hawk-auth 0.0.0 → 0.1.0

data/lib/hawk/server.rb

@@ -0,0 +1,54 @@
+module Hawk
+  module Server
+    extend self
+
+    def authenticate(authorization_header, options)
+      Hawk::AuthorizationHeader.authenticate(authorization_header, options)
+    end
+
+    def authenticate_bewit(bewit, options)
+      padding = '=' * ((4 - bewit.size) % 4)
+      id, timestamp, mac, ext = Base64.decode64(bewit + padding).split('\\')
+
+      unless options[:credentials_lookup].respond_to?(:call) && (credentials = options[:credentials_lookup].call(id))
+        return AuthenticationFailure.new(:id, "Unidentified id")
+      end
+
+      if Time.at(timestamp.to_i) < Time.now
+        return AuthenticationFailure.new(:ts, "Stale timestamp")
+      end
+
+      expected_bewit = Crypto.bewit(
+        :credentials => credentials,
+        :host => options[:host],
+        :path => remove_bewit_param_from_path(options[:path]),
+        :port => options[:port],
+        :method => options[:method],
+        :ts => timestamp,
+        :ext => ext
+      )
+
+      unless expected_bewit == bewit
+        return AuthenticationFailure.new(:bewit, "Invalid signature")
+      end
+
+      credentials
+    end
+
+    def build_authorization_header(options)
+      Hawk::AuthorizationHeader.build(options, [:hash, :ext, :mac])
+    end
+
+    private
+
+    def remove_bewit_param_from_path(path)
+      path, query = path.split('?')
+      return path unless query
+      query, fragment = query.split('#')
+      query = query.split('&').reject { |i| i =~ /\Abewit=/ }.join('&')
+      path << "?#{query}" if query != ''
+      path << "#{fragment}" if fragment
+      path
+    end
+  end
+end

data/lib/hawk/version.rb

@@ -1,3 +1,3 @@
 module Hawk
-  VERSION = "0.0.0"
+  VERSION = "0.1.0"
 end

data/spec/authentication_header_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe Hawk::AuthenticationFailure do
+  let(:algorithm) { "sha256" }
+  let(:credentials) do
+    {
+      :id => '123456',
+      :key => '2983d45yun89q',
+      :algorithm => algorithm
+    }
+  end
+
+  describe "#header" do
+    let(:instance) {
+      described_class.new(:mac, "Invalid mac", :credentials => credentials)
+    }
+
+    let(:timestamp) { Time.now.to_i }
+
+    let(:timestamp_mac) {
+      Hawk::Crypto.ts_mac({ :ts => timestamp, :credentials => credentials })
+    }
+
+    before do
+      now = Time.now
+      Time.stubs(:now).returns(now)
+    end
+
+    it "returns valid hawk authentication failure header" do
+      expect(instance.header).to eql(%(Hawk ts="#{timestamp}", tsm="#{timestamp_mac}", error="#{instance.message}"))
+    end
+  end
+end

