opentoken 0.2.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Ryan Sonnek
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,17 @@
+= opentoken
+
+Parse encrypted opentoken properties
+
+see http://www.pingidentity.com/opentoken
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a future version unintentionally.
+* Commit, do not mess with rakefile, version, or history. (bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Ryan Sonnek. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,55 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "opentoken"
+    gem.summary = %Q{ruby implementation of the opentoken specification}
+    gem.description = %Q{parse opentoken properties passed for Single Signon requests}
+    gem.email = "ryan@socialcast.com"
+    gem.homepage = "http://github.com/wireframe/opentoken"
+    gem.authors = ["Ryan Sonnek"]
+    gem.add_dependency "activesupport", ">=2.3.4"
+    gem.add_development_dependency "shoulda", ">= 0"
+    gem.add_development_dependency "timecop", ">=0.3.4"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::RubygemsDotOrgTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/test_*.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "opentoken #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.2.0

data/lib/opentoken.rb

@@ -0,0 +1,326 @@
+require 'base64'
+require 'openssl'
+require 'digest/sha1'
+require 'zlib'
+require 'stringio'
+require 'cgi'
+
+class OpenToken
+  class TokenExpiredError < StandardError;  end
+
+  DEBUG = false
+  CIPHER_NULL = 0
+  CIPHER_AES_256_CBC = 1
+  CIPHER_AES_128_CBC = 2
+  CIPHER_3DES_168_CBC = 3
+
+  CIPHERS = {
+    CIPHER_NULL => {
+      :iv_length => 0
+    },
+    CIPHER_AES_256_CBC => {
+      :algorithm => 'aes-256-cbc',
+      :iv_length => 32,
+      :key_length => 256
+    },  
+    CIPHER_AES_128_CBC => {
+      :algorithm => 'aes-128-cbc',
+      :iv_length => 16,
+      :key_length => 128
+    },
+    CIPHER_3DES_168_CBC => {
+      :algorithm => 'des-cbc',
+      :iv_length => 8,
+      :key_length => 168
+    }
+  }
+
+  def initialize(token, options = {})
+    #ruby 1.9 has Base64.urlsafe_decode64 which can be used instead of gsubbing '_' and '-'
+    string = (token || '').gsub('*', '=').gsub('_', '/').gsub('-', '+')
+    data = Base64.decode64(string)
+    inspect_binary_string 'DATA', data
+
+    #header: should be OTK
+    header = data[0..2]
+    raise "Invalid token header: #{header}" unless header == 'OTK'
+
+    #version: should == 1
+    version = data[3]
+    raise "Unsupported token version: #{version}" unless version == 1
+
+    #cipher suite identifier
+    cipher_suite = data[4]
+    cipher = CIPHERS[cipher_suite]
+    raise "Unknown cipher suite: #{cipher_suite}" if cipher.nil?
+
+    #SHA-1 HMAC
+    payload_hmac = data[5..24]
+    inspect_binary_string "PAYLOAD HMAC [5..24]", payload_hmac
+
+    #Initialization Vector (iv)
+    iv_length = data[25]
+    iv_end = [26, 26 + iv_length - 1].max
+    iv = data[26..iv_end]
+    inspect_binary_string "IV [26..#{iv_end}]", iv
+    raise "Cipher expects iv length of #{cipher[:iv_length]} and was: #{iv_length}" unless iv_length == cipher[:iv_length]
+
+    #key (not currently used)
+    key_length = data[iv_end + 1]
+    key_end = iv_end + 1
+    raise "Token key embedding is not currently supported" unless key_length == 0
+
+    #payload
+    payload_length = data[(key_end + 1)..(key_end + 2)].unpack('n').first
+    payload_offset = key_end + 3
+    encrypted_payload = data[payload_offset..(data.length - 1)]
+    raise "Payload length is #{encrypted_payload.length} and was expected to be #{payload_length}" unless encrypted_payload.length == payload_length
+    inspect_binary_string "ENCRYPTED PAYLOAD [#{payload_offset}..#{data.length - 1}]", encrypted_payload
+
+    key = PasswordKeyGenerator.generate(options[:password], cipher)
+    inspect_binary_string 'KEY', key
+
+    compressed_payload = decrypt_payload(encrypted_payload, cipher, key, iv)
+    inspect_binary_string 'COMPRESSED PAYLOAD', compressed_payload
+
+    #decompress the payload
+    #see http://stackoverflow.com/questions/1361892/how-to-decompress-gzip-data-in-ruby
+    unparsed_payload = begin
+      Zlib::Inflate.inflate(compressed_payload)
+    rescue Zlib::BufError
+      Zlib::Inflate.new(-Zlib::MAX_WBITS).inflate(compressed_payload[2, compressed_payload.size])
+    end
+
+    #validate payload hmac
+    mac = "0x01".hex.chr
+    mac += cipher_suite.chr
+    mac += iv
+    mac += key if key_length > 0 #key embedding is not currently supported
+    mac += unparsed_payload
+    hash = OpenSSL::HMAC.digest(PasswordKeyGenerator::SHA1_DIGEST, key, mac)
+    if (hash <=> payload_hmac) != 0
+      raise "HMAC for payload was #{hash} and expected to be #{payload_hmac}" unless payload_hmac == hash
+    end
+
+    @payload = KeyValueSerializer.deserialize CGI::unescapeHTML(unparsed_payload)
+    raise TokenExpiredError.new("#{Time.now.utc} is not within token duration: #{self.start_at} - #{self.end_at}") if self.expired?
+  end
+
+  def [](key)
+    @payload[key.to_s]
+  end
+  #verify that the current time is between the not-before and not-on-or-after values
+  def expired?
+    now = Time.now.utc
+    now < start_at || now >= end_at
+  end
+  def start_at
+    payload_date('not-before')
+  end
+  def end_at
+    payload_date('not-on-or-after')
+  end
+  #"renew-until"=>"2010-03-05T07:19:15Z"
+  def valid_until
+    payload_date('renew-until')
+  end
+  def payload_date(key)
+    Time.iso8601(self[key]).utc
+  end
+
+  private
+  def decrypt_payload(encrypted_payload, cipher, key, iv)
+    return encrypted_payload unless cipher[:algorithm]
+    #see http://snippets.dzone.com/posts/show/4975
+    #see http://jdwyah.blogspot.com/2009/12/decrypting-ruby-aes-encryption.html
+    #see http://snippets.dzone.com/posts/show/576
+    crypt = OpenSSL::Cipher::Cipher.new(cipher[:algorithm])
+    crypt.decrypt
+    crypt.key = key 
+    crypt.iv = iv
+    crypt.update(encrypted_payload) + crypt.final
+  end
+
+  def inspect_binary_string(header, string)
+    return unless DEBUG
+    puts "#{header}:"
+    index = 0
+    string.each_byte do |b| 
+      puts "#{index}: #{b} => #{b.chr}" 
+      index += 1 
+    end
+  end
+end
+
+class PasswordKeyGenerator
+  SHA1_DIGEST = OpenSSL::Digest::Digest.new('sha1')
+
+  def self.generate(password, cipher_suite)
+    salt = 0.chr * 8
+    self.generate_impl(password, cipher_suite, salt, 1000)
+  end
+
+  def self.generate_block(password, salt, count, index)
+    mac = salt
+    mac += [index].pack("N")
+    
+    result = OpenSSL::HMAC.digest(SHA1_DIGEST, password, mac)
+    cur = result
+    
+    i_count = 1
+    while i_count < count
+      i_count +=1
+      
+      cur = OpenSSL::HMAC.digest(SHA1_DIGEST, password, cur)
+      
+      20.times do |i|
+        result[i] = result[i] ^ cur[i]
+      end
+    end
+
+    return result
+  end
+  
+  def self.generate_impl(password, cipher, salt, iterations)
+    return unless cipher[:algorithm]
+
+    key_size = cipher[:key_length] / 8
+    numblocks = key_size / 20
+    numblocks += 1 if (key_size % 20) > 0
+    
+    # Generate the appropriate number of blocks and write their output to
+    # the key bytes; note that it's important to start from 1 (vs. 0) as the
+    # initial block number affects the hash. It's not clear that this fact
+    # is stated explicitly anywhere, but without this approach, the generated
+    # keys will not match up with test cases defined in RFC 3962.
+    key_buffer_index = 0
+    key = ""
+    
+    numblocks.times do |i|
+      i+=1 # Previously zero based, needs to be 1 based
+      block = self.generate_block(password, salt, iterations, i)
+      len = [20, (key_size - key_buffer_index)].min
+      key += block[0, len]
+      key_buffer_index += len
+    end
+    
+    return key
+  end
+end
+
+class KeyValueSerializer
+  LINE_START = 0
+  EMPTY_SPACE = 1
+  VALUE_START = 2
+  LINE_END = 3
+  IN_KEY = 4
+  IN_VALUE = 5
+  IN_QUOTED_VALUE = 6
+
+  def self.unescape_value(value)
+    value.gsub("\\\"", "\"").gsub("\'", "'")
+  end
+
+  def self.deserialize(string)
+    result = {}
+    state = LINE_START
+    open_quote_char = 0.chr
+    currkey = ""
+    token = ""
+    nextval = ""
+    
+    string.split(//).each do |c|
+      
+      nextval = c
+
+      case c
+      when "\t"
+        if state == IN_KEY
+          # key ends
+          currkey = token
+          token = ""
+          state = EMPTY_SPACE
+        elsif state == IN_VALUE
+          # non-quoted value ends
+          result[currkey] = self.deserialize(token)
+          token = ""
+          state = LINE_END
+        elsif state == IN_QUOTED_VALUE
+          token += c
+        end
+      when " "
+        if state == IN_KEY
+          # key ends
+          currkey = token
+          token = ""
+          state = EMPTY_SPACE
+        elsif state == IN_VALUE
+          # non-quoted value ends
+          result[currkey] = self.deserialize(token)
+          token = ""
+          state = LINE_END
+        elsif state == IN_QUOTED_VALUE
+          token += c
+        end
+      when "\n"
+        # newline
+        if (state == IN_VALUE) || (state == VALUE_START)
+          result[currkey] = self.unescape_value(token)
+          token = ""
+          state = LINE_START
+        elsif state == LINE_END
+          token = ""
+          state = LINE_START
+        elsif state == IN_QUOTED_VALUE
+          token += c
+        end
+      when "="
+        if state == IN_KEY
+          currkey = token
+          token = ""
+          state = VALUE_START
+        elsif (state == IN_QUOTED_VALUE) || (state == IN_VALUE)
+          token += c
+        end
+      when "\""
+        if state == IN_QUOTED_VALUE
+          if (c == open_quote_char) && (token[token.size-1] != "\\")
+            result[currkey] = self.unescape_value(token)
+            token = ""
+            state = LINE_END
+          else
+            token += c
+          end
+        elsif state == VALUE_START
+          state = IN_QUOTED_VALUE
+          open_quote_char = c
+        end
+      when "'"
+        if state == IN_QUOTED_VALUE
+          if (c == open_quote_char) && (token[token.size-1] != "\\")
+            result[currkey] = self.unescape_value(token)
+            token = ""
+            state = LINE_END
+          else
+            token += c
+          end
+        else state == VALUE_START
+          state = IN_QUOTED_VALUE
+          open_quote_char = c
+        end
+      else
+        if state == LINE_START
+          state = IN_KEY
+        elsif state == VALUE_START
+          state = IN_VALUE
+        end
+        token += c
+      end
+      
+      if (state == IN_QUOTED_VALUE) || (state == IN_VALUE)
+        result[currkey] = unescape_value(token)
+      end
+    end
+    result
+  end
+end

data/opentoken.gemspec

@@ -0,0 +1,57 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{opentoken}
+  s.version = "0.2.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Ryan Sonnek"]
+  s.date = %q{2011-01-12}
+  s.description = %q{parse opentoken properties passed for Single Signon requests}
+  s.email = %q{ryan@socialcast.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+    "LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "lib/opentoken.rb",
+    "opentoken.gemspec",
+    "test/helper.rb",
+    "test/test_opentoken.rb"
+  ]
+  s.homepage = %q{http://github.com/wireframe/opentoken}
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.4.2}
+  s.summary = %q{ruby implementation of the opentoken specification}
+  s.test_files = [
+    "test/helper.rb",
+    "test/test_opentoken.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<activesupport>, [">= 2.3.4"])
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<timecop>, [">= 0.3.4"])
+    else
+      s.add_dependency(%q<activesupport>, [">= 2.3.4"])
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<timecop>, [">= 0.3.4"])
+    end
+  else
+    s.add_dependency(%q<activesupport>, [">= 2.3.4"])
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<timecop>, [">= 0.3.4"])
+  end
+end
+

data/test/helper.rb

@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'timecop'
+require 'activesupport'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'opentoken'
+
+class Test::Unit::TestCase
+end

data/test/test_opentoken.rb

@@ -0,0 +1,48 @@
+require 'helper'
+
+class TestOpentoken < Test::Unit::TestCase
+  #"renew-until"=>"2010-03-05T07:19:15Z"
+  #"not-before"=>"2010-03-04T19:19:15Z"
+  #"not-on-or-after"=>"2010-03-04T19:24:15Z"
+  context "aes-128-cbc token with subject attribute" do
+    setup do
+      @opentoken = "T1RLAQJ0Ca97sl6MLJAZDa_hdFzMlicMQBDjqUzrXl0EOXKmpj5oo7L5AACgaWoW8fZizrsLbtxb_F00aTdFmhw8flGy4iGqPWPtqYpdIzQZzg5WvrvYH8Rnq7ckJpYk2YPZw6yNyA4ohG-BgFdTHc0U7CwZTFmodg1MuO0cTh7T98s2RXiTcaZa21MNO0yuXKm2Q10cbrWhnB5yHJUhSHx6JLxlgMTZ0oE0DoUOB6JmoLMYHcyL9hKRiPTh62ky_QmXRaifDNOdl4sH2w**"
+      @password = 'Test123'
+    end
+    context "parsing token between expiration dates" do
+      setup do
+        Timecop.travel(Time.iso8601('2010-03-04T19:20:10Z')) do
+          assert_nothing_raised do
+            @token = OpenToken.new @opentoken, :password => @password
+          end
+        end
+      end
+      should "decrypt subject from token payload" do
+        assert_equal 'john@example.com', @token[:subject]
+      end
+      should "parse 'renew-until' date" do
+        assert_equal Time.iso8601('2010-03-05T07:19:15Z'), @token.valid_until
+      end
+    end
+
+    context "parsing token when current time is before expiration date" do
+      should "raise TokenExpiredError" do
+        Timecop.travel(Time.iso8601('2010-03-04T19:19:10Z')) do
+          assert_raises OpenToken::TokenExpiredError do
+            @token = OpenToken.new @opentoken, :password => @password
+          end
+        end
+      end
+    end
+
+    context "parsing token when current time is equal to expiration date" do
+      should "raise TokenExpiredError" do
+        Timecop.travel(Time.iso8601('2010-03-04T19:24:15Z')) do
+          assert_raises OpenToken::TokenExpiredError do
+            @token = OpenToken.new @opentoken, :password => @password
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,122 @@
+--- !ruby/object:Gem::Specification 
+name: opentoken
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: 
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
+platform: ruby
+authors: 
+- Ryan Sonnek
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-01-12 00:00:00 -06:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 11
+        segments: 
+        - 2
+        - 3
+        - 4
+        version: 2.3.4
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: shoulda
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: timecop
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 0
+        - 3
+        - 4
+        version: 0.3.4
+  type: :development
+  version_requirements: *id003
+description: parse opentoken properties passed for Single Signon requests
+email: ryan@socialcast.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/opentoken.rb
+- opentoken.gemspec
+- test/helper.rb
+- test/test_opentoken.rb
+has_rdoc: true
+homepage: http://github.com/wireframe/opentoken
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.4.2
+signing_key: 
+specification_version: 3
+summary: ruby implementation of the opentoken specification
+test_files: 
+- test/helper.rb
+- test/test_opentoken.rb