net-http-sspi 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e20365ef4eaf3a469c477b1ba868280bf2c79c3060750273de64152d36064f8f
+  data.tar.gz: 3a1cc8c70bd4783e9675808fe1a5a2fd97c0de47befa98e70762223d7932208a
+SHA512:
+  metadata.gz: 48c9e4a3b8469638d60734f4725fb5527f2bec31043b4389560d22bd45a868dc12d30ab17f7fbd32bf0df8c7c34421465108af0e9f908b08f0ddabcfe8ec77d6
+  data.tar.gz: bc45ab63e507d5a8a1b5dfbbfea9362a4697e8eb7e91b6f6acf51a5d62788c1cd16f6660460b5ab58cab10b957554dedff60ef50c5ccec8652c0e38f6a93a908

data/.mailmap

@@ -0,0 +1,21 @@
+# aamine
+Minero Aoki                             <aamine@loveruby.net>
+Minero Aoki                             <aamine@loveruby.net> <aamine@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+
+# hsbt
+Hiroshi SHIBATA                         <hsbt@ruby-lang.org>
+Hiroshi SHIBATA                         <hsbt@ruby-lang.org> <hsbt@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+
+# naruse
+NARUSE, Yui                             <naruse@airemix.jp>
+NARUSE, Yui                             <naruse@airemix.jp> <naruse@ruby-lang.org>
+NARUSE, Yui                             <naruse@airemix.jp> <naruse@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+
+# nobu
+Nobuyoshi Nakada                        <nobu@ruby-lang.org>
+Nobuyoshi Nakada                        <nobu@ruby-lang.org> <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+
+# usa
+U.Nakamura                              <usa@ruby-lang.org>
+U.Nakamura                              <usa@ruby-lang.org> <usa@garbagecollect.jp>
+U.Nakamura                              <usa@ruby-lang.org> <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>

data/BSDL

@@ -0,0 +1,22 @@
+Copyright (C) 1993-2013 Yukihiro Matsumoto. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

data/COPYING

@@ -0,0 +1,56 @@
+Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.jp>.
+You can redistribute it and/or modify it under either the terms of the
+2-clause BSDL (see the file BSDL), or the conditions below:
+
+1. You may make and give away verbatim copies of the source form of the
+   software without restriction, provided that you duplicate all of the
+   original copyright notices and associated disclaimers.
+
+2. You may modify your copy of the software in any way, provided that
+   you do at least ONE of the following:
+
+   a. place your modifications in the Public Domain or otherwise
+      make them Freely Available, such as by posting said
+      modifications to Usenet or an equivalent medium, or by allowing
+      the author to include your modifications in the software.
+
+   b. use the modified software only within your corporation or
+      organization.
+
+   c. give non-standard binaries non-standard names, with
+      instructions on where to get the original software distribution.
+
+   d. make other distribution arrangements with the author.
+
+3. You may distribute the software in object code or binary form,
+   provided that you do at least ONE of the following:
+
+   a. distribute the binaries and library files of the software,
+      together with instructions (in the manual page or equivalent)
+      on where to get the original distribution.
+
+   b. accompany the distribution with the machine-readable source of
+      the software.
+
+   c. give non-standard binaries non-standard names, with
+      instructions on where to get the original software distribution.
+
+   d. make other distribution arrangements with the author.
+
+4. You may modify and include the part of the software into any other
+   software (possibly commercial).  But some files in the distribution
+   are not written by the author, so that they are not under these terms.
+
+   For the list of those files and their copying conditions, see the
+   file LEGAL.
+
+5. The scripts and library files supplied as input to or produced as
+   output from the software do not automatically fall under the
+   copyright of the software, but belong to whomever generated them,
+   and may be sold commercially, and may be aggregated with this
+   software.
+
+6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+   IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+   PURPOSE.

data/README.md

@@ -0,0 +1,50 @@
+# Win32::SSPI
+
+win32-sspi implements bindings to Win32 SSPI functions, focused on
+authentication to a proxy server over HTTP.
+
+## Installation
+
+win32-sspi is a bundled gem of the ruby standard library, so that the
+latest version on the ruby release date is preinstalled on Windows.
+Other versions of the gem can be installed in addition like so:
+
+Install the gem and add to the application's Gemfile by executing:
+
+    $ bundle add win32-sspi
+
+If bundler is not being used to manage dependencies, install the gem
+by executing:
+
+    $ gem install win32-sspi
+
+## Usage
+
+```ruby
+require "net/http"
+
+proxy_arguments = [proxy_server,] # ...
+http = Net::HTTP.new(hostname, nil, *proxy_arguments)
+http.instance_variable_set(:@sspi_enabled, true)
+
+req = Net::HTTP::Get.new('/todos/1')
+http.request(req)
+```
+
+See [Proxy Server in Net::HTTP] for proxy arguments.
+
+[Proxy Server in Net::HTTP]: https://docs.ruby-lang.org/en/master/Net/HTTP.html#class-Net::HTTP-label-Proxy+Server
+
+## Development
+
+To install this gem onto your local machine, run `bundle exec rake
+install`. To release a new version, update the version number in
+`version.rb`, and then run `bundle exec rake release`, which will
+create a git tag for the version, push git commits and the created
+tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on [GitHub].
+
+[GitHub]: https://github.com/ruby/win32-sspi

data/lib/win32/sspi.rb

@@ -0,0 +1,339 @@
+# frozen_string_literal: false
+#
+# = win32/sspi.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+#
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+require 'fiddle/import'
+
+# Implements bindings to Win32 SSPI functions, focused on authentication to a proxy server over HTTP.
+module Win32
+  module SSPI
+    # Specifies how credential structure requested will be used. Only SECPKG_CRED_OUTBOUND is used
+    # here.
+    SECPKG_CRED_INBOUND = 0x00000001
+    SECPKG_CRED_OUTBOUND = 0x00000002
+    SECPKG_CRED_BOTH = 0x00000003
+
+    # Format of token. NETWORK format is used here.
+    SECURITY_NATIVE_DREP = 0x00000010
+    SECURITY_NETWORK_DREP = 0x00000000
+
+    # InitializeSecurityContext Requirement flags
+    ISC_REQ_REPLAY_DETECT = 0x00000004
+    ISC_REQ_SEQUENCE_DETECT = 0x00000008
+    ISC_REQ_CONFIDENTIALITY = 0x00000010
+    ISC_REQ_USE_SESSION_KEY = 0x00000020
+    ISC_REQ_PROMPT_FOR_CREDS = 0x00000040
+    ISC_REQ_CONNECTION = 0x00000800
+
+    # Win32 API Functions. Uses Win32API to bind methods to constants contained in class.
+    module API
+      extend Fiddle::Importer
+      dlload "secur32.dll"
+      [
+        # Can be called with AcquireCredentialsHandleA.call()
+        "unsigned long AcquireCredentialsHandleA(void *, void *, unsigned long, void *, void *, void *, void *, void *, void *)",
+        # Can be called with InitializeSecurityContextA.call()
+        "unsigned long InitializeSecurityContextA(void *, void *, void *, unsigned long, unsigned long, unsigned long, void *, unsigned long, void *, void *, void *, void *)",
+        # Can be called with DeleteSecurityContext.call()
+        "unsigned long DeleteSecurityContext(void *)",
+        # Can be called with FreeCredentialsHandle.call()
+        "unsigned long FreeCredentialsHandle(void *)"
+      ].each do |fn|
+        cfunc = extern fn, :stdcall
+        const_set cfunc.name.intern, cfunc
+      end
+    end
+
+    # SecHandle struct
+    class SecurityHandle
+      def upper
+        @struct.unpack1("x4L")
+      end
+
+      def lower
+        @struct.unpack1("L")
+      end
+
+      def to_p
+        @struct ||= "\0" * 8
+      end
+    end
+
+    # Some familiar aliases for the SecHandle structure
+    CredHandle = CtxtHandle = SecurityHandle
+
+    # TimeStamp struct
+    class TimeStamp
+      attr_reader :struct
+
+      def to_p
+        @struct ||= "\0" * 8
+      end
+    end
+
+    # Creates binary representations of a SecBufferDesc structure,
+    # including the SecBuffer contained inside.
+    class SecurityBuffer
+
+      SECBUFFER_TOKEN = 2   # Security token
+
+      TOKENBUFSIZE = 12288
+      SECBUFFER_VERSION = 0
+
+      def initialize(buffer = nil)
+        @buffer = buffer || "\0" * TOKENBUFSIZE
+        @bufferSize = @buffer.length
+        @type = SECBUFFER_TOKEN
+      end
+
+      def bufferSize
+        unpack
+        @bufferSize
+      end
+
+      def bufferType
+        unpack
+        @type
+      end
+
+      def token
+        unpack
+        @buffer
+      end
+
+      def to_p
+        # Assumption is that when to_p is called we are going to get a packed structure. Therefore,
+        # set @unpacked back to nil so we know to unpack when accessors are next accessed.
+        @unpacked = nil
+        # Assignment of inner structure to variable is very important here. Without it,
+        # will not be able to unpack changes to the structure. Alternative, nested unpacks,
+        # does not work (i.e. @struct.unpack("LLP12")[2].unpack("LLP12") results in "no associated pointer")
+        @sec_buffer ||= [@bufferSize, @type, @buffer].pack("LLP")
+        @struct ||= [SECBUFFER_VERSION, 1, @sec_buffer].pack("LLP")
+      end
+
+    private
+
+      # Unpacks the SecurityBufferDesc structure into member variables. We
+      # only want to do this once per struct, so the struct is deleted
+      # after unpacking.
+      def unpack
+        if ! @unpacked && @sec_buffer && @struct
+          @bufferSize, @type = @sec_buffer.unpack("LL")
+          @buffer = @sec_buffer.unpack1("x8P#{@bufferSize}")
+          @struct = nil
+          @sec_buffer = nil
+          @unpacked = true
+        end
+      end
+    end
+
+    # SEC_WINNT_AUTH_IDENTITY structure
+    class Identity
+      SEC_WINNT_AUTH_IDENTITY_ANSI = 0x1
+
+      attr_accessor :user, :domain, :password
+
+      def initialize(user = nil, domain = nil, password = nil)
+        @user = user
+        @domain = domain
+        @password = password
+        @flags = SEC_WINNT_AUTH_IDENTITY_ANSI
+      end
+
+      def to_p
+        [@user, @user ? @user.length : 0,
+         @domain, @domain ? @domain.length : 0,
+         @password, @password ? @password.length : 0,
+         @flags].pack("PLPLPLL")
+      end
+    end
+
+    # Takes a return result from an SSPI function and interprets the value.
+    class SSPIResult
+      # Good results
+      SEC_E_OK = 0x00000000
+      SEC_I_CONTINUE_NEEDED = 0x00090312
+
+      # These are generally returned by InitializeSecurityContext
+      SEC_E_INSUFFICIENT_MEMORY = 0x80090300
+      SEC_E_INTERNAL_ERROR = 0x80090304
+      SEC_E_INVALID_HANDLE = 0x80090301
+      SEC_E_INVALID_TOKEN = 0x80090308
+      SEC_E_LOGON_DENIED = 0x8009030C
+      SEC_E_NO_AUTHENTICATING_AUTHORITY = 0x80090311
+      SEC_E_NO_CREDENTIALS = 0x8009030E
+      SEC_E_TARGET_UNKNOWN = 0x80090303
+      SEC_E_UNSUPPORTED_FUNCTION = 0x80090302
+      SEC_E_WRONG_PRINCIPAL = 0x80090322
+
+      # These are generally returned by AcquireCredentialsHandle
+      SEC_E_NOT_OWNER = 0x80090306
+      SEC_E_SECPKG_NOT_FOUND = 0x80090305
+      SEC_E_UNKNOWN_CREDENTIALS = 0x8009030D
+
+      RESULT_MAP = constants.to_h {|v| [const_get(v), v]}.freeze
+
+      attr_reader :value
+
+      def initialize(value)
+        # convert to unsigned long
+        value &= 0xffffffff
+        raise "#{value.to_s(16)} is not a recognized result" unless RESULT_MAP.key? value
+        @value = value
+      end
+
+      def to_s
+        RESULT_MAP[@value].to_s
+      end
+
+      def ok?
+        @value == SEC_I_CONTINUE_NEEDED || @value == SEC_E_OK
+      end
+
+      def ==(other)
+        case other
+        when SSPIResult
+          @value == other.value
+        when Integer
+          @value == other
+        when Symbol
+          RESULT_MAP[@value] == other
+        else
+          false
+        end
+      end
+    end
+
+    # Handles "Negotiate" type authentication. Geared towards authenticating with a proxy server over HTTP
+    class NegotiateAuth
+      attr_accessor :credentials, :context, :contextAttributes, :user, :domain
+
+      # Default request flags for SSPI functions
+      REQUEST_FLAGS = ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION
+
+      # NTLM tokens start with this header always. Encoding alone adds "==" and newline, so remove those
+      B64_TOKEN_PREFIX = ["NTLMSSP"].pack("m").delete("=\n")
+
+      # Given a connection and a request path, performs authentication as the current user and returns
+      # the response from a GET request. The connection should be a Net::HTTP object, and it should
+      # have been constructed using the Net::HTTP.Proxy method, but anything that responds to "get" will work.
+      # If a user and domain are given, will authenticate as the given user.
+      # Returns the response received from the get method (usually Net::HTTPResponse)
+      def NegotiateAuth.proxy_auth_get(http, path, user = nil, domain = nil)
+        raise "http must respond to :get" unless http.respond_to?(:get)
+        nego_auth = self.new user, domain
+
+        resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+        if resp["Proxy-Authenticate"]
+          resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(resp["Proxy-Authenticate"].split(" ").last.strip) }
+        end
+
+        resp
+      end
+
+      # Creates a new instance ready for authentication as the given user in the given domain.
+      # Defaults to current user and domain as defined by ENV["USERDOMAIN"] and ENV["USERNAME"] if
+      # no arguments are supplied.
+      def initialize(user = nil, domain = nil)
+        if user.nil? && domain.nil? && ENV["USERNAME"].nil? && ENV["USERDOMAIN"].nil?
+          raise "A username or domain must be supplied since they cannot be retrieved from the environment"
+        end
+
+        @user = user || ENV["USERNAME"]
+        @domain = domain || ENV["USERDOMAIN"]
+      end
+
+      # Gets the initial Negotiate token. Returns it as a base64 encoded string suitable for use in HTTP. Can
+      # be easily decoded, however.
+      def get_initial_token
+        raise "This object is no longer usable because its resources have been freed." if @cleaned_up
+        get_credentials
+
+        outputBuffer = SecurityBuffer.new
+        @context = CtxtHandle.new
+        @contextAttributes = "\0" * 4
+
+        result = SSPIResult.new(API::InitializeSecurityContextA.call(@credentials.to_p, nil, nil,
+          REQUEST_FLAGS,0, SECURITY_NETWORK_DREP, nil, 0, @context.to_p, outputBuffer.to_p, @contextAttributes, TimeStamp.new.to_p))
+
+        if result.ok? then
+          return encode_token(outputBuffer.token)
+        else
+          raise "Error: #{result.to_s}"
+        end
+      end
+
+      # Takes a token and gets the next token in the Negotiate authentication chain. Token can be Base64 encoded or not.
+      # The token can include the "Negotiate" header and it will be stripped.
+      # Does not indicate if SEC_I_CONTINUE or SEC_E_OK was returned.
+      # Token returned is Base64 encoded w/ all new lines removed.
+      def complete_authentication(token)
+        raise "This object is no longer usable because its resources have been freed." if @cleaned_up
+
+        # Nil token OK, just set it to empty string
+        token = "" if token.nil?
+
+        if token.start_with? "Negotiate"
+          # If the Negotiate prefix is passed in, assume we are seeing "Negotiate <token>" and get the token.
+          token = token.split(" ", 2).last
+        end
+
+        if token.start_with? B64_TOKEN_PREFIX
+          # indicates base64 encoded token
+          token = token.strip.unpack1("m")
+        end
+
+        outputBuffer = SecurityBuffer.new
+        result = SSPIResult.new(API::InitializeSecurityContextA.call(@credentials.to_p, @context.to_p, nil,
+          REQUEST_FLAGS, 0, SECURITY_NETWORK_DREP, SecurityBuffer.new(token).to_p, 0,
+          @context.to_p,
+          outputBuffer.to_p, @contextAttributes, TimeStamp.new.to_p))
+
+        if result.ok? then
+          return encode_token(outputBuffer.token)
+        else
+          raise "Error: #{result.to_s}"
+        end
+      ensure
+        # need to make sure we don't clean up if we've already cleaned up.
+        clean_up unless @cleaned_up
+      end
+
+    private
+
+      def clean_up
+        # free structures allocated
+        @cleaned_up = true
+        API::FreeCredentialsHandle.call(@credentials.to_p)
+        API::DeleteSecurityContext.call(@context.to_p)
+        @context = nil
+        @credentials = nil
+        @contextAttributes = nil
+      end
+
+      # Gets credentials based on user, domain or both. If both are nil, an error occurs
+      def get_credentials
+        @credentials = CredHandle.new
+        ts = TimeStamp.new
+        @identity = Identity.new @user, @domain
+        result = SSPIResult.new(API::AcquireCredentialsHandleA.call(nil, "Negotiate", SECPKG_CRED_OUTBOUND, nil, @identity.to_p,
+          nil, nil, @credentials.to_p, ts.to_p))
+        raise "Error acquire credentials: #{result}" unless result.ok?
+      end
+
+      def encode_token(t)
+        [t].pack("m0")
+      end
+    end
+  end
+end

data/rakelib/epoch.rake

@@ -0,0 +1,5 @@
+task "build" => "date_epoch"
+
+task "date_epoch" do
+  ENV["SOURCE_DATE_EPOCH"] = IO.popen(%W[git -C #{__dir__} log -1 --format=%ct], &:read).chomp
+end

data/sig/win32/sspi.rbs

@@ -0,0 +1,6 @@
+module Win32
+  module SSPI
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification
+name: net-http-sspi
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Justin Bailey
+bindir: exe
+cert_chain: []
+date: 2024-10-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fiddle
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: net-http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: implements bindings to Win32 SSPI functions, focused on authentication
+  to a proxy server over HTTP.
+email:
+- "<jgbailey@gmail.com>"
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".mailmap"
+- BSDL
+- COPYING
+- README.md
+- lib/win32/sspi.rb
+- rakelib/epoch.rake
+- sig/win32/sspi.rbs
+homepage: https://github.com/ruby/net-http-sspi
+licenses:
+- Ruby
+- BSDL
+metadata:
+  homepage_uri: https://github.com/ruby/net-http-sspi
+  source_code_uri: https://github.com/ruby/net-http-sspi
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.0.dev
+specification_version: 4
+summary: Windows SSPI implementation in Ruby
+test_files: []