kennedy 0.0.1

data/lib/kennedy/ticket.rb

@@ -0,0 +1,97 @@
+require 'openssl'
+require 'json'
+require 'time'
+
+module Kennedy
+  class BadTicketException < RuntimeError; end
+
+  # A ticket represents a time-constrained period in which an authenticated
+  # person can access a service
+  class Ticket
+    DefaultExpiry = 30 # In seconds
+    attr_reader :identifier
+
+    class << self
+      private :new
+    end
+
+    # Creates a new ticket with the given arguments
+    # @param [Hash] args The arguments to generate the ticket with
+    # @option args [String] :identifier An identifier to use in the ticket
+    # @option args [String] :iv An iv to use to encrypt and decrypt the ticket
+    # @option args [String] :passphrase A passphrase to encrypt and decrypt the ticket
+    # @option args [String] :expiry A length of time in seconds for which this ticket is valid
+    #                               after to_encrypted is called
+    def self.create(args = {})
+      identifier = args[:identifier] || raise(ArgumentError, "Ticket identifier must be given as :identifier")
+      ticket = new(:iv => args[:iv], :passphrase => args[:passphrase], :expiry => args[:expiry])
+      ticket.identifier = identifier
+      ticket
+    end
+    
+    # Decrypts a ticket from the given arguments
+    # @param [Hash] args The arguments to build the ticket with
+    # @option args [String] :data An encrypted ticket
+    # @option args [String] :iv An IV to use to decrypt the ticket
+    # @option args [String] :passphrase A passphrase to use to decrypt the ticket
+    def self.from_encrypted(args = {})
+      data = args[:data] || raise(ArgumentError, "Data must be given as :data")
+      ticket = new(:iv => args[:iv], :passphrase => args[:passphrase])
+      ticket.decrypt(data)
+      ticket
+    end
+
+    # @param [Hash] args The arguments to construct the ticket with
+    # @option args [String] :iv An iv to use to encrypt and decrypt the ticket
+    # @option args [String] :passphrase A passphrase to encrypt and decrypt the ticket
+    def initialize(args = {})
+      @iv = args[:iv] || raise(ArgumentError, "Ticket encryption IV must be given as :iv")
+      @passphrase = args[:passphrase] || raise(ArgumentError, "Ticket encryption passphrase must be given as :passphrase")
+      @expiry = args[:expiry] || DefaultExpiry
+    end
+    
+    def identifier=(identifier)
+      @identifier ||= identifier
+    end
+
+    # Generates an encrypted chunk of JSON with the identifier and expiration time for this
+    # ticket encoded in
+    # @return [String] An encrypted JSON string
+    def to_encrypted
+      cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+      cipher.encrypt
+      cipher.key = @passphrase
+      cipher.iv = @iv
+      encrypted = cipher.update(to_expiring_json)
+      encrypted << cipher.final
+      encrypted
+    end
+    
+    # Decrypts the given ticket data
+    # @param data [String] The ticket data to decrypt
+    def decrypt(data)
+      cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+      cipher.decrypt
+      cipher.key = @passphrase
+      cipher.iv = @iv
+      decrypted = cipher.update(data)
+      decrypted << cipher.final
+      json = JSON.parse(decrypted)
+      self.identifier = json['identifier']
+      @expiry = Time.parse(json['expiry'])
+    rescue OpenSSL::Cipher::CipherError => e
+      raise Kennedy::BadTicketException, "Given data was not decryptable"
+    end
+    
+    def expired?
+      !@expiry.nil? && (@expiry < Time.now)
+    end
+
+  private
+    
+    def to_expiring_json
+      {'identifier' => @identifier, 'expiry' => Time.now + @expiry}.to_json
+    end
+
+  end # Ticket
+end   # Kennedy

data/template/config.ru.erb

@@ -0,0 +1,22 @@
+# Rackup file auto-generated by kennedy-gen at <%= Time.now %>
+here = File.dirname(__FILE__)
+bundler_env = File.join(here, 'vendor/gems/environment.rb')
+config_dir = File.join(here, 'config')
+
+if File.exist?(bundler_env)
+  load bundler_env
+else
+  require 'rubygems'
+end
+
+RACK_ENV = ENV["RACK_ENV"] ||= "development" unless defined?(RACK_ENV)
+
+require 'kennedy/server'
+require 'kennedy/instance_configuration'
+
+config = Kennedy::InstanceConfiguration.load_config(config_dir)
+Kennedy::ServerInstance = Kennedy::Server.create(:encryption => {:iv => config.encryption['iv'], :passphrase => config.encryption['passphrase']},
+                                                 :backend    => config.backend, :session_secret => config.session_secret,
+                                                 :api_keys   => config.api_keys, :require_ssl => !(ENV['RACK_ENV'] == 'development'))
+                                                 
+run Kennedy::ServerInstance