data/spec/client_spec.rb

@@ -0,0 +1,174 @@
+require 'spec_helper'
+require 'support/shared_examples/authorization_header'
+
+describe Hawk::Client do
+
+  let(:credentials) do
+    {
+      :id => '123456',
+      :key => '2983d45yun89q',
+      :algorithm => algorithm
+    }
+  end
+
+  let(:timestamp) { Time.now.to_i }
+  let(:nonce) { 'Ygvqdz' }
+
+  describe ".authenticate" do
+    let(:payload) {}
+    let(:ext) {}
+
+    let(:input) do
+      _input = {
+        :method => 'POST',
+        :path => '/somewhere/over/the/rainbow',
+        :host => 'example.net',
+        :port => 80,
+        :content_type => 'text/plain',
+        :credentials => credentials,
+        :ts => timestamp,
+        :nonce => nonce
+      }
+      _input[:payload] = payload if payload
+      _input
+    end
+
+    let(:client_input) do
+      _input = input
+      _input[:ext] = ext if ext
+      _input
+    end
+
+    let(:expected_mac) { Hawk::Crypto.mac(client_input) }
+    let(:expected_hash) { client_input[:payload] ? Hawk::Crypto.hash(client_input) : nil }
+
+    let(:authorization_header) do
+      parts = []
+      parts << %(hash="#{expected_hash}") if expected_hash
+      parts << %(mac="#{expected_mac}")
+      parts << %(ext="#{ext}") if ext
+      "Hawk #{parts.join(', ')}"
+    end
+
+    shared_examples "an authorization response header authenticator" do
+      it_behaves_like "an authorization header authenticator"
+    end
+
+    context "when using sha256" do
+      let(:algorithm) { "sha256" }
+
+      it_behaves_like "an authorization response header authenticator"
+    end
+
+    context "when using sha1" do
+      let(:algorithm) { "sha1" }
+
+      it_behaves_like "an authorization response header authenticator"
+    end
+  end
+
+  describe ".build_authorization_header" do
+    before do
+      now = Time.now
+      Time.stubs(:now).returns(now)
+    end
+
+    let(:expected_mac) { Hawk::Crypto.mac(input) }
+    let(:expected_hash) { input[:payload] ? Hawk::Crypto.hash(input) : nil }
+
+    let(:input) do
+      _input = {
+        :credentials => credentials,
+        :ts => timestamp,
+        :method => 'POST',
+        :path => '/somewhere/over/the/rainbow',
+        :host => 'example.net',
+        :port => 80,
+        :payload => 'something to write about',
+        :ext => 'Bazinga!'
+      }
+      _input[:nonce] = nonce if nonce
+      _input
+    end
+
+    let(:expected_output_parts) do
+      parts = []
+      parts << %(id="#{credentials[:id]}")
+      parts << %(ts="#{timestamp}")
+      parts << %(nonce="#{input[:nonce]}")
+      parts << %(hash="#{expected_hash}") if input[:payload]
+      parts << %(ext="#{input[:ext]}") if input[:ext]
+      parts << %(mac="#{expected_mac}")
+      parts
+    end
+
+    let(:expected_output) do
+      "Hawk #{expected_output_parts.join(', ')}"
+    end
+
+    shared_examples "an authorization request header builder" do
+      it_behaves_like "an authorization header builder"
+
+      context "without nonce" do
+        let(:nonce) { nil }
+
+        it "generates a nonce" do
+          actual = described_class.build_authorization_header(input)
+          expect(actual).to match(%r{\bnonce="[^"]+"})
+        end
+      end
+    end
+
+    context "when using sha256" do
+      let(:algorithm) { "sha256" }
+
+      it_behaves_like "an authorization request header builder"
+    end
+
+    context "when using sha1" do
+      let(:algorithm) { "sha1" }
+
+      it_behaves_like "an authorization request header builder"
+    end
+  end
+
+  describe ".calculate_time_offset" do
+    let(:algorithm) { 'sha256' }
+    let(:timestamp) { 1365741469 }
+    let(:header) do
+      %(Hawk ts="#{timestamp}", tsm="#{timestamp_mac}", error="Some Error Message")
+    end
+
+    before do
+      Time.stubs(:now).returns(Time.at(timestamp + offset))
+    end
+
+    context "with valid timestamp mac" do
+      let(:timestamp_mac) { Hawk::Crypto.ts_mac(:ts => timestamp, :credentials => credentials) }
+
+      context "with positive offset" do
+        let(:offset) { -2030 }
+        it "returns time offset in seconds" do
+          expect(described_class.calculate_time_offset(header, :credentials => credentials)).to eql(offset * -1)
+        end
+      end
+
+      context "with negative offset" do
+        let(:offset) { 12345 }
+        it "returns time offset in seconds" do
+          expect(described_class.calculate_time_offset(header, :credentials => credentials)).to eql(offset * -1)
+        end
+      end
+    end
+
+    context "with invalid timestamp mac" do
+      let(:timestamp_mac) { "fooabr" }
+      let(:offset) { 1432 }
+
+      it "returns nil" do
+        expect(described_class.calculate_time_offset(header, :credentials => credentials)).to be_nil
+      end
+    end
+  end
+
+end

