rack-authenticate 0.1.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--order random

data/.travis.yml

@@ -0,0 +1,11 @@
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - ree
+  - rbx-18mode
+  - jruby
+gemfile:
+  - gemfiles/rack-1.1.gemfile
+  - gemfiles/rack-1.2.gemfile
+  - gemfiles/rack-1.3.gemfile

data/Appraisals

@@ -0,0 +1,11 @@
+appraise "rack-1.1" do
+  gem 'rack', '~> 1.1.2'
+end
+
+appraise "rack-1.2" do
+  gem 'rack', '~> 1.2.4'
+end
+
+appraise "rack-1.3" do
+  gem 'rack', '~> 1.3.5'
+end

data/Gemfile

@@ -0,0 +1,6 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in rack-authenticate.gemspec
+gemspec
+gem 'rack'
+gem 'appraisal'

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2011 SEOmoz
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require "rspec/core/rake_task"
+require 'appraisal'
+
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

data/gemfiles/rack-1.1.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "rack", "~> 1.1.2"
+
+gemspec :path=>"../"

data/gemfiles/rack-1.1.gemfile.lock

@@ -0,0 +1,39 @@
+PATH
+  remote: /Users/myron/code/rack-authenticate
+  specs:
+    rack-authenticate (0.1.0)
+      ruby-hmac (~> 0.4.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    appraisal (0.4.0)
+      bundler
+      rake
+    diff-lcs (1.1.3)
+    rack (1.1.2)
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rake (0.9.2.2)
+    rspec (2.8.0.rc1)
+      rspec-core (= 2.8.0.rc1)
+      rspec-expectations (= 2.8.0.rc1)
+      rspec-mocks (= 2.8.0.rc1)
+    rspec-core (2.8.0.rc1)
+    rspec-expectations (2.8.0.rc1)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.8.0.rc1)
+    ruby-hmac (0.4.0)
+    timecop (0.3.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  appraisal
+  rack (~> 1.1.2)
+  rack-authenticate!
+  rack-test (~> 0.6.1)
+  rake (~> 0.9.2.2)
+  rspec (~> 2.8.0.rc1)
+  timecop (~> 0.3.5)

data/gemfiles/rack-1.2.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "rack", "~> 1.2.4"
+
+gemspec :path=>"../"

data/gemfiles/rack-1.2.gemfile.lock

@@ -0,0 +1,39 @@
+PATH
+  remote: /Users/myron/code/rack-authenticate
+  specs:
+    rack-authenticate (0.1.0)
+      ruby-hmac (~> 0.4.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    appraisal (0.4.0)
+      bundler
+      rake
+    diff-lcs (1.1.3)
+    rack (1.2.4)
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rake (0.9.2.2)
+    rspec (2.8.0.rc1)
+      rspec-core (= 2.8.0.rc1)
+      rspec-expectations (= 2.8.0.rc1)
+      rspec-mocks (= 2.8.0.rc1)
+    rspec-core (2.8.0.rc1)
+    rspec-expectations (2.8.0.rc1)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.8.0.rc1)
+    ruby-hmac (0.4.0)
+    timecop (0.3.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  appraisal
+  rack (~> 1.2.4)
+  rack-authenticate!
+  rack-test (~> 0.6.1)
+  rake (~> 0.9.2.2)
+  rspec (~> 2.8.0.rc1)
+  timecop (~> 0.3.5)

data/gemfiles/rack-1.3.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "http://rubygems.org"
+
+gem "appraisal"
+gem "rack", "~> 1.3.5"
+
+gemspec :path=>"../"

data/gemfiles/rack-1.3.gemfile.lock

@@ -0,0 +1,39 @@
+PATH
+  remote: /Users/myron/code/rack-authenticate
+  specs:
+    rack-authenticate (0.1.0)
+      ruby-hmac (~> 0.4.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    appraisal (0.4.0)
+      bundler
+      rake
+    diff-lcs (1.1.3)
+    rack (1.3.5)
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rake (0.9.2.2)
+    rspec (2.8.0.rc1)
+      rspec-core (= 2.8.0.rc1)
+      rspec-expectations (= 2.8.0.rc1)
+      rspec-mocks (= 2.8.0.rc1)
+    rspec-core (2.8.0.rc1)
+    rspec-expectations (2.8.0.rc1)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.8.0.rc1)
+    ruby-hmac (0.4.0)
+    timecop (0.3.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  appraisal
+  rack (~> 1.3.5)
+  rack-authenticate!
+  rack-test (~> 0.6.1)
+  rake (~> 0.9.2.2)
+  rspec (~> 2.8.0.rc1)
+  timecop (~> 0.3.5)

