opentoken-newrelic-rails23 1.2.2

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,22 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+Gemfile.lock
+
+## PROJECT::SPECIFIC

data/CONTRIBUTORS.txt

@@ -0,0 +1,7 @@
+Ryan Sonnek - Original Author
+
+Dan Alvizu - contributed OpenToken encode functionality
+
+Complete list of contributors:
+https://github.com/socialcast/opentoken/contributors
+

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in opentoken-newrelic-rails23.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+The MIT License
+
+Copyright (c) 2011 Socialcast, Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,33 @@
+# opentoken
+
+Parse encrypted opentoken properties
+
+see http://www.pingidentity.com/opentoken
+
+## Usage
+
+```ruby
+# configure decryption with shared key
+OpenToken.password = 'shared_secret_to_decrypt'
+
+# decrypt opentoken into hash of attributes
+attributes = OpenToken.decode 'opentoken-hashed-string'
+
+# encrypt opentoken from hash of attributes
+attributes = { 'subject' => 'foo', 'bar' => 'bak' }
+token = OpenToken.encode attributes, OpenToken::Cipher::AES_128_CBC
+```
+  
+## Contributing
+ 
+* Fork the project
+* Fix the issue
+* Add tests
+* Send me a pull request. Bonus points for topic branches.
+
+see CONTRIBUTORS.txt for complete list of contributors.
+
+## Copyright
+
+Copyright (c) 2011 Socialcast Inc.
+See LICENSE.txt for details.

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+task :default => :test

data/lib/opentoken-newrelic-rails23.rb

@@ -0,0 +1,182 @@
+require 'base64'
+require 'openssl'
+require 'digest/sha1'
+require 'zlib'
+require 'stringio'
+require 'cgi'
+require 'time'
+require File.join(File.dirname(__FILE__), 'opentoken-newrelic-rails23', 'token')
+require File.join(File.dirname(__FILE__), 'opentoken-newrelic-rails23', 'key_value_serializer')
+require File.join(File.dirname(__FILE__), 'opentoken-newrelic-rails23', 'password_key_generator')
+require File.join(File.dirname(__FILE__), 'opentoken-newrelic-rails23', 'cipher')
+
+module OpenToken
+  class TokenInvalidError < StandardError;  end
+
+  class << self
+    attr_accessor :debug
+    def debug?
+      !!debug
+    end
+
+    attr_accessor :password
+    attr_accessor :token_lifetime
+    attr_accessor :renew_until_lifetime
+
+    def encode(attributes, cipher)
+      attributes['not-before'] = Time.now.utc.iso8601.to_s
+      attributes['not-on-or-after'] = Time.at(Time.now.to_i + token_lifetime).utc.iso8601.to_s
+      attributes['renew-until'] = Time.at(Time.now.to_i + renew_until_lifetime).utc.iso8601.to_s
+
+      serialized = OpenToken::KeyValueSerializer.serialize(attributes)
+      compressed = zip_payload serialized
+
+      key = cipher.generate_key
+      iv = cipher.generate_iv
+      encrypted = cipher.encrypt_payload compressed, key, iv
+
+      mac = []
+      mac << "0x01".hex.chr # OTK version
+      mac << cipher.suite.chr
+      mac << iv
+      mac << force_encoding(serialized, 'BINARY')
+      hash = OpenSSL::HMAC.digest(OpenToken::PasswordKeyGenerator::SHA1_DIGEST, key, mac.join)
+
+      token_string = ""
+      token_string = "OTK" + 1.chr + cipher.suite.chr
+      token_string += hash
+      token_string += cipher.iv_length.chr
+      token_string += iv
+      token_string += 0.chr # key info length
+      token_string += ((encrypted.length >> 8) &0xFF ).chr
+      token_string += (encrypted.length & 0xFF).chr
+      token_string += encrypted
+      inspect_binary_string "Unencoded", token_string
+      encoded = urlsafe_encode64 token_string
+      inspect_binary_string "Encoded", encoded
+      encoded
+    end
+    def decode(opentoken = nil)
+      verify opentoken.present?, 'Unable to parse empty token'
+      data = urlsafe_decode64(opentoken)
+      inspect_binary_string 'DATA', data
+
+      verify_header data
+      verify_version data
+
+      #cipher suite identifier
+      cipher_suite = char_value_of data[4]
+      cipher = OpenToken::Cipher.for_suite cipher_suite
+
+      #SHA-1 HMAC
+      payload_hmac = data[5..24]
+      inspect_binary_string "PAYLOAD HMAC [5..24]", payload_hmac
+
+      #Initialization Vector (iv)
+      iv_length = char_value_of data[25]
+      iv_end = char_value_of [26, 26 + iv_length - 1].max
+      iv = data[26..iv_end]
+      inspect_binary_string "IV [26..#{iv_end}]", iv
+      verify iv_length == cipher.iv_length, "Cipher expects iv length of #{cipher.iv_length} and was: #{iv_length}"
+
+      #key (not currently used)
+      key_length = char_value_of data[iv_end + 1]
+      key_end = iv_end + 1
+      verify key_length == 0, "Token key embedding is not currently supported. Key length is: #{key_length}"
+
+      #payload
+      payload_length = data[(key_end + 1)..(key_end + 2)].unpack('n').first
+      payload_offset = key_end + 3
+      encrypted_payload = data[payload_offset..(data.length - 1)]
+      verify encrypted_payload.length == payload_length, "Payload length is #{encrypted_payload.length} and was expected to be #{payload_length}"
+      inspect_binary_string "ENCRYPTED PAYLOAD [#{payload_offset}..#{data.length - 1}]", encrypted_payload
+
+      key = cipher.generate_key
+      inspect_binary_string 'KEY', key
+
+      compressed_payload = cipher.decrypt_payload encrypted_payload, key, iv
+      inspect_binary_string 'COMPRESSED PAYLOAD', compressed_payload
+
+      unparsed_payload = unzip_payload compressed_payload
+      puts 'EXPANDED PAYLOAD', unparsed_payload if debug?
+
+      #validate payload hmac
+      mac = []
+      mac << "0x01".hex.chr
+      mac << cipher_suite.chr
+      mac << iv
+      mac << key if key_length > 0 #key embedding is not currently supported
+      mac << unparsed_payload
+      hash = OpenSSL::HMAC.digest(OpenToken::PasswordKeyGenerator::SHA1_DIGEST, key, mac.join)
+      if (hash <=> payload_hmac) != 0
+        verify payload_hmac == hash, "HMAC for payload was #{hash} and expected to be #{payload_hmac}"
+      end
+
+      unescaped_payload = CGI::unescapeHTML(unparsed_payload)
+      puts 'UNESCAPED PAYLOAD', unescaped_payload if debug?
+      token = OpenToken::KeyValueSerializer.deserialize force_encoding(unescaped_payload, 'UTF-8')
+      puts token.inspect if debug?
+      token.validate!
+      token
+    end
+
+    private
+    def char_value_of(character)
+      if RUBY_VERSION < "1.9"
+        return character
+      else
+        return character.chr.ord
+      end
+    end
+    def verify_header(data)
+      header = data[0..2]
+      verify header == 'OTK', "Invalid token header: #{header}"
+    end
+    def verify_version(data)
+      version = char_value_of data[3]
+      verify version == 1, "Unsupported token version: '#{version}'"
+    end
+    #ruby 1.9 has Base64.urlsafe_decode64 which can be used instead of gsubbing '_' and '-'
+    def urlsafe_decode64(token)
+      string = token.gsub('*', '=').gsub('_', '/').gsub('-', '+')
+      data = Base64.decode64(string)
+    end
+    def urlsafe_encode64(token)
+      string = Base64.encode64(token);
+      string = string.gsub('=', '*').gsub('/', '_').gsub('+', '-').gsub(10.chr, '').gsub(11.chr, '')
+      string
+    end
+    def verify(assertion, message = 'Invalid Token')
+      raise OpenToken::TokenInvalidError.new(message) unless assertion
+    end
+    #decompress the payload
+    #see http://stackoverflow.com/questions/1361892/how-to-decompress-gzip-data-in-ruby
+    def unzip_payload(compressed_payload)
+      unparsed_payload = begin
+        Zlib::Inflate.inflate(compressed_payload)
+      rescue Zlib::BufError
+        Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(compressed_payload[2, compressed_payload.size])
+      end
+    end
+    def zip_payload(uncompressed)
+      compressed = Zlib::Deflate.deflate(uncompressed, 9)
+      compressed
+    end
+    def inspect_binary_string(header, string)
+      return unless debug?
+      puts "#{header}:"
+      index = 0
+      string.each_byte do |b| 
+        puts "#{index}: #{b} => #{b.chr}" 
+        index += 1 
+      end
+    end
+    def force_encoding(string, encoding)
+      string.respond_to?(:force_encoding) ? string.force_encoding(encoding) : string
+    end
+  end
+end
+
+# intialize defaults
+OpenToken.token_lifetime = 300
+OpenToken.renew_until_lifetime = 43200

data/lib/opentoken-newrelic-rails23/cipher.rb

@@ -0,0 +1,69 @@
+require 'openssl'
+
+module OpenToken
+  class Cipher
+    class InvalidCipherError < StandardError;  end
+
+    attr_reader :algorithm
+    attr_reader :iv_length
+    attr_reader :key_length
+    attr_reader :suite
+
+    def initialize(attrs = {})
+      @suite = attrs[:suite]
+      @iv_length = attrs[:iv_length]
+      @key_length = attrs[:key_length]
+      @algorithm = attrs[:algorithm]
+    end
+    def self.for_suite(cipher_suite)
+      cipher = REGISTERED_CIPHERS.detect {|c| c.suite == cipher_suite }
+      raise InvalidCipherError.new("Unknown cipher suite: #{cipher_suite}") unless cipher
+      cipher
+    end
+
+    def generate_key
+      OpenToken::PasswordKeyGenerator.generate OpenToken.password, self
+    end
+    def generate_iv
+      OpenSSL::Random.random_bytes(iv_length)
+    end
+
+    #see http://snippets.dzone.com/posts/show/4975
+    #see http://jdwyah.blogspot.com/2009/12/decrypting-ruby-aes-encryption.html
+    #see http://snippets.dzone.com/posts/show/576
+    def decrypt_payload(encrypted_payload, key, iv)
+      return encrypted_payload unless algorithm
+      c = crypt :decrypt, key, iv
+      c.update(encrypted_payload) + c.final
+    end
+    def encrypt_payload(payload, key, iv)
+      c = crypt :encrypt, key, iv
+      padding = if payload.length % iv_length == 0
+        iv_length
+      else
+        iv_length - (payload.length % iv_length)
+      end
+      c.update(payload + (padding.chr * padding))
+    end
+
+    private
+    def crypt(operation, key, iv)
+      crypt = OpenSSL::Cipher::Cipher.new(algorithm)
+      crypt.send operation
+      crypt.key = key 
+      crypt.iv = iv
+      crypt
+    end
+
+    NULL = Cipher.new(:suite => 0, :iv_length => 0)
+    AES_256_CBC = Cipher.new(:suite => 1, :iv_length => 32, :key_length => 256, :algorithm => 'aes-256-cbc')
+    AES_128_CBC = Cipher.new(:suite => 2, :iv_length => 16, :key_length => 128, :algorithm => 'aes-128-cbc')
+    DES3_168_CBC = Cipher.new(:suite => 3, :iv_length => 8, :key_length => 168, :algorithm => 'des-cbc')
+
+    REGISTERED_CIPHERS = []
+    REGISTERED_CIPHERS << NULL
+    REGISTERED_CIPHERS << AES_256_CBC
+    REGISTERED_CIPHERS << AES_128_CBC
+    REGISTERED_CIPHERS << DES3_168_CBC
+  end
+end

