hawk-auth 0.2.0 → 0.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0520600ff04a5b34f08821c26c42350db21ee2b4
+  data.tar.gz: 6bd61486e985287d0cc944595444f4f9012bc736
+SHA512:
+  metadata.gz: 0b8136675219d0dfb65acb94022f5fc14b1b4595e61fe2391ecf8969b1e3fc0420b19b0c62ee52d54ad9de4650c8891c4c4a675704f0c2ccb3df244c281023e9
+  data.tar.gz: 567bd2820b6a62f80337d37d1c45899d425e770030b060447b1cd92f25aadb06a2542815ef1604692390323ea2c75993eb3a1090a0ffe417efac3f1e5f7fbe80

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2013 Apollic Software, LLC. All rights reserved.
+Copyright (c) 2013 Tent.is, LLC. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Apollic Software, LLC nor the names of its
+   * Neither the name of Tent.is, LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 

data/lib/hawk.rb

@@ -4,6 +4,7 @@ module Hawk
   require 'hawk/crypto'
   require 'hawk/authentication_failure'
   require 'hawk/authorization_header'
+  require 'hawk/timestamp_mac_header'
   require 'hawk/client'
   require 'hawk/server'
 end

data/lib/hawk/authentication_failure.rb

@@ -8,7 +8,7 @@ module Hawk
     def header
       timestamp = Time.now.to_i
       if @options[:credentials]
-        timestamp_mac = Crypto.ts_mac(:ts => timestamp, :credentials => @options[:credentials])
+        timestamp_mac = Crypto.ts_mac(:ts => timestamp, :credentials => @options[:credentials]).to_s
         %(Hawk ts="#{timestamp}", tsm="#{timestamp_mac}", error="#{message}")
       else
         %(Hawk error="#{message}")

data/lib/hawk/authorization_header.rb

@@ -34,14 +34,14 @@ module Hawk
         raise InvalidAlgorithmError.new("#{credentials[:algorithm].inspect} is not a supported algorithm! Use one of the following: #{SUPPORTED_ALGORITHMS.join(', ')}")
       end
 
-      hash = Crypto.hash(options)
+      hash = Crypto.hash(options).to_s
       mac = Crypto.mac(options)
 
       parts = {
         :id => credentials[:id],
         :ts => options[:ts],
         :nonce => options[:nonce],
-        :mac => mac
+        :mac => mac.to_s
       }
       parts[:hash] = hash if options.has_key?(:payload) && !options[:payload].nil?
       parts[:ext] = options[:ext] if options.has_key?(:ext)
@@ -89,21 +89,23 @@ module Hawk
         end
       end
 
-      expected_mac = Crypto.mac(options.merge(
+      mac_opts = options.merge(
         :credentials => credentials,
         :ts => parts[:ts],
         :nonce => parts[:nonce],
         :ext => parts[:ext],
         :app => options[:app] || parts[:app],
         :dig => options[:dig] || parts[:dig]
-      ))
-      unless expected_mac == parts[:mac]
-        return AuthenticationFailure.new(:mac, "Invalid mac")
-      end
+      )
 
       expected_hash = parts[:hash] ? Crypto.hash(options.merge(:credentials => credentials)) : nil
-      if expected_hash && expected_hash != parts[:hash]
-        return AuthenticationFailure.new(:hash, "Invalid hash")
+      if expected_hash && expected_hash.to_s != parts[:hash]
+        return AuthenticationFailure.new(:hash, "Invalid hash. #{expected_hash.normalized_string}")
+      end
+
+      expected_mac = Crypto.mac(mac_opts)
+      unless expected_mac.eql?(parts[:mac])
+        return AuthenticationFailure.new(:mac, "Invalid mac. #{expected_mac.normalized_string}")
       end
 
       credentials

data/lib/hawk/client.rb

@@ -14,7 +14,7 @@ module Hawk
 
     def calculate_time_offset(authorization_header, options)
       parts = AuthorizationHeader.parse(authorization_header)
-      expected_mac = Crypto.ts_mac(:ts => parts[:ts], :credentials => options[:credentials])
+      expected_mac = Crypto.ts_mac(:ts => parts[:ts], :credentials => options[:credentials]).to_s
       return unless expected_mac == parts[:tsm]
       parts[:ts].to_i - Time.now.to_i
     end

data/lib/hawk/crypto.rb

@@ -22,82 +22,193 @@ module Hawk
   module Crypto
     extend self
 
-    def hash(options)
-      parts = []
+    class Base
+      def to_s(options = {})
+        if options[:raw]
+          digest
+        else
+          encode64
+        end
+      end
 