data/spec/crypto_spec.rb

@@ -0,0 +1,197 @@
+require 'spec_helper'
+
+describe Hawk::Crypto do
+
+  let(:algorithm) { "sha256" }
+  let(:credentials) do
+    {
+      :id => '123456',
+      :key => '2983d45yun89q',
+      :algorithm => algorithm
+    }
+  end
+
+  describe "#hash" do
+    let(:hashing_method) { "hash" }
+
+    shared_examples "a payload hashing method" do
+      it "returns valid base64 encoded hash of payload" do
+        expect(described_class.send(hashing_method, input)).to eql(expected_output)
+      end
+    end
+
+    let(:input) do
+      {
+        :credentials => credentials,
+        :ts => 1353809207,
+        :nonce => 'Ygvqdz',
+        :method => 'POST',
+        :path => '/somewhere/over/the/rainbow',
+        :host => 'example.net',
+        :port => 80,
+        :payload => 'something to write about',
+        :ext => 'Bazinga!'
+      }
+    end
+
+    context "when using sha1 algorithm" do
+      let(:expected_output) { "bsvY3IfUllw6V5rvk4tStEvpBhE=" }
+      let(:algorithm) { "sha1" }
+
+      it_behaves_like "a payload hashing method"
+    end
+
+    context "when using sha256 algorithm" do
+      let(:expected_output) { "LjRmtkSKTW0ObTUyZ7N+vjClKd//KTTdfhF1M4XCuEM=" }
+
+      it_behaves_like "a payload hashing method"
+    end
+  end
+
+  shared_examples "a mac digest method" do
+    it "returns valid base64 encoded hmac" do
+      expect(described_class.send(mac_digest_method, input)).to eql(expected_output)
+    end
+  end
+
+  describe ".bewit" do
+    let(:mac_digest_method) { "bewit" }
+
+    context "when using sha256 algorithm" do
+      let(:input) do
+        {
+          :credentials => credentials,
+          :method => 'GET',
+          :path => '/resource/4?a=1&b=2',
+          :host => 'example.com',
+          :port => 80,
+          :ext => 'some-app-data',
+          :ttl => 60 * 60 * 24 * 365 * 100
+        }
+      end
+
+      let(:expected_output) {
+        "MTIzNDU2XDQ1MTkzMTE0NThcYkkwanFlS1prUHE0V1hRMmkxK0NrQ2lOanZEc3BSVkNGajlmbElqMXphWT1cc29tZS1hcHAtZGF0YQ"
+      }
+
+      before do
+        Time.stubs(:now).returns(Time.at(1365711458))
+      end
+
+      it_behaves_like "a mac digest method"
+    end
+  end
+
+  describe ".mac" do
+    let(:mac_digest_method) { "mac" }
+
+    let(:input) do
+      {
+        :credentials => credentials,
+        :ts => 1353809207,
+        :nonce => 'Ygvqdz',
+        :method => 'POST',
+        :path => '/somewhere/over/the/rainbow',
+        :host => 'example.net',
+        :port => 80,
+        :payload => 'something to write about',
+        :ext => 'Bazinga!'
+      }
+    end
+
+    context "when using sha1 algorithm" do
+      let(:expected_output) { "qbf1ZPG/r/e06F4ht+T77LXi5vw=" }
+      let(:algorithm) { "sha1" }
+
+      it_behaves_like "a mac digest method"
+    end
+
+    context "when using sha256 algorithm" do
+      let(:expected_output) { "dh5kEkotNusOuHPolRYUhvy2vlhJybTC2pqBdUQk5z0=" }
+
+      it_behaves_like "a mac digest method"
+    end
+  end
+
+  describe ".ts_mac" do
+    let(:input) do
+      {
+        :credentials => credentials,
+        :ts => 1365741469
+      }
+    end
+
+    it "returns valid timestamp mac" do
+      expect(described_class.ts_mac(input)).to eql("h/Ff6XI1euObD78ZNflapvLKXGuaw1RiLI4Q6Q5sAbM=")
+    end
+  end
+
+  describe ".normalized_string" do
+    let(:normalization_method) { "normalized_string" }
+
+    shared_examples "an input normalization method" do
+      it "returns a valid normalized string" do
+        expect(described_class.send(normalization_method, input)).to eql(expected_output)
+      end
+    end
+
+    let(:input) do
+      {
+        :ts => 1365701514,
+        :nonce => '5b4e',
+        :method => 'GET',
+        :path => "/path/to/foo?bar=baz",
+        :host => 'example.com',
+        :port => 8080
+      }
+    end
+
+    let(:expected_output) do
+      %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:path]}\n#{input[:host]}\n#{input[:port]}\n\n\n)
+    end
+
+    it_behaves_like "an input normalization method"
+
+    context "with ext" do
+      let(:input) do
+        {
+          :ts => 1365701514,
+          :nonce => '5b4e',
+          :method => 'GET',
+          :path => '/path/to/foo?bar=baz',
+          :host => 'example.com',
+          :port => 8080,
+          :ext => 'this is some app data'
+        }
+      end
+
+      let(:expected_output) do
+        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:path]}\n#{input[:host]}\n#{input[:port]}\n\n#{input[:ext]}\n)
+      end
+
+      it_behaves_like "an input normalization method"
+    end
+
+    context "with payload and ext" do
+      let(:input) do
+        {
+          :ts => 1365701514,
+          :nonce => '5b4e',
+          :method => 'GET',
+          :path => '/path/to/foo?bar=baz',
+          :host => 'example.com',
+          :port => 8080,
+          :hash => 'U4MKKSmiVxk37JCCrAVIjV/OhB3y+NdwoCr6RShbVkE=',
+          :ext => 'this is some app data'
+        }
+      end
+
+      let(:expected_output) do
+        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:path]}\n#{input[:host]}\n#{input[:port]}\n#{input[:hash]}\n#{input[:ext]}\n)
+      end
+
+      it_behaves_like "an input normalization method"
+    end
+  end
+
+end