legacy-fernet 1.6.1

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in fernet.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,29 @@
+PATH
+  remote: .
+  specs:
+    legacy-fernet (1.6.1)
+      multi_json
+      oj
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    multi_json (1.7.9)
+    oj (2.1.4)
+    rspec (2.11.0)
+      rspec-core (~> 2.11.0)
+      rspec-expectations (~> 2.11.0)
+      rspec-mocks (~> 2.11.0)
+    rspec-core (2.11.1)
+    rspec-expectations (2.11.3)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.11.3)
+
+PLATFORMS
+  java
+  ruby
+
+DEPENDENCIES
+  legacy-fernet!
+  rspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Harold Giménez
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,108 @@
+# Fernet
+
+[![Build Status](https://secure.travis-ci.org/hgmnz/fernet.png)](http://travis-ci.org/hgmnz/fernet)
+[![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/hgmnz/fernet)
+
+Fernet allows you to easily generate and verify **HMAC based authentication
+tokens** for issuing API requests between remote servers. It also **encrypts**
+data by default, so it can be used to transmit secure messages over the wire.
+
+![Fernet](http://f.cl.ly/items/2d0P3d26271O3p2v253u/photo.JPG)
+
+Fernet is usually served as a *digestif* after a meal but may also be served
+with coffee and espresso or mixed into coffee and espresso drinks.
+
+Fernet about it!
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'fernet'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install fernet
+
+## Usage
+
+Both server and client must share a secret.
+
+You want to encode some data in the token as well, for example, an email
+address can be used to verify it on the other end.
+
+```ruby
+token = Fernet.generate(secret) do |generator|
+  generator.data = { email: 'harold@heroku.com' }
+end
+```
+On the server side, the receiver can use this token to verify whether it's
+legit:
+
+```ruby
+verified = Fernet.verify(secret, token) do |verifier|
+  verifier.data['email'] == 'harold@heroku.com'
+end
+```
+
+The `verified` variable will be true if:
+
+* The email encoded in the token data is `harold@heroku.com`
+* The token was generated in the last 60 seconds
+* The secret used to generate the token matches
+
+Otherwise, `verified` will be false, and you should deny the request with an
+HTTP 401, for example.
+
+The `Fernet.verify` method can be awkward if extracting the plain text data is
+required. For this case, a `verifier` can be requested that makes that
+use case more pleasent:
+
+```ruby
+verifier = Fernet.verifier(secret, token)
+if verifier.valid? # signature valid, TTL verified
+  operate_on(verifier.data) # the original, decrypted data
+end
+```
+
+The specs
+([spec/fernet_spec.rb](https://github.com/hgmnz/fernet/blob/master/spec/fernet_spec.rb))
+have more usage examples.
+
+### Global configuration
+
+It's possible to configure fernet via the `Configuration` class. Put this in an initializer:
+
+```ruby
+# default values shown here
+Fernet::Configuration.run do |config|
+  config.enforce_ttl = true
+  config.ttl         = 60
+  config.encrypt     = true
+end
+```
+
+### Generating a secret
+
+Generating appropriate secrets is beyond the scope of `Fernet`, but you should
+generate it using `/dev/random` in a *nix. To generate a base64-encoded 256 bit
+(32 byte) random sequence, try:
+
+    dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
+
+### Attribution
+
+This library was largely made possible by [Mr. Tom
+Maher](http://twitter.com/#tmaher), who clearly articulated the mechanics
+behind this process, and further found ways to make it
+[more](https://github.com/hgmnz/fernet/commit/2bf0b4a66b49ef3fc92ef50708a2c8b401950fc2)
+[secure](https://github.com/hgmnz/fernet/commit/051161d0afb0b41480734d84bc824bdbc7f9c563).
+
+## License
+
+Fernet is copyright (c) Harold Giménez and is released under the terms of the
+MIT License found in the LICENSE file.

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/fernet.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/fernet/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Harold Giménez"]
+  gem.email         = ["harold.gimenez@gmail.com"]
+  gem.description   = %q{Delicious HMAC Digest(if) authentication and encryption}
+  gem.summary       = %q{Easily generate and verify AES encrypted HMAC based authentication tokens}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "legacy-fernet"
+  gem.require_paths = ["lib"]
+  gem.version       = Legacy::Fernet::VERSION
+
+  gem.add_dependency "oj"
+  gem.add_dependency "multi_json"
+
+  gem.add_development_dependency "rspec"
+end

data/lib/fernet.rb

@@ -0,0 +1,27 @@
+require 'fernet/version'
+require 'fernet/generator'
+require 'fernet/verifier'
+require 'fernet/secret'
+require 'fernet/configuration'
+
+if RUBY_VERSION == '1.8.7'
+  require 'shim/base64'
+end
+
+Legacy::Fernet::Configuration.run
+
+module Legacy::Fernet
+  def self.generate(secret, encrypt = Configuration.encrypt, &block)
+    Generator.new(secret, encrypt).generate(&block)
+  end
+
+  def self.verify(secret, token, encrypt = Configuration.encrypt, &block)
+    Verifier.new(secret, encrypt).verify_token(token, &block)
+  end
+
+  def self.verifier(secret, token, encrypt = Configuration.encrypt)
+    Verifier.new(secret, encrypt).tap do |v|
+      v.verify_token(token)
+    end
+  end
+end

data/lib/fernet/configuration.rb

@@ -0,0 +1,39 @@
+require 'singleton'
+module Legacy::Fernet
+  class Configuration
+    include Singleton
+
+    # Whether to enforce a message TTL
+    # (true or false)
+    attr_accessor :enforce_ttl
+
+    # How long messages are considered valid to the verifier
+    # (an integer in seconds)
+    attr_accessor :ttl
+
+    # Whether to encrypt the payload
+    # (true or false)
+    attr_accessor :encrypt
+
+    def self.run
+      self.instance.enforce_ttl = true
+      self.instance.ttl         = 60
+      self.instance.encrypt     = true
+      yield self.instance if block_given?
+    end
+
+    class << self
+      def method_missing(method)
+        if self.instance.respond_to?(method)
+          self.instance.send(method)
+        else
+          super
+        end
+      end
+
+      def respond_to?(method)
+        self.instance.respond_to?(method) || super
+      end
+    end
+  end
+end

data/lib/fernet/generator.rb

@@ -0,0 +1,71 @@
+require 'base64'
+require 'multi_json'
+require 'openssl'
+require 'date'
+
+module Legacy::Fernet
+  class Generator
+    attr_accessor :data, :payload
+
+    def initialize(secret, encrypt)
+      @secret  = Secret.new(secret, encrypt)
+      @encrypt = encrypt
+      @payload = ''
+      @data    = {}
+    end
+
+    def generate
+      yield self if block_given?
+      data.merge!(:issued_at => DateTime.now)
+
+      if encrypt?
+        iv = encrypt_data!
+        @payload = "#{base64(data)}|#{base64(iv)}"
+      else
+        @payload = base64(MultiJson.dump(data))
+      end
+
+      mac = OpenSSL::HMAC.hexdigest('sha256', payload, signing_key)
+      "#{payload}|#{mac}"
+    end
+
+    def inspect
+      "#<Legacy::Fernet::Generator @secret=[masked] @data=#{@data.inspect}>"
+    end
+    alias to_s inspect
+
+    def data
+      @data ||= {}
+    end
+
+  private
+    attr_reader :secret
+
+    def encrypt_data!
+      cipher = OpenSSL::Cipher.new('AES-128-CBC')
+      cipher.encrypt
+      iv         = cipher.random_iv
+      cipher.iv  = iv
+      cipher.key = encryption_key
+      @data = cipher.update(MultiJson.dump(data)) + cipher.final
+      iv
+    end
+
+    def base64(chars)
+      Base64.urlsafe_encode64(chars)
+    end
+
+    def encryption_key
+      @secret.encryption_key
+    end
+
+    def signing_key
+      @secret.signing_key
+    end
+
+    def encrypt?
+      @encrypt
+    end
+
+  end
+end

data/lib/fernet/secret.rb

@@ -0,0 +1,20 @@
+module Legacy::Fernet
+  class Secret
+    def initialize(secret, encrypt)
+      @secret  = secret
+      @encrypt = encrypt
+    end
+
+    def encryption_key
+      @secret.slice(@secret.size/2, @secret.size)
+    end
+
+    def signing_key
+      if @encrypt
+        @secret.slice(0, @secret.size/2)
+      else
+        @secret
+      end
+    end
+  end
+end

data/lib/fernet/verifier.rb

@@ -0,0 +1,102 @@
+require 'base64'
+require 'multi_json'
+require 'openssl'
+require 'date'
+
+module Legacy::Fernet
+  class Verifier
+    attr_reader :token, :data
+    attr_accessor :ttl, :enforce_ttl
+
+    def initialize(secret, decrypt)
+      @secret      = Secret.new(secret, decrypt)
+      @decrypt     = decrypt
+      @ttl         = Configuration.ttl
+      @enforce_ttl = Configuration.enforce_ttl
+    end
+
+    def verify_token(token)
+      @token = token
+      deconstruct
+
+      if block_given?
+        custom_verification = yield self
+      else
+        custom_verification = true
+      end
+
+      @valid = signatures_match? && token_recent_enough? && custom_verification
+    end
+
+    def valid?
+      @valid
+    end
+
+    def inspect
+      "#<Legacy::Fernet::Verifier @secret=[masked] @token=#{@token} @data=#{@data.inspect} @ttl=#{@ttl}>"
+    end
+    alias to_s inspect
+
+  private
+    attr_reader :secret
+
+    def deconstruct
+      parts = @token.split('|')
+      if decrypt?
+        encrypted_data, iv, @received_signature = *parts
+        @data = MultiJson.load(decrypt!(encrypted_data, Base64.urlsafe_decode64(iv)))
+        signing_blob = "#{encrypted_data}|#{iv}"
+      else
+        encoded_data, @received_signature = *parts
+        signing_blob = encoded_data
+        @data = MultiJson.load(Base64.urlsafe_decode64(encoded_data))
+      end
+      @regenerated_mac = OpenSSL::HMAC.hexdigest('sha256', signing_blob, signing_key)
+    end
+
+    def token_recent_enough?
+      if enforce_ttl?
+        good_till = DateTime.parse(data['issued_at']) + (ttl.to_f / 24 / 60 / 60)
+        good_till > now
+      else
+        true
+      end
+    end
+
+    def signatures_match?
+      regenerated_bytes = @regenerated_mac.bytes.to_a
+      received_bytes    = @received_signature.bytes.to_a
+      received_bytes.inject(0) do |accum, byte|
+        accum |= byte ^ regenerated_bytes.shift
+      end.zero?
+    end
+
+    def decrypt!(encrypted_data, iv)
+      decipher = OpenSSL::Cipher.new('AES-128-CBC')
+      decipher.decrypt
+      decipher.iv  = iv
+      decipher.key = encryption_key
+      decipher.update(Base64.urlsafe_decode64(encrypted_data)) + decipher.final
+    end
+
+    def encryption_key
+      @secret.encryption_key
+    end
+
+    def signing_key
+      @secret.signing_key
+    end
+
+    def decrypt?
+      @decrypt
+    end
+
+    def enforce_ttl?
+      @enforce_ttl
+    end
+
+    def now
+      DateTime.now
+    end
+  end
+end

data/lib/fernet/version.rb

@@ -0,0 +1,5 @@
+module Legacy
+  module Fernet
+    VERSION = "1.6.1"
+  end
+end

data/lib/shim/base64.rb

@@ -0,0 +1,21 @@
+Base64.class_eval do
+  def strict_encode64(bin)
+    encode64(bin).tr("\n",'')
+  end
+
+  def strict_decode64(str)
+    unless str.include?("\n")
+      decode64(str)
+    else
+      raise(ArgumentError,"invalid base64")
+    end
+  end
+
+  def urlsafe_encode64(bin)
+    strict_encode64(bin).tr("+/", "-_")
+  end
+
+  def urlsafe_decode64(str)
+    strict_decode64(str.tr("-_", "+/"))
+  end
+end

data/spec/fernet_spec.rb

@@ -0,0 +1,164 @@
+require 'spec_helper'
+require 'fernet'
+
+describe Legacy::Fernet do
+  after { Legacy::Fernet::Configuration.run }
+
+  let(:token_data) do
+    { :email => 'harold@heroku.com', :id => '123', :arbitrary => 'data' }
+  end
+
+  let(:secret)     { 'JrdICDH6x3M7duQeM8dJEMK4Y5TkBIsYDw1lPy35RiY=' }
+  let(:bad_secret) { 'badICDH6x3M7duQeM8dJEMK4Y5TkBIsYDw1lPy35RiY=' }
+
+  it 'can verify tokens it generates' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = token_data
+    end
+
+    expect(
+      Legacy::Fernet.verify(secret, token) do |verifier|
+        verifier.data['email'] == 'harold@heroku.com'
+      end
+    ).to be_true
+  end
+
+  it 'fails with a bad secret' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = token_data
+    end
+
+    expect(
+      Legacy::Fernet.verify(bad_secret, token) do |verifier|
+        verifier.data['email'] == 'harold@heroku.com'
+      end
+    ).to be_false
+  end
+
+  it 'fails with a bad custom verification' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = { :email => 'harold@heroku.com' }
+    end
+
+    expect(
+      Legacy::Fernet.verify(secret, token) do |verifier|
+        verifier.data['email'] == 'lol@heroku.com'
+      end
+    ).to be_false
+  end
+
+  it 'fails if the token is too old' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = token_data
+    end
+
+    expect(
+      Legacy::Fernet.verify(secret, token) do |verifier|
+        verifier.ttl = 1
+
+        def verifier.now
+          now = DateTime.now
+          DateTime.new(now.year, now.month, now.day, now.hour,
+                       now.min, now.sec + 2, now.offset)
+        end
+        true
+      end
+    ).to be_false
+  end
+
+  it 'verifies without a custom verification' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = token_data
+    end
+
+    expect(Legacy::Fernet.verify(secret, token)).to be_true
+  end
+
+  it 'can ignore TTL enforcement' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = token_data
+    end
+
+    expect(
+      Legacy::Fernet.verify(secret, token) do |verifier|
+        def verifier.now
+          Time.now + 99999999999
+        end
+        verifier.enforce_ttl = false
+        true
+      end
+    ).to be_true
+  end
+
+  it 'can ignore TTL enforcement via global config' do
+    Legacy::Fernet::Configuration.run do |config|
+      config.enforce_ttl = false
+    end
+
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data = token_data
+    end
+
+    expect(
+      Legacy::Fernet.verify(secret, token) do |verifier|
+        def verifier.now
+          Time.now + 99999999999
+        end
+        true
+      end
+    ).to be_true
+  end
+
+  it 'generates without custom data' do
+    token = Legacy::Fernet.generate(secret)
+
+    expect(Legacy::Fernet.verify(secret, token)).to be_true
+  end
+
+  it 'can encrypt the payload' do
+    token = Legacy::Fernet.generate(secret, true) do |generator|
+      generator.data['password'] = 'password1'
+    end
+
+    expect(Base64.decode64(token)).not_to match /password1/
+
+    Legacy::Fernet.verify(secret, token) do |verifier|
+      expect(verifier.data['password']).to eq('password1')
+    end
+  end
+
+  it 'does not encrypt when asked nicely' do
+    token = Legacy::Fernet.generate(secret, false) do |generator|
+      generator.data['password'] = 'password1'
+    end
+
+    expect(Base64.decode64(token)).to match /password1/
+
+    Legacy::Fernet.verify(secret, token, false) do |verifier|
+      expect(verifier.data['password']).to eq('password1')
+    end
+  end
+
+  it 'can disable encryption via global configuration' do
+    Legacy::Fernet::Configuration.run { |c| c.encrypt = false }
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data['password'] = 'password1'
+    end
+
+    expect(Base64.decode64(token)).to match /password1/
+
+    Legacy::Fernet.verify(secret, token) do |verifier|
+      expect(verifier.data['password']).to eq('password1')
+    end
+  end
+
+  it 'returns the unencrypted message upon verify' do
+    token = Legacy::Fernet.generate(secret) do |generator|
+      generator.data['password'] = 'password1'
+    end
+
+    verifier = Legacy::Fernet.verifier(secret, token)
+    expect(verifier.valid?).to be_true
+    expect(verifier.data['password']).to eq('password1')
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end

metadata

@@ -0,0 +1,110 @@
+--- !ruby/object:Gem::Specification
+name: legacy-fernet
+version: !ruby/object:Gem::Version
+  version: 1.6.1
+  prerelease: 
+platform: ruby
+authors:
+- Harold Giménez
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-08-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: oj
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Delicious HMAC Digest(if) authentication and encryption
+email:
+- harold.gimenez@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- fernet.gemspec
+- lib/fernet.rb
+- lib/fernet/configuration.rb
+- lib/fernet/generator.rb
+- lib/fernet/secret.rb
+- lib/fernet/verifier.rb
+- lib/fernet/version.rb
+- lib/shim/base64.rb
+- spec/fernet_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Easily generate and verify AES encrypted HMAC based authentication tokens
+test_files:
+- spec/fernet_spec.rb
+- spec/spec_helper.rb