-      parts << "hawk.1.payload"
-      parts << options[:content_type]
-      parts << options[:payload].to_s
-      parts << nil # trailing newline
+      def encode64
+        Base64.encode64(digest).chomp
+      end
 
-      Base64.encode64(OpenSSL::Digest.const_get(options[:credentials][:algorithm].upcase).digest(parts.join("\n"))).chomp
-    end
+      def ==(other)
+        if self.class === other
+          secure_compare(to_s(:raw => true), other.to_s(:raw => true))
+        else
+          # assume base64 encoded mac
+          secure_compare(to_s(:raw => true), Base64.decode64(other))
+        end
+      end
 
-    def normalized_string(options)
-      options = options.dup
-      if !options[:hash] && options.has_key?(:payload) && !options[:payload].nil?
-        options[:hash] = hash(options)
+      def eql?(other)
+        self == other
       end
 
-      parts = []
+      private
+
+      def secure_compare(a, b)
+        return false if a.empty? || b.empty? || a.bytesize != b.bytesize
+        b_bytes = b.unpack "C#{b.bytesize}"
+
+        res = 0
+        a.each_byte { |byte| res |= byte ^ b_bytes.shift }
+        res == 0
+      end
 
-      parts << "hawk.1.#{options[:type] || 'header'}"
-      parts << options[:ts]
-      parts << options[:nonce]
-      parts << options[:method].to_s.upcase
-      parts << options[:request_uri]
-      parts << options[:host]
-      parts << options[:port]
-      parts << options[:hash]
-      parts << options[:ext]
+      def openssl_digest(algorithm)
+        OpenSSL::Digest.const_get(algorithm.upcase)
+      end
+    end
 
-      if options[:app]
-        parts << options[:app]
-        parts << options[:dig]
+    class Mac < Base
+      def initialize(key, options, algorithm = 'sha256')
+        @key, @options, @algorithm = key, options, algorithm
       end
 
-      parts << nil # trailing newline
+      def normalized_string
+        options = @options.dup
+        if !options[:hash] && options.has_key?(:payload) && !options[:payload].nil?
+          options[:hash] = Crypto.hash(options)
+        end
+
+        parts = []
+
+        parts << "hawk.1.#{options[:type] || 'header'}"
+        parts << options[:ts]
+        parts << options[:nonce]
+        parts << options[:method].to_s.upcase
+        parts << options[:request_uri]
+        parts << options[:host]
+        parts << options[:port]
+        parts << options[:hash]
+        parts << options[:ext]
+
+        if options[:app]
+          parts << options[:app]
+          parts << options[:dig]
+        end
+
+        parts << nil # trailing newline
 
-      parts.join("\n")
+        parts.join("\n")
+      end
+
+      def digest
+        @digest ||= OpenSSL::HMAC.digest(openssl_digest(@algorithm).new, @key, normalized_string)
+      end
     end
 
-    def mac(options)
-      Base64.encode64(
-        OpenSSL::HMAC.digest(
-          openssl_digest(options[:credentials][:algorithm]).new,
-          options[:credentials][:key],
-          normalized_string(options)
-        )
-      ).chomp
+    class Hash < Base
+      def initialize(content_type, payload, algorithm)
+        @content_type, @payload, @algorithm = content_type, payload, algorithm
+      end
+
+      def normalized_string
+        @normalized_string ||= begin
+          parts = []
+
+          parts << "hawk.1.payload"
+          parts << @content_type
+          parts << @payload.to_s
+          parts << nil # trailing newline
+
+          parts.join("\n")
+        end
+      end
+
+      def digest
+        @digest ||= openssl_digest(@algorithm).digest(normalized_string)
+      end
     end
 
-    def ts_mac(options)
-      Base64.encode64(
-        OpenSSL::HMAC.digest(
-          openssl_digest(options[:credentials][:algorithm]).new,
-          options[:credentials][:key],
-          "hawk.1.ts\n#{options[:ts]}\n"
-        )
-      ).chomp
+    class TSMac < Base
+      def initialize(key, ts, algorithm = 'sha256')
+        @key, @ts, @algorithm = key, ts, algorithm
+      end
+
+      def normalized_string
+        @normalized_string ||= "hawk.1.ts\n#{@ts}\n"
+      end
+
+      def digest
+        @digest ||= OpenSSL::HMAC.digest(openssl_digest(@algorithm).new, @key, normalized_string)
+      end
     end
 
-    def bewit(options)
-      options[:ts] ||= Time.now.to_i + options[:ttl].to_i
+    class Bewit < Base
+      def self.decode(bewit)
+        padding = '=' * ((4 - bewit.size) % 4)
+        id, timestamp, mac, ext = Base64.decode64(bewit + padding).split('\\')
+
+        new(id, nil, { :mac => mac, :ext => ext, :ts => timestamp }, nil)
+      end
 
-      _mac = mac(options.merge(:type => 'bewit'))
+      attr_reader :id, :ts, :ext
+      def initialize(id, key, options, algorithm = 'sha256')
+        @ts = options[:ts] ||= Time.now.to_i + options[:ttl].to_i
+        @ext = options[:ext]
+        @id, @key, @options, @algorithm = id, key, options.dup, algorithm
+        @mac = options.delete(:mac) if options[:mac]
+      end
+
+      def mac
+        @mac ||= Crypto::Mac.new(@key, @options.merge(:type => 'bewit'), @algorithm)
+      end
+
+      def normalized_string
+        @normalized_string ||= begin
+          parts = []
 
-      parts = []
+          parts << @id
+          parts << @ts
+          parts << mac.to_s
+          parts << @ext
 
-      parts << options[:credentials][:id]
-      parts << options[:ts]
-      parts << _mac
-      parts << options[:ext]
+          parts.join("\\")
+        end
+      end
+
+      def encode64
+        @encoded ||= Base64.urlsafe_encode64(normalized_string).chomp.sub(/=+\Z/, '')
+      end
 
-      Base64.urlsafe_encode64(parts.join("\\")).chomp.sub(/=+\Z/, '')
+      def to_s(options = {})
+        encode64
+      end
+
+      def ==(other)
+        if self.class === other
+          mac == other.mac
+        else
+          # assume base64 encoded bewit
+          self == self.class.decode(other)
+        end
+      end
     end
 
-    def openssl_digest(algorithm)
-      OpenSSL::Digest.const_get(algorithm.upcase)
+    def hash(options)
+      Hash.new(options[:content_type], options[:payload], options[:credentials][:algorithm])
+    end
+
+    def mac(options)
+      Mac.new(options[:credentials][:key], options, options[:credentials][:algorithm])
+    end
+
+    def ts_mac(options)
+      TSMac.new(options[:credentials][:key], options[:ts], options[:credentials][:algorithm])
+    end
+
+    def bewit(options)
+      Bewit.new(
+        options[:credentials][:id],
+        options[:credentials][:key],
+        options,
+        options[:credentials][:algorithm]
+      )
     end
   end
 end

data/lib/hawk/server.rb

@@ -6,15 +6,14 @@ module Hawk
       Hawk::AuthorizationHeader.authenticate(authorization_header, options)
     end
 
-    def authenticate_bewit(bewit, options)
-      padding = '=' * ((4 - bewit.size) % 4)
-      id, timestamp, mac, ext = Base64.decode64(bewit + padding).split('\\')
+    def authenticate_bewit(encoded_bewit, options)
+      bewit = Crypto::Bewit.decode(encoded_bewit)
 
-      unless options[:credentials_lookup].respond_to?(:call) && (credentials = options[:credentials_lookup].call(id))
+      unless options[:credentials_lookup].respond_to?(:call) && (credentials = options[:credentials_lookup].call(bewit.id))
         return AuthenticationFailure.new(:id, "Unidentified id")
       end
 
