rack-pubcookie 0.0.1

data/.gitignore

@@ -0,0 +1,8 @@
+pkg/*
+*.gem
+.bundle
+
+ext/**/*.bundle
+ext/**/Makefile
+ext/**/*.so
+ext/**/*.o

data/Gemfile

@@ -0,0 +1,4 @@
+source :rubygems
+
+# Specify your gem's dependencies in rack-pubcookie.gemspec
+gemspec :require => 'rack/pubcookie'

data/Gemfile.lock

@@ -0,0 +1,37 @@
+PATH
+  remote: .
+  specs:
+    rack-pubcookie (0.0.1)
+      activesupport
+      rack
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activesupport (3.0.1)
+    diff-lcs (1.1.2)
+    nokogiri (1.4.3.1)
+    rack (1.2.1)
+    rack-test (0.5.6)
+      rack (>= 1.0)
+    rspec (2.0.1)
+      rspec-core (~> 2.0.1)
+      rspec-expectations (~> 2.0.1)
+      rspec-mocks (~> 2.0.1)
+    rspec-core (2.0.1)
+    rspec-expectations (2.0.1)
+      diff-lcs (>= 1.1.2)
+    rspec-mocks (2.0.1)
+      rspec-core (~> 2.0.1)
+      rspec-expectations (~> 2.0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport
+  nokogiri
+  rack
+  rack-pubcookie!
+  rack-test
+  rspec

data/README.md

@@ -0,0 +1,73 @@
+rack-pubcookie
+==============
+
+This is an implementation of the [pubcookie](http://pubcookie.org) protocol over Rack in Ruby.
+
+Installation
+------------
+
+In a Gemfile: `gem 'rack-pubcookie'`
+
+Otherwise: `gem install rack-pubcookie`
+
+The gem can be required through either `rack-pubcookie` or `rack/pubcookie`
+
+Usage
+-----
+
+To use pubcookie in your application, you'll need a few things.
+
+* The URL of the login server
+* A FQDN for which you have an SSL certificate and which the server is running off of
+* An application ID (normally this is gotten from the login server provider)
+* A keyfile. This is generated via the `keyclient` program provided by the official pubcookie source code. Currently there is no equivalent of said program in this gem, so you'll need to create this on another server or acquire it from your login provider
+* The granting certificate. This is the x509 .crt/cert file which your login provider signs all cookies with. You need a copy of the public key (.crt) file to verify cookies
+* An SSL-enabled server. Pubcookie will not redirect to an `http` host, but rather only an `https` one
+
+Once these six pieces have been obtained, you can then use it like this:
+
+<pre>
+# This is located in config.ru
+require 'rack/pubcookie'
+
+use Rack::Pubcookie::Auth, @login_server, @hostname, @appid, @keyfile_path,
+  @granting_certificate_path
+
+# @login_server => 'login.example.com[:port]' (port optional)
+# @hostname     => 'myapp.example.com[:port]' (port optional)
+# @appid        => 'myappid'
+# @keyfile_path => '/path/to/key/file'
+# @granting_certificate_path => '/path/to/granting.crt'
+
+run Your::Application
+</pre>
+
+Then, in your application, if you need the user authenticated and they're not currently, then you need to redirect them to `/auth/pubcookie`. This will then redirect the user to the login server (with some extra variables and things).
+
+Once authenticated, the user will then be redirected to `/auth/pubcookie/callback`. If we are able to decrypt the response from the login server, the `REMOTE_USER` environment variable will be set in the request for use.
+
+The response to `/auth/pubcookie/callback` will also set the session cookie for the current user. It has the `secure` flag, so it will only be sent on HTTPS connections.
+
+Also, every request where the pubcookie session cookie is present, the `REMOTE_USER` variable will be set. This only applies to `https` connections before the expiration date of the cookie
+
+License
+----
+Copyright (c) 2010 Alex Crichton
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+desc "Build the C extensions"
+task :build_extensions do
+  Dir.chdir(File.expand_path('../ext/openssl', __FILE__)) do
+    sh 'make distclean' if File.exists? 'Makefile'
+    sh 'ruby extconf.rb && make'
+  end
+end

