rack-oauth-wrap 0.5.1

data/lib/rack/auth/wrap.rb

@@ -0,0 +1,80 @@
+require 'rack/auth/abstract/handler'
+require 'rack/auth/abstract/request'
+require 'lib/simplewebtoken'
+
+module Rack
+  module Auth
+    # Rack::Auth::WRAP implements oAuth WRAP Authentication, as per draft-hardt-oauth-01.
+    # This is a preliminary version based on the Jan 15, 2010 Web Resource Access Profiles as 
+    # developed by the IETF.
+    #
+    # Initialize with the Rack application that you want protecting,
+    # and a set of parameters that enables specific checks. The only mandatory parameter
+    # is **:shared_secret** which is required for HMAC-SHA256 processing.
+    #
+    # See also: SimpleWebToken::SimpleWebTokenHandler
+    class WRAP < AbstractHandler
+      # Middleware Gem Versioning
+      VERSION = "0.5.1"
+      
+      # Creates a new instance of Rack::Auth::WRAP, the opts can be used
+      # as the following.
+      # 
+      #   use Rack::Auth::WRAP, :shared_secret => *secret*, 
+      #                         :trusted_issuers => "http://sts.mycomp.com", 
+      #                         :audiences => "http://app.domain.com"
+      #
+      # The parameters on the sample above are the only one that are currently supported 
+      # by the SimpleWebToken handler. For more information see SimpleWebToken::SimpleWebTokenHandler
+      def initialize(app, opts = {})
+        @app = app
+        @opts = opts
+      end
+      
+      # Authenticates the request when it has the HTTP_AUTHORIZATION header,
+      # and if the header has WRAP as the authentication format. 
+      #
+      # NOTE: it is sent by the client as Authorization, but Rack maps it to 
+      # HTTP_AUTHORIZATION.</strong>
+      #
+      # If the user is successfuly authenticated the resulting token is 
+      # stored on REMOTE_USER into the enviroment. (We didn't want to couple it with session)
+      def call(env)
+        request = Request.new(env)
+        
+        if(request.provided? and request.is_wrap?)
+          return unauthorized('WRAP') unless token_handler.valid?(request.token)
+          env['REMOTE_USER'] = token_handler.parse(request.token)
+        end  
+        
+        return @app.call(env)
+      end
+    
+      # Returns a singleton instance of the SimpleWebToken::SimpleWebTokenHandler based on 
+      # the options provided when initializing the middleware.
+      def token_handler
+        @token_handler ||= SimpleWebToken::SimpleWebTokenHandler.new(@opts)
+      end
+      
+      # Internal class used to parse the current request based on 
+      # the enviroment parameters.
+      class Request < Rack::Auth::AbstractRequest
+        def initialize(env)
+          super(env)
+        end
+   
+        # Returns a value indicating whether the Authentication Scheme sent by 
+        # the user is WRAP.
+        def is_wrap?
+          self.scheme == :wrap
+        end
+        
+        # Returns the token contained inside the access_token parameter
+        # on the Authorization header, when it's using the WRAP Scheme.
+        def token
+          CGI.unescape(self.params[/access_token=([^&]+)/, 1])
+        end
+      end
+    end
+  end
+end

data/lib/simplewebtoken.rb

@@ -0,0 +1,8 @@
+$LOAD_PATH.unshift(File.dirname __FILE__)
+
+require 'cgi'
+require 'base64'
+require 'hmac/sha2'
+
+require 'swt/exceptions'
+require 'swt/simple_web_token_handler'

data/lib/swt/exceptions.rb

@@ -0,0 +1,13 @@
+module SimpleWebToken
+  class InvalidOption < StandardError
+    def initialize(missing_option)
+      super("You did not provide one of the required parameters. Please provide the :#{missing_option}.")
+    end
+  end
+  
+  class InvalidToken < StandardError
+    def initialize
+      super("The token you are trying to parse is invalid. Cannot parse invalid Tokens")
+    end
+  end
+end