-      if Time.at(timestamp.to_i) < Time.now
+      if Time.at(bewit.ts.to_i) < Time.now
         return AuthenticationFailure.new(:ts, "Stale timestamp")
       end
 
@@ -24,13 +23,13 @@ module Hawk
         :request_uri => remove_bewit_param_from_path(options[:request_uri]),
         :port => options[:port],
         :method => options[:method],
-        :ts => timestamp,
-        :ext => ext
+        :ts => bewit.ts,
+        :ext => bewit.ext
       )
 
-      unless expected_bewit == bewit
+      unless expected_bewit.eql?(bewit)
         if options[:request_uri].to_s =~ /\Ahttp/
-          return authenticate_bewit(bewit, options.merge(
+          return authenticate_bewit(encoded_bewit, options.merge(
             :request_uri => options[:request_uri].sub(%r{\Ahttps?://[^/]+}, '')
           ))
         else
@@ -45,6 +44,10 @@ module Hawk
       Hawk::AuthorizationHeader.build(options, [:hash, :ext, :mac])
     end
 
+    def build_tsm_header(options)
+      Hawk::TimestampMacHeader.build(options)
+    end
+
     private
 
     def remove_bewit_param_from_path(path)

data/lib/hawk/timestamp_mac_header.rb

@@ -0,0 +1,30 @@
+module Hawk
+  module TimestampMacHeader
+    extend self
+
+    REQUIRED_CREDENTIAL_MEMBERS = AuthorizationHeader::REQUIRED_CREDENTIAL_MEMBERS
+    SUPPORTED_ALGORITHMS = AuthorizationHeader::SUPPORTED_ALGORITHMS
+
+    InvalidCredentialsError = Class.new(StandardError)
+    InvalidAlgorithmError = Class.new(StandardError)
+
+    def build(options)
+      options[:ts] ||= Time.now.to_i
+
+      credentials = options[:credentials]
+      REQUIRED_CREDENTIAL_MEMBERS.each do |key|
+        unless credentials.has_key?(key)
+          raise InvalidCredentialsError.new("#{key.inspect} is missing!")
+        end
+      end
+
+      unless SUPPORTED_ALGORITHMS.include?(credentials[:algorithm])
+        raise InvalidAlgorithmError.new("#{credentials[:algorithm].inspect} is not a supported algorithm! Use one of the following: #{SUPPORTED_ALGORITHMS.join(', ')}")
+      end
+
+      tsm = Crypto.ts_mac(options)
+
+      %(Hawk ts="#{options[:ts]}", tsm="#{tsm}")
+    end
+  end
+end

data/lib/hawk/version.rb

@@ -1,3 +1,3 @@
 module Hawk
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

data/spec/client_spec.rb

@@ -40,8 +40,8 @@ describe Hawk::Client do
       _input
     end
 
-    let(:expected_mac) { Hawk::Crypto.mac(client_input) }
-    let(:expected_hash) { client_input[:payload] ? Hawk::Crypto.hash(client_input) : nil }
+    let(:expected_mac) { Hawk::Crypto.mac(client_input).to_s }
+    let(:expected_hash) { client_input[:payload] ? Hawk::Crypto.hash(client_input).to_s : nil }
 
     let(:authorization_header) do
       parts = []
@@ -74,8 +74,8 @@ describe Hawk::Client do
       Time.stubs(:now).returns(now)
     end
 
-    let(:expected_mac) { Hawk::Crypto.mac(input) }
-    let(:expected_hash) { input[:payload] ? Hawk::Crypto.hash(input) : nil }
+    let(:expected_mac) { Hawk::Crypto.mac(input).to_s }
+    let(:expected_hash) { input[:payload] ? Hawk::Crypto.hash(input).to_s : nil }
 
     let(:input) do
       _input = {

data/spec/crypto_spec.rb

@@ -125,13 +125,15 @@ describe Hawk::Crypto do
       expect(described_class.ts_mac(input)).to eql("h/Ff6XI1euObD78ZNflapvLKXGuaw1RiLI4Q6Q5sAbM=")
     end
   end
+end
 