data/lib/rack-authenticate.rb

@@ -0,0 +1 @@
+require 'rack/authenticate'

data/lib/rack/authenticate.rb

@@ -0,0 +1,11 @@
+module Rack
+  module Authenticate
+    def self.new_secret_key
+      require 'base64'
+      require 'securerandom'
+      require 'digest/sha2'
+      Base64.encode64(Digest::SHA2.new(512).digest(SecureRandom.random_bytes(512))).chomp
+    end
+  end
+end
+

data/lib/rack/authenticate/client.rb

@@ -0,0 +1,42 @@
+require 'hmac-sha1'
+require 'digest/md5'
+require 'time'
+
+module Rack
+  module Authenticate
+    class Client
+      attr_reader :access_id, :secret_key
+      def initialize(access_id, secret_key)
+        @access_id, @secret_key = access_id, secret_key
+      end
+
+      def request_signature_headers(method, url, content_type = nil, content = nil)
+        {}.tap do |headers|
+          headers['Date'] = date = Time.now.httpdate
+          request = [method.to_s.upcase, url, date]
+
+          if content_md5 = content_md5_for(content_type, content)
+            headers['Content-MD5'] = content_md5
+            request += [content_type, content_md5]
+          end
+
+          digest = HMAC::SHA1.hexdigest(secret_key, request.join("\n"))
+          headers['Authorization'] = "HMAC #{access_id}:#{digest}"
+        end
+      end
+
+    private
+
+      def content_md5_for(content_type, content)
+        if content_type.nil? && content.nil?
+          # no-op
+        elsif content_type && content
+          Digest::MD5.hexdigest(content)
+        else
+          raise ArgumentError.new("Both content_type and content must be given or neither.")
+        end
+      end
+    end
+  end
+end
+

data/lib/rack/authenticate/middleware.rb

@@ -0,0 +1,130 @@
+require 'rack'
+require 'hmac-sha1'
+require 'time'
+
+module Rack
+  module Authenticate
+    class Middleware < ::Rack::Auth::Basic
+      class Configuration
+        def initialize(*args)
+          self.timestamp_minute_tolerance ||= 30
+          self.hmac_secret_key { |access_id| }
+          self.basic_auth_validation { |u, p| false }
+        end
+
+        attr_accessor :timestamp_minute_tolerance
+        attr_reader   :basic_auth_validation_block
+
+        def hmac_secret_key(&block)
+          @hmac_secret_key_block = block
+        end
+
+        def hmac_secret_key_for(access_id)
+          @hmac_secret_key_block[access_id]
+        end
+
+        def basic_auth_validation(&block)
+          @basic_auth_validation_block = block
+        end
+      end
+
+      class Auth < ::Rack::Auth::AbstractRequest
+        def initialize(env, configuration = Configuration.new)
+          super(env)
+          @configuration = configuration
+        end
+
+        def basic?
+          :basic == scheme
+        end
+
+        def hmac?
+          :hmac == scheme
+        end
+
+        def has_all_required_parts?
+          return false unless date
+
+          if has_content?
+            content_md5.to_s != '' && request.content_type.to_s != ''
+          else
+            true
+          end
+        end
+
+        def request
+          @request ||= ::Rack::Request.new(@env)
+        end unless method_defined?(:request)
+
+        def date
+          request.env['HTTP_DATE']
+        end
+
+        def valid_current_date?
+          timestamp = Time.httpdate(date)
+        rescue ArgumentError
+          return false
+        else
+          tolerance = @configuration.timestamp_minute_tolerance * 60
+          now = Time.now
+          (now - tolerance) <= timestamp && (now + tolerance) >= timestamp
+        end
+
+        def has_content?
+          request.content_length.to_i > 0
+        end
+
+        # TODO: replace the request body with a proxy object that verifies this when it is read.
+        def content_md5
+          request.env['HTTP_CONTENT_MD5']
+        end
+
+        def canonicalized_request
+          parts = [ request.request_method, request.url, date ]
+          parts += [ request.content_type, content_md5 ] if has_content?
+          parts.join("\n")
+        end
+
+        def access_id
+          @access_id ||= params.split(':').first
+        end
+
+        def secret_key
+          @configuration.hmac_secret_key_for(access_id)
+        end
+
+        def given_digest
+          @given_digest ||= params.split(':').last
+        end
+
+        def calculated_digest
+          @calculated_digest ||= HMAC::SHA1.hexdigest(secret_key, canonicalized_request)
+        end
+
+        def valid?
+          provided? &&
+          secret_key &&
+          valid_current_date? &&
+          calculated_digest == given_digest
+        end
+      end
+
+      def initialize(app)
+        @configuration = Configuration.new
+        yield @configuration
+        super(app, &@configuration.basic_auth_validation_block)
+      end
+
+      def call(env)
+        auth = Auth.new(env, @configuration)
+        return unauthorized unless auth.provided?
+        return super        if     auth.basic?
+        return bad_request  unless auth.hmac?
+        return bad_request  unless auth.has_all_required_parts?
+        return unauthorized unless auth.valid?
+        @app.call(env)
+      end
+    end
+  end
+end
+

