mongrel_secure_download 0.1

data/COPYING

@@ -0,0 +1,19 @@
+Copyright (c) 2006 Josh Ferguson
+
+Permission is hereby granted, free of charge, to any person obtaining 
+a copy of this software and associated documentation files (the "Software"), 
+to deal in the Software without restriction, including without limitation 
+the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+and/or sell copies of the Software, and to permit persons to whom the 
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included 
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
+SOFTWARE.

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2006 Josh Ferguson
+
+Permission is hereby granted, free of charge, to any person obtaining 
+a copy of this software and associated documentation files (the "Software"), 
+to deal in the Software without restriction, including without limitation 
+the rights to use, copy, modify, merge, publish, distribute, sublicense, 
+and/or sell copies of the Software, and to permit persons to whom the 
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included 
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
+SOFTWARE.

data/README

@@ -0,0 +1,86 @@
+== Mongrel_secure_download GemPlugin
+
+The need to send secured files in a fast and reliable way is common.
+
+Sending a file from inside of a web application can be slow
+and also utilizes an entire application thread/process until the user
+is done downloading the file. For large files this is inefficient.
+The other option is to have the web server itself send the files as normal
+static content. This is faster but means that the files have to be in a web 
+accessible public directory so that if someone guessed the URI of a file
+they could gain access to it. This is not a reasonable solution for
+situations where files need to be secured against unauthorized downloading.
+
+This handler addresses the problem of having a fast and secure
+download mechanism for web applications. The mechanism works by having
+the application generate a special URI containing a token that is only 
+valid for a certain period of time. The server then recognizes this URI
+and generates a token using the parameters passed in and checks for a match 
+before sending the file to the user. The key to the process is the secret string 
+that both the server and the application are aware of.
+
+
+The URI generated has a path of the following format:
+
+<uri-prefix>/?token=<token>&relative-path=<relative-path>&timestamp=<timestamp>
+
+<uri-prefix> is a directory that does not exist in the directory structure of the application but does
+exist in the directory structure of the server.
+example: /downloads
+
+<relative-path> is the path to the file being requested, relative to the path
+at which the web server is running. The web server must have permissions to read the file.
+example: /files/your_secured_file.txt
+
+<timestamp> is the number of seconds since epoch until the time when this download expires
+example (in ruby on rails): 1.minute.from_now.to_i
+
+<token> is the SHA1 hash of the concatenation of the following items:
+1) the secret string defined in the configuration script
+2) the relative path to the file
+3) the timestamp
+
+
+To use the plugin you need to do the following:
+
+1) setup the handler within a configuration script and pass in the secret string.
+
+example configuration script:
+
+uri "/download", :handler => plugin('/handlers/securedownload',{:secret_string => "my_secret_string"})
+
+2) In your application, form a secured URI by creating the proper parameters and 
+perform an SHA1 hash of the parameters to create the proper token
+
+example code (ruby on rails):
+	
+require 'digest/sha1'
+
+secret_string = 'my_secret_string'
+uri_prefix = '/downloads'
+relative_path = '/files/secret_document.pdf'
+timestamp = 1.minute.from_now.to_i
+token = Digest::SHA1.hexdigest(secret_string + relative_path + timestamp)
+uri = "#{uri_prefix}/?token=#{token}&relative-path=#{relative_path}&timestamp=#{timestamp}"
+
+3) Start mongel by passing in the location of the configuration script from step 1 with the -S command 
+line switch
+
+example:
+
+mongrel_rails start -S config/secure_download_config.rb
+
+
+Error messages
+
+If any of the parameters in the URI or the secret_string are missing
+the handler returns a 500 Application Error.
+
+If the token passed in as a parameter does not match the token generated
+by the handler (if someone tries to guess the token) the handler returns
+a 403 Forbidden error.
+
+If the timestamp is earlier than the current server time, meaning that the file is
+no longer a valid download then the handler returns a 408 Request Time-out Error.
+This error is not technically correct but it makes the most sense in the context of
+the handler.

data/Rakefile

@@ -0,0 +1,38 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/clean'
+require 'rake/gempackagetask'
+require 'rake/rdoctask'
+require 'tools/rakehelp'
+require 'fileutils'
+include FileUtils
+
+setup_tests
+setup_clean ["pkg", "lib/*.bundle", "*.gem", ".config"]
+
+setup_rdoc ['README', 'LICENSE', 'COPYING', 'lib/**/*.rb', 'doc/**/*.rdoc']
+
+desc "Does a full compile, test run"
+task :default => [:test, :package]
+
+version="0.1"
+name="mongrel_secure_download"
+
+setup_gem(name, version) do |spec|
+  spec.summary = "Mongrel Secure Download Plugin"
+  spec.description = spec.summary
+  spec.author="Josh Ferguson"
+  spec.add_dependency('gem_plugin', '>= 0.2.1')
+  spec.add_dependency('mongrel', '>= 0.3.13')
+  spec.files += Dir.glob("resources/**/*")
+end
+
+
+task :install => [:test, :package] do
+  sh %{sudo gem install pkg/#{name}-#{version}.gem}
+end
+
+task :uninstall => [:clean] do
+  sh %{sudo gem uninstall #{name}}
+end
+

data/lib/mongrel_secure_download/init.rb

@@ -0,0 +1,146 @@
+require 'gem_plugin'
+require 'mongrel'
+require 'digest/sha1'
+
+# = Mongrel Secure Download Handler
+#  
+# The need to send secured files in a fast and reliable way is common.
+# 
+# Sending a file from inside of a web application can be slow
+# and also utilizes an entire application thread/process until the user
+# is done downloading the file. For large files this is inefficient.
+# The other option is to have the web server itself send the files as normal
+# static content. This is faster but means that the files have to be in a web 
+# accessible public directory so that if someone guessed the URI of a file
+# they could gain access to it. This is not a reasonable solution for
+# situations where files need to be secured against unauthorized downloading.
+# 
+# This handler addresses the problem of having a fast and secure
+# download mechanism for web applications. The mechanism works by having
+# the application generate a special URI containing a token that is only 
+# valid for a certain period of time. The server then recognizes this URI
+# and generates a token using the parameters passed in and checks for a match 
+# before sending the file to the user. The key to the process is the secret 
+# string that both the server and the application are aware of.
+# 
+# == URI Format
+# 
+# A properly formed URI will have a path and query of the following format
+#
+# <uri-prefix>/?token=<token>&relative-path=<relative-path>&timestamp=<timestamp>
+# 
+# === Where
+#
+# <uri-prefix> is a directory that does not exist in the directory structure of the application but does
+# exist in the directory structure of the server.
+# 
+# <b>example uri-prefix</b>
+#
+# 	/downloads
+#
+# <relative-path> is the path to the file being requested, relative to the path
+# at which the web server is running. The web server must have permissions to read the file.
+# 
+# <b>example relative-path</b>
+# 
+# 	/files/your_secured_file.txt
+#
+# <timestamp> is the number of seconds since epoch until the time when this download expires
+#
+# <b>example timestamp (ruby on rails)</b>
+# 
+# 	1.minute.from_now.to_i
+#
+# <token> is the SHA1 hash of the concatenation of the following items:
+# 1. the user defined secret string
+# 2. the relative path to the file
+# 3. the timestamp
+#
+# == Using the Handler
+#
+# To use the handler you need to do the following:
+#
+# Setup the handler within a configuration script and pass in the secret string.
+#
+# <b>example configuration script</b>
+#
+# 	uri "/downloads", :handler => plugin('/handlers/securedownload',{:secret_string => "my_secret_string"})
+#
+# In your application form a secured URI by creating the proper parameters and 
+# perform an SHA1 hash of the parameters to create the proper token
+# 
+# <b>example code (ruby on rails)</b>
+#
+# 	require 'digest/sha1'
+#
+# 	secret_string = 'my_secret_string'
+# 	uri_prefix = '/downloads'
+# 	relative_path = '/files/secret_document.pdf'
+# 	timestamp = 1.minute.from_now.to_i
+# 	token = Digest::SHA1.hexdigest(secret_string + relative_path + timestamp)
+# 	uri = "#{uri_prefix}/?token=#{token}&relative-path=#{relative_path}&timestamp=#{timestamp}"
+#
+# Start mongel by passing in the location of the configuration script from step 1 with the -S command 
+# line switch.
+#
+# <b>example mongrel start command</b>
+#
+# 	mongrel_rails start -S config/secure_download_config.rb
+#
+# == Error messages
+#
+# If any of the parameters in the URI or the secret_string are missing
+# the handler returns a 500 Application Error.
+#
+# If the token passed in as a parameter does not match the token generated
+# by the handler (if someone tries to guess the token) the handler returns
+# a 403 Forbidden error.
+#
+# If the timestamp is earlier than the current server time, meaning that the file is
+# no longer a valid download then the handler returns a 408 Request Time-out Error.
+# This error is not technically correct but it makes the most sense in the context of
+# the handler.
+class SecureDownload < GemPlugin::Plugin "/handlers"
+	include Mongrel::HttpHandlerPlugin	
+	
+  def process(request, response)
+    query = Mongrel::HttpRequest.query_parse(request.params['QUERY_STRING'])	
+		
+		if @options[:secret_string].nil? or query['token'].nil? or query['timestamp'].nil? or query['relative-path'].nil?
+			response.start(500){}
+		elsif query['timestamp'].to_i < Time.now.to_i
+			response.start(408){}
+		elsif query['token'] == Digest::SHA1.hexdigest("#{@options[:secret_string]}#{query['relative-path']}#{query['timestamp']}").to_s
+			send_file(File.expand_path("." + query['relative-path']), response)
+		else
+			response.start(403){}
+		end
+  end
+		
+	private
+		# Sends the contents of a file back to the user.
+		def send_file(path, response)
+			# first we setup the headers and status then we do a very fast send on the socket directly
+			file_status = File.stat(path)
+	
+			response.status = 200
+			# Set the last modified times as well and etag for all files
+			response.header[Mongrel::Const::LAST_MODIFIED] = file_status.mtime.httpdate
+			# Calculated the same as apache, not sure how well the works on win32
+			response.header[Mongrel::Const::ETAG] = Mongrel::Const::ETAG_FORMAT % [file_status.mtime.to_i, file_status.size, file_status.ino]
+			#set the content type to something generic for now
+			response.header[Mongrel::Const::CONTENT_TYPE] = @default_content_type
+			#set the content disposition and filename
+			response.header['Content-Disposition'] = "attachment; filename=\"#{File.basename(path)}\""
+	
+			# send a status with out content length
+			response.send_status(file_status.size)
+			response.send_header
+	
+			if not header_only
+				response.send_file(path)
+			else
+				response.send_body # should send nothing
+			end
+		end
+end

data/resources/defaults.yaml

@@ -0,0 +1,2 @@
+--- 
+:debug: false

data/tools/rakehelp.rb

@@ -0,0 +1,105 @@
+
+def make(makedir)
+    Dir.chdir(makedir) do
+        sh(PLATFORM =~ /win32/ ? 'nmake' : 'make')
+    end
+end
+
+
+def extconf(dir)
+    Dir.chdir(dir) do ruby "extconf.rb" end
+end
+
+
+def setup_tests
+    Rake::TestTask.new do |t|
+        t.libs << "test"
+        t.test_files = FileList['test/test*.rb']
+        t.verbose = true
+    end
+end
+
+
+def setup_clean otherfiles
+    files = ['build/*', '**/*.o', '**/*.so', '**/*.a', 'lib/*-*', '**/*.log'] + otherfiles
+    CLEAN.include(files)
+end
+
+
+def setup_rdoc files
+    Rake::RDocTask.new do |rdoc|
+        rdoc.rdoc_dir = 'doc/rdoc'
+        rdoc.options << '--line-numbers'
+        rdoc.rdoc_files.add(files)
+    end
+end
+
+
+def setup_extension(dir, extension)
+    ext = "ext/#{dir}"
+    ext_so = "#{ext}/#{extension}.#{Config::CONFIG['DLEXT']}"
+    ext_files = FileList[
+    "#{ext}/*.c",
+    "#{ext}/*.h",
+    "#{ext}/extconf.rb",
+    "#{ext}/Makefile",
+    "lib"
+    ] 
+    
+    task "lib" do
+        directory "lib"
+    end
+
+    desc "Builds just the #{extension} extension"
+    task extension.to_sym => ["#{ext}/Makefile", ext_so ]
+
+    file "#{ext}/Makefile" => ["#{ext}/extconf.rb"] do
+        extconf "#{ext}"
+    end
+
+    file ext_so => ext_files do
+        make "#{ext}"
+        cp ext_so, "lib"
+    end
+end
+
+
+def base_gem_spec(pkg_name, pkg_version)
+  pkg_version = pkg_version
+  pkg_name    = pkg_name
+  pkg_file_name = "#{pkg_name}-#{pkg_version}"
+  Gem::Specification.new do |s|
+    s.name = pkg_name
+    s.version = pkg_version
+    s.platform = Gem::Platform::RUBY
+    s.has_rdoc = true
+    s.extra_rdoc_files = [ "README" ]
+    
+    s.files = %w(COPYING LICENSE README Rakefile) +
+      Dir.glob("{bin,doc/rdoc,test,lib}/**/*") + 
+      Dir.glob("ext/**/*.{h,c,rb}") +
+      Dir.glob("examples/**/*.rb") +
+      Dir.glob("tools/*.rb")
+    
+    s.require_path = "lib"
+    s.extensions = FileList["ext/**/extconf.rb"].to_a
+    s.bindir = "bin"
+  end
+end
+
+def setup_gem(pkg_name, pkg_version)
+  spec = base_gem_spec(pkg_name, pkg_version)
+  yield spec if block_given?
+    
+  Rake::GemPackageTask.new(spec) do |p|
+    p.gem_spec = spec
+    p.need_tar = true
+  end
+end
+
+def setup_win32_gem(pkg_name, pkg_version)
+  spec = base_gem_spec(pkg_name, pkg_version)
+  yield spec if block_given?
+
+  Gem::Builder.new(spec).build
+end

metadata

@@ -0,0 +1,69 @@
+--- !ruby/object:Gem::Specification 
+rubygems_version: 0.8.11
+specification_version: 1
+name: mongrel_secure_download
+version: !ruby/object:Gem::Version 
+  version: "0.1"
+date: 2006-05-30 00:00:00 -04:00
+summary: Mongrel Secure Download Plugin
+require_paths: 
+- lib
+email: 
+homepage: 
+rubyforge_project: 
+description: Mongrel Secure Download Plugin
+autorequire: 
+default_executable: 
+bindir: bin
+has_rdoc: true
+required_ruby_version: !ruby/object:Gem::Version::Requirement 
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      version: 0.0.0
+  version: 
+platform: ruby
+signing_key: 
+cert_chain: 
+authors: 
+- Josh Ferguson
+files: 
+- COPYING
+- LICENSE
+- README
+- Rakefile
+- lib/mongrel_secure_download
+- lib/mongrel_secure_download/init.rb
+- tools/rakehelp.rb
+- resources/defaults.yaml
+test_files: []
+
+rdoc_options: []
+
+extra_rdoc_files: 
+- README
+executables: []
+
+extensions: []
+
+requirements: []
+
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: gem_plugin
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Version::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.2.1
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: mongrel
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Version::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 0.3.13
+    version: