hmac_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 04268ea75914ebc68d8fa7ba962c3ed8a59587b6
+  data.tar.gz: af2783c9026c0d7a8aed49d3ab41c4c857cf410f
+SHA512:
+  metadata.gz: 578a859ff43e9dffb42c8babc64d26719b0d31bc2c6d513960486af4094a5855de4c6b19975d96d4a7b3b2f3266ae5ec7aca26c1b1f4dd6397d4f377c9285e20
+  data.tar.gz: 33b8a97b3f2d96c0dc94d03c62d3db9f3399b5f500d26b786d3cb72ccd92ea4d56ee2503e6ddb09541afbfa7d94aec64aa6dd0a308a0a5c1acf59031e5c85e18

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/.ruby-gemset

@@ -0,0 +1 @@
+hmac_auth

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.0.0

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+script: bundle exec rspec

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Gebhard Wöstemeyer <g.woestemeyer@gmail.com>
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,53 @@
+# HMACAuth
+
+[![Build Status](https://travis-ci.org/gewo/hmac_auth.png)](https://travis-ci.org/gewo/hmac_auth/)
+[![Code Coverage](https://coveralls.io/repos/gewo/hmac_auth/badge.png)](https://coveralls.io/r/gewo/hmac_auth)
+
+```
+    __  ____  ______   _________         __  __
+   / / / /  |/  /   | / ____/   | __  __/ /_/ /_
+  / /_/ / /|_/ / /| |/ /   / /| |/ / / / __/ __ \
+ / __  / /  / / ___ / /___/ ___ / /_/ / /_/ / / /
+/_/ /_/_/  /_/_/  |_\____/_/  |_\__,_/\__/_/ /_/
+
+```
+
+Ruby gem providing HMAC based message signing and verification. Without
+fancy Rails integration.
+
+## Installation
+
+```ruby
+gem 'hmac_auth'       # Gemfile
+gem install hmac_auth # manual
+```
+
+## Usage
+
+```ruby
+# Configuration
+HMACAuth.secret      = 't0p_s3cr3!!eins1'
+HMACAuth.reject_keys = %w(action controller format)
+HMACAuth.valid_for   = 15.minutes
+
+to_be_signed = {
+  b: 2,
+  a: { d: 4, c: 3 }
+}
+
+signed = HMACAuth::Signature.sign to_be_signed
+# => Hash including 'timestamp' and 'signature'
+
+HMACAuth::Signature.verify(signed)                        # => true
+HMACAuth::Signature.verify(signed.merge(evil: 'yes'))     # => false
+HMACAuth::Signature.verify(signed, secret: 'good guess?') # => false
+
+sleep 20.minutes
+HMACAuth::Signature.verify(signed)                        # => false
+
+# That's it. Nothing more, nothing less.
+```
+
+## Contributing
+
+This is very much appreciated :-)

data/Rakefile

@@ -0,0 +1 @@
+require 'bundler/gem_tasks'

data/hmac_auth.gemspec

@@ -0,0 +1,27 @@
+# encoding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hmac_auth/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = 'hmac_auth'
+  gem.version       = HmacAuth::VERSION
+  gem.authors       = ['Gebhard Wöstemeyer']
+  gem.email         = ['g.woestemeyer@gmail.com']
+  gem.description   = 'HMAC based message signing and verification'
+  gem.summary       = 'Ruby gem providing HMAC based message signing and ' \
+                      'verification. Without fancy Rails integration.'
+  gem.homepage      = 'https://github.com/gewo/hmac_auth'
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ['lib']
+
+  gem.add_runtime_dependency 'activesupport'
+
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'coveralls'
+end

data/lib/hmac_auth.rb

@@ -0,0 +1,25 @@
+# coding: utf-8
+require 'openssl'
+require 'json'
+require 'active_support/core_ext/module/attribute_accessors'
+require 'active_support/core_ext/numeric/time'
+
+require 'hmac_auth/version'
+require 'hmac_auth/error'
+require 'hmac_auth/signature'
+
+module HMACAuth
+  mattr_accessor :secret,
+    :reject_keys,
+    :valid_for
+
+  # The shared secret.
+  self.secret = nil
+
+  # Keys to ignore when signing/verifying.
+  self.reject_keys = %w(action controller format)
+
+  # Time the signature is valid when verifying
+  self.valid_for = 15.minutes
+
+end

data/lib/hmac_auth/error.rb

@@ -0,0 +1,4 @@
+# coding: utf-8
+module HMACAuth
+  Error = Class.new(StandardError)
+end

