rack-response-signature 0.2.0 → 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d05e1b43b17481e66cfa413e96ba3afee5dd09f8
+  data.tar.gz: e18caf974ab9ab97656f0f89729dcee3c37219c7
+SHA512:
+  metadata.gz: bacd6f52898d6449220124eb42384550343eef1f16011d50bfcff0147be5692dae289fbf714ebf62c33caa83bb03a18833678bafbaca6ee6f47949852e92e412
+  data.tar.gz: 260bb0b15b9785f8cd637426a6c661f1aa49d0fd0a0ce03984c56437817a37227ad7fcc91cb55e44527bc44dfa47921dbfd3ec29a5b1a267975b2949033b07c4

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+/.rvmrc
+/.rbenv-version
+/.ruby-version
+/.ruby-gemset

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2010 Nathaniel Bibler.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -58,24 +58,3 @@ to `config/environments/production.rb`, or to an initializer:
 You should now see `Rack::ResponseSignature` listed in the middleware stack:
 
     $ rake middleware
-
-=== License
-
-Copyright (c) 2010 Nathaniel Bibler <http://www.nathanielbibler.com/>
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,5 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

data/lib/rack/response_signature.rb

@@ -3,52 +3,51 @@ require 'base64'
 require 'cgi'
 
 module Rack
-  
   ##
   # Rack::ResponseSignature is a middleware which will manipulate the server
-  # response by signing the response body against an RSA private key.  Your 
+  # response by signing the response body against an RSA private key.  Your
   # clients may then validate the response against a known-good public key
   # to verify server authenticity against a man-in-the-middle attack.
-  # 
+  #
   # The signature, if generated, is placed in a "X-Response-Signature" HTTP
-  # header.  Currently, signatures are only generated for HTTP SUCCESS (200) 
+  # header.  Currently, signatures are only generated for HTTP SUCCESS (200)
   # responses.
-  # 
-  # Obviously, it would be more straightforward to simply use an SSL 
+  #
+  # Obviously, it would be more straightforward to simply use an SSL
   # certificate provided by a trusted CA and just enable SSL verification
   # per request.  However, the use of SSL accrues significate overhead both for
   # the server, the client, and the network in general.  Not only that, but
   # in some cases (like Heroku) using a custom, verifiable SSL certificate
   # is either not reasonable or not possible.
-  # 
+  #
   # === Using Rack::ResponseSignature
-  # 
+  #
   # To use this middleware, simply:
-  # 
+  #
   #     use Rack::ResponseSignature, "--- BEGIN PRIVATE KEY ----\nabc123....."
-  # 
+  #
   # Or, for Rails,
-  # 
+  #
   #     config.middleware.use "Rack::ResponseSignature", "--- BEGIN PRIVATE KEY ----\nabc123....."
-  # 
-  # Or, a somewhat more secure approach would be to utilize environment 
-  # variables on the production system to define your private key.  This 
+  #
+  # Or, a somewhat more secure approach would be to utilize environment
+  # variables on the production system to define your private key.  This
   # keeps your private keys out of your source code manager and away from
   # prying eyes:
-  # 
+  #
   #     config.middleware.use "Rack::ResponseSignature", ENV['PRIVATE_RESPONSE_KEY']
-  # 
+  #
   # This is especially useful for Heroku deployments.
-  # 
+  #
   # === Manual Verification of Signature
-  # 
-  # Using curl, you can manually inspect to be sure that your signatures are 
+  #