data/lib/opentoken-newrelic-rails23/key_value_serializer.rb

@@ -0,0 +1,142 @@
+module OpenToken
+  class KeyValueSerializer
+    LINE_START = 0
+    EMPTY_SPACE = 1
+    VALUE_START = 2
+    LINE_END = 3
+    IN_KEY = 4
+    IN_VALUE = 5
+    IN_QUOTED_VALUE = 6
+
+    class << self
+      def serialize(hashmap)
+        result = String.new
+        count = 0;
+        hashmap.each_pair do |key,value|
+          if (count != 0)
+            result = result + "\n"
+          end
+          count +=1
+          result += key + "="
+          result += escape_value(value)
+        end
+        result
+      end
+      def deserialize(string)
+        result = OpenToken::Token.new
+        state = LINE_START
+        open_quote_char = 0.chr
+        currkey = ""
+        token = ""
+        nextval = ""
+      
+        string.split(//).each do |c|
+          nextval = c
+
+          case c
+          when "\t"
+            if state == IN_KEY
+              # key ends
+              currkey = token
+              token = ""
+              state = EMPTY_SPACE
+            elsif state == IN_VALUE
+              # non-quoted value ends
+              result[currkey] = self.deserialize(token)
+              token = ""
+              state = LINE_END
+            elsif state == IN_QUOTED_VALUE
+              token += c
+            end
+          when " "
+            if state == IN_KEY
+              # key ends
+              currkey = token
+              token = ""
+              state = EMPTY_SPACE
+            elsif state == IN_VALUE
+              # non-quoted value ends
+              result[currkey] = self.deserialize(token)
+              token = ""
+              state = LINE_END
+            elsif state == IN_QUOTED_VALUE
+              token += c
+            end
+          when "\n"
+            # newline
+            if (state == IN_VALUE) || (state == VALUE_START)
+              result[currkey] = unescape_value(token)
+              token = ""
+              state = LINE_START
+            elsif state == LINE_END
+              token = ""
+              state = LINE_START
+            elsif state == IN_QUOTED_VALUE
+              token += c
+            end
+          when "="
+            if state == IN_KEY
+              currkey = token
+              token = ""
+              state = VALUE_START
+            elsif (state == IN_QUOTED_VALUE) || (state == IN_VALUE)
+              token += c
+            end
+          when "\""
+            if state == IN_QUOTED_VALUE
+              if (c == open_quote_char) && (token[token.size-1] != "\\"[0])
+                result[currkey] = unescape_value(token)
+                token = ""
+                state = LINE_END
+              else
+                token += c
+              end
+            elsif state == VALUE_START
+              state = IN_QUOTED_VALUE
+              open_quote_char = c
+            end
+          when "'"
+            if state == IN_QUOTED_VALUE
+              if (c == open_quote_char) && (token[token.size-1] != "\\"[0])
+                result[currkey] = unescape_value(token)
+                token = ""
+                state = LINE_END
+              else
+                token += c
+              end
+            else state == VALUE_START
+              state = IN_QUOTED_VALUE
+              open_quote_char = c
+            end
+          else
+            if state == LINE_START
+              state = IN_KEY
+            elsif state == VALUE_START
+              state = IN_VALUE
+            end
+            token += c
+          end
+        
+          if (state == IN_QUOTED_VALUE) || (state == IN_VALUE)
+            result[currkey] = unescape_value(token)
+          end
+        end
+        result
+      end
+      private
+      def unescape_value(value)
+        value.gsub("\\\"", "\"").gsub("\\\'", "'")
+      end
+      def escape_value(value)
+        value.each_byte do |b|
+          c = b.chr
+          if c == "\n" or c == "\t" or c == " " or c == "'" or c == "\""
+            value = "'" + value.gsub("'", "\'").gsub("\"", "\\\"") + "'"
+            break
+          end
+        end
+        value
+      end
+    end
+  end
+end

data/lib/opentoken-newrelic-rails23/password_key_generator.rb

@@ -0,0 +1,65 @@
+module OpenToken
+  class PasswordKeyGenerator
+    SHA1_DIGEST = OpenSSL::Digest::Digest.new('sha1')
+
+    class << self
+      def generate(password, cipher)
+        salt = 0.chr * 8
+        generate_impl(password, cipher, salt, 1000)
+      end
+
+      private
+      def generate_block(password, salt, count, index)
+        mac = salt
+        mac += [index].pack("N")
+      
+        result = OpenSSL::HMAC.digest(SHA1_DIGEST, password, mac)
+        cur = result
+      
+        i_count = 1
+        while i_count < count
+          i_count +=1
+        
+          cur = OpenSSL::HMAC.digest(SHA1_DIGEST, password, cur)
+        
+          20.times do |i|
+            if RUBY_VERSION < "1.9"
+              result[i] = result[i] ^ cur[i]
+            else
+              result[i] = (result[i].chr.ord ^ cur[i].chr.ord).chr
+            end
+          end
+        end
+
+        return result
+      end
+    
+      def generate_impl(password, cipher, salt, iterations)
+        return unless cipher.algorithm
+
+        key_size = cipher.key_length / 8
+        numblocks = key_size / 20
+        numblocks += 1 if (key_size % 20) > 0
+      
+        # Generate the appropriate number of blocks and write their output to
+        # the key bytes; note that it's important to start from 1 (vs. 0) as the
+        # initial block number affects the hash. It's not clear that this fact
+        # is stated explicitly anywhere, but without this approach, the generated
+        # keys will not match up with test cases defined in RFC 3962.
+        key_buffer_index = 0
+        key = ""
+      
+        numblocks.times do |i|
+          i+=1 # Previously zero based, needs to be 1 based
+          block = generate_block(password, salt, iterations, i)
+          len = [20, (key_size - key_buffer_index)].min
+          key += block[0, len]
+          key_buffer_index += len
+        end
+      
+        return key
+      end
+    end
+
+    end
+end

data/lib/opentoken-newrelic-rails23/token.rb

@@ -0,0 +1,33 @@
+require 'time'
+require 'active_support'
+
+module OpenToken
+  class TokenExpiredError < StandardError;  end
+
+  class Token < HashWithIndifferentAccess
+    def validate!
+      raise OpenToken::TokenExpiredError.new("#{Time.now.utc} is not within token duration: #{self.start_at} - #{self.end_at}") if self.expired?
+    end
+    #verify that the current time is between the not-before and not-on-or-after values
+    def valid?
+      start_at.past? && end_at.future?
+    end
+    def expired?
+      !valid?
+    end
+    def start_at
+      payload_date('not-before')
+    end
+    def end_at
+      payload_date('not-on-or-after')
+    end
+    def valid_until
+      payload_date('renew-until')
+    end
+
+    private
+    def payload_date(key)
+      Time.iso8601(self[key])
+    end
+  end
+end

data/lib/opentoken-newrelic-rails23/version.rb

@@ -0,0 +1,3 @@
+module OpenToken
+  VERSION = '1.2.2'
+end

data/opentoken-newrelic-rails23.gemspec

@@ -0,0 +1,28 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "opentoken-newrelic-rails23/version"
+
+Gem::Specification.new do |s|
+  s.name        = "opentoken-newrelic-rails23"
+  s.version     = OpenToken::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Ryan Sonnek"]
+  s.email       = ["ryan@socialcast.com"]
+  s.homepage    = "http://github.com/newrelic/opentoken-newrelic-rails23"
+  s.summary     = %q{ruby implementation of the opentoken specification, forked for Rails 2.3 compatibility. Use the non-forked version for Rails 3+}
+  s.description = %q{parse opentoken properties passed for Single Signon requests}
+
+  s.rubyforge_project = "opentoken-newrelic-rails23"
+
+  # If you are on a newer version of Rails, you should be using the opentoken gem, not our fork.
+  s.add_runtime_dependency(%q<activesupport>, ["~> 2.3.14"])
+  s.add_runtime_dependency(%q<i18n>, [">= 0"])
+  s.add_development_dependency(%q<shoulda>, ["2.11.3"])
+  s.add_development_dependency(%q<timecop>, ["0.3.5"])
+  s.add_development_dependency(%q<rake>, ["0.9.2"])
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/test/helper.rb

@@ -0,0 +1,19 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+require 'timecop'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'opentoken-newrelic-rails23'
+
+class Test::Unit::TestCase
+end

data/test/test_opentoken.rb

@@ -0,0 +1,105 @@
+require 'helper'
+
+class TestOpentoken < Test::Unit::TestCase
+  # OpenToken.debug = true
+
+  #"renew-until"=>"2010-03-05T07:19:15Z"
+  #"not-before"=>"2010-03-04T19:19:15Z"
+  #"not-on-or-after"=>"2010-03-04T19:24:15Z"
+  context "aes-128-cbc token with subject attribute" do
+    setup do
+      @opentoken = "T1RLAQJ0Ca97sl6MLJAZDa_hdFzMlicMQBDjqUzrXl0EOXKmpj5oo7L5AACgaWoW8fZizrsLbtxb_F00aTdFmhw8flGy4iGqPWPtqYpdIzQZzg5WvrvYH8Rnq7ckJpYk2YPZw6yNyA4ohG-BgFdTHc0U7CwZTFmodg1MuO0cTh7T98s2RXiTcaZa21MNO0yuXKm2Q10cbrWhnB5yHJUhSHx6JLxlgMTZ0oE0DoUOB6JmoLMYHcyL9hKRiPTh62ky_QmXRaifDNOdl4sH2w**"
+      @password = 'Test123'
+      OpenToken.password = @password
+    end
+    context "decoding token between expiration dates" do
+      setup do
+        Timecop.travel(Time.iso8601('2010-03-04T19:20:10Z')) do
+          assert_nothing_raised do
+            @token = OpenToken.decode @opentoken
+          end
+        end
+      end
+      should "decrypt subject from token payload" do
+        assert_equal 'john@example.com', @token[:subject]
+      end
+      should "decrypt subject using string or symbol" do
+        assert_equal 'john@example.com', @token['subject']
+      end
+      should "parse 'renew-until' date" do
+        assert_equal Time.iso8601('2010-03-05T07:19:15Z'), @token.valid_until
+      end
+    end
+
+    context "decoding token when current time is before expiration date" do
+      should "raise TokenExpiredError" do
+        Timecop.travel(Time.iso8601('2010-03-04T19:19:10Z')) do
+          assert_raises OpenToken::TokenExpiredError do
+            @token = OpenToken.decode @opentoken
+          end
+        end
+      end
+    end
+
+    context "decoding token when current time is equal to expiration date" do
+      should "raise TokenExpiredError" do
+        Timecop.travel(Time.iso8601('2010-03-04T19:24:15Z')) do
+          assert_raises OpenToken::TokenExpiredError do
+            @token = OpenToken.decode @opentoken
+          end
+        end
+      end
+    end
+
+    context "decoding token with attribute value containing apostrophe" do
+      setup do
+        Timecop.travel(Time.iso8601('2011-01-13T11:08:01Z')) do
+          @opentoken = "T1RLAQLIjiqgexqi1PQcEKCetvGoSYR2jhDFSIfE5ctlSBxEnq3S1ydjAADQUNRIKJx6_14aE3MQZnDABupGJrKNfoJHFS5VOnKexjMtboeOgst31Hf-D9CZBrpB7Jv0KBwnQ7DN3HizecPT76oX3UGtq_Vi5j5bKYCeObYm9W6h7NY-VzcZY5TTqIuulc2Jit381usAWZ2Sv1c_CWwhrH4hw-x7vUQMSjErvXK1qvsrFCpfNr7XlArx0HjI6kT5XEaHgQNdC0zrLw9cZ4rewoEisR3H5oM7B6gMaP82wTSFVBXvpn5r0KT-Iuc3JuG2en1zVh3GNf110oQCKQ**"
+          @token = OpenToken.decode @opentoken
+        end
+      end
+      should 'preserve apostrophe in attribute payload' do
+        assert_equal "D'angelo", @token[:last_name]
+      end
+    end
+
+    should 'raise invalid token error parsing nil token' do
+      assert_raises OpenToken::TokenInvalidError do
+        OpenToken.decode nil
+      end
+    end
+  end
+
+  context "encoding token" do
+    setup do
+      OpenToken.password = "Password1"
+    end
+    context "with aes-128-cbc and subject attribute" do
+      setup do
+          @attributesIn = { "subject" => "john", "email" => "john@example.com"}
+          @token = OpenToken.encode @attributesIn, OpenToken::Cipher::AES_128_CBC
+      end
+      should "be decodable" do
+        @attributesOut = OpenToken.decode @token
+        assert_equal @attributesIn, @attributesOut
+      end
+    end
+  end
+
+  context "encoding token with utf-8 values" do
+    setup do
+      OpenToken.password = "Password1"
+    end
+    context "with aes-128-cbc and subject attribute" do
+      setup do
+          @subject = OpenToken.send(:force_encoding, "Andr\xC3\xA9", 'UTF-8')
+          @attributesIn = { "subject" => @subject, "email" => "john@example.com"}
+          @token = OpenToken.encode @attributesIn, OpenToken::Cipher::AES_128_CBC
+      end
+      should "be decodable" do
+        @attributesOut = OpenToken.decode @token
+        assert_equal @attributesIn, @attributesOut
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification 
+name: opentoken-newrelic-rails23
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: 
+  segments: 
+  - 1
+  - 2
+  - 2
+  version: 1.2.2
+platform: ruby
+authors: 
+- Ryan Sonnek
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-05-09 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 31
+        segments: 
+        - 2
+        - 3
+        - 14
+        version: 2.3.14
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: i18n
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: shoulda
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        hash: 37
+        segments: 
+        - 2
+        - 11
+        - 3
+        version: 2.11.3
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: timecop
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 3
+        - 5
+        version: 0.3.5
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        hash: 63
+        segments: 
+        - 0
+        - 9
+        - 2
+        version: 0.9.2
+  type: :development
+  version_requirements: *id005
+description: parse opentoken properties passed for Single Signon requests
+email: 
+- ryan@socialcast.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .document
+- .gitignore
+- CONTRIBUTORS.txt
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/opentoken-newrelic-rails23.rb
+- lib/opentoken-newrelic-rails23/cipher.rb
+- lib/opentoken-newrelic-rails23/key_value_serializer.rb
+- lib/opentoken-newrelic-rails23/password_key_generator.rb
+- lib/opentoken-newrelic-rails23/token.rb
+- lib/opentoken-newrelic-rails23/version.rb
+- opentoken-newrelic-rails23.gemspec
+- test/helper.rb
+- test/test_opentoken.rb
+homepage: http://github.com/newrelic/opentoken-newrelic-rails23
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: opentoken-newrelic-rails23
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: ruby implementation of the opentoken specification, forked for Rails 2.3 compatibility. Use the non-forked version for Rails 3+
+test_files: 
+- test/helper.rb
+- test/test_opentoken.rb