lockbox_middleware 1.5.1 → 1.6.2

data/lib/hmac_request.rb

@@ -0,0 +1,145 @@
+require 'rubygems'
+gem 'dnclabs-auth-hmac'
+require 'auth-hmac'
+require 'digest/md5'
+
+class HmacRequest
+  attr_accessor :request, :env, :body, :hmac_id, :hmac_hash
+  undef :method
+  
+  @@valid_date_window = 600 # seconds
+  
+  HTTP_HEADER_TO_ENV_MAP = { 'Content-Type'  => 'CONTENT_TYPE', 
+                             'Content-MD5'   => 'CONTENT_MD5', 
+                             'Date'          => 'HTTP_DATE', 
+                             'Method'        => 'REQUEST_METHOD', 
+                             'Authorization' => 'HTTP_AUTHORIZATION' }
+
+  def self.new_from_rack_env(env)
+    r = self.new(env)
+    return r
+  end
+  
+  def self.new_from_rails_request(request)
+    r = self.new(request.headers)
+    #pull stuff out of X-Referer, which is where the middleware sticks it
+    HTTP_HEADER_TO_ENV_MAP.each_pair do |h,e|
+      r.env[e] = r.env["X-Referer-#{h}"] unless r.env["X-Referer-#{h}"].blank?
+    end
+  
+    return r
+  end
+
+  def initialize(env)
+    @request = Rack::Request.new(env)
+    @env = @request.env
+    @body = @request.body if has_body?(@env['REQUEST_METHOD'])
+  end
+  
+  def [](key)
+    @request[key]
+  end
+
+  def path
+    #use Referer if it's there, which it will be when this gets called while hitting the AuthenticationController
+    if @env['Referer'].to_s =~ /^(?:http:\/\/)?[^\/]*(\/.*)$/
+      return $1
+    end
+    #if we're in the middleware, it won't be there but we can use the request's path to the same effect
+    return @request.path
+  end
+  
+  def has_body?(method)
+    ["PUT","POST"].include?(method)
+  end
+  
+  def hmac_id
+    get_hmac_vals if @hmac_id.nil?
+    @hmac_id
+  end
+  
+  def hmac_hash
+    get_hmac_vals if @hmac_hash.nil?
+    @hmac_hash
+  end
+  
+  def get_hmac_vals
+    @env['HTTP_AUTHORIZATION'].to_s =~ /^AuthHMAC ([^:]+):(.*)$/
+    @hmac_id = $1
+    @hmac_hash = $2
+  end
+
+
+  def hmac_auth(credential_store)
+    authhmac = AuthHMAC.new(credential_store)
+    if authhmac.authenticated?(self) && (@env['HTTP_DATE'].blank? || self.date_is_recent? )
+      credential_store[self.hmac_id]
+    else
+      log_auth_error(credential_store[self.hmac_id])
+      return false
+    end
+  end
+
+  def date_is_recent?()
+    req_date = nil
+
+    begin
+      req_date = Time.httpdate(@env['HTTP_DATE'])
+    rescue Exception => ex
+      if ex.message =~ /not RFC 2616 compliant/
+        # try rfc2822
+        req_date = Time.rfc2822(@env['HTTP_DATE'])
+      else
+        raise ex
+      end
+    end
+
+    if Time.now.to_i - req_date.to_i >= @@valid_date_window
+      log "Request date #{req_date} is more than #{@@valid_date_window} seconds old"
+      return false
+    else
+      return true
+    end
+  end
+  
+  #these are the X-Referer-Headers that get passed along to lockbox from the middleware for authentication
+  def get_xreferer_auth_headers()
+    headers = {}    
+    headers['Referer'] = "#{@env['rack.url_scheme']}://#{@env['SERVER_NAME']}#{@env['PATH_INFO']}"
+    headers['Referer'] << "?#{@env['QUERY_STRING']}" unless @env['QUERY_STRING'].blank?
+    HTTP_HEADER_TO_ENV_MAP.each_pair do |h,e|
+      headers["X-Referer-#{h}"] = @env[e] unless @env[e].blank?
+    end
+    headers['X-Referer-Content-MD5'] = Digest::MD5.hexdigest(@request.body.read) if @env['CONTENT_TYPE']
+    headers["X-Referer-Date"] = @env['HTTP_X_AUTHHMAC_REQUEST_DATE'] unless @env['HTTP_X_AUTHHMAC_REQUEST_DATE'].blank?
+    headers
+  end
+  
+  def log_auth_error(key)
+    log "Logging Lockbox HMAC authorization error:"
+    log "Path: #{self.path}"
+
+    HTTP_HEADER_TO_ENV_MAP.values.each do |header|
+      log "#{header}: #{@env[header]}"
+    end
+
+    log "HMAC Canonical String: #{ AuthHMAC::CanonicalString.new(self).inspect}"
+
+    if self.hmac_id.nil?
+      log("HMAC failed because request is not signed")
+    elsif key
+      log("HMAC failed - expected #{AuthHMAC.signature(self,key)} but was #{self.hmac_hash}")
+    end
+  end
+
+
+  def log(msg)
+    logger = nil
+    if defined?(Rails.logger)
+      Rails.logger.error msg
+    else
+      $stdout.puts msg
+    end
+  end
+
+end

data/lib/lockbox_cache.rb

@@ -3,22 +3,8 @@ require 'forwardable'
 module LockBoxCache
   class Cache
     extend Forwardable
-    def_delegators :@cache, :write, :read, :delete
+    def_delegators :@cache, :write, :read, :delete, :clear
     
-    class RailsCache
-      def write(key, value)
-        Rails.cache.write(key, value)
-      end
-
-      def read(key)
-        Rails.cache.read(key)
-      end
-
-      def delete(key)
-        Rails.cache.delete(key)
-      end
-    end
-
     class HashCache
       def initialize
         @store = Hash.new
@@ -35,14 +21,18 @@ module LockBoxCache
       def delete(key)
         @store.delete(key)
       end
+      
+      def clear
+        @store = {}
+      end
     end
     
     def initialize(use_rails_cache=true)
       if use_rails_cache && defined?(Rails)
-        @cache = RailsCache.new
+        @cache = Rails.cache
       else
         @cache = HashCache.new
       end
     end
   end
-end
+end

data/lib/lockbox_middleware.rb

@@ -1,36 +1,35 @@
 require 'rubygems'
-gem 'dnclabs-httparty'
-require 'httparty'
+require 'httpotato'
 require 'lockbox_cache'
-require 'digest/md5'
+require 'hmac_request'
 
 class LockBox
-  include HTTParty
+  include HTTPotato
   include LockBoxCache
+
+  attr_accessor :cache
+
   @@config = nil
+  @@protected_paths = nil
 
   def self.config
     return @@config if @@config
-    if defined?(Rails)
-      root_dir = Rails.root
+    #use rails config if it's there
+    if defined?(Rails) && Rails.root
+      config_file = Rails.root.join('config','lockbox.yml')
+      @@config = YAML.load_file(config_file)[Rails.env]
     else
-      root_dir = '.'
-    end
-    yaml_config = YAML.load_file(File.join(root_dir,'config','lockbox.yml'))
-    return_config = {}
-    environment = Rails.env if defined? Rails
-    environment ||= ENV['RACK_ENV']
-    environment ||= 'test'
-    if !environment.nil?
-      if !yaml_config['all'].nil?
+      env = ENV['RACK_ENV'] || "test"
+      config_file = File.join(Dir.pwd, 'config','lockbox.yml')
+      all_configs = YAML.load_file(config_file)
+      if !all_configs['all'].nil?
         $stderr.puts "The 'all' environment is deprecated in lockbox.yml; use built-in yaml convention instead."
-        return_config = yaml_config['all']
-        return_config.merge!(yaml_config[environment])
+        @@config = all_configs['all'].merge!(all_configs[env])
       else
-        return_config = yaml_config[environment]
+        @@config = all_configs[env]
       end
     end
-    @@config = return_config
+    return @@config
   end
 
   base_uri config['base_uri']
@@ -43,64 +42,65 @@ class LockBox
   def call(env)
     dup.call!(env)
   end
-  
+
+  def cache_string_for_key(api_key)
+    "lockbox_key_#{api_key}"
+  end
+
+  def cache_string_for_hmac(hmac_id)
+    "lockbox_hmac_#{hmac_id.gsub(/[^a-z0-9]/i,'_')}"
+  end
+
   def protected_paths
-    self.class.config['protect_paths'].map do |path|
-      Regexp.new(path)
-    end
+    @@protect_paths ||= self.class.config['protect_paths'].map{ |path| Regexp.new(path) }
   end
 
   def call!(env)
-    #attempt to authenticate any requests to /api
-    request = Rack::Request.new(env)
-    path_protected = false
-    protected_paths.each do |path|
-      if env['PATH_INFO'] =~ path
-        path_protected = true
-        authorized = false
-        key = request['key']
-        if key.blank?
-          key = 'hmac'
+    protected_path = protected_paths.detect{|path| env['PATH_INFO'] =~ path}
+    #if the requested path is protected, it needs to be authenticated
+    if protected_path
+        request = HmacRequest.new_from_rack_env(env)
+        if !request['key'].nil?
+          auth = auth_via_key(request['key'], request)
+        else
+          auth = auth_via_hmac(request)
         end
-      
-        auth = auth_response(key,env)
-        authorized = auth[:authorized]
-        auth_headers = auth[:headers]
-      
-        if authorized
+
+        if auth[:authorized]
           app_response = @app.call(env)
-          app_headers = app_response[1]
-          response_headers = app_headers.merge(auth_headers)
-          return [app_response[0], response_headers, app_response[2]]
+          return [app_response[0], app_response[1].merge(auth[:headers]), app_response[2]]
         else
           message = "Access Denied"
           return [401, {'Content-Type' => 'text/plain', 'Content-Length' => "#{message.length}"}, [message]]
         end
-      end
-    end
-    unless path_protected
+    else
       #pass everything else straight through to app
       return @app.call(env)
     end
   end
 
-  def auth_response(api_key, env={})
-    if api_key != 'hmac'
-      cached_auth = auth_cache(api_key)
-      if !cached_auth.nil?
-        # currently we don't cache forward headers
-        return {:authorized => cached_auth, :headers => {}}
-      end
-    end
-    auth_response = self.class.get("/authentication/#{api_key}", {:headers => auth_headers(env), :request => {:application_name => LockBox.config['application_name']}})
+  def auth_via_key(api_key, request)
+    cached_auth = check_key_cache(api_key)
+    # currently we don't cache forward headers
+    return {:authorized => cached_auth, :headers => {}} if cached_auth
+    auth_response = self.class.get("/authentication/#{api_key}", {:headers => request.get_xreferer_auth_headers, :request => {:application_name => LockBox.config['application_name']}})
+    authorized = (auth_response.code == 200)
+    cache_key_response_if_allowed(api_key, auth_response) if authorized
+    {:authorized => authorized, :headers => response_headers(auth_response)}
+  end
+
+  def auth_via_hmac(hmac_request)
+    cached_auth = check_hmac_cache(hmac_request)
+    return {:authorized => cached_auth, :headers => {}} if cached_auth
+    auth_response = self.class.get("/authentication/hmac", {:headers => hmac_request.get_xreferer_auth_headers, :request => {:application_name => LockBox.config['application_name']}})
     authorized = (auth_response.code == 200)
-    cache_response_if_allowed(api_key, auth_response) if authorized
+    cache_hmac_response_if_allowed(hmac_request, auth_response) if authorized
     {:authorized => authorized, :headers => response_headers(auth_response)}
   end
-  
+
   private
-  
-  def cache_response_if_allowed(api_key, auth_response)
+
+  def cache_key_response_if_allowed(api_key, auth_response)
     cache_control = auth_response.headers['Cache-Control'].split(/,\s*/)
     cache_max_age = 0
     cache_public = false
@@ -113,52 +113,63 @@ class LockBox
     end
     caching_allowed = (cache_max_age > 0 && cache_public)
     expiration = Time.at(Time.now.to_i + cache_max_age)
-    cache_auth(api_key,expiration) if caching_allowed
+    @cache.write(cache_string_for_key(api_key), expiration.to_i) if caching_allowed
   end
 
-  def response_headers(auth_response)
-    headers = {}
-    auth_response.headers.each_pair do |h,v|
-      if h =~ /^X-RateLimit-/
-        headers[h] = v
-      elsif h =~ /^X-LockBox-/
-        headers[h] = v
+  def cache_hmac_response_if_allowed(hmac_request, auth_response)
+    cache_control = auth_response.headers['Cache-Control'].split(/,\s*/)
+    cache_max_age = 0
+    cache_public = false
+    cache_control.each do |c|
+      if c =~ /^max-age=\s*(\d+)$/
+        cache_max_age = $1.to_i
+      elsif c == 'public'
+        cache_public = true
       end
     end
-    headers
+    caching_allowed = (cache_max_age > 0 && cache_public)
+    expiration = Time.at(Time.now.to_i + cache_max_age)
+    if caching_allowed
+      api_key = auth_response.headers['X-LockBox-API-Key']
+      @cache.write(cache_string_for_hmac(hmac_request.hmac_id), [api_key, expiration.to_i])
+    end
   end
 
-  def auth_headers(env)
+  def response_headers(auth_response)
     headers = {}
-    headers['Referer'] = "#{env['rack.url_scheme']}://#{env['SERVER_NAME']}#{env['PATH_INFO']}"
-    headers['Referer'] << "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].blank?
-    headers['X-Referer-Content-MD5'] = Digest::MD5.hexdigest(Rack::Request.new(env).body.read) if env['CONTENT_TYPE']
-    {'Content-Type' => 'CONTENT_TYPE', 'Date' => 'HTTP_DATE', 'Method' => 'REQUEST_METHOD',
-     'Authorization' => 'HTTP_AUTHORIZATION'}.each_pair do |h,e|
-      headers["X-Referer-#{h}"] = env[e] unless env[e].blank?
+    auth_response.headers.each_pair do |h,v|
+      headers[h] = v if h =~ /^X-RateLimit-|^X-LockBox-/
     end
-    headers["X-Referer-Date"] = env['HTTP_X_AUTHHMAC_REQUEST_DATE'] unless env['HTTP_X_AUTHHMAC_REQUEST_DATE'].blank?
     headers
   end
-  
-  def cache_key(api_key)
-    "lockbox_#{api_key}"
-  end
 
-  def auth_cache(api_key)
-    expiration = @cache.read(cache_key(api_key))
+  def check_key_cache(api_key)
+    expiration = @cache.read(cache_string_for_key(api_key))
     return nil if expiration.nil?
     expiration = Time.at(expiration)
     if expiration <= Time.now
-      @cache.delete(cache_key(api_key))
+      @cache.delete(cache_string_for_key(api_key))
       nil
-    elsif expiration > Time.now
+    else
       true
     end
   end
 
-  def cache_auth(api_key,expiration)
-    @cache.write(cache_key(api_key),expiration.to_i)
+  def check_hmac_cache(hmac_request)
+    hmac_id, hmac_hash = hmac_request.hmac_id, hmac_request.hmac_hash
+    return nil if hmac_id.nil? || hmac_hash.nil?
+    cached_val = @cache.read(cache_string_for_hmac(hmac_id))  
+    return nil if cached_val.nil?
+    key, expiration = cached_val
+    expiration = Time.at(expiration)
+    if expiration <= Time.now
+      @cache.delete(cache_string_for_hmac(hmac_id))
+      nil
+    else
+      #as long as the request is signed correctly, no need to contact the lockbox server to verify
+      #just see if the request is signed properly and let it through if it is
+      return true if hmac_request.hmac_auth({hmac_id => key}) == key
+      return nil
+    end
   end
-
 end

data/spec/lib/lockbox_middleware_spec.rb

@@ -99,7 +99,7 @@ describe 'LockBox' do
     end
   end
   
-  context "hitting API actions" do
+  context "hitting API actions with key-based authentication" do
     before :each do
       @max_age = 3600
       successful_response = mock("MockResponse")
@@ -214,9 +214,7 @@ describe 'LockBox' do
       @path = "/api/some_controller/some_action"
       
       hmac_request = Net::HTTP::Get.new(@path, {'Date' => Time.now.httpdate})
-      store = mock("MockStore")
-      store.stubs(:[]).with('key-id').returns("123456")
-      authhmac = AuthHMAC.new(store)
+      authhmac = AuthHMAC.new({"key-id" => "123456"})
       authhmac.sign!(hmac_request, 'key-id')
       @hmac_headers = hmac_request.to_hash
     end
@@ -228,7 +226,7 @@ describe 'LockBox' do
       get @path
       last_response.status.should == 200
     end
-
+  
     it "should return 200 for a valid HMAC request from a .NET client" do
       # first test w/ a Date header too, then test w/o a separate Date header
       @hmac_headers['X-AuthHMAC-Request-Date'] = @hmac_headers['Date']
@@ -238,7 +236,7 @@ describe 'LockBox' do
       get @path
       last_response.status.should == 200
     end
-
+  
     it "should return 200 for a valid HMAC request from a .NET client with no Date header" do
       @hmac_headers['X-AuthHMAC-Request-Date'] = @hmac_headers.delete('Date')
       @hmac_headers.each_pair do |key,value|
@@ -256,8 +254,9 @@ describe 'LockBox' do
       get @path
       last_response.status.should == 401
     end
+  
   end
-
+  
   context "hitting API actions via POST requests with HMAC auth" do
     before :each do
       @content = "" # TODO: Rack::Test sucks at some stuff, like setting the request body when making a POST
@@ -280,9 +279,7 @@ describe 'LockBox' do
       
       hmac_request = Net::HTTP::Post.new(@path, {'Date' => Time.now.httpdate})
       hmac_request.body = @content
-      store = mock("MockStore")
-      store.stubs(:[]).with('key-id').returns("123456")
-      authhmac = AuthHMAC.new(store)
+      authhmac = AuthHMAC.new({"key-id" => "123456"})
       authhmac.sign!(hmac_request, 'key-id')
       @hmac_headers = hmac_request.to_hash
     end
@@ -303,8 +300,9 @@ describe 'LockBox' do
       post @path, @content
       last_response.status.should == 401
     end
+    
   end
-
+  
   context "hitting actions without API" do
   
     it "should not try to authenticate a request that doesn't start with /api" do
@@ -314,5 +312,67 @@ describe 'LockBox' do
     end
   
   end
+  
+  context "hitting API actions with HMAC auth caching" do
+    before :each do
+      Time.stubs(:now).returns(Time.parse("2010-05-10 16:30:00 EDT"))
+      @response_with_caching = mock("MockResponse")
+      @response_with_caching.stubs(:code).returns(200)
+      @response_with_caching.stubs(:headers).returns({'Cache-Control' => "public,max-age=3600,must-revalidate", "X-LockBox-API-Key" => "123456"})
+
+      @response_without_caching = mock("MockResponse")
+      @response_without_caching.stubs(:code).returns(200)
+      @response_without_caching.stubs(:headers).returns({'Cache-Control' => 'public, no-cache', "X-LockBox-API-Key" => "123456"})
+
+      @bad_response = mock("MockResponse")
+      @bad_response.stubs(:code).returns(401)
+      @bad_response.stubs(:headers).returns({'Cache-Control' => 'public, no-cache'})
+
+      @path = "/api/some_controller/some_action"
+
+      hmac_request = Net::HTTP::Get.new(@path, {'Date' => Time.now.httpdate, 'Referer' =>'http://example.org/api/some_controller/some_action' })
+      authhmac = AuthHMAC.new({'key-id' => '123456'})
+      authhmac.sign!(hmac_request, 'key-id')
+      @hmac_headers = hmac_request.to_hash
+      @hmac_headers.each_pair do |key,value|
+        header key, value
+      end
+
+    end
+    
+    after :each do
+      app.cache.clear
+    end
+
+
+    it "should cache lockbox responses for max-age when Cache-Control allows it" do
+      LockBox.stubs(:get).returns(@response_with_caching)
+      get @path
+      last_response.status.should == 200
+      LockBox.stubs(:get).returns(@bad_response)
+      get @path
+      last_response.status.should == 200
+    end
+    
+    it "should expire cached lockbox responses when max-age seconds have passed" do
+      LockBox.stubs(:get).returns(@response_with_caching)
+      get @path
+      last_response.status.should == 200
+      expired_time = Time.at(Time.now.to_i + 3600)
+      Time.stubs(:now).returns(expired_time)
+      LockBox.stubs(:get).returns(@bad_response)
+      get @path
+      last_response.status.should == 401
+    end
+
+    it "should not cache lockbox responses when Cache-Control does not allow it" do
+      LockBox.stubs(:get).returns(@response_without_caching)
+      get @path
+      last_response.status.should == 200
+      LockBox.stubs(:get).returns(@bad_response)
+      get @path
+      last_response.status.should == 401
+    end    
+  end
 
 end

data/spec/support/mocha.rb

@@ -10,6 +10,6 @@ module Mocha
     end
     def teardown_mocks_for_rspec
       mocha_teardown
-    end 
+    end
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: lockbox_middleware
 version: !ruby/object:Gem::Version 
-  hash: 1
-  prerelease: false
+  hash: 11
+  prerelease: 
   segments: 
   - 1
-  - 5
-  - 1
-  version: 1.5.1
+  - 6
+  - 2
+  version: 1.6.2
 platform: ruby
 authors: 
 - Chris Gill
@@ -19,7 +19,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-12-28 00:00:00 -06:00
+date: 2011-03-02 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -37,7 +37,7 @@ dependencies:
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
-  name: dnclabs-httparty
+  name: httpotato
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
@@ -50,6 +50,20 @@ dependencies:
         version: "0"
   type: :runtime
   version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: dnclabs-auth-hmac
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
 description: Rack middleware for the LockBox centralized API authorization service. Brought to you by the DNC Innovation Lab.
 email: innovationlab@dnc.org
 executables: []
@@ -62,6 +76,7 @@ extra_rdoc_files:
 files: 
 - lib/lockbox_cache.rb
 - lib/lockbox_middleware.rb
+- lib/hmac_request.rb
 - LICENSE
 - README.rdoc
 - spec/lib/lockbox_cache_spec.rb
@@ -100,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.6.0
 signing_key: 
 specification_version: 3
 summary: Rack middleware for the LockBox centralized API authorization service.