data/lib/rack/authenticate/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  module Authenticate
+    VERSION = "0.1.0"
+  end
+end

data/rack-authenticate.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "rack/authenticate/version"
+
+Gem::Specification.new do |s|
+  s.name        = "rack-authenticate"
+  s.version     = Rack::Authenticate::VERSION
+  s.authors     = ["Myron Marston"]
+  s.email       = ["myron.marston@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{A rack middleware that authenticates requests either using basic auth or via signed HMAC.}
+  s.description = %q{A rack middleware that authenticates requests either using basic auth or via signed HMAC.}
+
+  s.rubyforge_project = "rack-authenticate"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency 'ruby-hmac', '~> 0.4.0'
+  s.add_development_dependency 'rspec', '~> 2.8.0.rc1'
+  s.add_development_dependency 'rack-test', '~> 0.6.1'
+  s.add_development_dependency 'timecop', '~> 0.3.5'
+  s.add_development_dependency 'rake', '~> 0.9.2.2'
+end

data/spec/rack/authenticate/client_spec.rb

@@ -0,0 +1,126 @@
+require 'rack/authenticate/client'
+require 'timecop'
+
+RSpec.configure do |c|
+  c.treat_symbols_as_metadata_keys_with_true_values = true
+  c.filter_run :f
+  c.run_all_when_everything_filtered = true
+end
+
+module Rack
+  module Authenticate
+    describe Client do
+      let(:http_date) { "Tue, 15 Nov 1994 08:12:31 GMT" }
+      let(:base_time) { Time.httpdate(http_date) }
+      around(:each) { |e| Timecop.travel(base_time, &e) }
+
+      let(:access_id)  { 'my-access-id' }
+      let(:secret_key) { 'the-s3cr3t' }
+      subject { Client.new(access_id, secret_key) }
+
+      describe "#request_signature_headers" do
+        it 'raises an Argument error if given a content type but not content' do
+          expect {
+            subject.request_signature_headers("get", "http://foo.com/", "text/plain", nil)
+          }.to raise_error(ArgumentError)
+        end
+
+        it 'raises an Argument error if given a content but no content type' do
+          expect {
+            subject.request_signature_headers("get", "http://foo.com/", nil, "content")
+          }.to raise_error(ArgumentError)
+        end
+
+        it 'returns the auth header using the HMAC digest' do
+          HMAC::SHA1.stub(:hexdigest => 'the-hex-digest')
+          headers = subject.request_signature_headers("get", "http://foo.com/")
+          headers.should include('Authorization' => "HMAC my-access-id:the-hex-digest")
+        end
+
+        it 'uses the secret key to generate the digest' do
+          HMAC::SHA1.should_receive(:hexdigest).with(secret_key, anything)
+          subject.request_signature_headers("get", "http://foo.com/")
+        end
+
+        it 'uses the uppercased request method in the digest' do
+          HMAC::SHA1.should_receive(:hexdigest) do |key, request|
+            request.split("\n").first.should eq("GET")
+          end
+
+          subject.request_signature_headers("get", "http://foo.com/")
+        end
+
+        it 'handles symbol methods' do
+          HMAC::SHA1.should_receive(:hexdigest) do |key, request|
+            request.split("\n").first.should eq("DELETE")
+          end
+
+          subject.request_signature_headers(:delete, "http://foo.com/")
+        end
+
+        it 'uses the request URL in the digest' do
+          HMAC::SHA1.should_receive(:hexdigest) do |key, request|
+            request.split("\n")[1].should eq("http://foo.com/bar?q=buzz")
+          end
+
+          subject.request_signature_headers("get", "http://foo.com/bar?q=buzz")
+        end
+
+        it 'uses the current http date in the digest' do
+          HMAC::SHA1.should_receive(:hexdigest) do |key, request|
+            request.split("\n")[2].should eq(http_date)
+          end
+          subject.request_signature_headers("get", "http://foo.com/bar?q=buzz")
+        end
+
+        it 'returns the http date in the headers hash' do
+          headers = subject.request_signature_headers("get", "http://foo.com/bar?q=buzz")
+          headers.should include('Date' => http_date)
+        end
+
+        context 'when there is no content' do
+          it 'does not use anything beyond the method, url and date for the digest' do
+            HMAC::SHA1.should_receive(:hexdigest) do |key, request|
+              request.split("\n").should have(3).parts
+            end
+
+            subject.request_signature_headers("get", "http://foo.com/bar?q=buzz")
+          end
+
+          it 'does not include a Content-MD5 header in the headers hash' do
+            headers = subject.request_signature_headers("get", "http://foo.com/bar?q=buzz")
+            headers.should_not have_key('Content-MD5')
+          end
+        end
+
+        context 'when there is content' do
+          let(:content_md5) { 'the-content-md5' }
+          before(:each) do
+            Digest::MD5.stub(:hexdigest).and_return(content_md5)
+          end
+
+          it 'returns the Content-MD5 header in the headers hash' do
+            headers = subject.request_signature_headers("get", "http://foo.com/bar?q=buzz", "text/plain", "content")
+            headers.should include('Content-MD5' => content_md5)
+          end
+
+          it 'generates the Content-MD5 based on the content' do
+            Digest::MD5.should_receive(:hexdigest).with("content")
+            subject.request_signature_headers("get", "http://foo.com/bar?q=buzz", "text/plain", "content")
+          end
+
+          it 'uses the content type and content md5 in the digest' do
+            HMAC::SHA1.should_receive(:hexdigest) do |key, request|
+              parts = request.split("\n")
+              parts.should have(5).parts
+              parts.last(2).should eq(['text/plain', 'the-content-md5'])
+            end
+
+            subject.request_signature_headers("get", "http://foo.com/bar?q=buzz", "text/plain", "content")
+          end
+        end
+      end
+    end
+  end
+end
+