+describe Hawk::Crypto::Mac do
   describe ".normalized_string" do
     let(:normalization_method) { "normalized_string" }
 
     shared_examples "an input normalization method" do
       it "returns a valid normalized string" do
-        expect(described_class.send(normalization_method, input)).to eql(expected_output)
+        expect(described_class.new(nil, input, nil).send(normalization_method)).to eql(expected_output)
       end
     end
 

data/spec/server_spec.rb

@@ -54,8 +54,8 @@ describe Hawk::Server do
       _input
     end
 
-    let(:expected_mac) { Hawk::Crypto.mac(client_input) }
-    let(:expected_hash) { client_input[:payload] ? Hawk::Crypto.hash(client_input) : nil }
+    let(:expected_mac) { Hawk::Crypto.mac(client_input).to_s }
+    let(:expected_hash) { client_input[:payload] ? Hawk::Crypto.hash(client_input).to_s : nil }
 
     let(:authorization_header) do
       parts = []
@@ -116,7 +116,7 @@ describe Hawk::Server do
           it "returns error object" do
             actual = described_class.authenticate(authorization_header, input)
             expect(actual).to be_a(Hawk::AuthenticationFailure)
-            expect(actual.key).to eql(:mac)
+            expect(actual.key).to eql(:hash)
             expect(actual.message).to_not eql(nil)
           end
         end
@@ -176,8 +176,8 @@ describe Hawk::Server do
   end
 
   describe ".build_authorization_header" do
-    let(:expected_mac) { Hawk::Crypto.mac(input) }
-    let(:expected_hash) { input[:payload] ? Hawk::Crypto.hash(input) : nil }
+    let(:expected_mac) { Hawk::Crypto.mac(input).to_s }
+    let(:expected_hash) { input[:payload] ? Hawk::Crypto.hash(input).to_s : nil }
     let(:timestamp) { Time.now.to_i }
     let(:nonce) { 'Ygvqdz' }
 
@@ -221,6 +221,44 @@ describe Hawk::Server do
     end
   end
 
+  describe ".build_tsm_header" do
+    let(:expected_tsm) { Hawk::Crypto.ts_mac(input).to_s }
+    let(:timestamp) { Time.now.to_i }
+
+    let(:input) do
+      {
+        :credentials => credentials,
+        :ts => timestamp
+      }
+    end
+
+    let(:expected_output_parts) do
+      [
+        %(ts="#{timestamp}"),
+        %(tsm="#{expected_tsm}")
+      ]
+    end
+
+    let(:expected_output) do
+      "Hawk #{expected_output_parts.join(', ')}"
+    end
+
+    context "when using sha256" do
+      let(:algorithm) { "sha256" }
+
+      it "builds tsm header" do
+        actual = described_class.build_tsm_header(input)
+
+        expected_output_parts.each do |expected_part|
+          matcher = Regexp === expected_part ? expected_part : Regexp.new(Regexp.escape(expected_part))
+          expect(actual).to match(matcher)
+        end
+
+        expect(actual).to eql(expected_output)
+      end
+    end
+  end
+
   describe ".authenticate_bewit" do
     shared_examples "authenticate_bewit" do
       context "when valid" do

metadata

@@ -1,20 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: hawk-auth
 version: !ruby/object:Gem::Version
-  version: 0.2.0
-  prerelease: 
+  version: 0.2.1
 platform: ruby
 authors:
 - Jesse Stuart
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-13 00:00:00.000000000 Z
+date: 2013-09-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -30,23 +27,20 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -54,7 +48,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -62,7 +55,6 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -70,7 +62,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -95,6 +86,7 @@ files:
 - lib/hawk/client.rb
 - lib/hawk/crypto.rb
 - lib/hawk/server.rb
+- lib/hawk/timestamp_mac_header.rb
 - lib/hawk/version.rb
 - spec/authentication_header_spec.rb
 - spec/client_spec.rb
@@ -104,27 +96,26 @@ files:
 - spec/support/shared_examples/authorization_header.rb
 homepage: ''
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 2.0.7
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Ruby implementation of Hawk
 test_files:
 - spec/authentication_header_spec.rb