data/template/config/api_keys.yml.erb

@@ -0,0 +1 @@
+"foo@example.com": <%= Digest::SHA1.hexdigest("#{Time.now}#{Time.now.usec}") %>

data/template/config/encryption.yml.erb

@@ -0,0 +1,2 @@
+iv: <%= Digest::SHA1.hexdigest("#{Time.now}#{Time.now.usec}") %>
+passphrase: <%= Digest::SHA1.hexdigest("#{Time.now}#{Time.now.usec}") %>

data/template/config/sessions.yml.erb

@@ -0,0 +1 @@
+secret: <%= Digest::SHA1.hexdigest("#{Time.now}#{Time.now.usec}") %>

data/test/granter_test.rb

@@ -0,0 +1,93 @@
+require 'teststrap'
+require 'digest/sha1'
+
+context "kennedy granter" do
+
+  should "raise an exception if not given an IV" do
+    Kennedy::Granter.new(:passphrase => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                         :backend    => Object.new) 
+  end.raises(ArgumentError, "Encryption IV must be given as :iv")
+  
+  should "raise an exception if not given a passphrase" do
+    Kennedy::Granter.new(:iv      => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                         :backend => Object.new)
+  end.raises(ArgumentError, "Encryption passphrase must be given as :passphrase")
+
+  should "raise an exception if not given a backend" do
+    Kennedy::Granter.new(:iv         => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                         :passphrase => Digest::SHA1.hexdigest(Time.now.to_i.to_s))
+  end.raises(ArgumentError, "Authentication backend must be given as :backend")
+  
+  context "with valid arguments and a given backend" do
+    
+    setup do
+      @granter = Kennedy::Granter.new(:iv         => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                                      :passphrase => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                                      :backend    => @backend = StubBackend.new)
+    end
+
+    should "use the given backend to authenticate" do
+      @granter.authenticate(:identifier => "foo", :password => "bar")
+      @backend.credentials
+    end.equals(["foo", "bar"])
+    
+    should "return true with valid credentials" do
+      @granter.authenticate(:identifier => "foo", :password => "bar") == true
+    end
+
+    should "return false with invalid credentials" do
+      @granter.authenticate(:identifier => "foo", :password => "baz") == false
+    end
+    
+  end # with valid arguments and a given backend
+
+  context "generating a ticket for a service" do
+    context "with default expiry time" do
+      setup do
+        @granter = Kennedy::Granter.new(:iv         => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                                        :passphrase => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                                        :backend    => @backend = StubBackend.new)
+      end
+      
+      should "require an identifier to generate a ticket" do
+        @granter.generate_ticket
+      end.raises(ArgumentError, "An identifier must be given as :identifier")
+      
+      should "return a ticket object when granting" do
+        @granter.generate_ticket(:identifier => "foo@example.com")
+      end.kind_of(Kennedy::Ticket)
+
+    end # with default expiry time
+  end   # generating a ticket for a service
+  
+  context "reading an encrypted ticket" do
+    setup do
+      @granter = Kennedy::Granter.new(:iv         => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                                      :passphrase => Digest::SHA1.hexdigest(Time.now.to_i.to_s),
+                                      :backend    => @backend = StubBackend.new)
+    end
+    
+    should "require data to read a ticket" do
+      @granter.read_ticket
+    end.raises(ArgumentError, "Data must be given as :data")
+
+    context "with gibberish data" do
+      should "raise an exception" do
+        @granter.read_ticket(:data => "bzzt")
+      end.raises(Kennedy::BadTicketException)
+    end
+
+    context "with valid data" do
+      setup do
+        encrypted_ticket = @granter.generate_ticket(:identifier => "foo@example.com").to_encrypted
+        @granter.read_ticket(:data => encrypted_ticket)
+      end
+      
+      should "be a kennedy ticket" do
+        topic
+      end.kind_of(Kennedy::Ticket)
+    end
+  end # reading an encrypted ticket
+
+end
+