data/lib/hmac_auth/signature.rb

@@ -0,0 +1,79 @@
+# coding: utf-8
+module HMACAuth
+  class Signature
+
+    class << self
+      def verify(params, options = {})
+        self.new(params, options).verify
+      end
+
+      def sign(params, options = {})
+        self.new(params, options).sign
+      end
+    end
+
+    def initialize(params, options = {})
+      @secret = options.delete(:secret) || HMACAuth.secret
+      @valid_for = options.delete(:valid_for) || HMACAuth.valid_for
+      @reject_keys = options.delete(:reject_keys) || HMACAuth.reject_keys
+      @_params = params
+
+      raise Error.new 'You *must* tell me a secret!' unless @secret
+    end
+
+    def verify
+      valid_timestamp && signature == calculated_signature
+    end
+
+    # @return [Hash] Signed parameters
+    def sign
+      timestamp || params['timestamp'] = Time.now.to_i.to_s
+      params.merge('signature' => calculated_signature)
+    end
+
+    private
+
+      def calculated_signature
+        OpenSSL::HMAC.hexdigest(
+          OpenSSL::Digest::Digest.new('sha256'),
+          secret,
+          deep_sort(params_without_signature).to_json)
+      end
+
+      def deep_sort(hash)
+        Hash[hash.sort.map { |k, v| [k, v.is_a?(Hash) ? deep_sort(v) : v] }]
+      end
+
+      def deep_stringify(hash)
+        Hash[hash.map do |k, v|
+          [k.to_s, v.is_a?(Hash) ? deep_stringify(v) : v.to_s]
+        end]
+      end
+
+      def valid_timestamp
+        timestamp && timestamp >= valid_for.ago.to_i
+      end
+
+      def timestamp
+        params['timestamp'].present? &&
+          params['timestamp'].to_s =~ /\A\d+\Z/ &&
+          params['timestamp'].to_i
+      end
+
+      def signature
+        params['signature']
+      end
+
+      def params_without_signature
+        params.reject { |k, v| k == 'signature' }
+      end
+
+      def params
+        @params ||= deep_stringify(@_params.reject do |k, v|
+          reject_keys.include? k
+        end)
+      end
+
+      attr_reader :secret, :valid_for, :reject_keys
+  end
+end

data/lib/hmac_auth/version.rb

@@ -0,0 +1,4 @@
+# coding: utf-8
+module HmacAuth
+  VERSION = '0.1.0'
+end

data/spec/signature_spec.rb

@@ -0,0 +1,68 @@
+# coding: utf-8
+require 'spec_helper'
+
+module HMACAuth
+
+  describe Signature do
+    let(:secret) { 't0p_s3cr3t!!eins1' }
+    let(:params) do
+      {
+        b: 2,
+        a: { d: 4, c: 3 }
+      }
+    end
+
+    describe '.verify' do
+      describe 'timestamp' do
+        let(:timestamp) { Time.now.to_i }
+        let(:params_with_timestamp) { params.merge(timestamp: timestamp) }
+        let(:signed_params) do
+          Signature.sign(params_with_timestamp, secret: secret)
+        end
+
+        subject { Signature.verify(signed_params, secret: secret) }
+
+        context 'valid' do
+          let(:timestamp) { 10.minutes.ago.to_i.to_s }
+          it { should be_true }
+        end
+
+        context 'invalid' do
+          let(:timestamp) { 20.minutes.ago.to_i }
+          it { should be_false }
+        end
+      end
+    end
+
+    describe '.sign' do
+      def signature(hash)
+        HMACAuth::Signature.sign(hash, secret: secret)['signature']
+      end
+
+      describe 'hash' do
+        subject { HMACAuth::Signature.sign(params, secret: secret) }
+
+        it { should be_a Hash }
+        its(['signature']) { should be_a String }
+        its(['timestamp']) { should be }
+        its(['b']) { should be_a String }
+
+        context 'nested hash' do
+          subject { HMACAuth::Signature.sign(params, secret: secret)['a'] }
+          it { should be_a Hash }
+          its(['d']) { should == '4' }
+          its(['c']) { should == '3' }
+        end
+      end
+
+      describe 'unsorted input' do
+        let(:hasha) { { a: 1, b: { c: 3, d: 4 } } }
+        let(:hashd) { { b: { d: 4, c: 3 }, a: 1 } }
+
+        it 'calculates the same signature' do
+          signature(hasha).should == signature(hashd)
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,26 @@
+# coding: utf-8
+
+require 'simplecov'
+require 'coveralls'
+
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
+  SimpleCov::Formatter::HTMLFormatter,
+  Coveralls::SimpleCov::Formatter
+]
+
+SimpleCov.at_exit do
+  File.open(File.join(SimpleCov.coverage_path, 'percent.txt'), 'w') do |f|
+    f.write SimpleCov.result.covered_percent
+  end
+  SimpleCov.result.format!
+end
+SimpleCov.start
+
+require 'hmac_auth'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+  config.order = 'random'
+end

metadata

@@ -0,0 +1,133 @@
+--- !ruby/object:Gem::Specification
+name: hmac_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Gebhard Wöstemeyer
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-08-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: HMAC based message signing and verification
+email:
+- g.woestemeyer@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .coveralls.yml
+- .gitignore
+- .rspec
+- .ruby-gemset
+- .ruby-version
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- hmac_auth.gemspec
+- lib/hmac_auth.rb
+- lib/hmac_auth/error.rb
+- lib/hmac_auth/signature.rb
+- lib/hmac_auth/version.rb
+- spec/signature_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/gewo/hmac_auth
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: Ruby gem providing HMAC based message signing and verification. Without fancy
+  Rails integration.
+test_files:
+- spec/signature_spec.rb
+- spec/spec_helper.rb