data/ext/openssl/evp.c

@@ -0,0 +1,36 @@
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <ruby.h>
+
+#define GetX509(obj, x509) Data_Get_Struct(obj, X509, x509)
+
+#ifndef RUBY_19
+# define RSTRING_LEN(s) (RSTRING(s)->len)
+# define RSTRING_PTR(s) (RSTRING(s)->ptr)
+#endif
+
+VALUE evp_verify_md5(VALUE self, VALUE cert, VALUE signature, VALUE str) {
+  X509 *x509;
+  EVP_MD_CTX ctx;
+  EVP_PKEY *key;
+
+  GetX509(cert, x509);
+  key = X509_extract_key(x509);
+
+  EVP_VerifyInit(&ctx, EVP_md5());
+  EVP_VerifyUpdate(&ctx, RSTRING_PTR(str), RSTRING_LEN(str));
+
+  int ret_val = EVP_VerifyFinal(&ctx,
+        (unsigned char*) RSTRING_PTR(signature),
+        (unsigned int)   RSTRING_LEN(signature),
+        key);
+
+  return ret_val == 1 ? Qtrue : Qfalse;
+}
+
+Init_evp() {
+  VALUE cOpenSSL = rb_define_module("OpenSSL");
+  VALUE cEVP     = rb_define_module_under(cOpenSSL, "EVP");
+
+  rb_define_singleton_method(cEVP, "verify_md5", evp_verify_md5, 3);
+}

data/ext/openssl/extconf.rb

@@ -0,0 +1,9 @@
+require 'mkmf'
+
+if RUBY_VERSION =~ /1\.9/
+  $CFLAGS << ' -DRUBY_19'
+end
+
+if have_header('openssl/evp.h') && have_header('openssl/x509.h')
+  create_makefile('evp')
+end

data/lib/rack/pubcookie/aes.rb

@@ -0,0 +1,16 @@
+module Rack
+  module Pubcookie
+    module AES
+
+      def aes_decrypt bytes, index1, index2
+        # When an example of an AES encrypted cookie is acquired, the method for
+        # decryption is outlined at https://wiki.doit.wisc.edu/confluence/display/WEBISO/Pubcookie+Granting+Reply+Interface
+        # For now, I have no examples of AES encrypted cookies, so with nothing
+        # to test on I wouldn't be sure if this were working.
+
+        raise 'I need an example!'
+      end
+
+    end
+  end
+end

data/lib/rack/pubcookie/auth.rb

@@ -0,0 +1,136 @@
+require 'active_support/core_ext/object/to_query'
+require 'openssl'
+require 'openssl/evp'
+require 'base64'
+
+module Rack
+  module Pubcookie
+    class Auth
+
+      include AES
+      include DES
+
+      def initialize app, login_server, host, appid, keyfile, granting_cert,
+          opts = {}
+        @app          = app
+        @login_server = login_server
+        @host         = host
+        @appid        = appid
+        @keyfile      = keyfile
+        @granting = OpenSSL::X509::Certificate.new(::File.read(granting_cert))
+        ::File.open(@keyfile, 'rb'){ |f| @key = f.read.bytes.to_a }
+
+        @options = opts
+        @options[:expires_after] = 24 * 3600 # 24 hrs
+      end
+
+      def call env
+        request = Rack::Request.new env
+
+        if request.path == '/auth/pubcookie'
+          response = Rack::Response.new login_page_html
+        else
+          request.env['REMOTE_USER'] = extract_username request
+          status, headers, body = @app.call(request.env)
+          response = Rack::Response.new body, status, headers
+
+          if !request.params['pubcookie_g'].nil? &&
+              request.params['pubcookie_g'] != request.cookies['pubcookie_g']
+            response.set_cookie 'pubcookie_g', :path => '/', :secure => true,
+              :value => request.params['pubcookie_g']
+          end
+        end
+
+        response.finish
+      end
+
+      protected
+
+      def extract_username request
+        # If coments below refer to a URL, they mean this one:
+        # http://svn.cac.washington.edu/viewvc/pubcookie/trunk/src/pubcookie.h?view=markup
+        cookie = request.params['pubcookie_g'] || request.cookies['pubcookie_g']
+
+        return nil if cookie.nil?
+
+        bytes  = Base64.decode64(cookie).bytes.to_a
+        index2 = bytes.pop
+        index1 = bytes.pop
+
+        if true # Should eventually check for aes vs des encryption...
+          decrypted = des_decrypt bytes, index1, index2
+        else
+          decrypted = aes_decrypt bytes, index1, index2
+        end
+
+        return nil if decrypted.nil?
+
+        # These values are all from the pubcookie source. For more info, see the
+        # above URL. The relevant size definitions are around line 42 and the
+        # struct begins on line 69 ish
+        user, version, appsrvid, appid, type, creds, pre_sess_tok,
+          create_ts, last_ts = decrypted.unpack('A42A4A40A128aaINN')
+
+        create_ts = Time.at create_ts
+        last_ts   = Time.at last_ts
+
+        if Time.now < create_ts + @options[:expires_after] && appid == @appid
+          user
+        else
+          nil
+        end
+      end
+
+      # For a better description on what each of these values are, go to
+      # https://wiki.doit.wisc.edu/confluence/display/WEBISO/Pubcookie+Granting+Request+Interface
+      def request_login_arguments
+        args = {
+          :one          => @host,     # FQDN of our host
+          :two          => @appid,    # Our AppID for pubcookie
+          :three        => 1,         # ?
+          :four         => 'a5',      # Version/encryption?
+          :five         => 'GET',     # method, even though we lie?
+          :six          => @host,     # our host domain name
+          :seven        => '/auth/pubcookie/callback', # Where to return
+          :eight        => '',        # ?
+          :nine         => 1,         # Probably should be different...
+          :hostname     => @host,     # Pubcookie needs it 3 times...
+          :referer      => '(null)',  # Just don't bother
+          :sess_re      => 0,         # Don't force re-authentication
+          :pre_sess_tok => Kernel.rand(2000000), # Just a random 32bit number
+          :flag         => 0,         # ?
+          :file         => ''         # ?
+        }
+
+        args[:seven] = Base64.encode64(args[:seven]).chomp
+        args
+      end
+
+      def login_page_html
+        input_val = Base64.encode64 request_login_arguments.to_query
+        input_val = input_val.gsub("\n", '')
+
+        # Curious why exactly this template? This was taken from the pubcookie
+        # source. We just do the same thing here...
+        <<-HTML
+<html>
+<head></head>
+<body onLoad="document.relay.submit()">
+  <form method='post' action="https://#{@login_server}" name='relay'>
+    <input type='hidden' name='pubcookie_g_req' value="#{input_val}">
+    <input type='hidden' name='post_stuff' value="">
+    <input type='hidden' name='relay_url' value="https://#{@host}/auth/pubcookie/callback">
+    <noscript>
+      <p align='center'>You do not have Javascript turned on,   please click the button to continue.
+      <p align='center'>
+        <input type='submit' name='go' value='Continue'>
+      </p>
+    </noscript>
+  </form>
+</html>
+HTML
+      end
+
+    end
+  end
+end

data/lib/rack/pubcookie/des.rb

@@ -0,0 +1,31 @@
+module Rack
+  module Pubcookie
+    module DES
+
+      def des_decrypt bytes, index1, index2
+        # In the URL of #extract_username, the initial IVEC is defined around
+        # line 63 and for some reason only the first byte is used in the xor'ing
+        ivec = @key[index2, 8]
+        ivec = ivec.map{ |i| i ^ 0x4c }
+
+        key = @key[index1, 8]
+
+        c  = OpenSSL::Cipher.new('des-cfb')
+        c.decrypt
+        c.key = key.pack('c*')
+        c.iv  = ivec.pack('c*')
+
+        # This should be offset by the size of the granting key? Not sure...
+        signature = c.update(bytes[0..127].pack('c*'))
+        decrypted = c.update(bytes[128..-1].pack('c*'))
+
+        if OpenSSL::EVP.verify_md5(@granting, signature, decrypted)
+          decrypted
+        else
+          nil
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/pubcookie/fake.rb

@@ -0,0 +1,16 @@
+module Rack
+  module Pubcookie
+    class Fake
+
+      def initialize app, username
+        @app, @username = app, username
+      end
+
+      def call env
+        env['REMOTE_USER'] = @username
+        @app.call env
+      end
+
+    end
+  end
+end

data/lib/rack/pubcookie/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  module Pubcookie
+    VERSION = '0.0.1'
+  end
+end

data/lib/rack/pubcookie.rb

@@ -0,0 +1,11 @@
+require 'rack'
+
+module Rack
+  module Pubcookie
+    autoload :VERSION, 'rack/pubcookie/version'
+
+    autoload :Auth, 'rack/pubcookie/auth'
+    autoload :AES, 'rack/pubcookie/aes'
+    autoload :DES, 'rack/pubcookie/des'
+  end
+end

data/lib/rack-pubcookie.rb

@@ -0,0 +1 @@
+require 'rack/pubcookie'

data/rack-pubcookie.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path('../lib', __FILE__)
+require 'rack/pubcookie/version'
+
+Gem::Specification.new do |s|
+  s.name        = 'rack-pubcookie'
+  s.version     = Rack::Pubcookie::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ['Alex Crichton']
+  s.email       = ['alex@alexcrichton.com']
+  s.homepage    = 'http://github.com/alexcrichton/rack-pubcookie'
+  s.summary     = 'An implentation of pubcookie based on Rack in Ruby'
+  s.description = 'Pubcookie finally leaves the world of apache!'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.extensions    = ['ext/openssl/extconf.rb']
+  s.require_paths = ['lib', 'ext']
+
+  s.add_dependency 'rack'
+  s.add_dependency 'activesupport'
+
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'rack-test'
+  s.add_development_dependency 'nokogiri'
+end

data/spec/fixtures/granting.crt

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIIChjCCAe+gAwIBAgIJAOSRfhmxiDrWMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
+BAYTAlVTMRUwEwYDVQQIDAxQZW5uc3lsdmFuaWExEzARBgNVBAcMClBpdHRzYnVy
+Z2gxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xMDEwMjcy
+MzUyMjNaFw0xMDExMjYyMzUyMjNaMFwxCzAJBgNVBAYTAlVTMRUwEwYDVQQIDAxQ
+ZW5uc3lsdmFuaWExEzARBgNVBAcMClBpdHRzYnVyZ2gxITAfBgNVBAoMGEludGVy
+bmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+x9lZVZApmH7H9PMH6rcTTq7A/wXU0WmVGkorlcZ9oyyUGUbG4zOSpYRWES6U6/Ds
+h3NJDEZ59Vr1O5aeQ6/hP0yfTuBpEwTiDHZptLTdS6O94WvrsqCyjO7mjs4NGMaI
+hun8i7VnC2ks/s37w5tlUBHAvee3jC1sZh9kxwio7ZcCAwEAAaNQME4wHQYDVR0O
+BBYEFCCFiEdU1jEHksMoXauyb5dqrdovMB8GA1UdIwQYMBaAFCCFiEdU1jEHksMo
+Xauyb5dqrdovMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAofqrTpwX
+T6Z55kTWGQWqh1CpF0M2G8vMoD61ZjwbUfiPMm/oQs7tiKyAKBK6XUcJBDAI85ev
+jboQYpTJmgv3BJa5mSdBPwfznbW3kPHIW2I9e44woWZUQpj504f8mge8FIS8nH8o
+KgPO0SdEYE7yi1UktyY4VlUNm+x9ImjcFOE=
+-----END CERTIFICATE-----