+  # Using curl, you can manually inspect to be sure that your signatures are
   # being generated with:
-  # 
+  #
   #     $ curl -is http://myserver.com
-  # 
+  #
   # Which would return something similar to:
-  # 
+  #
   #     HTTP/1.1 200 OK
   #     Server: nginx/0.6.39
   #     Date: Tue, 23 Feb 2010 05:15:25 GMT
@@ -58,85 +57,85 @@ module Rack
   #     ETag: "54a2096d2c361907b3f9cc7ec9a2231d"
   #     X-Response-Signature: JywymlJfA90Q4x52LKt4J8Tb8p4rXI%2BptKDNm3NC7F495...
   #     Cache-Control: private, max-age=0, must-revalidate
-  # 
+  #
   # === Client Verification
-  # 
+  #
   # To verify your signatures on the client, simply share your public RSA key
   # with your client and verify the response:
-  # 
+  #
   #     require 'net/http'
   #     require 'base64'
   #     require 'cgi'
-  #     
+  #
   #     uri = URI.parse("http://myserver.com/")
   #     response = nil
   #     Net::HTTP.start(uri.host, uri.port) do |http|
   #       response = http.get(uri.path)
   #     end
-  #     
+  #
   #     puts "Response valid? %s" % [OpenSSL::PKey::RSA.new(PublicKey).
-  #       verify(OpenSSL::Digest::SHA256.new, 
-  #             Base64.decode64(CGI.unescape(response['X-Response-Signature'])), 
+  #       verify(OpenSSL::Digest::SHA256.new,
+  #             Base64.decode64(CGI.unescape(response['X-Response-Signature'])),
   #             response.body.strip)]
-  # 
+  #
   # === Options
-  # 
+  #
   # You may pass an optional, third, hash argument into the middleware.  This
   # argument allows you to override defaults.
-  # 
+  #
   # digest::
   #   Set the digest to use when generating the signature (Default: OpenSSL::Digest::SHA256)
-  # 
+  #
   class ResponseSignature
-    
-    VERSION = '0.2.0'
-    
+    VERSION = '0.3.0'
+
     def initialize(app, private_key, options = {})
       options[:digest]  ||= OpenSSL::Digest::SHA256
       @app              = app
       @private_key      = private_key && private_key != '' ? private_key : nil
       @options          = options
     end
-    
+
+
     def call(env)
       status, headers, response = @app.call(env)
-      
+
       if set_signature_header?(status)
-        [status, add_signature(headers, value_of(response)), value_of(response)]
+        [status, add_signature(headers, value_of(response)), response]
       else
         [status, headers, response]
       end
     end
-    
-    
+
+
     private
-    
-    
-    def set_signature_header?(status)
-      @private_key && status.to_i == 200
-    end
-    
+
+
     def add_signature(headers, body)
       headers['X-Response-Signature'] = CGI.escape(Base64.encode64(sign(body)))
       headers
     end
-    
+
+    def digest
+      @options.has_key?(:digest) ? @options[:digest].new : OpenSSL::Digest::SHA256.new
+    end
+
     def rsa
       @rsa ||= OpenSSL::PKey::RSA.new(@private_key)
     end
-    
+
+    def set_signature_header?(status)
+      @private_key && status.to_i == 200
+    end
+
     def sign(data)
       rsa.sign(digest, data)
     end
-    
-    def digest
-      @options.has_key?(:digest) ? @options[:digest].new : OpenSSL::Digest::SHA256.new
-    end
-    
+
     def value_of(response)
-      (response.respond_to?(:body) ? response.body : response).strip
+      body = (response.respond_to?(:body) ? response.body : response)
+      body = body.inject("") { |content, sum| sum += content }
+      body.strip
     end
-    
   end
-  
 end

data/rack-response-signature.gemspec

@@ -0,0 +1,27 @@
+# encoding: utf-8
+lib = File.expand_path('../lib/', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rack/response_signature'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'rack-response-signature'
+  spec.version       = Rack::ResponseSignature::VERSION
+  spec.platform      = Gem::Platform::RUBY
+  spec.authors       = ['Nathaniel Bibler']
+  spec.email         = ['gem@nathanielbibler.com']
+  spec.description   = 'Rack::ResponseSignature uses RSA key pairs to transparently sign the outgoing responses from any Rack-compliant application.'
+  spec.summary       = 'Rack middleware to add transparent response signing'
+  spec.homepage      = 'http://github.com/nbibler/rack_response_signature'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'rack', '~> 1.0'
+
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'rspec', '~> 2.11'
+end

data/spec/lib/rack/response_signature_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+require 'rack/lint'
+require 'rack/mock'
+
+describe Rack::ResponseSignature do
+  context 'response header' do
+    it 'is added on a 200 response' do
+      app = success_app("Success")
+      expect(response_headers(app)).to have_key('X-Response-Signature')
+    end
+
+    it 'is not added on non-200 responses' do
+      [ 302 , 404 , 503 ].each do |response_code|
+        app = new_app(response_code, response_code.to_s)
+        expect(response_headers(app)).not_to have_key('X-Response-Signature')
+      end
+    end
+  end
+
+  it 'does not modify the response body' do
+    body = [" Whitespace "]
+    app = new_app(200, body)
+    expect(response_body(app)).to equal(body)
+  end
+
+  it 'ignores leading and trailing whitespace when generating signature' do
+    expect(response_headers(success_app('test string'))).
+      to include({'X-Response-Signature' => 't4IMaguaZTUFQ9LtPm7E4ijhVJ53OPe9a7wBujteaHQvHuacYgdSteQVTzxn%0AC%2BGoH8%2BdefNSTJa4fKl0PDXVUA%3D%3D%0A'})
+    expect(response_headers(success_app(' test string'))).
+      to include({'X-Response-Signature' => 't4IMaguaZTUFQ9LtPm7E4ijhVJ53OPe9a7wBujteaHQvHuacYgdSteQVTzxn%0AC%2BGoH8%2BdefNSTJa4fKl0PDXVUA%3D%3D%0A'})
+    expect(response_headers(success_app('test string '))).
+      to include({'X-Response-Signature' => 't4IMaguaZTUFQ9LtPm7E4ijhVJ53OPe9a7wBujteaHQvHuacYgdSteQVTzxn%0AC%2BGoH8%2BdefNSTJa4fKl0PDXVUA%3D%3D%0A'})
+  end
+
+
+  private
+
+
+  def new_app(response_code, response_body)
+    ->(env) { [response_code, {"Content-Type" => "test/plain"}, response_body] }
+  end
+
+  def private_key
+    @private_key ||= <<-KEY.gsub(/^\s+/, '')
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIBOgIBAAJBAMtIiebDa7r1Y+dD/avJpYAqkLMUwoRCrQSIdnG7LA1hFc9/r5JR
+    jEtUSLA+eg0Fh72enu9+CT/q3Q4sg9h5s3UCAwEAAQJACAif2ozSjxrvjc40Ejvv
+    3HbSLSGe5lc0Oz+hXrFE9mpTyFI7l/KYsMB/6JNEfY8LUNTQXz6fet4obIh9STIj
+    6QIhAOVbthtvJK28o5V76ssZ8BkkYWQS9IUCxFXKIzbzJ3NHAiEA4uV0MBd+QHme
+    QAviG5f/ZxlTQGQMtOtYaiNUCuaQaWMCIDjc2/FBRN6t/gB5kGR6McSJ+HtPF8BC
+    R1rdmo1tC0LRAiBI7CPufO53vF6vCOKvqadNNGd8T2uCDg2JdzdAlZ+eLwIhALud
+    aKQMQPo8Ie44nsCIT2FzI4YaNf1RvF+8E8FRXZBJ
+    -----END RSA PRIVATE KEY-----
+    KEY
+  end
+
+  def public_key
+    @public_key ||= <<-KEY.gsub(/^\s+/, '')
+    -----BEGIN PUBLIC KEY-----
+    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMtIiebDa7r1Y+dD/avJpYAqkLMUwoRC
+    rQSIdnG7LA1hFc9/r5JRjEtUSLA+eg0Fh72enu9+CT/q3Q4sg9h5s3UCAwEAAQ==
+    -----END PUBLIC KEY-----
+    KEY
+  end
+
+  def request
+    Rack::MockRequest.env_for
+  end
+
+  def response(app, *args)
+    Rack::Lint.new(described_class.new(app, private_key, *args)).call(request)
+  end
+
+  def response_headers(app, *args)
+    response(app, *args)[1]
+  end
+
+  def response_body(app, *args)
+    response(app, *args)[2].instance_variable_get("@body")
+  end
+
+  def success_app(body_content)
+    new_app(200, [body_content])
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

metadata

@@ -1,68 +1,113 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rack-response-signature
-version: !ruby/object:Gem::Version 
-  hash: 23
-  prerelease: false
-  segments: 
-  - 0
-  - 2
-  - 0
-  version: 0.2.0
+version: !ruby/object:Gem::Version
+  version: 0.3.0
 platform: ruby
-authors: 
+authors:
 - Nathaniel Bibler
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2010-12-08 00:00:00 -05:00
-default_executable: 
-dependencies: []
-
-description: Rack::ResponseSignature uses RSA key pairs to transparently sign the outgoing responses from any Rack-compliant application.
-email: gem@nathanielbibler.com
+date: 2013-08-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.11'
+description: Rack::ResponseSignature uses RSA key pairs to transparently sign the
+  outgoing responses from any Rack-compliant application.
+email:
+- gem@nathanielbibler.com
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
-- lib/rack/response_signature.rb
+files:
+- .gitignore
+- .rspec
+- Gemfile
+- LICENSE.txt
 - README.rdoc
-has_rdoc: true
+- Rakefile
+- lib/rack/response_signature.rb
+- rack-response-signature.gemspec
+- spec/lib/rack/response_signature_spec.rb
+- spec/spec_helper.rb
 homepage: http://github.com/nbibler/rack_response_signature
-licenses: []
-
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 2.0.6
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Rack middleware to add transparent response signing
-test_files: []
-
+test_files:
+- spec/lib/rack/response_signature_spec.rb
+- spec/spec_helper.rb