rack-simple_auth 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4ed00cc40f3111fa03accfd030db1def811ad27a
-  data.tar.gz: cc12d38b646cb6f258e1914e42467258e1da1598
+  metadata.gz: 7da6de52a27fba5b232011cb9259c8c31ba95473
+  data.tar.gz: 35f166b707a7da786ed0358eb958591bd82ecb67
 SHA512:
-  metadata.gz: ee8ef0e6b86dc1d199fb32db40721ea0ac79be6d0ad2d1d561c2b9b8acb71b218bd96ddc1591cc5929f8f2cd967445c8d21de7994df700eb419cc0de7ac5d30e
-  data.tar.gz: 44443667ba5df710dfd7fd0340397eb2e6e45fd02f91ef8d208dc060a6a3a50fa12dfb3f14ea6719476042a542aebb20a8542109773853896c14554b23640ff5
+  metadata.gz: b7f297881cad83bf4a6123fc2f072e8d487b32f2440f667a9902c16e9ac8af608d07190c88a79a038f51869ec4a795ed39929f0ea9f0fd2932444efe818f90ba
+  data.tar.gz: 758c2e12bc71f147f0a9bce5c5ba9072efc37ca2a6fca980c5f20dc7aa258a0c53ac2698e71a4ca56ba1d8a94670b54c557da74d3d89fb4f216b61a7529f0f57

data/.rubocop.yml

@@ -1,2 +1 @@
-LineLength:
-  Max: 160
+inherit_from: rubocop-todo.yml

data/README.md

@@ -25,20 +25,12 @@ Or install it yourself as:
 [![Gem Version](https://badge.fury.io/rb/rack-simple_auth.png)](http://badge.fury.io/rb/rack-simple_auth)
 [![Dependency Status](https://gemnasium.com/Benny1992/rack-simple_auth.png)](https://gemnasium.com/Benny1992/rack-simple_auth)
 
-
-
-
 ## Usage
 
 ### HMAC Authorization
 
 HMAC should be used for communication between website backend and api server/controller/whatever..
 
-~~For usage between Server <-> Client a sniffer could easily extract the signature/public key and 
-the encrypted message which is for now the same for the same request (see TODO implement timestamp).~~
-
-~~With these 2 informations a "secure" backend could be easily seen public...~~
-
 In version 0.0.5 the timestamp has been added to the msg which will be encrypted, also the possibility to configure the allowed delay a request can have has been added.
 
 Uses Authorization HTTP Header, example:
@@ -56,7 +48,8 @@ config = {
   'DELETE' => 'path',
   'PUT' => 'path',
   'PATCH' => 'path'
-  'tolerance' => 2,
+  'tolerance' => 1,
+  'steps' => 0.1,
   'signature' => 'signature',
   'secret' => 'secret',
   'logpath' => '/path/to/log/file'
@@ -73,6 +66,7 @@ Note: Private Key and Signature should be served by a file which is not checked
 
 
 
+
 #### Config Hash
 
 
@@ -109,6 +103,14 @@ The tolerance which is configureable in the config hash sets the possible delay
 
 Notice: For a set tolerance a Encrypted Message array will be generated and compared with the MessageHash from the AUTH Header
 
+In Version 0.1.0 the stepsize option has been added
+
+You can now specify how many valid hashes are created in a range between eg.: (-1..1) (= tolerance)
+
+A minimum stepsize of 0.01 is required (0.01 are 10 milliseconds, this is the minimum because of ruby's float disaster and therefore the gem has to use Float#round(2))
+
+Let me know if you need a smaller stepsize...
+
 
 #### Logging
 
@@ -123,9 +125,6 @@ It contains following information:
 - The Encrypted Message Array which was expected
 - The Signature which was expected
 
-
-
-
 ## TODO 
 
 ~~Add Timestamp to encryption..~~
@@ -154,3 +153,4 @@ It contains following information:
 
 
 
+

data/lib/rack/simple_auth/hmac.rb

@@ -10,18 +10,22 @@ module Rack
         @app = app
         @signature = config['signature'] || ''
         @secret = config['secret'] || ''
-        @tolerance = config['tolerance'] || 0 # 0 if tolerance not set in config hash
+        @tolerance = config['tolerance'] || 1 # 0 if tolerance not set in config hash
         @logpath = config['logpath']
         @steps = config['steps'] || 1
 
+        valid_stepsize?(0.01)
+        valid_tolerance?
+
         @config = config
       end
 
       # call Method for Rack Middleware/Application
       # @param [Hash] env [Rack Env Hash which contains headers etc..]
       def call(env)
-        request = Rack::Request.new(env)
-        if valid?(request)
+        @request = Rack::Request.new(env)
+
+        if valid_request?
           @app.call(env)
         else
           response = Rack::Response.new('Unauthorized', 401, 'Content-Type' => 'text/html')
@@ -30,90 +34,91 @@ module Rack
       end
 
       # checks for valid HMAC Request
-      # @param [Rack::Request] request [current Request]
       # @return [boolean] ValidationStatus [If authorized returns true, else false]
-      def valid?(request)
-        hash_array = build_allowed_messages(request)
-
-        if request.env['HTTP_AUTHORIZATION'].nil?
-          log(request, hash_array)
+      def valid_request?
+        if @request.env['HTTP_AUTHORIZATION'].nil?
+          log(allowed_messages)
 
           return false
         end
 
-        auth_array = request.env['HTTP_AUTHORIZATION'].split(':')
-        message_hash = auth_array[0]
-        signature = auth_array[1]
-
-        if signature == @signature && hash_array.include?(message_hash)
+        if request_signature == @signature && allowed_messages.include?(request_message)
           true
         else
-          log(request, hash_array)
+          log(allowed_messages)
 
           false
         end
       end
 
+      private
+
+      # Get request signature
+      def request_signature
+        @request.env['HTTP_AUTHORIZATION'].split(':').last
+      end
+
+      # Get encrypted request message
+      def request_message
+        @request.env['HTTP_AUTHORIZATION'].split(':').first
+      end
+
       # Builds Array of allowed message hashs
-      # @param [Rack::Request] request [current Request]
       # @return [Array] hash_array [allowed message hashes as array]
-      def build_allowed_messages(request)
-        hash_array = []
+      def allowed_messages
+        messages = []
 
         (-(@tolerance)..@tolerance).step(@steps) do |i|
           i = i.round(2)
-          hash_array << OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message(request, i))
+          messages << OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message(i))
         end
 
-        hash_array
+        messages
       end
 
       # Get Message for current Request and delay
-      # @param [Rack::Request] request [current Request]
       # @param [Fixnum] delay [delay in timestamp format]
       # @return [Hash] message [message which will be encrypted]
-      def message(request, delay = 0)
+      def message(delay = 0)
         date = Time.now.to_i + delay
+        date = date.to_i if delay.eql?(0.0)
 
-        if delay.eql?(0.0)
-          date = date.to_i
-        end
-
-        case request.request_method
+        case @request.request_method
         when 'GET'
-          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => @request.request_method, 'date' => date, 'data' => request_data(@config) }.to_json
         when 'POST'
-          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => @request.request_method, 'date' => date, 'data' => request_data(@config) }.to_json
         when 'DELETE'
-          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => @request.request_method, 'date' => date, 'data' => request_data(@config) }.to_json
         when 'PUT'
-          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => @request.request_method, 'date' => date, 'data' => request_data(@config) }.to_json
         when 'PATCH'
-          return { 'method' => request.request_method, 'date' => date, 'data' => request_data(request, @config) }.to_json
+          return { 'method' => @request.request_method, 'date' => date, 'data' => request_data(@config) }.to_json
         end
       end
 
       # Get Request Data specified by Config
-      # @param [Rack::Request] request [current Request]
       # @param [Hash] config [Config Hash containing what type of info is data for each request]
       # @return [String|Hash] data [Data for each request]
-      def request_data(request, config)
-        if config[request.request_method] == 'path' || config[request.request_method] == 'params'
-          request.send(config[request.request_method].to_sym)
+      def request_data(config)
+        if config[@request.request_method] == 'path' || config[@request.request_method] == 'params'
+          @request.send(config[@request.request_method].to_sym)
         else
-          fail "Not a valid option #{config[request.request_method]} - Use either params or path"
+          fail "Not a valid option #{config[@request.request_method]} - Use either params or path"
         end
       end
 
       # Log to @logpath if request is unathorized
-      # @param [Rack::Request] request [current Request]
-      def log(request, hash_array)
+      # Contains:
+      #   - allowed messages and received message
+      #   - time when request was made
+      #   - type of request
+      #   - requested path
+      def log(hash_array)
         if @logpath
-          path = request.path
-          method = request.request_method
-
-          log = "#{Time.new} - #{method} #{path} - 400 Unauthorized - HTTP_AUTHORIZATION: #{request.env['HTTP_AUTHORIZATION']}\n"
-          log << "Auth Message Config: #{@config[request.request_method]}\n"
+          log = "#{Time.new} - #{@request.request_method} #{@request.path} - 400 Unauthorized\n"
+          log << "HTTP_AUTHORIZATION: #{@request.env['HTTP_AUTHORIZATION']}\n"
+          log << "Auth Message Config: #{@config[@request.request_method]}\n"
 
           if hash_array
             log << "Allowed Encrypted Messages:\n"
@@ -130,7 +135,21 @@ module Rack
         end
       end
 
-      private :log, :request_data, :message, :valid?, :build_allowed_messages
+      # Check if Stepsize is valid, if > min ensure stepsize is min stepsize
+      # @param [float] min [minimum allowed stepsize]
+      def valid_stepsize?(min)
+        if @steps < min
+          puts "Warning: Minimum allowed stepsize is #{min}"
+          @steps = min
+        end
+      end
+
+      # Check if tolerance is valid, tolerance must be greater than stepsize
+      def valid_tolerance?
+        if @tolerance < @steps
+          fail "Tolerance must be greater than stepsize - Tolerance: #{@tolerance}, Stepsize: #{@steps}"
+        end
+      end
     end
   end
 end

data/lib/rack/simple_auth/version.rb

@@ -2,6 +2,6 @@ module Rack
   # Module which Contains different Authorization / Authentication Classes (HMAC, ..)
   module SimpleAuth
     # Current Gem Version
-    VERSION = '0.1.0'
+    VERSION = '0.1.1'
   end
 end

data/test/config.ru

@@ -7,11 +7,11 @@ config = {
   'DELETE' => 'path',
   'PUT' => 'path',
   'PATCH' => 'path',
-  'tolerance' => 1,
+  'tolerance' => 0.5,
   'signature' => 'test_signature',
   'secret' => 'test_secret',
   'logpath' => "#{File.expand_path('..', __FILE__)}/logs",
-  'steps' => 0.1
+  'steps' => 0.01
 }
 
 use Rack::SimpleAuth::HMAC, config

data/test/rack/simple_auth/hmac_fail_test.rb

@@ -21,6 +21,18 @@ class HMACFailTest < MiniTest::Unit::TestCase
     assert_raises(RuntimeError) { get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}" }
   end
 
+  def test_fail_step
+    out, err = capture_io do
+      Rack::Builder.parse_file("#{Rack::SimpleAuth.root}/test/config_fail_step.ru").first
+    end
+
+    assert_match('Warning: Minimum allowed stepsize is 0.01', out, 'Warning should be printed if stepsize is below 0.01')
+  end
+
+  def test_fail_tolerance
+    assert_raises(RuntimeError) { Rack::Builder.parse_file("#{Rack::SimpleAuth.root}/test/config_fail_tolerance.ru").first }
+  end
+
   def teardown
   end
 end

data/test/rack/simple_auth/hmac_test.rb

@@ -41,7 +41,7 @@ class HMACTest < MiniTest::Unit::TestCase
     get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
     assert_equal(200, last_response.status, 'Delay in tolerance range should receive 200')
- end
+  end
 
   def test_get_with_too_big_delay
     uri = '/'
@@ -55,7 +55,7 @@ class HMACTest < MiniTest::Unit::TestCase
 
   def test_get_with_wrong_step
     uri = '/'
-    message = { 'method' => 'GET', 'date' => Time.now.to_i + 0.03, 'data' => uri }.to_json
+    message = { 'method' => 'GET', 'date' => Time.now.to_i + 0.035, 'data' => uri }.to_json
     hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"

data/test/test_helper.rb

@@ -1,4 +1,4 @@
-ENV['RACK_ENV']='test'
+ENV['RACK_ENV'] = 'test'
 
 require 'simplecov'
 require 'coveralls'
@@ -44,4 +44,3 @@ Rack::SimpleAuth.failapp = Rack::Builder.parse_file("#{Rack::SimpleAuth.root}/te
 
 @logpath = "#{File.expand_path("..", __FILE__)}/logs"
 system("mkdir #{@logpath}")
-

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-simple_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Benny1992
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-21 00:00:00.000000000 Z
+date: 2014-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -135,3 +135,4 @@ signing_key:
 specification_version: 4
 summary: SimpleAuth HMAC authentication
 test_files: []
+has_rdoc: