macaroons 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1b8c0a4138d4382ec9066b5c95912acba6d473cd
+  data.tar.gz: d7c04a35aa9e133a51cc87538ef5eb93b0210e20
+SHA512:
+  metadata.gz: 581dba3fd34883934f9cec9c7ea0bc85657471df394b15ed3a79ecfed7aa1bf508a4d40f3665512b7ad01720446c305a7378d1cfe4586591b3f093471000e3d5
+  data.tar.gz: 67bc07973505ed6ba9853622274c23725143bc9ae539877cf480233cabd5ddcfce5418f8a023bdab9e25fe9a1ce467f9b6047bb157f05aaa409f608c7706c0b8

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+Gemfile.lock
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+api.txt
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/

data/.rspec

@@ -0,0 +1,4 @@
+--require spec_helper
+--color
+--format doc
+-b

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+rvm:
+  - 2.1.0
+  - 2.0.0
+  - ruby-head
+before_install:
+  - wget https://github.com/jedisct1/libsodium/releases/download/0.7.0/libsodium-0.7.0.tar.gz
+  - tar xzvf libsodium-0.7.0.tar.gz
+  - cd libsodium-0.7.0
+  - ./configure && make && make check && sudo make install
+  - sudo ldconfig
+  - cd ..
+install: "bundle install"
+script: rspec .
+after_success: coveralls

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gem 'coveralls', require: false
+
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2014 LocalMed, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,120 @@
+# Macaroons
+[![Build Status](https://travis-ci.org/localmed/ruby-macaroons.svg?branch=master)](https://travis-ci.org/localmed/ruby-macaroons)
+[![Coverage Status](https://img.shields.io/coveralls/localmed/ruby-macaroons.svg)](https://coveralls.io/r/localmed/ruby-macaroons?branch=master)
+
+This is a Ruby implementation of Macaroons. It is still under active development but is in a useable state - please report any bugs in the issue tracker.
+
+## What is a Macaroon? 
+Macaroons, like cookies, are a form of bearer credential. Unlike opaque tokens, macaroons embed *caveats* that define specific authorization requirements for the *target service*, the service that issued the root macaroon and which is capable of verifying the integrity of macaroons it recieves. 
+
+Macaroons allow for delegation and attenuation of authorization. They are simple and fast to verify, and decouple authorization policy from the enforcement of that policy.
+
+Simple examples are outlined below. For more in-depth examples check out the [functional tests](https://github.com/localmed/ruby-macaroons/blob/master/spec/integration_spec.rb) and [references](#references).
+
+## Installing
+
+Macaroons requires a sodium library like libsodium or tweetnacl to be installed on the host system.
+
+To install [libsodium](https://github.com/jedisct1/libsodium):
+
+For OS X users, libsodium is available via homebrew and can be installed with:
+
+    brew install libsodium
+
+For other systems, please see the [libsodium documentation](http://doc.libsodium.org/).
+
+### Macaroons gem
+
+Once you have libsodium installed, add this line to your application's Gemfile:
+
+    gem 'macaroons'
+
+And then execute:
+
+    $ bundle
+
+Or install it manually:
+
+    $ gem install macaroons
+
+Inside of your Ruby program:
+
+    require 'macaroons'
+
+## Quickstart
+
+    key => Very secret key used to sign the macaroon
+    identifier => An identifier, to remind you which key was used to sign the macaroon
+    location => The location at which the macaroon is created
+
+    # Construct a Macaroon.
+    m = Macaroon.new(key: key, identifier: identifier, location: 'http://foo.com')
+
+    # Add first party caveat
+    m.add_first_party_caveat('caveat_1')
+
+    # List all first party caveats
+    m.first_party_caveats
+
+    # Add third party caveat
+    m.add_third_party_caveat('caveat_key', 'caveat_id', 'http://foo.com')
+
+    # List all third party caveats
+    m.third_party_caveats
+
+## Example with first- and third-party caveats
+
+```ruby
+
+# Create macaroon. Sign with a key and identifier (a way to remember which key was used)
+m = Macaroon.new(
+  location: 'http://mybank/',
+  identifier: 'we used our other secret key',
+  key: 'this is a different super-secret key; never use the same secret twice'
+)
+
+# Add a first party caveat
+m.add_first_party_caveat('account = 3735928559')
+
+# Add a third party caveat
+caveat_key = '4; guaranteed random by a fair toss of the dice'
+identifier = 'this was how we remind auth of key/pred'
+m.add_third_party_caveat(caveat_key, identifier, 'http://auth.mybank/')
+
+# User collects a discharge macaroon (likely from a separate service), that proves the claims in the third-party caveat and which may add additional caveats of its own
+discharge = Macaroon.new(
+  location: 'http://auth.mybank/',
+  identifier: identifier,
+  caveat: Ocaveat_key
+)
+discharge.add_first_party_caveat('time < 2015-01-01T00:00')
+
+# discharge macaroons are bound to the root macaroon so they cannot be reused
+protected_discharge = m.prepare_for_request(discharge)
+
+# The user sends their macaroon along with their discharge macaroons, and we verify them
+v = Macaroon::Verifier.new()
+v.satisfy_exact('account = 3735928559')
+v.satisfy_exact('time < 2015-01-01T00:00')
+verified = v.verify(
+    macaroon: m,
+    key: 'this is a different super-secret key; never use the same secret twice',
+    discharge_macaroons: [protected_discharge]
+)
+```
+
+## More Macaroons
+
+[PyMacaroons](https://github.com/ecordell/pymacaroons) is available for Python. PyMacaroons and Ruby-Macaroons are completely compatible (they can be used interchangibly within the same target service).
+
+The [libmacaroons library](https://github.com/rescrv/libmacaroons) comes with Python and Go bindings.
+ 
+PyMacaroons, libmacaroons, and Ruby-Macaroons all use the same underlying cryptographic library (libsodium).
+
+## References
+
+- [The Macaroon Paper](http://research.google.com/pubs/pub41892.html)
+- [Mozilla Macaroon Tech Talk](https://air.mozilla.org/macaroons-cookies-with-contextual-caveats-for-decentralized-authorization-in-the-cloud/)
+- [libmacaroons](https://github.com/rescrv/libmacaroons)
+- [PyMacaroons](https://github.com/ecordell/pymacaroons)
+- [libnacl](https://github.com/saltstack/libnacl)

data/lib/macaroons/caveat.rb

@@ -0,0 +1,26 @@
+module Macaroons
+  class Caveat
+    def initialize(caveat_id, verification_id=nil, caveat_location=nil)
+      @caveat_id = caveat_id
+      @verification_id = verification_id
+      @caveat_location = caveat_location
+    end
+
+    attr_accessor :caveat_id
+    attr_accessor :verification_id
+    attr_accessor :caveat_location
+
+    def first_party?
+      verification_id.nil?
+    end
+
+    def third_party?
+      !first_party?
+    end
+
+    def to_h
+      {'cid' => @caveat_id, 'vid' => @verification_id, 'cl' => @caveat_location}
+    end
+
+  end
+end

data/lib/macaroons/errors.rb

@@ -0,0 +1,5 @@
+class SignatureMismatchError < StandardError
+end
+
+class CaveatUnsatisfiedError < StandardError
+end

data/lib/macaroons/macaroons.rb

@@ -0,0 +1,63 @@
+require 'macaroons/raw_macaroon'
+
+module Macaroons
+  class Macaroon
+    def initialize(key: nil, identifier: nil, location: nil, raw_macaroon: nil)
+      @raw_macaroon = raw_macaroon || RawMacaroon.new(key: key, identifier: identifier, location: location)
+    end
+
+    def identifier
+      @raw_macaroon.identifier
+    end
+
+    def location
+      @raw_macaroon.location
+    end
+
+    def signature
+      @raw_macaroon.signature
+    end
+
+    def caveats
+      @raw_macaroon.caveats
+    end
+
+    def self.from_binary(serialized)
+      raw_macaroon = RawMacaroon.from_binary(serialized: serialized)
+      macaroon = Macaroons::Macaroon.new(raw_macaroon: raw_macaroon)
+    end
+
+    def self.from_json(serialized)
+      raw_macaroon = RawMacaroon.from_json(serialized: serialized)
+      macaroon = Macaroons::Macaroon.new(raw_macaroon: raw_macaroon)
+    end
+
+    def serialize
+      @raw_macaroon.serialize()
+    end
+
+    def serialize_json
+      @raw_macaroon.serialize_json()
+    end
+
+    def add_first_party_caveat(predicate)
+      @raw_macaroon.add_first_party_caveat(predicate)
+    end
+
+    def first_party_caveats
+      caveats.select(&:first_party?)
+    end
+
+    def add_third_party_caveat(caveat_key, caveat_id, caveat_location)
+      @raw_macaroon.add_third_party_caveat(caveat_key, caveat_id, caveat_location)
+    end
+
+    def third_party_caveats
+      caveats.select(&:third_party?)
+    end
+
+    def prepare_for_request(macaroon)
+      @raw_macaroon.prepare_for_request(macaroon)
+    end
+  end
+end

data/lib/macaroons/raw_macaroon.rb

@@ -0,0 +1,90 @@
+require 'base64'
+
+require 'rbnacl'
+
+require 'macaroons/caveat'
+require 'macaroons/utils'
+require 'macaroons/serializers/binary'
+require 'macaroons/serializers/json'
+
+module Macaroons
+  class RawMacaroon
+
+    def initialize(key: nil, identifier: nil, location: nil)
+      if key.nil? || identifier.nil? || location.nil?
+        raise ArgumentError, 'Must provide all three: (key, id, location)'
+      end
+
+      @key = key
+      @identifier = identifier
+      @location = location
+      @signature = create_initial_macaroon_signature(key, identifier)
+      @caveats = []
+    end
+
+    def self.from_binary(serialized: serialized)
+      Macaroons::BinarySerializer.new().deserialize(serialized)
+    end
+
+    def self.from_json(serialized: serialized)
+      Macaroons::JsonSerializer.new().deserialize(serialized)
+    end
+
+    attr_reader :identifier
+    attr_reader :key
+    attr_reader :location
+    attr_accessor :caveats
+    attr_accessor :signature
+
+    def signature
+      Utils.hexlify(@signature).downcase
+    end
+
+    def add_first_party_caveat(predicate)
+      caveat = Caveat.new(predicate)
+      @caveats << caveat
+      @signature = Utils.sign_first_party_caveat(@signature, predicate)
+    end
+
+    def add_third_party_caveat(caveat_key, caveat_id, caveat_location)
+      derived_caveat_key = Utils.truncate_or_pad(Utils.hmac('macaroons-key-generator', caveat_key))
+      truncated_or_padded_signature = Utils.truncate_or_pad(@signature)
+      box = RbNaCl::SimpleBox.from_secret_key(truncated_or_padded_signature)
+      ciphertext = box.encrypt(derived_caveat_key)
+      verification_id = Base64.strict_encode64(ciphertext)
+      caveat = Caveat.new(caveat_id, verification_id, caveat_location)
+      @caveats << caveat
+      @signature = Utils.sign_third_party_caveat(@signature, verification_id, caveat_id)
+    end
+
+    def serialize
+      Macaroons::BinarySerializer.new().serialize(self)
+    end
+
+    def serialize_json
+      Macaroons::JsonSerializer.new().serialize(self)
+    end
+
+    def prepare_for_request(macaroon)
+      bound_macaroon = Marshal.load( Marshal.dump( macaroon ) )
+      raw = bound_macaroon.instance_variable_get(:@raw_macaroon)
+      raw.signature = bind_signature(macaroon.signature)
+      bound_macaroon
+    end
+
+    def bind_signature(signature)
+      key = Utils.truncate_or_pad('0')
+      hash1 = Utils.hmac(key, Utils.unhexlify(self.signature))
+      hash2 = Utils.hmac(key, Utils.unhexlify(signature))
+      Utils.hmac(key, hash1 + hash2)
+    end
+
+    private
+
+    def create_initial_macaroon_signature(key, identifier)
+      derived_key = Utils.generate_derived_key(key)
+      Utils.hmac(derived_key, identifier)
+    end
+
+  end
+end

data/lib/macaroons/serializers/base.rb

@@ -0,0 +1,13 @@
+module Macaroons
+  class BaseSerializer
+
+    def serialize(macaroon)
+      raise NotImplementedError
+    end
+
+    def deserialize(serialized)
+      raise NotImplementedError
+    end
+
+  end
+end

data/lib/macaroons/serializers/binary.rb

@@ -0,0 +1,89 @@
+require 'base64'
+
+require 'macaroons/serializers/base'
+
+module Macaroons
+  class BinarySerializer < BaseSerializer
+    PACKET_PREFIX_LENGTH = 4
+
+    def serialize(macaroon)
+      combined = packetize('location', macaroon.location)
+      combined += packetize('identifier', macaroon.identifier)
+
+      for caveat in macaroon.caveats
+        combined += packetize('cid', caveat.caveat_id)
+
+        if caveat.verification_id and caveat.caveat_location
+          combined += packetize('vid', caveat.verification_id)
+          combined += packetize('cl', caveat.caveat_location)
+        end
+      end
+
+      combined += packetize(
+        'signature',
+        Utils.unhexlify(macaroon.signature)
+      )
+      Base64.urlsafe_encode64(combined)
+    end
+
+    def deserialize(serialized)
+      caveats = []
+      decoded = Base64.urlsafe_decode64(serialized)
+
+      index = 0
+
+      while index < decoded.length
+        packet_length = decoded[index..(index + PACKET_PREFIX_LENGTH - 1)].to_i(16)
+        stripped_packet = decoded[index + PACKET_PREFIX_LENGTH..(index + packet_length - 2)]
+
+        key, value = depacketize(stripped_packet)
+
+        case key
+        when 'location'
+          location = value
+        when 'identifier'
+          identifier = value
+        when 'cid'
+          caveats << Caveat.new(value)
+        when 'vid'
+          caveats[-1].verification_id = value
+        when 'cl'
+          caveats[-1].caveat_location = value
+        when 'signature'
+          signature = value
+        else
+          raise KeyError, 'Invalid key in binary macaroon. Macaroon may be corrupted.'
+        end
+
+        index = index + packet_length
+      end
+      macaroon = Macaroons::RawMacaroon.new(key: 'no_key', identifier: identifier, location: location)
+      macaroon.caveats = caveats
+      macaroon.signature = signature
+      macaroon
+    end
+
+    private
+
+    def packetize(key, data)
+      # The 2 covers the space and the newline
+      packet_size = PACKET_PREFIX_LENGTH + 2 + key.length + data.length
+      if packet_size > 65535
+        # Due to packet structure, length of packet must be less than 0xFFFF
+        raise ArgumentError, 'Data is too long for a binary packet.'
+      end
+      packet_size_hex = packet_size.to_s(16)
+      header = packet_size_hex.to_s.rjust(4, '0')
+      packet_content = "#{key} #{data}\n"
+      packet = "#{header}#{packet_content}"
+      packet
+    end
+
+    def depacketize(packet)
+      key = packet.split(" ")[0]
+      value = packet[key.length + 1..-1]
+      [key, value]
+    end
+
+  end
+end

data/lib/macaroons/serializers/json.rb

@@ -0,0 +1,28 @@
+require 'json'
+
+module Macaroons
+  class JsonSerializer
+
+    def serialize(macaroon)
+        serialized = {
+          location: macaroon.location,
+          identifier: macaroon.identifier,
+          caveats: macaroon.caveats.map!(&:to_h),
+          signature: macaroon.signature
+        }
+        return serialized.to_json
+    end
+
+    def deserialize(serialized)
+      deserialized = JSON.parse(serialized)
+      macaroon = Macaroons::RawMacaroon.new(key: 'no_key', identifier: deserialized['identifier'], location: deserialized['location'])
+      deserialized['caveats'].each do |c|
+        caveat = Macaroons::Caveat.new(c['cid'], c['vid'], c['cl'])
+        macaroon.caveats << c
+      end
+      macaroon.signature = Utils.unhexlify(deserialized['signature'])
+      macaroon
+    end
+
+  end
+end

data/lib/macaroons/utils.rb

@@ -0,0 +1,49 @@
+require 'openssl'
+
+module Macaroons
+  module Utils
+
+    def self.convert_to_bytes(string)
+      string.encode('us-ascii') unless string.nil?
+    end
+
+    def self.hexlify(value)
+      value.unpack('C*').map { |byte| '%02X' % byte }.join('')
+    end
+
+    def self.unhexlify(value)
+      [value].pack('H*')
+    end
+
+    def self.truncate_or_pad(string, size=nil)
+      size = size.nil? ? 32 : size
+      if string.length > size
+        string[0, size]
+      elsif string.length > size
+        string + '\0'*(size-string.length)
+      else
+        string
+      end
+    end
+
+    def self.hmac(key, data, digest=nil)
+      digest = OpenSSL::Digest.new('sha256') if digest.nil?
+      OpenSSL::HMAC.digest(digest, key, data)
+    end
+
+    def self.sign_first_party_caveat(signature, predicate)
+      Utils.hmac(signature, predicate)
+    end
+
+    def self.sign_third_party_caveat(signature, verification_id, caveat_id)
+      verification_id_hash = Utils.hmac(signature, verification_id)
+      caveat_id_hash = Utils.hmac(signature, caveat_id)
+      combined = verification_id_hash + caveat_id_hash
+      Utils.hmac(signature, combined)
+    end
+
+    def self.generate_derived_key(key)
+      Utils.hmac('macaroons-key-generator', key)
+    end
+  end
+end

data/lib/macaroons/verifier.rb

@@ -0,0 +1,116 @@
+require 'rbnacl'
+
+require 'macaroons/errors'
+
+module Macaroons
+  class Verifier
+    attr_accessor :predicates
+    attr_accessor :callbacks
+
+    def initialize
+      @predicates = []
+      @callbacks = []
+      @calculated_signature = nil
+    end
+
+    def satisfy_exact(predicate)
+      raise ArgumentError, 'Must provide predicate' unless predicate
+      @predicates << predicate
+    end
+
+    def satisfy_general(callback = nil, &block)
+      raise ArgumentError, 'Must provide callback or block' unless callback || block_given?
+      callback = block if block_given?
+      @callbacks << callback
+    end
+
+    def verify(macaroon: nil, key: nil, discharge_macaroons: nil)
+      raise ArgumentError, 'Macaroon and Key required' if macaroon.nil? || key.nil?
+      key = Utils.generate_derived_key(key)
+      verify_discharge(root: macaroon, macaroon: macaroon, key: key, discharge_macaroons:discharge_macaroons)
+    end
+
+    def verify_discharge(root: root, macaroon: macaroon, key: key, discharge_macaroons: [])
+      @calculated_signature = Utils.hmac(key, macaroon.identifier)
+
+      verify_caveats(macaroon, discharge_macaroons)
+
+      if root != macaroon
+        raw = root.instance_variable_get(:@raw_macaroon)
+        @calculated_signature = raw.bind_signature(Utils.hexlify(@calculated_signature).downcase)
+      end
+
+      raise SignatureMismatchError, 'Signatures do not match.' unless signatures_match(Utils.unhexlify(macaroon.signature), @calculated_signature)
+
+      return true
+    end
+
+    private
+
+    def verify_caveats(macaroon, discharge_macaroons)
+      for caveat in macaroon.caveats
+        if caveat.first_party?
+          caveat_met = verify_first_party_caveat(caveat)
+        else
+          caveat_met = verify_third_party_caveat(caveat, macaroon, discharge_macaroons)
+        end
+        raise CaveatUnsatisfiedError, "Caveat not met. Unable to satisfy: #{caveat.caveat_id}" unless caveat_met
+      end
+    end
+
+    def verify_first_party_caveat(caveat)
+      caveat_met = false
+      if @predicates.include? caveat.caveat_id
+        caveat_met = true
+      else
+        @callbacks.each do |callback|
+          caveat_met = true if callback.call(caveat.caveat_id)
+        end
+      end
+      @calculated_signature = Utils.sign_first_party_caveat(@calculated_signature, caveat.caveat_id) if caveat_met
+      return caveat_met
+    end
+
+    def verify_third_party_caveat(caveat, root_macaroon, discharge_macaroons)
+      caveat_met = false
+
+      caveat_macaroon = discharge_macaroons.find { |m| m.identifier == caveat.caveat_id }
+      raise CaveatUnsatisfiedError, "Caveat not met. No discharge macaroon found for identifier: #{caveat.caveat_id}" unless caveat_macaroon
+
+      caveat_key = extract_caveat_key(@calculated_signature, caveat)
+      caveat_macaroon_verifier = Verifier.new()
+      caveat_macaroon_verifier.predicates = @predicates
+      caveat_macaroon_verifier.callbacks = @callbacks
+
+      caveat_met = caveat_macaroon_verifier.verify_discharge(
+          root: root_macaroon,
+          macaroon: caveat_macaroon,
+          key: caveat_key,
+          discharge_macaroons: discharge_macaroons
+      )
+      if caveat_met
+        @calculated_signature = Utils.sign_third_party_caveat(@calculated_signature, caveat.verification_id, caveat.caveat_id)
+      end
+      return caveat_met
+    end
+
+    def extract_caveat_key(signature, caveat)
+      key = Utils.truncate_or_pad(signature)
+      box = RbNaCl::SimpleBox.from_secret_key(key)
+      decoded_vid = Base64.strict_decode64(caveat.verification_id)
+      box.decrypt(decoded_vid)
+    end
+
+    def signatures_match(a, b)
+      # Constant time compare, taken from Rack
+      return false unless a.bytesize == b.bytesize
+
+      l = a.unpack("C*")
+
+      r, i = 0, -1
+      b.each_byte { |v| r |= v ^ l[i+=1] }
+      r == 0
+    end
+
+  end
+end

data/lib/macaroons/version.rb

@@ -0,0 +1,3 @@
+module Macaroons
+  VERSION = '0.4.0'
+end

data/lib/macaroons.rb

@@ -0,0 +1,24 @@
+require 'macaroons/macaroons'
+require 'macaroons/verifier'
+
+module Macaroon
+  class << self
+    def new(location: location, identifier: identifier, key: key)
+      Macaroons::Macaroon.new(location:location, identifier:identifier, key:key)
+    end
+
+    def from_binary(serialized)
+      Macaroons::Macaroon.from_binary(serialized)
+    end
+
+    def from_json(serialized)
+      Macaroons::Macaroon.from_json(serialized)
+    end
+  end
+
+  class Verifier
+    def self.new()
+      Macaroons::Verifier.new()
+    end
+  end
+end

data/macaroons.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'macaroons/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'macaroons'
+  spec.version = Macaroons::VERSION
+  spec.authors       = ["Evan Cordell", "Peter Browne", "Joel James"]
+  spec.email         = ["ecordell@localmed.com", "pete@localmed.com", "joel.james@localmed.com"]
+  spec.summary       = "Macaroons library in Ruby"
+  spec.description   = "Macaroons library in Ruby"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+  spec.required_ruby_version = "~> 2.0"
+  spec.add_dependency "json"
+  spec.add_dependency "rbnacl", "~> 3.1.2"
+
+  spec.add_development_dependency "bundler", "> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec",   "~> 3.1.0"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "pry-stack_explorer"
+  spec.add_development_dependency "rspec_junit_formatter"
+end

data/spec/integration_spec.rb

@@ -0,0 +1,262 @@
+require 'spec_helper'
+require 'macaroons'
+require 'macaroons/errors'
+
+describe 'Macaroon' do
+  context 'without caveats' do
+    it 'should have correct signature' do
+      m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our secret key',
+        key: 'this is our super secret key; only we should know it'
+      )
+      expect(m.signature).to eql('e3d9e02908526c4c0039ae15114115d97fdd68bf2ba379b342aaf0f617d0552f')
+    end
+  end
+
+  context 'with first party caveat' do
+    it 'should have correct signature' do
+      m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our secret key',
+        key: 'this is our super secret key; only we should know it'
+      )
+      m.add_first_party_caveat('test = caveat')
+      expect(m.signature).to eql('197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67')
+    end
+  end
+
+  context 'when serilizing as binary' do
+    it 'should serialize properly' do
+      m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our secret key',
+        key: 'this is our super secret key; only we should know it'
+      )
+      m.add_first_party_caveat('test = caveat')
+      expect(m.serialize()).to eql('MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVzZWQgb3VyIHNlY3JldCBrZXkKMDAxNmNpZCB0ZXN0ID0gY2F2ZWF0CjAwMmZzaWduYXR1cmUgGXusegRK8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWcK')
+    end
+  end
+
+  context 'when deserializing binary' do
+    it 'should deserialize properly' do
+      m = Macaroon.from_binary(
+        'MDAxY2xvY2F0aW9uIGh0dHA6Ly9teWJhbmsvCjAwMjZpZGVudGlmaWVyIHdlIHVzZWQgb3VyIHNlY3JldCBrZXkKMDAxNmNpZCB0ZXN0ID0gY2F2ZWF0CjAwMmZzaWduYXR1cmUgGXusegRK8zMyhluSZuJtSTvdZopmDkTYjOGpmMI9vWcK'
+      )
+      expect(m.signature).to eql('197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67')
+    end
+  end
+
+  context 'when serilizing as json' do
+    it 'should serialize properly' do
+      m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our secret key',
+        key: 'this is our super secret key; only we should know it'
+      )
+      m.add_first_party_caveat('test = caveat')
+      expect(m.serialize_json()).to eql('{"location":"http://mybank/","identifier":"we used our secret key","caveats":[{"cid":"test = caveat","vid":null,"cl":null}],"signature":"197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67"}')
+    end
+  end
+
+  context 'when deserializing json' do
+    it 'should deserialize properly' do
+      m = Macaroon.from_json(
+        '{"location":"http://mybank/","identifier":"we used our secret key","caveats":[{"cid":"test = caveat","vid":null,"cl":null}],"signature":"197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67"}'
+      )
+      expect(m.signature).to eql('197bac7a044af33332865b9266e26d493bdd668a660e44d88ce1a998c23dbd67')
+    end
+  end
+
+  context 'when serializing/deserializing binary with first and third caveats' do
+    it 'should serialize/deserialize properly' do
+      m = Macaroon.new(
+          location: 'http://mybank/',
+          identifier: 'we used our other secret key',
+          key: 'this is a different super-secret key; never use the same secret twice'
+      )
+      m.add_first_party_caveat('account = 3735928559')
+      caveat_key = '4; guaranteed random by a fair toss of the dice'
+      identifier = 'this was how we remind auth of key/pred'
+      m.add_third_party_caveat(caveat_key, identifier, 'http://auth.mybank/')
+      n = Macaroon.from_binary(m.serialize())
+      expect(m.signature).to eql(n.signature)
+    end
+  end
+
+  context 'when serializing/deserializing json with first and third caveats' do
+    it 'should serialize/deserialize properly' do
+      m = Macaroon.new(
+          location: 'http://mybank/',
+          identifier: 'we used our other secret key',
+          key: 'this is a different super-secret key; never use the same secret twice'
+      )
+      m.add_first_party_caveat('account = 3735928559')
+      caveat_key = '4; guaranteed random by a fair toss of the dice'
+      identifier = 'this was how we remind auth of key/pred'
+      m.add_third_party_caveat(caveat_key, identifier, 'http://auth.mybank/')
+      n = Macaroon.from_json(m.serialize_json())
+      expect(m.signature).to eql(n.signature)
+    end
+  end
+
+  context 'when preparing a macaroon for request' do
+    it 'should bind the signature to the root' do
+      m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our other secret key',
+        key: 'this is a different super-secret key; never use the same secret twice'
+      )
+      m.add_first_party_caveat('account = 3735928559')
+      caveat_key = '4; guaranteed random by a fair toss of the dice'
+      identifier = 'this was how we remind auth of key/pred'
+      m.add_third_party_caveat(caveat_key, identifier, 'http://auth.mybank/')
+
+      discharge = Macaroon.new(
+        location: 'http://auth.mybank/',
+        identifier: identifier,
+        key: caveat_key
+      )
+      discharge.add_first_party_caveat('time < 2015-01-01T00:00')
+      protected_discharge = m.prepare_for_request(discharge)
+
+      expect(discharge.signature).not_to eql(protected_discharge.signature)
+    end
+  end
+end
+
+describe 'Verifier' do
+  context 'verifying first party exact caveats' do
+    before(:all) do
+      @m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our secret key',
+        key: 'this is our super secret key; only we should know it'
+      )
+      @m.add_first_party_caveat('test = caveat')
+    end
+
+    context 'all caveats met' do
+      it 'should verify the macaroon' do
+        v = Macaroon::Verifier.new()
+        v.satisfy_exact('test = caveat')
+        verified = v.verify(
+            macaroon: @m,
+            key: 'this is our super secret key; only we should know it'
+        )
+        expect(verified).to be(true)
+      end
+    end
+    context 'not all caveats met' do
+      it 'should raise an error' do
+        v = Macaroon::Verifier.new()
+        expect {
+          v.verify(
+            macaroon: @m,
+            key: 'this is our super secret key; only we should know it'
+          )
+        }.to raise_error
+      end
+    end
+  end
+
+  context 'verifying first party general caveats' do
+    before(:all) do
+      @m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our secret key',
+        key: 'this is our super secret key; only we should know it'
+      )
+      @m.add_first_party_caveat('general caveat')
+    end
+
+    context 'all caveats met' do
+      it 'should verify the macaroon' do
+        v = Macaroon::Verifier.new()
+        v.satisfy_general { |predicate| predicate == 'general caveat' }
+        verified = v.verify(
+            macaroon: @m,
+            key: 'this is our super secret key; only we should know it'
+        )
+        expect(verified).to be(true)
+      end
+    end
+    context 'not all caveats met' do
+      it 'should raise an error' do
+        v = Macaroon::Verifier.new()
+        v.satisfy_general { |predicate| predicate == 'unmet' }
+        expect {
+          v.verify(
+            macaroon: @m,
+            key: 'this is our super secret key; only we should know it'
+          )
+        }.to raise_error
+      end
+    end
+  end
+
+  context 'verifying third party caveats' do
+    before(:all) do
+      @m = Macaroon.new(
+        location: 'http://mybank/',
+        identifier: 'we used our other secret key',
+        key: 'this is a different super-secret key; never use the same secret twice'
+      )
+      @m.add_first_party_caveat('account = 3735928559')
+      caveat_key = '4; guaranteed random by a fair toss of the dice'
+      identifier = 'this was how we remind auth of key/pred'
+      @m.add_third_party_caveat(caveat_key, identifier, 'http://auth.mybank/')
+
+      discharge = Macaroon.new(
+        location: 'http://auth.mybank/',
+        identifier: identifier,
+        key: caveat_key
+      )
+      discharge.add_first_party_caveat('time < 2015-01-01T00:00')
+      @protected_discharge = @m.prepare_for_request(discharge)
+    end
+
+    context 'all caveats met and discharges provided' do
+      it 'should verify the macaroon' do
+        v = Macaroon::Verifier.new()
+        v.satisfy_exact('account = 3735928559')
+        v.satisfy_exact('time < 2015-01-01T00:00')
+        verified = v.verify(
+            macaroon: @m,
+            key: 'this is a different super-secret key; never use the same secret twice',
+            discharge_macaroons: [@protected_discharge]
+        )
+      end
+    end
+
+    context 'not all caveats met' do
+      it 'should raise an error' do
+        v = Macaroon::Verifier.new()
+        v.satisfy_exact('account = 3735928559')
+        expect {
+          v.verify(
+            macaroon: @m,
+            key: 'this is a different super-secret key; never use the same secret twice',
+            discharge_macaroons: [@protected_discharge]
+          )
+        }.to raise_error
+      end
+    end
+
+    context 'not all discharges provided' do
+      it 'should raise an error' do
+        v = Macaroon::Verifier.new()
+        v.satisfy_exact('account = 3735928559')
+        v.satisfy_exact('time < 2015-01-01T00:00')
+        expect {
+          v.verify(
+            macaroon: @m,
+            key: 'this is a different super-secret key; never use the same secret twice',
+            discharge_macaroons: []
+          )
+        }.to raise_error
+      end
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'coveralls'
+Coveralls.wear!
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end

metadata

@@ -0,0 +1,181 @@
+--- !ruby/object:Gem::Specification
+name: macaroons
+version: !ruby/object:Gem::Version
+  version: 0.4.0
+platform: ruby
+authors:
+- Evan Cordell
+- Peter Browne
+- Joel James
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-10-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.1.2
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>'
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>'
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.1.0
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-stack_explorer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Macaroons library in Ruby
+email:
+- ecordell@localmed.com
+- pete@localmed.com
+- joel.james@localmed.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- Gemfile
+- LICENSE
+- README.md
+- lib/macaroons.rb
+- lib/macaroons/caveat.rb
+- lib/macaroons/errors.rb
+- lib/macaroons/macaroons.rb
+- lib/macaroons/raw_macaroon.rb
+- lib/macaroons/serializers/base.rb
+- lib/macaroons/serializers/binary.rb
+- lib/macaroons/serializers/json.rb
+- lib/macaroons/utils.rb
+- lib/macaroons/verifier.rb
+- lib/macaroons/version.rb
+- macaroons.gemspec
+- spec/integration_spec.rb
+- spec/spec_helper.rb
+homepage: 
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ~>
+    - !ruby/object:Gem::Version
+      version: '2.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Macaroons library in Ruby
+test_files:
+- spec/integration_spec.rb
+- spec/spec_helper.rb