identifier_param => 'customer_id',
+#     :valid_domains => ['*google.com', '*.org'],
+#     :strategy => :default
+#   },
+#   {
+#     :customer_key => 'zyxwvut',
+#     :customer_identifier => 'test',
+#     :valid_domains => '*',
+#     :strategy => :new
+#   },
+#   {
+#     :customer_key => 9988776655,
+#     :customer_identifier => 'no_matching_client',
+#     :customer_identifier_param => 'customer_id',
+#     :valid_domains => 'localhost',
+#     :strategy => :default
+#   },
+#   {
+#     :customer_key => 'something other than will be on server',
+#     :customer_identifier => 'incorrect_hash',
+#     :customer_identifier_param => 'customer_id',
+#     :valid_domains => 'localhost',
+#     :strategy => :default
+#   }
+# ]
+
+# Faking controller/action requests
+class RequestHelper
+
+  def self.parse_params(string)
+    h = {}
+    s = string.split('&').map{|set| set.split '=' }.each do |p|
+      h[p[0]] = p[1]
+    end
+    h
+  end
+
+  def initialize(hash)
+    hash.each do |key,value|
+      add_instance_getters_and_setters key
+      send "#{key}=", value
+    end
+  end
+
+  # Add instance specific getters and setters for the name passed in,
+  # so as to allow different Client objects to have different properties
+  # that are accessible by . notation
+  def add_instance_getters_and_setters(var)
+    singleton = (class << self; self end)
+    singleton.send :define_method, var.to_sym do
+      instance_variable_get "@#{var}"
+    end
+    singleton.send :define_method, "#{var}=".to_sym do |val|
+      instance_variable_set "@#{var}", val
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -1,8 +1,10 @@
-require 'rails'
+require 'rails/all'
 require 'active_support/all'
 require 'action_controller/railtie'
 require 'hash-auth'
-require 'fake-rails-app'
+require 'rails-helpers'
+require File.expand_path('../../test/dummy/spec/spec_helper', __FILE__)
+require File.expand_path('../../test/dummy/spec/controllers/helper_spec', __FILE__)
 RSpec.configure do |config|
   config.order = "random"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hash-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 1.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-05 00:00:00.000000000 Z
+date: 2013-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -75,11 +75,11 @@ files:
 - Rakefile
 - README.md
 - spec/controllers/helper_spec.rb
-- spec/fake-rails-app.rb
 - spec/lib/client_spec.rb
 - spec/lib/config_spec.rb
 - spec/lib/railtie_spec.rb
 - spec/lib/web_request_spec.rb
+- spec/rails-helpers.rb
 - spec/spec_helper.rb
 homepage: http://maxwells.github.com
 licenses: []
@@ -108,10 +108,10 @@ summary: Rails gem to authenticate HTTP requests by hashing request components a
   passing as parameter
 test_files:
 - spec/controllers/helper_spec.rb
-- spec/fake-rails-app.rb
 - spec/lib/client_spec.rb
 - spec/lib/config_spec.rb
 - spec/lib/railtie_spec.rb
 - spec/lib/web_request_spec.rb
+- spec/rails-helpers.rb
 - spec/spec_helper.rb
 has_rdoc: 

data/spec/fake-rails-app.rb

@@ -1,168 +0,0 @@
-#### Faking a rails application that is configured with HashAuth for spec purposes
-
-class OnFailureError < Exception
-end
-
-module HashAuth
-  module Strategies
-    class New < Base
-
-      def self.identifier
-        :new
-      end
-
-      def self.acquire_string_to_hash(controller, client)
-        controller.params.select{|k,v| k != 'controller' && k != 'action' && k != client.signature_parameter }.map{|k,v| "#{k}=#{v}"}.join('&')
-      end
-
-      def self.hash_string(client, string)
-        Digest::MD5.digest string
-      end
-
-      def self.verify_hash(target_string, client, controller)
-        raise 'Parameters do not contain this client\'s signature_parameter' if controller.params[client.signature_parameter] == nil
-        target_string == controller.params[client.signature_parameter]
-      end
-
-      def self.on_authentication(client, controller)
-        # Do nothing
-      end
-
-      def self.on_failure(client, controller, type)
-        raise OnFailureError, "Failure to authenticate"
-        # Do nothingå
-      end
-
-    end
-  end
-end
-
-clients = [
-  {
-    :customer_key => 1234567890,
-    :customer_identifier => 'my_organization',
-    :customer_identifier_param => 'customer_id',
-    :valid_domains => 'localhost',
-    :strategy => :default
-  },
-  {
-    :customer_key => 987654321,
-    :customer_identifier => 'your_organization',
-    :customer_identifier_param => 'customer_id',
-    :valid_domains => ['*google.com', '*.org'],
-    :strategy => :default
-  },
-  {
-    :customer_key => 'zyxwvut',
-    :customer_identifier => 'test',
-    :valid_domains => '*',
-    :strategy => :new
-  },
-  {
-    :customer_key => 9988776655,
-    :customer_identifier => 'no_matching_client',
-    :customer_identifier_param => 'customer_id',
-    :valid_domains => 'localhost',
-    :strategy => :default
-  },
-  {
-    :customer_key => 'something other than will be on server',
-    :customer_identifier => 'incorrect_hash',
-    :customer_identifier_param => 'customer_id',
-    :valid_domains => 'localhost',
-    :strategy => :default
-  }
-]
-
-HashAuth.configure do
-
-  ## Block to allow dynamic loading of customer keys (Optional)
-  #### Could be from YAML
-  #### Could be from DB
-  
-  #set_default_customer_identifier_param 
-
-  add_clients clients
-
-  set_default_signature_parameter 'signature'
-
-end
-
-module TestRailsApp
-
-  class Application < Rails::Application
-    # app config here
-    # config.secret_token = '572c86f5ede338bd8aba8dae0fd3a326aabababc98d1e6ce34b9f5'
-    routes.draw do
-      match "test_rails_app/test/one" => "test#one"
-      match "/test/two" => "test#two"
-      match "/test/three" => "test#three"
-     end
-  end
-
-  class ApplicationController < ActionController::Base
-    # setup
-  end
-
-  class TestController < ApplicationController
-    validates_auth_for :one, :two
-
-    def one
-    end
-
-    def two
-    end
-
-    def three
-    end
-
-    def extract_client_from_request_helper
-      extract_client_from_request
-    end
-
-    def check_host_helper(host)
-      check_host(host)
-    end
-
-    def verify_hash_helper
-      verify_hash
-    end
-
-  end
-
-  require 'rspec/rails'
-
-end
-
-# Faking controller/action requests
-class Request
-
-  def self.parse_params(string)
-    h = {}
-    s = string.split('&').map{|set| set.split '=' }.each do |p|
-      h[p[0]] = p[1]
-    end
-    h
-  end
-
-  def initialize(hash)
-    hash.each do |key,value|
-      add_instance_getters_and_setters key
-      send "#{key}=", value
-    end
-  end
-
-  # Add instance specific getters and setters for the name passed in,
-  # so as to allow different Client objects to have different properties
-  # that are accessible by . notation
-  def add_instance_getters_and_setters(var)
-    singleton = (class << self; self end)
-    singleton.send :define_method, var.to_sym do
-      instance_variable_get "@#{var}"
-    end
-    singleton.send :define_method, "#{var}=".to_sym do |val|
-      instance_variable_set "@#{var}", val
-    end
-  end
-
-end