data/spec/rack/authenticate/middleware_spec.rb

@@ -0,0 +1,336 @@
+require 'timecop'
+require 'rack/authenticate/middleware'
+require 'rack/authenticate/client'
+require 'rack/test'
+
+RSpec.configure do |c|
+  c.treat_symbols_as_metadata_keys_with_true_values = true
+  c.filter_run :f
+  c.run_all_when_everything_filtered = true
+end
+
+class Integer
+  def minutes
+    self * 60
+  end
+end
+
+module Rack
+  module Authenticate
+    class Middleware
+      shared_context 'http_date' do
+        let(:http_date) { "Tue, 15 Nov 1994 08:12:31 GMT" }
+        let(:base_time) { Time.httpdate(http_date) }
+        around(:each) do |example|
+          if example.metadata[:no_timecop]
+            example.run
+          else
+            Timecop.travel(base_time, &example)
+          end
+        end
+      end
+
+      describe Auth do
+        include_context 'http_date'
+        let(:content_md5) { 'some-long-md5' }
+        let(:basic_env) do {
+          "HTTP_HOST"       => "example.org",
+          "SERVER_NAME"     => "example.org",
+          "CONTENT_LENGTH"  => "0",
+          "rack.url_scheme" => "http",
+          "HTTPS"           => "off",
+          "PATH_INFO"       => "/foo/bar",
+          "SERVER_PORT"     => "80",
+          "REQUEST_METHOD"  => "GET",
+          "QUERY_STRING"    => "",
+          "HTTP_DATE"       => http_date,
+          "rack.input"      => StringIO.new("")
+        } end
+
+        describe "#basic?" do
+          it 'returns true if given a basic auth header' do
+            basic_env['HTTP_AUTHORIZATION'] = 'BASIC abc:asfkj23asdfkj'
+            Auth.new(basic_env).should be_basic
+          end
+
+          it 'returns false if given an hmac auth header' do
+            basic_env['HTTP_AUTHORIZATION'] = 'HMAC abc:asfkj23asdfkj'
+            Auth.new(basic_env).should_not be_basic
+          end
+        end
+
+        describe "#hmac?" do
+          it 'returns true if given an hmac auth header' do
+            basic_env['HTTP_AUTHORIZATION'] = 'HMAC abc:asfkj23asdfkj'
+            Auth.new(basic_env).should be_hmac
+          end
+
+          it 'returns false if given a basic auth header' do
+            basic_env['HTTP_AUTHORIZATION'] = 'BASIC abc:asfkj23asdfkj'
+            Auth.new(basic_env).should_not be_hmac
+          end
+        end
+
+        describe "#canonicalized_request" do
+          it 'combines the HTTP verb, the date and the Request URI' do
+            Auth.new(basic_env).canonicalized_request.split("\n").should eq([
+              'GET',
+              'http://example.org/foo/bar',
+              http_date
+            ])
+          end
+
+          it 'does not blow up if there is no date' do
+            basic_env.delete('HTTP_DATE')
+            Auth.new(basic_env).canonicalized_request
+          end
+
+          it 'includes the content MD5 and Type when they are present' do
+            basic_env['CONTENT_LENGTH'] = '10'
+            basic_env['HTTP_CONTENT_MD5'] = content_md5
+            basic_env['CONTENT_TYPE'] = 'text/plain'
+
+            Auth.new(basic_env).canonicalized_request.split("\n").should eq([
+              'GET',
+              'http://example.org/foo/bar',
+              http_date,
+              'text/plain',
+              content_md5
+            ])
+          end
+        end
+
+        describe "#valid_current_date?" do
+          it 'returns false if the date is not in the correct format' do
+            basic_env['HTTP_DATE'] = 'some time yesterday'
+            auth = Auth.new(basic_env, stub(:timestamp_minute_tolerance => 10))
+            auth.should_not be_valid_current_date
+          end
+
+          it 'returns false if the date is outside the configured tolerance' do
+            auth = Auth.new(basic_env, stub(:timestamp_minute_tolerance => 10))
+            auth.should be_valid_current_date
+
+            Timecop.freeze(base_time - 11.minutes) do
+              auth.should_not be_valid_current_date
+            end
+
+            Timecop.freeze(base_time + 11.minutes) do
+              auth.should_not be_valid_current_date
+            end
+          end
+        end
+
+        describe "#has_all_required_parts?" do
+          subject { Auth.new(env) }
+
+          context 'for a request with no body' do
+            let(:env) { basic_env }
+
+            it 'returns true if it has everything it needs' do
+              should have_all_required_parts
+            end
+
+            it 'returns false if it lacks the Date header' do
+              basic_env.delete('HTTP_DATE')
+              should_not have_all_required_parts
+            end
+          end
+
+          context 'for a request with a body' do
+            let(:env) { basic_env.merge('CONTENT_LENGTH' => '10') }
+
+            it 'returns true if it has a content type and content MD5' do
+              basic_env['HTTP_CONTENT_MD5'] = content_md5
+              basic_env['CONTENT_TYPE'] = 'text/plain'
+              should have_all_required_parts
+            end
+
+            it 'returns false if it lacks the content md5 header' do
+              basic_env['CONTENT_TYPE'] = 'text/plain'
+              should_not have_all_required_parts
+            end
+
+            it 'returns false if it lacks the content type header' do
+              basic_env['HTTP_CONTENT_MD5'] = content_md5
+              should_not have_all_required_parts
+            end
+          end
+        end
+
+        describe "#access_id" do
+          it 'extracts it from the Auth header' do
+            basic_env['HTTP_AUTHORIZATION'] = 'HMAC abc:asfkj23asdfkj'
+            Auth.new(basic_env).access_id.should eq('abc')
+          end
+        end
+
+        describe "#secret_key" do
+          it 'finds the key matching the given access id from the configured creds' do
+            basic_env['HTTP_AUTHORIZATION'] = 'HMAC abc:asfkj23asdfkj'
+            configuration = Configuration.new
+            configuration.hmac_secret_key do |access_id|
+              { 'def' => '123456', 'abc' => '654321' }[access_id]
+            end
+            auth = Auth.new(basic_env, configuration)
+            auth.secret_key.should eq('654321')
+          end
+        end
+
+        describe "#given_digest" do
+          it 'extracts it from the Auth header' do
+            basic_env['HTTP_AUTHORIZATION'] = 'HMAC abc:asfkj23asdfkj'
+            Auth.new(basic_env).given_digest.should eq('asfkj23asdfkj')
+          end
+        end
+
+        describe "#calculated_digest" do
+          it 'calculates the digest using the secret key, the canonicalized request and HMAC-SHA1' do
+            digest = 'e593edc35cc753591052923c39ce6981330a4f13'
+            HMAC::SHA1.hexdigest('the-key', 'canonicalized-request').should eq(digest)
+            auth = Auth.new(basic_env)
+            auth.stub(:secret_key => 'the-key', :canonicalized_request => 'canonicalized-request')
+            auth.calculated_digest.should eq(digest)
+          end
+        end
+
+        describe "#valid?" do
+          let(:configuration) do
+            Configuration.new.tap do |c|
+              c.timestamp_minute_tolerance = 10
+              c.hmac_secret_key { |id| { 'abc' => '123' }[id] }
+            end
+          end
+
+          let(:access_id)     { 'abc' }
+          let(:digest)        { '2baf72a8a52e1cfec37f588c5b4e0914cb4f63b5' }
+          let(:env)           { basic_env.merge('HTTP_AUTHORIZATION' => "HMAC #{access_id}:#{digest}") }
+          let(:auth)          { Auth.new(env, configuration) }
+
+          it 'returns true if the calculated digest matches the given digest' do
+            auth.should be_valid
+          end
+
+          it 'returns false if the digests do not match' do
+            digest.gsub!('7', '6')
+            auth.should_not be_valid
+          end
+
+          it 'returns false if no secret key can be found for the given access id' do
+            access_id.gsub!('a', '1')
+            auth.should_not be_valid
+          end
+
+          it 'returns false if there is no given credential' do
+            env.delete('HTTP_AUTHORIZATION')
+            auth.should_not be_valid
+          end
+
+          it 'returns false if the date is not in a valid range' do
+            Timecop.freeze(base_time + 12.minutes) do
+              auth.should_not be_valid
+            end
+          end
+        end
+      end
+
+      describe self do
+        include_context 'http_date'
+        include Rack::Test::Methods
+
+        let(:hmac_auth_creds) do {
+          'abc' => '123',
+          'def' => '456'
+        } end
+
+        let(:basic_auth_creds) do {
+          'abc' => 'foo',
+          'def' => 'bar'
+        } end
+
+        def basis_auth_value(username, password)
+          ["#{username}:#{password}"].pack("m*")
+        end
+
+        let(:app) do
+          hmac_creds = hmac_auth_creds
+          basic_creds = basic_auth_creds
+
+          Rack::Builder.new do
+            use Rack::ContentLength
+            use Rack::Authenticate::Middleware do |config|
+              config.hmac_secret_key { |access_id| hmac_creds[access_id] }
+              config.basic_auth_validation { |u, p| basic_creds[u] == p }
+              config.timestamp_minute_tolerance = 30
+            end
+
+            run lambda { |env| [200, {}, ['OK']] }
+          end
+        end
+
+        it 'responds with a 401 if there are no headers at all' do
+          get '/'
+          last_response.status.should eq(401)
+        end
+
+        it 'responds with a 400 when the request is missing required information for HMAC authorization' do
+          # no date header set...
+          header 'Authorization', 'HMAC abc:adfafdsfdas'
+          get '/'
+          last_response.status.should eq(400)
+        end
+
+        it 'responds with a 400 when given an unrecognized type of authorization' do
+          header 'Date', "Tue, 15 Nov 1994 08:12:31 GMT"
+          header 'Authorization', 'DIGEST abc:adfafdsfdas'
+          get '/'
+          last_response.status.should eq(400)
+        end
+
+        it 'responds with a 401 when there is no authorization header' do
+          header 'Date', "Tue, 15 Nov 1994 08:12:31 GMT"
+          get '/'
+          last_response.status.should eq(401)
+        end
+
+        it 'responds with a 401 when there is an HMAC authorization header but it is invalid' do
+          header 'Authorization', 'HMAC abc:asfkj23asdfkj'
+          header 'Date', "Tue, 15 Nov 1994 08:12:31 GMT"
+          get '/'
+          last_response.status.should eq(401)
+        end
+
+        it 'lets the request through when there is a valid HMAC authorization header' do
+          header 'Authorization', 'HMAC abc:34a70d9901bd447a02157f9fc598e43d6bf5b484'
+          header 'Date', http_date
+          get '/'
+          last_response.status.should eq(200)
+        end
+
+        it 'lets the request through when there is a valid Basic authorization header' do
+          header 'Authorization', "BASIC #{basis_auth_value('abc', 'foo')}"
+          get '/'
+          last_response.status.should eq(200)
+        end
+
+        it 'responds with a 401 when there is a BASIC authorization header but it is invalid' do
+          header 'Authorization', "BASIC #{basis_auth_value('abc', 'foot')}"
+          get '/'
+          last_response.status.should eq(401)
+        end
+
+        it 'generates the same signature as the client', :no_timecop do
+          client = Client.new('abc', hmac_auth_creds['abc'])
+          client.request_signature_headers('post', 'http://example.org/foo', 'text/plain', "some content").each do |key, value|
+            header key, value
+          end
+
+          header 'Content-Type', 'text/plain'
+          post '/foo', "some content"
+          last_response.status.should eq(200)
+        end
+      end
+    end
+  end
+end
+

data/spec/rack/authenticate_spec.rb

@@ -0,0 +1,17 @@
+require 'rack/authenticate'
+
+RSpec.configure do |c|
+  c.treat_symbols_as_metadata_keys_with_true_values = true
+  c.filter_run :f
+  c.run_all_when_everything_filtered = true
+end
+
+module Rack
+  describe Authenticate do
+    describe "#new_secret_key" do
+      it "generates a long random string" do
+        Rack::Authenticate.new_secret_key.should match(/[A-Za-z0-9\\\/]{60,}/)
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,133 @@
+--- !ruby/object:Gem::Specification
+name: rack-authenticate
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Myron Marston
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-14 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby-hmac
+  requirement: &2165123900 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *2165123900
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2165122980 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.8.0.rc1
+  type: :development
+  prerelease: false
+  version_requirements: *2165122980
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &2165121800 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.6.1
+  type: :development
+  prerelease: false
+  version_requirements: *2165121800
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: &2165119880 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.3.5
+  type: :development
+  prerelease: false
+  version_requirements: *2165119880
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &2165118740 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.2.2
+  type: :development
+  prerelease: false
+  version_requirements: *2165118740
+description: A rack middleware that authenticates requests either using basic auth
+  or via signed HMAC.
+email:
+- myron.marston@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- Appraisals
+- Gemfile
+- LICENSE
+- Rakefile
+- gemfiles/rack-1.1.gemfile
+- gemfiles/rack-1.1.gemfile.lock
+- gemfiles/rack-1.2.gemfile
+- gemfiles/rack-1.2.gemfile.lock
+- gemfiles/rack-1.3.gemfile
+- gemfiles/rack-1.3.gemfile.lock
+- lib/rack-authenticate.rb
+- lib/rack/authenticate.rb
+- lib/rack/authenticate/client.rb
+- lib/rack/authenticate/middleware.rb
+- lib/rack/authenticate/version.rb
+- rack-authenticate.gemspec
+- spec/rack/authenticate/client_spec.rb
+- spec/rack/authenticate/middleware_spec.rb
+- spec/rack/authenticate_spec.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3915972377908680387
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 3915972377908680387
+requirements: []
+rubyforge_project: rack-authenticate
+rubygems_version: 1.8.6
+signing_key: 
+specification_version: 3
+summary: A rack middleware that authenticates requests either using basic auth or
+  via signed HMAC.
+test_files:
+- spec/rack/authenticate/client_spec.rb
+- spec/rack/authenticate/middleware_spec.rb
+- spec/rack/authenticate_spec.rb