oauth2_proxy_authentication 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 278ce6d918f64afb1121aa9e1f2f0acbcce80824
+  data.tar.gz: d0f399c5b596cec593dd66bd8f99afcd077fd2ec
+SHA512:
+  metadata.gz: 929cc47ace48e42e7c94fd4591f21075b9372cee7efa372b6c61e4a3e67050d84f058fbaea49a41c581e11e66301e5a5cf059b5f971e8df1b1a6b799726bb6b6
+  data.tar.gz: 91083ca7264de9f44e0efff771ca74b5b17de292a69c7542492654a0bbde38977565c76a0fbc2101cdfcd6c29c3ec22fe4c0a8d0ce5c7b5e697f3857e66c8d34

data/CONTRIBUTING.md

@@ -0,0 +1,15 @@
+## Welcome!
+
+We're so glad you're thinking about contributing to an 18F open source project! If you're unsure or afraid of anything, just ask or submit the issue or pull request anyways. The worst that can happen is that you'll be politely asked to change something. We appreciate any sort of contribution, and don't want a wall of rules to get in the way of that.
+
+Before contributing, we encourage you to read our CONTRIBUTING policy (you are here), our LICENSE, and our README, all of which should be in this repository. If you have any questions, or want to read more about our underlying policies, you can consult the 18F Open Source Policy GitHub repository at https://github.com/18f/open-source-policy, or just shoot us an email/official government letterhead note to [18f@gsa.gov](mailto:18f@gsa.gov).
+
+## Public domain
+
+This project is in the public domain within the United States, and
+copyright and related rights in the work worldwide are waived through
+the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+
+All contributions to this project will be released under the CC0
+dedication. By submitting a pull request, you are agreeing to comply
+with this waiver of copyright interest.

data/LICENSE.md

@@ -0,0 +1,31 @@
+As a work of the United States Government, this project is in the
+public domain within the United States.
+
+Additionally, we waive copyright and related rights in the work
+worldwide through the CC0 1.0 Universal public domain dedication.
+
+## CC0 1.0 Universal Summary
+
+This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
+
+### No Copyright
+
+The person who associated a work with this deed has dedicated the work to
+the public domain by waiving all of his or her rights to the work worldwide
+under copyright law, including all related and neighboring rights, to the
+extent allowed by law.
+
+You can copy, modify, distribute and perform the work, even for commercial
+purposes, all without asking permission.
+
+### Other Information
+
+In no way are the patent or trademark rights of any person affected by CC0,
+nor are the rights that other persons may have in the work or in how the
+work is used, such as publicity or privacy rights.
+
+Unless expressly stated otherwise, the person who associated a work with
+this deed makes no warranties about the work, and disclaims liability for
+all uses of the work, to the fullest extent permitted by applicable law.
+When using or citing the work, you should not imply endorsement by the
+author or the affirmer.

data/README.md

@@ -0,0 +1,45 @@
+# `oauth2_proxy_authentication` gem
+
+**NOTE: This gem will not work until after bitly/oauth2_proxy#147 is integrated.**
+
+Authenticates requests from
+[bitly/oauth2_proxy](https://github.com/bitly/oauth2_proxy) based on a
+shared-secret HMAC signature of the request.
+
+## Installation
+
+If you're using [Bundler](http://bundler.io) in your project, add the
+following to your `Gemfile`:
+
+```ruby
+gem 'oauth2_proxy_authentication'
+```
+
+If you're not using Bundler, start.
+
+## Usage
+
+Inject something resembling the following code fragment into your request
+handling logic as the first thing that happens before the request body is
+parsed, where `secret_key` is the shared secret between your application and
+the running instance of `bitly/oauth2_proxy`:
+
+```ruby
+def my_handler(request)
+  result, header_signature, computed_signature = (
+    Oauth2ProxyAuthentication.validate_request(request, secret_key))
+  if result != Oauth2ProxyAuthentication::MATCH
+    # Cancel the request, optionally logging the values above.
+  end
+end
+```
+
+## Public domain
+
+This project is in the worldwide [public domain](LICENSE.md). As stated in [CONTRIBUTING](CONTRIBUTING.md):
+
+> This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
+>
+> All contributions to this project will be released under the CC0
+>dedication. By submitting a pull request, you are agreeing to comply
+>with this waiver of copyright interest.

data/lib/oauth2_proxy_authentication.rb

@@ -0,0 +1,2 @@
+require_relative 'oauth2_proxy_authentication/signature'
+require_relative 'oauth2_proxy_authentication/version'

data/lib/oauth2_proxy_authentication/signature.rb

@@ -0,0 +1,54 @@
+require 'base64'
+require 'openssl'
+
+module Oauth2ProxyAuthentication
+  HEADERS = %w(
+    Content-Length
+    Content-Md5
+    Content-Type
+    Date
+    Authorization
+    X-Forwarded-User
+    X-Forwarded-Email
+    X-Forwarded-Access-Token
+    Cookie
+    Gap-Auth
+  )
+
+  NO_SIGNATURE = 1
+  INVALID_FORMAT = 2
+  UNSUPPORTED_ALGORITHM = 3
+  MATCH = 4
+  MISMATCH = 5
+
+  def self.signed_headers(request)
+    HEADERS.map { |name| request[name] || '' }
+  end
+
+  def self.string_to_sign(req)
+    [req.method, signed_headers(req).join("\n"), req.uri.path].join("\n")
+  end
+
+  def self.request_signature(request, digest, secret_key)
+    hmac = OpenSSL::HMAC.new secret_key, digest
+    hmac << string_to_sign(request) << (request.body || '')
+    digest.name.downcase + ' ' + Base64.strict_encode64(hmac.digest)
+  end
+
+  def self.parse_digest(name)
+    OpenSSL::Digest.new name
+  rescue
+    nil
+  end
+
+  def self.validate_request(request, key)
+    header = request['Gap-Signature']
+    return NO_SIGNATURE unless header
+    components = header.split ' '
+    return INVALID_FORMAT, header unless components.size == 2
+    digest = parse_digest components.first
+    return UNSUPPORTED_ALGORITHM, header unless digest
+    computed = request_signature(request, digest, key)
+    [(header == computed) ? MATCH : MISMATCH, header, computed]
+  end
+end

data/lib/oauth2_proxy_authentication/version.rb

@@ -0,0 +1,3 @@
+module Oauth2ProxyAuthentication
+  VERSION = '0.0.0'
+end

metadata

@@ -0,0 +1,163 @@
+--- !ruby/object:Gem::Specification
+name: oauth2_proxy_authentication
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+platform: ruby
+authors:
+- Mike Bland
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-10-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: go_script
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.4'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: about_yml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Authenticates requests proxied by a bitly/oauth2_proxy server using shared-secret
+  HMAC request signatures.
+email:
+- michael.bland@gsa.gov
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CONTRIBUTING.md
+- LICENSE.md
+- README.md
+- lib/oauth2_proxy_authentication.rb
+- lib/oauth2_proxy_authentication/signature.rb
+- lib/oauth2_proxy_authentication/version.rb
+homepage: https://github.com/18F/oauth2_proxy_authentication_gem
+licenses:
+- CC0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Authenticates requests from bitly/oauth2_proxy
+test_files: []