data/spec/fixtures/invalid.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFszCCA5sCCQCl4nWG581TtjANBgkqhkiG9w0BAQUFADCBsjELMAkGA1UEBhMC
+VVMxDTALBgNVBAgTBElvd2ExEzARBgNVBAcTCkRlcyBNb2luZXMxFjAUBgNVBAoT
+DUNyaWNodG9uIEluYy4xDTALBgNVBAsTBEFsZXgxMzAxBgNVBAMTKkFsZXggQ3Jp
+Y2h0b24gU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTEjMCEGCSqGSIb3DQEJ
+ARYUYWRjcmljaHRvbkBnbWFpbC5jb20wHhcNMDkwNzAyMDMzOTA3WhcNMTkwNjMw
+MDMzOTA3WjCBgzELMAkGA1UEBhMCVVMxDTALBgNVBAgTBElvd2ExEzARBgNVBAcT
+CkRlcyBNb2luZXMxFjAUBgNVBAoTDUNyaWNodG9uIEluYy4xEjAQBgNVBAMTCWxv
+Y2FsaG9zdDEkMCIGCSqGSIb3DQEJARYVYWxleEBhbGV4Y3JpY2h0b24uY29tMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA41aMpO3Z9mxxovHKZ+oH8Xsn
+YYzQm+q/DqJc7Wg+8ig7TOsjACI7FK3e/5DCBU7djs/7Jfp03YGvhK4dNcq2MVQ2
+BG0+Fze5+bsuY2LRoDs21ix9eKccf2Tu/SGMzA1nKzW0I/pTrRhT1BxUbj5irmt8
+hoED7Bm5Z/Uwyp5HUdGnA3NW8aJdoU2LANCArWnt3482QHdv+5X2kVaMIrW6looa
+J4XpGzBZJ5/Wiq4L8UmiNaD1pOPjyCZkxhR24utTftJMwkhl8/hPlBf4/v2hd7IZ
+GXtrtWKyb9rH/kXo55p2QC5D4F8l2ZJur3fN2hMhOjhcINsFsicIx7DcQKjG1cKF
+qTH14qaKak54rCpSq6t9ZhFnefpvGEe2iEy2FcMAt5ma6OmZn8AxbICBm2R8PFwB
+Fq/rK2Q6PnrH5z1JlWxt2YBJOLxu0vTssmBdy6l16iK6Z57HeybYwYYhuEpZBjuN
+F4UOK7eMn5CeQxGqWIqPvoKAMIMPmFr3IfAlDepP59rTtH9D8lcosp6pVopJPyGj
+lvTUzT0BaO7jgAG0KMYSZ45lYlZ4jYr8rjxFBURVumVeqMYkBdyjgEA6I2F2KLus
+E2/qQBLMpMG0KrR/Xgg2LzfhiZ4kvYsvn1gmCAhTNEdVfck0F0euQN6NwoRnFq6z
+4EGC6jeGFxzFfcNCgBsCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAODArc6lGKnlx
+mEdUrCddGWZDNH9C2MI0goG9W4+8jBcrQeQ6orGvcta9yHH+4wfMOBj43zYvfOfT
+3oJcm2PGWa8RQ1E+gsdvTay3+hspYgRg8NHCe3tKLM6tvnLD99rmXG9LrxraebsR
+T1AQekoaLBZZBqmbfKMDsTSHeBAob1H9+A8/A/V6tm+M5ayPbo9X8HuvJJsqr5Xj
+eirzyjN99qMncQxhYrcmGflgib2N8kRmwdx7QimTYyOi6TUHQQdbrUZsSMiYN7vT
+R1zypt0JkgZsrRG4ZLOs3oWQo52gOwxxas/a73ib6vRGImG3FUrddgpgu52I0MR5
+1VsvGQE6Nxkr3QCHwA+q9/9GksCqI5rbKkDYf4agqL1jItX7zfj4PL5sXeX5h90Q
+SysXSy5vUv/npHiZwvZgg7BHWZQ8NxlZ3bkPKZYY+rIDKIwAQc9NHCzjw7bcKEhZ
+o4w44XxsHF1HOPXFwlCg96j6Sq8xLCSxvhh7giCkKCmHcSZcoofb4pyUq5xvB2ev
+6H56Jvza0qrTT5LglWPdd7UeDwNqbsyZOxGy93l2KE69s0z4ejuNzzGGlYDJid6I
+iJ5dNwOsVXGQBTXu7+EpCtzD61F4t3mR3KGoSCo50f/QC1R0km1sF6PdV226SwKz
+wANRDTA9mXpJpurKtol8sUOQ80mZ8K4=
+-----END CERTIFICATE-----

data/spec/fixtures/test.com

@@ -0,0 +1,32 @@
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key
+key key key key key key key key key key key key key key key key

data/spec/rack/pubcookie/auth_spec.rb

@@ -0,0 +1,131 @@
+require 'spec_helper'
+
+describe Rack::Pubcookie::Auth do
+
+  include Rack::Test::Methods
+
+  def app
+    Rack::Builder.new {
+      use Rack::Pubcookie::Auth, 'example.com', 'myhost.com', 'testappid',
+        Rack::Test.fixture_path + '/test.com',
+        Rack::Test.fixture_path + '/granting.crt'
+      run lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['llama']] }
+    }.to_app
+  end
+
+  describe "a valid session" do
+    before :each do
+      Time.stub(:at).and_return Time.now
+    end
+
+    it "renders a login page to send a request to the login server" do
+      Kernel.stub(:rand).and_return(100)
+
+      get '/auth/pubcookie'
+
+      doc   = Nokogiri::HTML(last_response.body)
+      forms = doc.css('form')
+      forms.length.should == 1
+      form = forms.first
+
+      form['method'].should == 'post'
+      form['action'].should == 'https://example.com'
+
+      inputs = form.css('input[type=hidden]')
+      inputs.size.should == 3
+
+      inputs[0]['name'].should == 'pubcookie_g_req'
+      pubcookie_g = Rack::Utils.parse_query Base64.decode64(inputs[0]['value'])
+      pubcookie_g.should == {
+        "one" => "myhost.com", "two" => "testappid", "three" => "1",
+        "four" => "a5", "five" => "GET", "six" => "myhost.com",
+        "seven" => Base64.encode64('/auth/pubcookie/callback').chomp,
+        "eight" => "", "nine" => "1", "hostname" => "myhost.com",
+        "referer" => "(null)", "sess_re" => "0", "pre_sess_tok" => "100",
+        "flag" => "0", "file" => ""
+      }
+
+      inputs[1]['name'].should == 'post_stuff'
+      inputs[1]['value'].should == ''
+
+      inputs[2]['name'].should == 'relay_url'
+      inputs[2]['value'].should == 'https://myhost.com/auth/pubcookie/callback'
+    end
+
+    it "parses the response cookie and sets the REMOTE_USER varible" do
+      post '/auth/pubcookie/callback',
+        'pubcookie_g' => Rack::Test.sample_response
+
+      last_request.env['REMOTE_USER'].should == 'testing'
+    end
+
+    it "authenticates based off of the cookie given" do
+      escaped = Rack::Utils.escape Rack::Test.sample_response
+      set_cookie "pubcookie_g=#{escaped}"
+
+      post '/auth/pubcookie/callback'
+
+      last_request.env['REMOTE_USER'].should == 'testing'
+    end
+
+    it "sets a cookie based on the response from the login server" do
+      escaped = Rack::Utils.escape Rack::Test.sample_response
+
+      post '/auth/pubcookie/callback',
+        'pubcookie_g' => Rack::Test.sample_response
+
+      last_response.headers['Set-Cookie'].should eql(
+        "pubcookie_g=#{escaped}; path=/; secure")
+    end
+
+    it "doesn't have the Set-Cookie header when authenticated by a cookie" do
+      set_cookie "pubcookie_g=#{Rack::Test.sample_response}"
+
+      post '/auth/pubcookie/callback'
+
+      last_response.headers['Set-Cookie'].should be_nil
+    end
+  end
+
+  describe "invalid authentications" do
+    it "doesn't tamper with any variables if no authentication is present" do
+      post '/auth/pubcookie/callback'
+
+      last_response.headers['Set-Cookie'].should be_nil
+      last_request.env['REMOTE_USER'].should be_nil
+    end
+
+    it "doesn't allow an expired valid authentication cookie" do
+      # The login cookie contains a struct with the issued at timestamp as a
+      # 32 bit integer. We use Time.at on the integer to get the time object for
+      # when it was issued. By stubbing that, we can simulate the cookie being
+      # issued 2 days ago without having to work around different cookies and
+      # such
+      Time.stub(:at).and_return Time.now - 48 * 3600
+
+      post '/auth/pubcookie/callback',
+        'pubcookie_g' => Rack::Test.sample_response
+
+      last_request.env['REMOTE_USER'].should be_nil
+    end
+  end
+
+  describe "an invalid signature" do
+    def app
+      Rack::Builder.new {
+        use Rack::Pubcookie::Auth, 'example.com', 'myhost.com', 'testappid',
+          Rack::Test.fixture_path + '/test.com',
+          Rack::Test.fixture_path + '/invalid.crt'
+        run lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['llama']] }
+      }.to_app
+    end
+
+    it "realizes the cookie has an invalid signature and discards the cookie" do
+      post '/auth/pubcookie/callback',
+        'pubcookie_g' => Rack::Test.sample_response
+
+      last_request.env['REMOTE_USER'].should be_nil
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,29 @@
+require 'rubygems'
+require 'bundler'
+Bundler.require :default, :development
+
+require 'rspec/core'
+require 'rack/test'
+
+RSpec.configure do |c|
+  c.color_enabled = true
+end
+
+module Rack
+  module Test
+
+    def self.fixture_path
+      ::File.expand_path('../fixtures', __FILE__)
+    end
+
+    def self.sample_response
+      # This data was pre-constructed using DES encryption and a dummy test
+      # server. Slightly magical, but the setup was just a test pubcookie server
+      # and a local nginx server handling SSL requests proxing to a small app.
+      # All of the certificates were signed correctly and whatnot and everything
+      # worked out somehow eventually to the cookie below.
+      "6zDplapzi0TAIG3mzfff99EII888gkBUo2fywh1f52ff6Hq4QlrlZ6HbMVSUph7X0x9q0JxbZIfcVjRB9ir92WoihBBRuM4ES/MkqfZs2coB8KeNWQMBls+Nl19IYXv7dJoFjQ8lfBkzgV8BzQ9CIETQqT6AF+7vZBdUddKwu+9kCVtaVk4Pl7Vl0TfzYHCp831xrNxepLx6xtSg33l05CsXtaTVXhm/9khsU8/ONb5xEu21YM5D2OjM1cTUvan3bbCnRHVpqrq1fo8+cNeufP7lUGPoMEjEzjTTLpEXTsfvshX8Ojgl2mowxhbGIkC+MRJuKEAQV9kvdnFmdMWFnMo2j5KJzeiNoRvWg0DfVon8Ya7JAAt+PkpnGu6FwzOHYvYoj+7t1HJIW/iyjXfXjOhzRDSY22YYEOIgqfodCzSURi5hrmUwSsAtXTmpqHrTDN4smIfEUQvQAIMlEhnH2ocSztbJFw=="
+    end
+
+  end
+end

metadata

@@ -0,0 +1,153 @@
+--- !ruby/object:Gem::Specification 
+name: rack-pubcookie
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Alex Crichton
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-10-28 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rack
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rack-test
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: nokogiri
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
+description: Pubcookie finally leaves the world of apache!
+email: 
+- alex@alexcrichton.com
+executables: []
+
+extensions: 
+- ext/openssl/extconf.rb
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- ext/openssl/evp.c
+- ext/openssl/extconf.rb
+- lib/rack-pubcookie.rb
+- lib/rack/pubcookie.rb
+- lib/rack/pubcookie/aes.rb
+- lib/rack/pubcookie/auth.rb
+- lib/rack/pubcookie/des.rb
+- lib/rack/pubcookie/fake.rb
+- lib/rack/pubcookie/version.rb
+- rack-pubcookie.gemspec
+- spec/fixtures/granting.crt
+- spec/fixtures/invalid.crt
+- spec/fixtures/test.com
+- spec/rack/pubcookie/auth_spec.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/alexcrichton/rack-pubcookie
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+- ext
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: An implentation of pubcookie based on Rack in Ruby
+test_files: 
+- spec/fixtures/granting.crt
+- spec/fixtures/invalid.crt
+- spec/fixtures/test.com
+- spec/rack/pubcookie/auth_spec.rb
+- spec/spec_helper.rb