rack-signature 0.0.1

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.DS_Store

data/.travis.yml

@@ -0,0 +1,9 @@
+language: ruby
+rvm:
+  - 1.9.2
+  - 1.9.3
+before_install:
+  - gem install bundler
+notifications:
+  recipients:
+    - robert@codewranglers.org

data/Gemfile

@@ -0,0 +1,2 @@
+source :rubygems
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2012 Robert Evans
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,34 @@
+[![Build Status](https://secure.travis-ci.org/revans/rack-signature.png)](https://travis-ci.org/revans/rack-signature)
+[![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/revans/rack-signature)
+
+# Rack::Signature
+
+Rack Middleware used to verify signed requests.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'rack-signature'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rack-signature
+
+## Usage
+
+```ruby
+  use Rack::Signature, 'your-shared-key'
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.test_files = FileList['test/*_test.rb']
+  t.verbose = true
+end
+
+task :default => 'test'

data/lib/rack/signature.rb

@@ -0,0 +1,12 @@
+require_relative 'signature/version'
+require_relative 'signature/build_message'
+require_relative 'signature/hmac_signature'
+require_relative 'signature/verify'
+
+module Rack
+  module Signature
+    def self.new(app, key)
+      Verify.new(app, key)
+    end
+  end
+end

data/lib/rack/signature/build_message.rb

@@ -0,0 +1,41 @@
+require 'rack/request'
+
+module Rack
+  module Signature
+    class BuildMessage
+      attr_reader :request
+
+      # initialize with a hash of options
+      #
+      # ==== Attributes
+      #
+      # * +env+ - The rack app env
+      #
+      def initialize(env)
+        @request = ::Rack::Request.new(env)
+      end
+
+      def build!
+        create_request_message
+      end
+
+      private
+
+      def sort_query_params
+        request.params.sort.map { |param| param.join('=') }
+      end
+
+      def canonicalized_query_params
+        sort_query_params.join('&')
+      end
+
+      def create_request_message
+        request.request_method.upcase +
+          request.path_info.downcase +
+          request.host.downcase +
+          canonicalized_query_params
+      end
+
+    end
+  end
+end

data/lib/rack/signature/hmac_signature.rb

@@ -0,0 +1,41 @@
+require 'openssl'
+require 'base64'
+
+module Rack
+  module Signature
+    class HmacSignature
+
+      # initialize with the shared key and a hash of options for building the
+      # signature
+      #
+      # ==== Attributes
+      #
+      # * +key+     - The shared key used as a salt.
+      # * +message+ - The built request message
+      #
+      def initialize(key, message)
+        @key, @message = key, message
+      end
+
+      # returns a Base64 encoded HMAC of the request plus the private shared key
+      def sign
+        encode_hmac
+      end
+
+      private
+
+      def encode_hmac
+        Base64.encode64( hmac_message ).chomp
+      end
+
+      def hmac_message
+        ::OpenSSL::HMAC.digest(cipher, @key, @message)
+      end
+
+      def cipher
+        ::OpenSSL::Digest::Digest.new("sha256")
+      end
+
+    end
+  end
+end

data/lib/rack/signature/verify.rb

@@ -0,0 +1,56 @@
+require_relative 'hmac_signature'
+
+# A Rack app to verify requests based on a computed signature passed within the
+# HTTP Header: X-Auth-Sig.
+#
+# This app will rebuild the signature and then compare its own computed HMAC
+# against the one sent from the client to verify authenticity.
+#
+module Rack
+  module Signature
+    class Verify
+
+      # Initializes the Rack Middleware
+      #
+      # ==== Attributes
+      #
+      # * +app+     - A Rack app
+      # * +key+     - The shared key used as a salt.
+      #
+      def initialize(app, key)
+        @app, @key = app, key
+      end
+
+      def call(env)
+        if signature_is_valid?(env)
+          @app.call(env)
+        else
+          invalid_signature
+        end
+      end
+
+      private
+
+      # if the signature is invalid we send back this Rack app
+      def invalid_signature
+        [403, {'Content-Type' => 'text/html'}, 'Invalid Signature']
+      end
+
+      # compares the received Signature against what the Signature should be
+      # (computed signature)
+      def signature_is_valid?(env)
+        received_signature = env["HTTP_X_AUTH_SIG"]
+        expected_signature = compute_signature(env)
+
+        expected_signature == received_signature
+      end
+
+      # builds the request message and tells HmacSignature to sign the message
+      def compute_signature(env)
+        message = BuildMessage.new(env).build!
+        HmacSignature.new(@key, message).sign
+      end
+
+    end
+  end
+end

data/lib/rack/signature/version.rb

@@ -0,0 +1,11 @@
+module Rack
+  module Signature
+    MAJOR = 0
+    MINOR = 0
+    PATCH = 1
+
+    def self.version
+      [MAJOR, MINOR, PATCH].join('.')
+    end
+  end
+end

data/rack-signature.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rack/signature/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "rack-signature"
+  gem.version       = Rack::Signature.version
+  gem.authors       = ["Robert Evans"]
+  gem.email         = ["robert@codewranglers.org"]
+  gem.description   = %q{Rack Middleware for verifying signed requests}
+  gem.summary       = %q{Rack Middleware for verifying signed requests}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency 'rack'
+
+  gem.add_development_dependency 'minitest'
+  gem.add_development_dependency 'rack-test'
+  gem.add_development_dependency 'rake'
+end

data/test/build_message_test.rb

@@ -0,0 +1,28 @@
+require_relative '../lib/rack/signature/build_message'
+require 'test_helper'
+
+module Rack::Signature
+  class BuildMessageTest < MiniTest::Unit::TestCase
+
+    def test_build_with_a_valid_request
+      env = Rack::MockRequest.env_for(
+        "http://example.com/api/login?password=123456&email=me@home.com")
+
+      assert_equal "GET/api/loginexample.comemail=me@home.com&password=123456",
+        BuildMessage.new(env).build!
+    end
+
+    def test_build_order
+      env = Rack::MockRequest.env_for(
+        "http://example.com/api/login",
+        "Content-Type"    => "application/json",
+        "REQUEST_METHOD"  => "POST",
+        input: "password=123456&email=me@home.com&name=me&age=1"
+      )
+
+      assert_equal "POST/api/loginexample.comage=1&email=me@home.com&name=me&password=123456",
+        BuildMessage.new(env).build!
+    end
+
+  end
+end

data/test/hmac_signature_test.rb

@@ -0,0 +1,44 @@
+require_relative '../lib/rack/signature/hmac_signature'
+require 'test_helper'
+
+module Rack::Signature
+  class HmacSignatureTest < MiniTest::Unit::TestCase
+
+    def test_valid_signature
+      assert_equal expected_signature,
+        HmacSignature.new(key, request_message).sign
+    end
+
+    def test_tampered_query_params
+      tampered_message = "POST/api/loginexample.comage=1&email=me@home.com&name=me&password=3456"
+
+      refute_equal expected_signature,
+        HmacSignature.new(key, tampered_message).sign
+    end
+
+    def test_different_shared_key
+      refute_equal expected_signature,
+        HmacSignature.new("123", request_message).sign
+    end
+
+    def test_missing_options
+      missing_request_params = "POST/api/loginexample.comemail=me@home.com&password=123456"
+      refute_equal expected_signature,
+        HmacSignature.new(key, missing_request_params).sign
+    end
+
+    # Helper methods
+    def request_message
+      "POST/api/loginexample.comage=1&email=me@home.com&name=me&password=123456"
+    end
+
+    def key
+      ::Digest::SHA2.hexdigest("shared-key")
+    end
+
+    def expected_signature
+      "Z0qY8Hy4a/gJkGZI0gklzM6vZztsAVVDjA18vb1BvHg="
+    end
+
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,4 @@
+require 'minitest/autorun'
+require 'rack/test'
+require 'rack/mock'
+require 'digest/sha2'

data/test/verify_test.rb

@@ -0,0 +1,83 @@
+require_relative '../lib/rack/signature'
+require 'test_helper'
+
+describe "Verifying a signed request" do
+  include Rack::Test::Methods
+
+  def setup
+    @shared_key = key
+    @signature  = expected_signature
+  end
+
+  let(:app)             { lambda { |env| [200, {}, ['Hello World']] } }
+  let(:rack_signature)  { Rack::Signature.new(app, @shared_key) }
+  let(:mock_request)    { Rack::MockRequest.new(rack_signature) }
+
+  describe "when a request is made without a signature" do
+    let(:response) { mock_request.get '/api/login?password=123456&email=me@home.com' }
+
+    it 'returns a 403 status' do
+      assert_equal 403, response.status
+    end
+
+    it 'returns "Invalid Signature" as the response body' do
+      assert_equal 'Invalid Signature', response.body
+    end
+
+    it 'returns the correct header' do
+      expected_header = {"Content-Type"=>"text/html", "Content-Length"=>"17"}
+      assert_equal expected_header, response.header
+    end
+  end
+
+  describe "when a requests is sent with a valid signature" do
+    let(:response) do
+      mock_request.post("http://example.com/api/login",
+        "Content-Type"    => "application/json",
+        "REQUEST_METHOD"  => "POST",
+        "HTTP_X_AUTH_SIG" => @signature,
+        input: "password=123456&email=me@home.com&name=me&age=1")
+    end
+
+    it 'will return a 200 status' do
+      assert_equal 200, response.status
+    end
+
+    it 'will call the next rack app' do
+      assert_equal 'Hello World', response.body
+    end
+  end
+
+  describe "when a requests is sent with a tampered signature" do
+    let(:response) do
+      mock_request.post("http://example.com/api/login",
+        "Content-Type"    => "application/json",
+        "REQUEST_METHOD"  => "POST",
+        "HTTP_X_AUTH_SIG" => @signature,
+        input: "password=1234567&email=me@home.com&name=me&age=1")
+    end
+
+    it 'returns a 403 status' do
+      assert_equal 403, response.status
+    end
+
+    it 'returns "Invalid Signature" as the response body' do
+      assert_equal 'Invalid Signature', response.body
+    end
+
+    it 'returns the correct header' do
+      expected_header = {"Content-Type"=>"text/html", "Content-Length"=>"17"}
+      assert_equal expected_header, response.header
+    end
+  end
+
+  # Helper Methods
+  def key
+    ::Digest::SHA2.hexdigest("shared-key")
+  end
+
+  def expected_signature
+    "Z0qY8Hy4a/gJkGZI0gklzM6vZztsAVVDjA18vb1BvHg="
+  end
+
+end

data/test/version_test.rb

@@ -0,0 +1,9 @@
+require_relative '../lib/rack/signature/version'
+require 'minitest/autorun'
+
+class VersionTest < MiniTest::Unit::TestCase
+  def test_version
+    expected_version = '0.0.1'
+    assert_equal expected_version, Rack::Signature.version
+  end
+end

metadata

@@ -0,0 +1,132 @@
+--- !ruby/object:Gem::Specification
+name: rack-signature
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Robert Evans
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-12-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Rack Middleware for verifying signed requests
+email:
+- robert@codewranglers.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/rack/signature.rb
+- lib/rack/signature/build_message.rb
+- lib/rack/signature/hmac_signature.rb
+- lib/rack/signature/verify.rb
+- lib/rack/signature/version.rb
+- rack-signature.gemspec
+- test/build_message_test.rb
+- test/hmac_signature_test.rb
+- test/test_helper.rb
+- test/verify_test.rb
+- test/version_test.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Rack Middleware for verifying signed requests
+test_files:
+- test/build_message_test.rb
+- test/hmac_signature_test.rb
+- test/test_helper.rb
+- test/verify_test.rb
+- test/version_test.rb
+has_rdoc: