rack-simple_auth 0.0.4 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
----
-SHA1:
-  metadata.gz: 1ddc2a8a4e31a86469b6294b78c31ce0a9b938cc
-  data.tar.gz: 081aed6f5c4d847f20297bd15a32a70a143f8f52
-SHA512:
-  metadata.gz: df03c3b8b38e2648e130dbb14e3c82bfc848077151a8600615e2fd071a6d302533baa864f9455f3c72b4bc0d59e3f5aa0db6650700877cdc080a38d3a2a44853
-  data.tar.gz: df55389faa3883774789585ed0041ebfd5b87b8092504363640e910b7da72def4dc0ded4218ac03e1d01c73f6f532c039b9a2d79a9b9e3d34db2e1609dd4204e
+--- 
+SHA1: 
+  metadata.gz: 679543cc4da776a8986f3d8477153db2daa11c3f
+  data.tar.gz: befc0a5d1bae82ae0b1bf169af01270124a63b0c
+SHA512: 
+  metadata.gz: 02c9398175da001fbb27384be1c6c2d39b2b385e45751924cb5edf567b903e6c55f6bccce0edbeb57e700d6b74209185d451659a734246f9ef9df8e92a59c887
+  data.tar.gz: f32117cd429abfe524be90fd69a4627d765427fc6f2d5fe5e2d7dc89130be0ba6a327d29f1216adb0f22222e5bf931bd498c0ad879b583cd82c39afd7fd4adff

data/README.md

@@ -25,11 +25,15 @@ Or install it yourself as:
 [![Gem Version](https://badge.fury.io/rb/rack-simple_auth.png)](http://badge.fury.io/rb/rack-simple_auth)
 [![Dependency Status](https://gemnasium.com/Benny1992/rack-simple_auth.png)](https://gemnasium.com/Benny1992/rack-simple_auth)
 
+
+
+
 ## Usage
 
 ### HMAC Authorization
 
 HMAC should be used for communication between website backend and api server/controller/whatever..
+
 For usage between Server <-> Client a sniffer could easily extract the signature/public key and 
 the encrypted message which is for now the same for the same request (see TODO implement timestamp).
 
@@ -91,6 +95,7 @@ It contains following information:
 - The Encrypted Message which was expected
 - The Signature which was expected
 
+
 ## TODO 
 
 Add Timestamp to encryption..
@@ -107,3 +112,7 @@ He got the encrypted message for the specific request && signature -> No securit
 4. Push to the branch (`git push origin my-new-feature`)
 5. Create new Pull Request
 
+
+
+
+

data/lib/rack/simple_auth/hmac.rb

@@ -12,6 +12,7 @@ module Rack
         @signature = signature
         @secret = secret
         @config = config
+        @tolerance = config['tolerance'] || 0 # 0 if tolerance not set in config hash
         @logpath = logpath
       end
 
@@ -41,9 +42,9 @@ module Rack
         message_hash = auth_array[0]
         signature = auth_array[1]
 
-        @hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message(request))
+        @hash_array = build_allowed_messages(request)
 
-        if signature == @signature && @hash == message_hash
+        if signature == @signature && @hash_array.include?(message_hash)
           true
         else
           log(request)
@@ -52,21 +53,35 @@ module Rack
         end
       end
 
+      # Builds Array of allowed message hashs
+      # @param [Rack::Request] request [current Request]
+      # @return [Array] hash_array [allowed message hashes as array]
+      def build_allowed_messages(request)
+        hash_array = []
+
+        (-(@tolerance)..@tolerance).each do |i|
+          hash_array << OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message(request, i))
+        end
+
+        hash_array
+      end
+
       # Get Message for current Request
       # @param [Rack::Request] request [current Request]
       # @return [Hash] message [message which will be encrypted]
-      def message(request)
+      def message(request, delay = 0)
+        date = Time.now.to_i + delay
         case request.request_method
         when 'GET'
-          return { 'method' => request.request_method, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
         when 'POST'
-          return { 'method' => request.request_method, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
         when 'DELETE'
-          return { 'method' => request.request_method, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
         when 'PUT'
-          return { 'method' => request.request_method, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
         when 'PATCH'
-          return { 'method' => request.request_method, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
         end
       end
 
@@ -91,8 +106,13 @@ module Rack
 
           log = "#{Time.new} - #{method} #{path} - 400 Unauthorized - HTTP_AUTHORIZATION: #{request.env['HTTP_AUTHORIZATION']}\n"
           log << "Auth Message Config: #{@config[request.request_method]}\n"
-          log << "Auth Encrypted Message: #{@hash}\n"
-          log << "Auth Signature: #{@signature}\n"
+          log << "Allowed Encrypted Messages:\n"
+
+          @hash_array.each do |hash|
+            log << "#{hash}\n"
+          end
+
+          log << "Auth Signature: #{@signature}"
 
           open("#{@logpath}/#{ENV['RACK_ENV']}_error.log", 'a') do |f|
             f << "#{log}\n"

data/lib/rack/simple_auth/version.rb

@@ -2,6 +2,6 @@ module Rack
   # Module which Contains different Authorization / Authentication Classes (HMAC, ..)
   module SimpleAuth
     # Current Gem Version
-    VERSION = '0.0.4'
+    VERSION = '0.0.5'
   end
 end

data/test/config.ru

@@ -7,6 +7,7 @@ config = {
   'DELETE' => 'path',
   'PUT' => 'path',
   'PATCH' => 'path',
+  'tolerance' => 2
 }
 
 use Rack::SimpleAuth::HMAC, 'test_signature', 'test_secret', config, "#{File.expand_path('..', __FILE__)}/logs"

data/test/rack/simple_auth/hmac_test.rb

@@ -25,7 +25,7 @@ class HMACTest < MiniTest::Unit::TestCase
 
   def test_get_with_right_auth_header
     uri = '/'
-    message = { 'method' => 'GET', 'data' => uri }.to_json
+    message = { 'method' => 'GET', 'date' => Time.now.to_i, 'data' => uri }.to_json
     hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
 
     get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
@@ -33,6 +33,26 @@ class HMACTest < MiniTest::Unit::TestCase
     assert_equal(200, last_response.status, 'Authorized Request should receive 200')
   end
 
+  def test_get_with_delay_in_tolerance_range
+    uri = '/'
+    message = { 'method' => 'GET', 'date' => Time.now.to_i - 2, 'data' => uri }.to_json
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+
+    get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
+
+    assert_equal(200, last_response.status, 'Delay in tolerance range should receive 200')
+ end
+
+  def test_get_with_too_big_delay
+    uri = '/'
+    message = { 'method' => 'GET', 'date' => Time.now.to_i - 50, 'data' => uri }.to_json
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+
+    get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
+
+    assert_equal(401, last_response.status, 'Delay not in tolerance range should receive 401')
+  end
+
   def test_post_with_wrong_auth_header
     post '/', { 'name' => 'Bensn' }, 'HTTP_AUTHORIZATION' => 'wrong_header'
     assert_equal(401, last_response.status, 'Wrong HTTP_AUTHORIZATION Header should receive 401')
@@ -40,7 +60,7 @@ class HMACTest < MiniTest::Unit::TestCase
 
   def test_post_with_right_auth_header
     params = { 'name' => 'Bensn' }
-    message = { 'method' => 'POST', 'data' => params }.to_json
+    message = { 'method' => 'POST', 'date' => Time.now.to_i, 'data' => params }.to_json
     hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
 
     post '/', params, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
@@ -55,7 +75,7 @@ class HMACTest < MiniTest::Unit::TestCase
 
   def test_delete_with_right_auth_header
     uri = '/'
-    message = { 'method' => 'DELETE', 'data' => uri }.to_json
+    message = { 'method' => 'DELETE', 'date' => Time.now.to_i, 'data' => uri }.to_json
     hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
 
     delete uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
@@ -70,7 +90,7 @@ class HMACTest < MiniTest::Unit::TestCase
 
   def test_put_with_right_auth_header
     uri = '/'
-    message = { 'method' => 'PUT', 'data' => uri }.to_json
+    message = { 'method' => 'PUT', 'date' => Time.now.to_i, 'data' => uri }.to_json
     hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
 
     put uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
@@ -85,7 +105,7 @@ class HMACTest < MiniTest::Unit::TestCase
 
   def test_patch_with_right_auth_header
     uri = '/'
-    message = { 'method' => 'PATCH', 'data' => uri }.to_json
+    message = { 'method' => 'PATCH', 'date' => Time.now.to_i, 'data' => uri }.to_json
     hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
 
     patch uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"

metadata

@@ -1,96 +1,75 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: rack-simple_auth
-version: !ruby/object:Gem::Version
-  version: 0.0.4
+version: !ruby/object:Gem::Version 
+  version: 0.0.5
 platform: ruby
-authors:
+authors: 
 - Benny1992
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-14 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2014-03-16 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - &id003 
+      - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
   name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-  type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.5'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "1.5"
   type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rake
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: coveralls
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    requirements: 
+    - *id003
   type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: coveralls
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rack-test
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    requirements: 
+    - *id003
   type: :development
+  version_requirements: *id005
+- !ruby/object:Gem::Dependency 
+  name: rack-test
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    requirements: 
+    - *id003
+  type: :development
+  version_requirements: *id006
 description: SimpleAuth HMAC authentication
-email:
+email: 
 - klotz.benjamin@yahoo.de
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
-- ".gitignore"
-- ".rubocop.yml"
-- ".travis.yml"
-- ".yardopts"
+
+files: 
+- .gitignore
+- .rubocop.yml
+- .travis.yml
+- .yardopts
 - Gemfile
 - LICENSE.txt
 - MANIFEST
@@ -111,27 +90,28 @@ files:
 - test/rack/simple_auth/hmac_test.rb
 - test/test_helper.rb
 homepage: http://www.bennyklotz.at
-licenses:
+licenses: 
 - MIT
 metadata: {}
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - *id003
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - *id003
 requirements: []
+
 rubyforge_project: 
 rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: SimpleAuth HMAC authentication
 test_files: []
+
+has_rdoc: