oauth2_hmac_rails 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4bd7cd3a18431250766d52ff1e3ba568d9c594f1
+  data.tar.gz: 4090b3dc9fda27742c250af149b2cf480471810f
+SHA512:
+  metadata.gz: b46700be8f8a16574b4c747ef90da88b8fc1d094af3dd757845bbb8b9ef11016d59d62e1baef5b0f206effb91d7a9eb57b41f94f1b03ef318d50bf5ca0752b5e
+  data.tar.gz: 42aee3e43862e007050b14da9e75a37caffd7e653480583d1dfa44587d0c746789bc91df829c932b6a920dc5462ec3b5af38e5e85fbff747ea176da631b34474

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2015 Mustafa TURAN
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,28 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Oauth2HmacRails'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+load 'rails/tasks/statistics.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+require "rspec/core/rake_task"
+

data/app/controllers/oauth2_hmac_rails/application_controller.rb

@@ -0,0 +1,4 @@
+module Oauth2HmacRails
+  class ApplicationController < ActionController::Base
+  end
+end

data/app/controllers/oauth2_hmac_rails/concerns/helper.rb

@@ -0,0 +1,92 @@
+require 'oauth2_hmac_header'
+module Oauth2HmacRails
+  module Concerns
+    module Helper
+      extend ActiveSupport::Concern
+      included do
+        AUTHORIZATION_DEFAULT_HEADER_KEY = 'Authorization'
+
+        attr_accessor :client_authorization_header_key
+        attr_reader :current_client
+
+        def client_authorization_header_key
+          AUTHORIZATION_DEFAULT_HEADER_KEY
+        end
+
+        def authorize!
+          begin
+            client_id, ts, nonce, ext, mac = ::Oauth2HmacHeader::AuthorizationHeader.parse(client_authorization_header)
+          rescue KeyError => e
+            return unauthorized I18n.t("oauth2_hmac_rails.missing_hmac_key", details: e)
+          end
+
+          # get client data
+          begin
+            @current_client = Client.find(client_id)
+          rescue ActiveRecord::RecordNotFound
+            return unauthorized I18n.t("oauth2_hmac_rails.client_not_found", client_id: client_id)
+          end
+
+          # validate signature
+          begin
+            validity_flag = ::Oauth2HmacHeader::AuthorizationHeader.is_valid?(
+              mac,
+              @current_client.mac_algorithm,
+              @current_client.mac_key,
+              ts,
+              nonce,
+              request.method,
+              request.path,
+              request.host,
+              request.port,
+              ext
+            )
+            return unauthorized I18n.t("oauth2_hmac_rails.invalid_signature", mac: mac, client_id: client_id) unless validity_flag
+            return unauthorized I18n.t("oauth2_hmac_rails.request_timeout_for_client_signature", mac: mac, client_id: client_id) if (ts.to_i + @current_client.mac_request_expires_in) < Time.now.to_i # request timeout
+          rescue
+            return unauthorized I18n.t("oauth2_hmac_rails.unauthorized")
+          end
+
+          # add valid request to db for preventing replay attacks and api analytics
+          create_mac_request(client_id, ts, nonce, ext, mac)
+        end
+
+        private
+
+        def client_authorization_header
+          request.headers[client_authorization_header_key].to_s
+        end
+
+        def unauthorized(reason)
+          logger.info "#{self.class.name} / #{reason}"
+          attach_unauthorized_header
+          render(json: { error: reason }, status: :unauthorized) and return false
+        end
+
+        def attach_unauthorized_header
+          response.headers['WWW-Authenticate'] = 'MAC'
+        end
+
+        def create_mac_request(client_id, ts, nonce, ext, mac)
+          begin
+            MacRequest.create(
+              ip: request.ip,
+              method: request.method,
+              uri: request.path,
+              host: request.host,
+              port: request.port,
+              client_id: client_id,
+              ts: ts,
+              nonce: nonce,
+              ext: ext.to_s,
+              mac: mac,
+              uts: Time.now.to_i
+            )
+          rescue ActiveRecord::RecordNotUnique => e
+            return unauthorized I18n.t("oauth2_hmac_rails.replay_attack")
+          end
+        end
+      end
+    end
+  end
+end

data/app/models/oauth2_hmac_rails/client.rb

@@ -0,0 +1,9 @@
+require 'attr_encrypted'
+
+module Oauth2HmacRails
+  class Client < ActiveRecord::Base
+    include ::Oauth2HmacRails::Concerns::AutoId
+    attr_encrypted :mac_key, key: Rails.application.secrets.secret_key_base, encode: true
+    serialize :settings, OpenStruct
+  end
+end

data/app/models/oauth2_hmac_rails/concerns/auto_id.rb

@@ -0,0 +1,19 @@
+module Oauth2HmacRails
+  module Concerns
+    module AutoId
+      extend ActiveSupport::Concern
+    
+      included do
+        self.primary_key = 'id'
+    
+        before_create :generate_id
+        def generate_id
+          (self.id = SecureRandom.uuid.gsub('-', '')) if self.id.nil?
+        end
+      end
+    
+      class_methods do
+      end
+    end
+  end
+end

data/app/models/oauth2_hmac_rails/mac_request.rb

@@ -0,0 +1,5 @@
+module Oauth2HmacRails
+  class MacRequest < ActiveRecord::Base
+    include ::Oauth2HmacRails::Concerns::AutoId
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,8 @@
+en:
+  oauth2_hmac_rails:
+    missing_hmac_key: "MISSING_HMAC_KEY: %{details}"
+    client_not_found: "CLIENT_NOT_FOUND: %{client_id}"
+    invalid_signature: "INVALID_SIGNATURE: %{mac} for client id %{client_id}"
+    request_timeout_for_client_signature: "REQUEST_TIMEOUT_FOR_CLIENT_SIGNATURE: #{mac} for client id #{client_id}"
+    unauthorized: "UNAUTHORIZED"
+    replay_attack: "REPLAY_ATTACK"

data/config/routes.rb

@@ -0,0 +1,2 @@
+Oauth2HmacRails::Engine.routes.draw do
+end

data/db/migrate/20151116093517_create_oauth2_hmac_rails_clients.rb

@@ -0,0 +1,13 @@
+class CreateOauth2HmacRailsClients < ActiveRecord::Migration
+  def change
+    create_table :oauth2_hmac_rails_clients, id: false do |t|
+      t.column      :id, 'CHAR(32)'
+      t.text        :encrypted_mac_key, null: false
+      t.string      :mac_algorithm, default: 'hmac-sha-256'
+      t.integer     :mac_request_expires_in, default: 3
+      t.text        :settings
+      t.timestamps null: false
+    end
+    add_index :oauth2_hmac_rails_clients, :id, unique: true, using: :btree
+  end
+end

data/db/migrate/20151116093601_create_oauth2_hmac_rails_mac_requests.rb

@@ -0,0 +1,23 @@
+class CreateOauth2HmacRailsMacRequests < ActiveRecord::Migration
+  def change
+    create_table :oauth2_hmac_rails_mac_requests, id: false do |t|
+      t.string      :id, 'CHAR(32)' # uuid
+      t.column      :client_id, 'CHAR(32)' # uuid
+      t.string      :ip, limit: 64 # client ip
+      t.string      :method, limit: 8 # get, post, put, etc...
+      t.string      :uri # request path
+      t.string      :host, limit: 128 # hostname
+      t.string      :port, limit: 8 # port
+      t.string      :ts, null: false, limit: 10 # timestamp
+      t.string      :nonce, null: false # timestamp + random str
+      t.string      :ext, default: '', null: false # generally md5(request_body)
+      t.string      :mac, null: false # mac signature
+      t.string      :uts, null: false, limit: 10 # created at in unixtime format
+      t.string      :status, null: true 
+    end
+
+    add_index :oauth2_hmac_rails_mac_requests, :id, unique: true, using: :btree
+    add_index :oauth2_hmac_rails_mac_requests, :client_id
+    add_index :oauth2_hmac_rails_mac_requests, [ :mac, :nonce, :ext ], unique: true
+  end
+end

data/lib/oauth2_hmac_rails.rb

@@ -0,0 +1,4 @@
+require "oauth2_hmac_rails/engine"
+
+module Oauth2HmacRails
+end

data/lib/oauth2_hmac_rails/engine.rb

@@ -0,0 +1,10 @@
+module Oauth2HmacRails
+  class Engine < ::Rails::Engine
+    isolate_namespace Oauth2HmacRails
+    
+    config.generators do |g|
+      g.test_framework :rspec
+      g.fixture_replacement :factory_girl, dir: 'spec/factories'
+    end
+  end
+end

data/lib/oauth2_hmac_rails/version.rb

@@ -0,0 +1,3 @@
+module Oauth2HmacRails
+  VERSION = '0.1.0'
+end

data/lib/tasks/oauth2_hmac_rails_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :oauth2_hmac_rails do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,143 @@
+--- !ruby/object:Gem::Specification
+name: oauth2_hmac_rails
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Mustafa TURAN
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-11-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.5
+- !ruby/object:Gem::Dependency
+  name: oauth2_hmac_header
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.2
+- !ruby/object:Gem::Dependency
+  name: attr_encrypted
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+description: Authorization server 'Rails Engine' for Oauth2 HMac Draft 01.
+email:
+- mustafaturan.net@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- Rakefile
+- app/controllers/oauth2_hmac_rails/application_controller.rb
+- app/controllers/oauth2_hmac_rails/concerns/helper.rb
+- app/models/oauth2_hmac_rails/client.rb
+- app/models/oauth2_hmac_rails/concerns/auto_id.rb
+- app/models/oauth2_hmac_rails/mac_request.rb
+- config/locales/en.yml
+- config/routes.rb
+- db/migrate/20151116093517_create_oauth2_hmac_rails_clients.rb
+- db/migrate/20151116093601_create_oauth2_hmac_rails_mac_requests.rb
+- lib/oauth2_hmac_rails.rb
+- lib/oauth2_hmac_rails/engine.rb
+- lib/oauth2_hmac_rails/version.rb
+- lib/tasks/oauth2_hmac_rails_tasks.rake
+homepage: https://github.com/mustafaturan/oauth2_hmac_rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Authorization server 'Rails Engine' for Oauth2 HMac Draft 01.
+test_files: []