data/test/ldap_backend_test.rb

@@ -0,0 +1,66 @@
+require 'teststrap'
+
+context "kennedy ldap backend" do
+
+  should "require a :host argument" do
+    Kennedy::Backends::LDAP.new(:auth => {}, :base => "cn=foo")
+  end.raises(ArgumentError, "Host must be given as :host")
+
+  should "require an :auth argument" do
+    Kennedy::Backends::LDAP.new(:host => "example.com", :base => "cn=foo")
+  end.raises(ArgumentError, "Auth must be given as :auth")
+
+  should "require a :base argument" do
+    Kennedy::Backends::LDAP.new(:host => "example.com", :auth => {})
+  end.raises(ArgumentError, "Base must be given as :base")
+
+  should "raise if no filter block is given and authentication is attempted" do
+    backend = Kennedy::Backends::LDAP.new(:host => "example.com", :auth => {}, :base => "foo")
+    backend.authenticate("foo", "bar")
+  end.raises(ArgumentError, "Set a filter block on this object using the 'filter' writer")
+
+  context "trying to authenticate" do
+    
+    setup do
+      @backend = Kennedy::Backends::LDAP.new(:host => "example.com", :auth => {}, :base => "foo")
+      @backend.filter = lambda do |identifier|
+        "(mail=#{identifier})"
+      end
+      ldap_conn = nil
+      @backend.instance_eval { ldap_conn = @ldap_conn = StubLDAP.new(nil) } 
+      ldap_conn
+    end
+
+    should "use the given filter block to generate the search filter" do
+      @backend.authenticate("foo@example.com", "bar")
+      topic.bind_as_arguments[:filter]
+    end.equals("(mail=foo@example.com)")
+    
+    should "use the given password to bind as" do
+      @backend.authenticate("foo@example.com", "bar")
+      topic.bind_as_arguments[:password]
+    end.equals("bar")
+    
+    context "succesfully" do
+      setup do
+        @backend.instance_eval { @ldap_conn = StubLDAP.new(Object.new) } 
+      end
+
+      should "return true when the backend returns a non-nil value" do
+        @backend.authenticate("foo@example.com", "bar") == true
+      end
+    end
+
+    context "unsuccesfully" do
+      setup do
+        @backend.instance_eval {  @ldap_conn = StubLDAP.new(nil) } 
+      end
+
+      should "return false when the backend returns nil" do
+        @backend.authenticate("foo@example.com", "bar") == false
+      end
+    end
+
+  end
+
+end

data/test/server_test.rb

@@ -0,0 +1,285 @@
+require 'teststrap'
+require 'kennedy/server'
+require 'digest/sha1'
+require 'base64'
+
+context "kennedy server" do
+  iv =  Digest::SHA1.hexdigest("what")
+  passphrase =  Digest::SHA1.hexdigest("qhat")
+  session_secret = "foobarbaz"
+
+  new_backend = lambda do
+    StubBackend.new
+  end
+
+  new_server = lambda do 
+    Kennedy::Server.create(:encryption => {:iv => iv, :passphrase => passphrase},
+                           :backend    => new_backend, :session_secret => "foobarbaz",
+                           :api_keys => {'foo@example.com' => 'password'})
+  end
+
+  encode_credentials = lambda do |username,password|
+    "Basic " + Base64.encode64("#{username}:#{password}")
+  end
+  
+  should "use tamper-proof cookies" do
+    new_server[].middleware.detect do |mw|
+      mw[0] == Rack::Session::Cookie && !mw[1][0][:secret].nil?
+    end
+  end
+
+  context "delete to /session" do
+    setup do
+      @server = Rack::MockRequest.new(new_server[])
+    end
+
+    should "not allow non-ssl connections" do
+      @server.delete('/session').status
+    end.equals(403)
+
+    context "via ssl" do
+      setup do
+        @server = SSLMockRequest.new(new_server[])
+        @server.delete('/session', 'CONTENT_TYPE' => 'application/json')
+      end
+      
+      should "return a 200" do
+        topic.status
+      end.equals(200)
+
+      should "return success" do
+        JSON.parse(topic.body)['success']
+      end.equals('session_destroyed')
+
+    end
+  end
+
+  context "post to /session" do
+    setup do
+      @server = Rack::MockRequest.new(new_server[])
+    end
+
+    should "not allow non-ssl connections" do
+      @server.post('/session').status
+    end.equals(403)
+
+    context "via ssl" do  
+      setup do
+        @server = SSLMockRequest.new(new_server[])
+      end
+      
+      should "not allow non-JSON requests" do
+        @server.post('/session').status
+      end.equals(415)
+      
+      context "with invalid credentials" do
+        setup do
+          @server.post('/session', 'CONTENT_TYPE' => 'application/json', :input => {}.to_json)
+        end
+
+        should "return a 406" do
+          topic.status
+        end.equals(406)
+        
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+        
+        should "return an error" do
+          JSON.parse(topic.body)['error']
+        end.equals('bad_credentials')
+
+      end
+
+      context "with valid credentials" do
+        setup do
+          @server.post('/session', 'CONTENT_TYPE' => 'application/json', :input => {'credentials' => {'identifier' => 'foo', 'password' => 'bar'}}.to_json)
+        end
+
+        should "return a 201" do
+          topic.status
+        end.equals(201)
+        
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+
+        should "return success" do
+          JSON.parse(topic.body)['success']
+        end.equals('session_created')
+        
+        should "set a session cookie" do
+          topic.headers['Set-Cookie']
+        end.matches(/rack\.session=/)
+        
+      end
+    end 
+
+  end # post to /session
+  
+  context "get to /session" do
+    setup do
+      @server = Rack::MockRequest.new(new_server[])
+    end
+
+    should "not allow non-ssl connections" do
+      @server.get('/session').status
+    end.equals(403)
+    
+    context "via ssl" do  
+      setup do
+        @server = SSLMockRequest.new(new_server[])
+      end
+      
+      should "not allow non-JSON requests" do
+        @server.get('/session').status
+      end.equals(415)
+      
+      context "when already logged in" do
+        setup do
+          response = @server.post('/session', 'CONTENT_TYPE' => 'application/json', :input => {'credentials' => {'identifier' => 'foo', 'password' => 'bar'}}.to_json)
+          cookie = response.headers['Set-Cookie'].split(";").first
+          @server.get('/session', 'CONTENT_TYPE' => 'application/json', 'HTTP_COOKIE' => cookie)
+        end
+        
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+
+        should "respond with a ticket" do
+          JSON.parse(topic.body)['ticket']
+        end.kind_of(String)
+
+      end # when already logged in
+
+      context "when not logged in" do
+        setup do
+          @server.get('/session', 'CONTENT_TYPE' => 'application/json')
+        end
+        
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+        
+        should "return a 401" do
+          topic.status
+        end.equals(401)
+      
+      end # when not logged in
+    end # via ssl
+  end # get to /session
+  
+  context "post to /validation_request" do
+    setup do
+      @server = Rack::MockRequest.new(new_server[])
+    end
+
+    should "not allow non-ssl connection" do
+      @server.post('/validation_request').status
+    end.equals(403)
+    
+    context "via ssl" do
+      setup do
+        @server = SSLMockRequest.new(new_server[])
+      end
+
+      should "not allow non-JSON requests" do
+        @server.post('/validation_request').status
+      end.equals(415)
+     
+      context "with no API key" do
+        setup do
+          @server.post('/validation_request', 'CONTENT_TYPE' => 'application/json', :input => {'ticket' => '123'}.to_json)
+        end
+        
+        should "return a 401" do
+          topic.status
+        end.equals(401)
+
+        should "return an error" do
+          JSON.parse(topic.body)['error']
+        end.equals('authentication_required')
+      end
+
+      context "with a bad API key" do
+
+        setup do
+          @server.post('/validation_request', 'CONTENT_TYPE' => 'application/json', 'HTTP_AUTHORIZATION'=> encode_credentials['foo@example.com', 'badpassword'],
+                       :input => {'ticket' => '123'}.to_json)
+        end
+        
+        should "return a 401" do
+          topic.status
+        end.equals(401)
+
+        should "return an error" do
+          JSON.parse(topic.body)['error']
+        end.equals('authentication_required')
+
+      end
+
+      context "with a valid ticket" do
+        setup do
+          granter = Kennedy::Granter.new(:iv => iv, :passphrase => passphrase, :backend => StubBackend.new)
+          ticket = granter.generate_ticket(:identifier => "foo@example.com")
+          @server.post('/validation_request', 'CONTENT_TYPE' => 'application/json', 'HTTP_AUTHORIZATION'=> encode_credentials['foo@example.com', 'password'],
+                       :input => {'ticket' => Base64.encode64(ticket.to_encrypted)}.to_json)
+        end
+
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+
+        should "return a 200" do
+          topic.status
+        end.equals(200)
+        
+        should "return an identifier" do
+          JSON.parse(topic.body)['identifier']
+        end.equals('foo@example.com')
+
+      end
+      
+      context "with gibberish" do
+        setup do
+          @server.post('/validation_request', 'CONTENT_TYPE' => 'application/json', 'HTTP_AUTHORIZATION'=> encode_credentials['foo@example.com', 'password'],
+                       :input => {'ticket' => 'bzzt'}.to_json)
+        end
+
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+
+        should "return a 406" do
+          topic.status
+        end.equals(406)
+        
+        should "return an error" do
+          JSON.parse(topic.body)['error']
+        end.equals('bad_ticket')
+
+      end
+
+      context "with an expired ticket" do
+        setup do
+          ticket = Kennedy::Ticket.create(:identifier => "foo@example.com", :iv => iv, :expiry => -30, :passphrase => passphrase)
+          @server.post('/validation_request', 'CONTENT_TYPE' => 'application/json', 'HTTP_AUTHORIZATION'=> encode_credentials['foo@example.com', 'password'],
+                       :input => {'ticket' => Base64.encode64(ticket.to_encrypted)}.to_json)
+        end
+        
+        should "return json" do
+          topic.content_type
+        end.equals("application/json")
+
+        should "return a 406" do
+          topic.status
+        end.equals(406)
+
+        should "return an error" do
+          JSON.parse(topic.body)['error']
+        end.equals('expired_ticket')
+      end
+    end # via ssl
+  end
+end
+