data/lib/swt/simple_web_token_handler.rb

@@ -0,0 +1,84 @@
+module SimpleWebToken
+  # Handler for parsing, validating and creating (soon) Simple Web Tokens
+  # as it stated by the protocol under development of the IEFT v0.9.5.1.
+  class SimpleWebTokenHandler
+    attr_accessor :shared_secret, :trusted_issuers, :audiences 
+    
+    # Creates a new instance of the SimpleWebTokenHandler.
+    #
+    # Valid options include:
+    #
+    # -__:shared_secret__ the HMAC:SHA256 key shared between parties.
+    # -__:trusted_issuers__ the URI(s) of the issuers to be validated on the Issue value of the token.
+    # -__:audiences__ the URI(s) of the audiences (apps) to be validated on the Audience value of the token.
+    #
+    # __Only :shared_secret__ is required, the other values aren't present then no check 
+    # is performed.
+    def initialize(opts = {})
+      raise InvalidOption, :shared_secret unless opts[:shared_secret]
+      self.shared_secret = opts[:shared_secret]
+      self.trusted_issuers = opts[:trusted_issuers]
+      self.audiences = opts[:audiences]
+    end
+    
+    # Validates the signature by doing a symmetric signature comparison,
+    # between the value sent as HMACSHA256 on the token and the generated
+    # using the shared_key provided.
+    def valid_signature?(token)
+      return false unless token =~ /&HMACSHA256=(.*)$/
+      original_signature = CGI.unescape(token[/&HMACSHA256=(.*)$/, 1])
+      bare_token = token.gsub(/&HMACSHA256=(.*)$/, '')
+      signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(shared_secret)).update(bare_token.toutf8).digest).strip
+      return original_signature == signature
+    end
+  
+    # Returns a value indicating whether the __Issuer__ value of the token 
+    # is contained on the trusted_issuer list for the application.
+    def valid_issuer?(token)
+      issuer = token[/&?Issuer=([^&]+)/, 1]
+      [trusted_issuers].flatten.include?(CGI.unescape(issuer))
+    end
+  
+    # Returns a value indicating whether the __Audience__ value of the token 
+    # is contained on the audiences list of the application.
+    def valid_audience?(token)
+      audience = token[/&?Audience=([^&]+)/, 1]
+      [audiences].flatten.include?(CGI.unescape(audience))
+    end
+  
+    # Returns a value indicating whether the __ExpiresOn__ value of the token 
+    # is older than now.
+    def expired?(token)
+      expires_on = token[/&?ExpiresOn=([^&]+)/, 1]
+      expires_on.to_i < Time.now.to_i
+    end
+    
+    # Returns a value indicating whether the token is valid, the calculation
+    # is done as the sum of all the other validations (when values for checking are provided)
+    def valid?(token)
+      valid = valid_signature?(token)
+      valid &&= valid_issuer?(token) if (trusted_issuers)
+      valid &&= valid_audience?(token) if (audiences)
+      valid &&= !expired?(token)
+      return valid
+    end
+    
+    # Returns a key-value pair (hash) with the token values parsed. 
+    #
+    # __NOTE__: multi-valued claims (provided as comma separated values, 
+    # like checkboxes on HTML forms) are returned like arrays.
+    def parse(token)
+      raise InvalidToken unless valid?(token)
+      token.split('&').map{|p| p.split('=') } \
+                      .inject({}){|t, i| t.merge!(CGI.unescape(i[0]) => value_for(CGI.unescape(i[1])))}
+    end
+    
+    private 
+      # Returns an array if the value is multi-valued 
+      # else returns a the value plain.
+      def value_for(value)
+        values = value.split(',').map{|i| i.strip}
+        return values.size == 1 ? values.first() : values
+      end
+  end
+end

data/rakefile

@@ -0,0 +1,51 @@
+require 'rake'
+require 'rubygems'
+require 'spec/rake/spectask'
+require 'rake/gempackagetask'
+require 'rake/rdoctask'
+
+require 'lib/rack/auth/wrap'
+
+namespace :test do
+  Spec::Rake::SpecTask.new('run_with_rcov') do |t|
+    t.spec_files = FileList['spec/rack/auth/*.rb', 'spec/swt/*.rb'].reject{|f| f.include?('functional')}
+    t.rcov = true
+    t.rcov_opts = ['--text-report', '--exclude', "exclude.*/.gem,spec,Library,#{ENV['GEM_HOME']}", '--sort', 'coverage' ]
+    t.spec_opts = ["--colour",  "--loadby random",  "--format progress", "--backtrace"]
+  end
+end
+
+namespace :docs do
+  Rake::RDocTask.new do |t|
+  	t.rdoc_dir = 'sdk/public/'
+  	t.options << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
+  	t.options << '--charset' << 'utf-8'
+  	t.rdoc_files.include('README.rdoc')
+  	t.rdoc_files.include('lib/**/*.rb')
+  end
+end
+
+
+namespace :dist do  
+  spec = Gem::Specification.new do |s|
+    s.name              = 'rack-oauth-wrap'
+    s.version           = Gem::Version.new(Rack::Auth::WRAP::VERSION)
+    s.summary           = "Rack Middleware for authenticating users using oAuth WRAP Protocol"
+    s.description       = "A simple implementation of Web Resource Authorization Protocol (WRAP) for Rack as middleware."
+    s.email             = 'johnny.halife@me.com'
+    s.author            = 'Johnny G. Halife & Juan Pablo Garcia Dalolla'
+    s.homepage          = 'http://rack-oauth-wrap.heroku.com'
+    s.require_paths     = ["lib"]
+    s.files             = FileList['rakefile', 'lib/**/*.rb']
+    s.test_files        = Dir['spec/**/*']
+    s.has_rdoc          = true
+    s.rdoc_options      << '--line-numbers' << '--inline-source' << '-A cattr_accessor=object'
+    
+    # Dependencies
+    s.add_dependency 'ruby-hmac'
+  end
+  
+  Rake::GemPackageTask.new(spec) do |pkg|
+    pkg.need_tar = true
+  end
+end

data/spec/rack/auth/wrap_request_spec.rb

@@ -0,0 +1,37 @@
+require 'spec/specs_config'
+require 'lib/rack/auth/wrap'
+
+describe "Request behavior for Client calls	protected	resource using	HTTP Header" do
+  it "should tell if the request is using WRAP Authentication method" do
+    env = Rack::MockRequest.env_for("/", 'HTTP_AUTHORIZATION' => 'WRAP access_token=invalid_token')
+    request = Rack::Auth::WRAP::Request.new(env)
+    request.is_wrap?.should == true
+  end
+  
+  it "should tell if the request isn't using WRAP Authentication method" do
+    env = Rack::MockRequest.env_for("/", 'HTTP_AUTHORIZATION' => 'MD5 an_invalid_hash')
+    request = Rack::Auth::WRAP::Request.new(env)
+    request.is_wrap?.should == false
+  end
+  
+  it "should tell whether the request is given or not" do
+    wrap_env = Rack::MockRequest.env_for("/", 'HTTP_AUTHORIZATION' => 'WRAP with_token')
+    wrap_request = Rack::Auth::WRAP::Request.new(wrap_env)
+    wrap_request.provided?.should == true
+    
+    non_wrap_env = Rack::MockRequest.env_for("/")
+    non_wrap_request = Rack::Auth::WRAP::Request.new(non_wrap_env)
+    non_wrap_request.provided?.should == false
+  end
+  
+  it "should return the token unescaped from the request" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    env = Rack::MockRequest.env_for("/", 'HTTP_AUTHORIZATION' => "WRAP access_token=#{CGI.escape(simple_web_token)}")
+    request = Rack::Auth::WRAP::Request.new(env)
+    request.token.should == simple_web_token
+  end
+end
+

data/spec/rack/auth/wrap_spec.rb

@@ -0,0 +1,59 @@
+require 'spec/specs_config'
+require 'lib/rack/auth/wrap'
+
+describe "OAuth WRAP v.0.9.7.2 Authentication Mechanism using SWT on Rack Module" do
+  it "should return 401 with WWW-Authenticate: WRAP when a token is invalid" do
+    env = Rack::MockRequest.env_for("/", 'Authorization' => 'WRAP access_token=invalid_token')
+
+    (mock_app = mock).expects(:call).with(env).never
+    (mock_validator = mock).expects(:valid?).with("invalid_token").returns(false)
+
+    (mock_request = mock).stubs(:token).returns("invalid_token")
+    mock_request.stubs(:provided?).returns(true)
+    mock_request.stubs(:is_wrap?).returns(true)
+    
+    Rack::Auth::WRAP::Request.expects(:new).with(env).returns(mock_request)
+    SimpleWebToken::SimpleWebTokenHandler.expects(:new).with(:shared_secret => "foo_bar").returns(mock_validator)
+
+    response_code, headers, body = Rack::Auth::WRAP.new(mock_app, :shared_secret => "foo_bar").call(env)
+
+    response_code.should == 401
+    headers['WWW-Authenticate'].should == 'WRAP'
+    headers['Content-Length'].should == '0'
+  end
+  
+  it "should not run assertions when not provided" do
+    env = Rack::MockRequest.env_for("/")
+    (mock_app = mock).expects(:call).with(env).returns([200, {'Content-Length' => '0'}]).once
+    
+    SimpleWebToken::SimpleWebTokenHandler.expects(:new).never
+    response_code, headers, body = Rack::Auth::WRAP.new(mock_app, :shared_secret => "foo_bar").call(env)
+
+    response_code.should == 200
+    headers['Content-Length'].should == '0'
+  end
+  
+  it "should assign pased token to REMOTE_USER when valid" do
+    env = Rack::MockRequest.env_for("/", 'Authorization' => 'WRAP access_token=token')
+    
+    (mock_app = mock).expects(:call).with(env).returns([200, {'Content-Length' => '0'}]).once
+    
+    (mock_handler = mock).expects(:valid?).with("token").returns(true)
+    (mock_handler).expects(:parse).with("token").returns({'UserName' => "us3r", "ExpiresOn" => "1234098765"})
+
+    (mock_request = mock).stubs(:token).returns("token")
+    mock_request.stubs(:provided?).returns(true)
+    mock_request.stubs(:is_wrap?).returns(true)
+    
+    Rack::Auth::WRAP::Request.expects(:new).with(env).returns(mock_request)
+    SimpleWebToken::SimpleWebTokenHandler.expects(:new).with(:shared_secret => "foo_bar").returns(mock_handler)
+
+    response_code, headers, body = Rack::Auth::WRAP.new(mock_app, :shared_secret => "foo_bar").call(env)
+
+    response_code.should == 200
+    headers['Content-Length'].should == '0'
+    env['REMOTE_USER'].nil?.should == false
+    env['REMOTE_USER']['UserName'].should == 'us3r'
+    env['REMOTE_USER']['ExpiresOn'].nil?.should == false
+  end
+end

data/spec/specs_config.rb

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'spec'
+require 'mocha'
+require 'rack/test'
+require 'rack/mock'
+
+Spec::Runner.configure do |config|
+  config.mock_with :mocha
+end

data/spec/swt/simple_web_token_handler_spec.rb

@@ -0,0 +1,184 @@
+require 'spec/specs_config'
+require 'lib/simplewebtoken'
+
+describe "simple web token hanlder behavior" do 
+  before do
+    @shared_secret = "N4QeKa3c062VBjnVK6fb+rnwURkcwGXh7EoNK34n0uM="
+  end
+  
+  it "should validate hmac256 signature of the token" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider/', 
+                        'Audience' => 'http://myapp'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+                        
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+    
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    handler.valid_signature?(simple_web_token).should == true
+  end
+  
+  it "should validate the issuer when a single one given" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider/', 
+                        'Audience' => 'http://myapp'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+    
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, :trusted_issuers => 'http://myidentityprovider/')
+    handler.valid_issuer?(simple_web_token).should == true
+  end
+  
+  it "should validate the issuer when a multiple issuers are trusted" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://myapp'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+    
+    trusted_issuers = ["http://myidentityprovider/", "http://myidentityprovider2/"]
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, :trusted_issuers => trusted_issuers)
+    handler.valid_issuer?(simple_web_token).should == true
+  end
+  
+  it "should validate the audience when a single audience is provided" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://myapp'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+    
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, :audiences => 'http://myapp')
+    handler.valid_audience?(simple_web_token).should == true
+  end
+  
+  it "should validate the audience when a multiple audiences are provided" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    audiences = ["http://site/", "http://mysitealias/"]    
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, :audiences => audiences)
+    handler.valid_audience?(simple_web_token).should == true
+  end
+  
+  it "should validate if it's expired" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")    
+
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    handler.expired?(simple_web_token).should == false
+  end
+  
+  it "should tell that the token is expired" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'ExpiresOn' => (Time.now.to_i - 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+    
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    handler.expired?(simple_web_token).should == true
+  end
+  
+  it "should throw an exception when no shared secret is provided" do
+    lambda {SimpleWebToken::SimpleWebTokenHandler.new}.should raise_error SimpleWebToken::InvalidOption
+  end
+  
+  it "should tell that a token is valid when all their components are valid" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+ 
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    handler.valid?(simple_web_token).should == true
+  end
+  
+  it "should tell that a token is invalid when no HMAC signature is provided" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+                        
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    handler.valid?(simple_web_token).should == false
+  end
+  
+  it "should tell that a token is invalid when the token is expired" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'ExpiresOn' => (Time.now.to_i - 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+ 
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    handler.valid?(simple_web_token).should == false
+  end
+  
+  it "should tell that a token is invalid when audience isn't trusted" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+ 
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, 
+                                                        :audiences => "http://untrusted_audience/")
+    handler.valid?(simple_web_token).should == false
+  end
+  
+  it "should tell that a token is invalid when audience isn't trusted" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+ 
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, 
+                                                        :trusted_issuers => "http://untrusted_issuer")
+    handler.valid?(simple_web_token).should == false
+  end
+  
+  it "should raise invalid token exception while trying to parse a token that isnt valid" do
+     simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                          'Audience' => 'http://site/',
+                          'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
+
+      signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+      simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+
+      handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret, 
+                                                          :trusted_issuers => "http://untrusted_issuer")
+
+      lambda{ handler.parse(simple_web_token) }.should raise_error SimpleWebToken::InvalidToken
+  end
+  
+  
+  it "should return a dictionary when parsing a valid token" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'org.security.email' => "myemail@mydomain.com",
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}"}.join("&")
+    
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+                        
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    token = handler.parse(simple_web_token)
+
+    token.nil?.should == false 
+    token['Audience'].should == "http://site/"
+    token['org.security.email'].should == "myemail@mydomain.com"
+  end
+  
+  it "should return a values as tokens when sent as csv" do
+    simple_web_token = {'Issuer' => 'http://myidentityprovider2/', 
+                        'Audience' => 'http://site/',
+                        'org.security.email' => "myemail@mydomain.com",
+                        'Roles' => 'roleA, roleB, role1, role2',
+                        'ExpiresOn' => (Time.now.to_i + 60).to_s}.map{|k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}"}.join("&")
+    
+    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(@shared_secret)).update(simple_web_token.toutf8).digest).strip
+    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
+                        
+    handler = SimpleWebToken::SimpleWebTokenHandler.new(:shared_secret => @shared_secret)
+    token = handler.parse(simple_web_token)
+
+    token.nil?.should == false 
+    token['Roles'].should == ["roleA", "roleB", "role1", "role2"]
+  end
+end

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification 
+name: rack-oauth-wrap
+version: !ruby/object:Gem::Version 
+  version: 0.5.1
+platform: ruby
+authors: 
+- Johnny G. Halife & Juan Pablo Garcia Dalolla
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-02-19 00:00:00 -03:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: ruby-hmac
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
+description: A simple implementation of Web Resource Authorization Protocol (WRAP) for Rack as middleware.
+email: johnny.halife@me.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- rakefile
+- lib/rack/auth/wrap.rb
+- lib/simplewebtoken.rb
+- lib/swt/exceptions.rb
+- lib/swt/simple_web_token_handler.rb
+has_rdoc: true
+homepage: http://rack-oauth-wrap.heroku.com
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --line-numbers
+- --inline-source
+- -A cattr_accessor=object
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Rack Middleware for authenticating users using oAuth WRAP Protocol
+test_files: 
+- spec/rack/auth/wrap_request_spec.rb
+- spec/rack/auth/wrap_spec.rb
+- spec/specs_config.rb
+- spec/swt/simple_web_token_handler_spec.rb