rubysspi 1.2.2

data/CHANGELOG.txt

@@ -0,0 +1,13 @@
+== 1.2.2
+ * Fixed incompatibility with RubyGems >= 0.9.2 and RubySSPI Net::HTTP patch. Patch now directly requires the SSPI files, rather than relying on RubyGems to load it.
+ * Updated gem tests for compatibility with RubyGems >= 0.9.2.
+
+== 1.2.0
+ * Refactored naming in preparation for inclusion in ruby distribution
+   * rubysspi.rb renamed to win32/sspi.rb
+   * rubysspi/proxy_auth.rb renamed to win32/net/http_proxy_patch.rb
+ * Updated apply_sspi_patch to determine if RubySSPI gem is installed and fail if not. Also fails if the patch has already been installed.
+ * Added test to "test_patched_net_http.rb" to ensure net/http has been patched first.
+ * Removed Win32 platform restriction on gem (though it will still only run in Win32 environments, real or emulated).
+ * CHANGELOG begun
+   

data/LICENSE.txt

@@ -0,0 +1,11 @@
+#
+# = RubySSPI
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#

data/README.txt

@@ -0,0 +1,131 @@
+= Introduction
+
+This library provides bindings to the Win32 SSPI libraries, which implement various security protocols for Windows. The library was primarily developed to give Negotiate/NTLM proxy authentication abilities to Net::HTTP, similar to support found in Internet Explorer or Firefox.
+
+The libary is NOT an implementation of the NTLM protocol, and does not give the ability to authenticate as any given user. It is able to authenticate with a proxy server as the current user.
+
+This project can be found on rubyforge at:
+
+http://rubyforge.org/projects/rubysspi
+
+= Using with rubygems (and other libraries)
+
+If RubyGems is not working because of proxy authorization errors, the rubysspi library can be used to solve the problem. The gem includes a file called <tt>spa.rb</tt> in the root directory. Copy this file to your site_ruby directory and then run the gem script directly:
+
+  ruby -rspa 'C:\Program Files\ruby\gem' 
+
+For example, to list remote gems that match "sspi" this command can be used  
+
+  ruby -rspa 'C:\Program Files\ruby\gem' list --remote sspi
+
+You must copy the <tt>spa.rb</tt> file yourself, however. Rubygems is not able to do it for you on install.
+
+= Using with open-uri
+
+To use the library with open-uri, make sure to set the environment variable +http_proxy+ to your proxy server. This must be a hostname and port in URL form. E.g.:
+
+  http://proxy.corp.com:8080
+  
+The library will grab your current username and domain from the environment variables +USERNAME+ and +USERDOMAIN+. This should be set for you by Windows already.
+
+The library implements a patch on top of Net::HTTP, which means open-uri gets it too. At the top of your script, make sure to require the patch after <tt>open-uri</tt>:
+
+  require 'open-uri'
+  require 'win32/sspi/http_proxy_patch'
+  
+  open("http://www.google.com") { |f| puts(f.gets(nil)) }
+
+Note that this patch does NOT work with the +http_proxy_user+ and +http_proxy_password+ environment variables. The library will ONLY authenticate as the current user.
+
+= Using with Net::HTTP
+
+Net::HTTP will not use the proxy server supplied in the environment variable automatically, so you have to supply the proxy address yourself. Otherwise, it's exactly the same:
+
+  require 'net/http'
+  require 'win32/sspi/http_proxy_patch'
+  
+  Net::HTTP::Proxy("proxy.corp.com", 8080).start("www.google.com") do |http|
+    resp = http.request_get "/"
+    puts resp.body
+  end
+  
+= Using rubysspi directly
+
+As stated, the library is geared primarily towards supporting Negotiate/NTLM authentication with proxy servers. In this vein, you can manually authenticate a given HTTP connection with a single call:
+
+  require 'win32/sspi'
+
+  Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+    resp = SSPI::NegotiateAuth.proxy_auth_get http, "/"
+  end
+
+The +resp+ variable will contain the response from Google, with any proxy authorization necessary taken care of automatically. Note that if the +http+ connection is not closed, any subsequent requests will NOT require authentication. 
+
+If the above method is used, you should NOT require the 'win32/sspi/http_proxy_patch' library, as the interaction between the two will fail.
+
+The library can be used directly to generate tokens appropriate for the current user, too.
+
+To get started, first create an instance of the SSPI::NegotiateAuth class:
+
+  require 'win32/sspi'
+  
+  n = SSPI::NegotiateAuth.new
+  
+Next, get the first token by calling get_initial_token:
+
+  token = n.get_initial_token
+  
+This token returned will be Base64 encoded and can be directly placed in an HTTP header. This token can be easily decoded, however, and is usually an NTLM Type 1 message.
+
+After getting a response from the server (usually an NTLM Type 2 message), pass it into the complete_authentication:
+
+  token = n.complete_authentication(server_token)
+  
+Note that server_token can be Base64 encoded or not, and if it starts with "Negotiate", that phrase will be stripped off. This allows the response from a Proxy-Authentication header to be passed into the method directly. The token can be decoded externally and passed in, too.
+
+The token returned (usually an NTLM Type 3) message can then be sent to the server and the connection should be authenticated.
+
+= Patching Ruby
+
+ A short script to patch Net::HTTP is also included. This patch will give the Net::HTTP (and consequently, open-uri) the ability to directly authenticate with Negotiate/NTLM proxy servers. The main advantage of patching Ruby itself is that other scripts, such as gems, will work directly with these proxy servers and will not require running with the 'spa' library. Similarly, any scripts which use open-uri or Net::HTTP will gain the ability to authenticate with the proxy server.
+ 
+ To run the script, just run <tt>apply_sspi_patch</tt>. The backup will be made of the original 'http.rb' file, and a new patched file will be copied in. After patching, run the test script 'test\test_patched_net_http.rb'. It ensures that proxy authentication now works without extra libraries. 
+ 
+ Be aware - this has only been tested on Ruby 1.8.4 and 1.8.5. Though the Net::HTTP libraries are not likely to change much, do some testing afterwards. 
+ 
+ If you want the patch disabled for a certain script, just define the constant DISABLE_RUBY_SSPI_PATCH at the top level. If you want to back the patch out, go to the ruby library directory, open the net folder, and rename the file called "http.orig.X.rb" (where X is some number) to http.rb. If the patch has been applied multiple times, uses the lowest "X" found. 
+ 
+= Upgrading to a new version of the library
+
+ If you have installed the RubySSPI library previously, and wish to upgrade to a new version, follow these steps:
+ 
+  - Install the new version of the gem
+  - If you applied the patch before, go to your Ruby library directory (under the One-click installer, its usually ruby\lib\ruby\1.8):
+    - If any http.orig.N.rb files exist (where N is a number), then delete http.rb and rename the lowest http.orig.N.rb file to http.rb
+    - Delete any other nttp.orig.N.rb files.
+  - Run "apply_sspi_patch" to apply the patch again
+ 
+= Disabling proxy for certain servers
+
+ Sometimes it is necessary to NOT use the proxy for certain addresses, especially in a LAN environment. While not a feature directly provided by this library, setting the 'no_proxy' environment variable to a list of servers will ensure no proxy connection is made for them. The list should be comma-delimited, and can consist of any mix of domain names and ports. URLs, however, are not allowed. For example "somehost, somehost.corporate.com, myhost:9000, myhost.corporate.com:80" would all be legal. Note that if a port is NOT specified, then no proxying occurs for that host regardless of the port requested by open-uri. 
+ 
+ Finally, the above technique will only work with the open-uri library. Net::HTTP will not use a proxy automatically in any case.
+
+= Thanks & References
+
+Many references were used in decoding both NTLM messages and integrating with the SSPI library. Among them are:
+
+* Managed SSPI Sample - A .NET implementation of a simple client/server using SSPI. A complex undertaking but provides a great resource for playing with the API.
+  * http://msdn.microsoft.com/library/?url=/library/en-us/dndotnet/html/remsspi.asp?frame=true
+* John Lam's RubyCLR - http://www.rubyclr.com
+  * Originally, I used RubyCLR to call into the Managed SSPI sample which really helped me decode what the SSPI interface did and how it worked. I did not end up using that implementation but it was great for research.
+* The NTLM Authentication Protocol - The definitive explanation for the NTLM protocol (outside MS internal documents, I presume).
+  * http://davenport.sourceforge.net/ntlm.html
+* Ruby/NTLM - A pure Ruby implementation of the NTLM protocol. Again, not used in this project but invaluable for decoding NTLM messages and figuring out what SSPI was returning.
+  * http://rubyforge.org/projects/rubyntlm/
+* Seamonkey/Mozilla NTLM implementation - The only source for an implementation in an actual browser. How they figured out how to use SSPI themselves is beyond me.
+  * http://lxr.mozilla.org/seamonkey/source/mailnews/base/util/nsMsgProtocol.cpp#899
+
+And of course, thanks to my Lord and Savior, Jesus Christ. In the name of the Father, the Son, and the Holy Spirit.
+
+

data/Rakefile

@@ -0,0 +1,40 @@
+require 'rubygems'
+Gem::manage_gems
+require 'rake/gempackagetask'
+require 'rake/testtask'
+
+spec = Gem::Specification.new do |s|
+	s.name = "rubysspi"
+	s.summary = "A library which implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotiate authentication support to Net::HTTP."
+	s.version = "1.2.2"
+	s.author = "Justin Bailey"
+	s.email = "jgbailey @nospam@ gmail.com"
+	s.homepage = "http://rubyforge.org/projects/rubysspi/"
+	s.rubyforge_project = "http://rubyforge.org/projects/rubysspi/"
+	s.description = <<EOS
+This gem provides bindings to the Win32 SSPI libraries, primarily to support Negotiate (i.e. SPNEGO, NTLM)
+authentication with a proxy server. Enough support is implemented to provide the necessary support for
+the authentication.
+
+A module is also provided which overrides Net::HTTP and adds support for Negotiate authentication to it.
+
+This implies that open-uri automatically gets support for it, as long as the http_proxy environment variable
+is set.
+EOS
+
+	s.files = FileList["lib/**/*", "test/*", "*.txt", "Rakefile", "spa.rb"].to_a
+	s.bindir = "bin"
+	s.executables = ["apply_sspi_patch"]
+
+	s.require_path = "lib"
+
+	s.has_rdoc = true
+	s.extra_rdoc_files = ["README.txt", "CHANGELOG.txt", "LICENSE.txt"]
+	s.rdoc_options << '--title' << 'Ruby SSPI -- Win32 SSPI Bindings for Ruby' <<
+                       '--main' << 'README.txt' <<
+                       '--line-numbers'
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.need_tar = true
+end

data/bin/apply_sspi_patch

@@ -0,0 +1,83 @@
+#
+# = bin/apply_sspi_patch
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+# This file will patch the local net/http installation to include support for NTLM/Negotiate authentication.
+# The original http.rb file will be renamed to http.orig.N.rb
+
+require 'rbconfig'
+require 'pathname'
+require 'fileutils'
+
+begin
+  require 'net/http'
+  if Net::HTTP.sspi?
+		puts <<-EOF
+You don't need to patch - it appears to have already been installed.
+
+If you wish to upgrade your patch, please delete the previous patch by 
+renaming net/http.orig.1.rb to http.rb, and deleting any other
+http.orig.N.rb files which may exist, then run this file again.
+	EOF
+
+		exit
+	end
+	
+rescue NoMethodError
+end
+
+begin 
+	require 'rubygems'
+	require 'win32/sspi/http_proxy_patch'
+rescue LoadError
+	puts "Unable to load ruby gems or the rubysspi gem. You cannot patch until the gem is installed."
+	exit
+end
+
+# Original http.rb file
+orig_file = Pathname.new(Config::CONFIG["rubylibdir"]) + 'net\http.rb'
+
+# Determine that original actually exists
+raise "Original http.rb not not found at expected location #{orig_file}" unless orig_file.exist?
+
+# Determine name to copy original file to
+@i += 1 while (orig_dest = Pathname.new(Config::CONFIG["rubylibdir"]) + "net\\http.orig.#{@i ||= 1}.rb").exist?
+
+# Copy original to back up
+puts "Backing up original #{orig_file} to #{orig_dest}"
+FileUtils.cp orig_file, orig_dest
+
+# Get path to current version of the gem.
+spec = Gem::GemPathSearcher.new.find("win32/sspi")
+unless spec
+	puts "Unable to find path win32/sspi in gem repository. Can't install patch."
+	exit
+end
+
+gem_path = Pathname.new(spec.full_gem_path) + spec.require_path
+
+# Write patch file. 
+puts "Creating patch file to replace #{orig_file}"
+orig_file.open("w") { |f| f.write(<<EOS) }
+# Include original net/http
+require 'net/#{orig_dest.basename(orig_dest.extname)}'
+
+# This magic constant can be defined to disable the patch. 
+unless defined? DISABLE_RUBY_SSPI_PATCH
+	# Because rubygems >= 0.9.2 requires net/http, 
+	# we can't depend on ruby gems here. Instead, directly
+	# require path containing RubySSPI gem.
+	$: << "#{gem_path}" unless $:.include?("#{gem_path}")
+  require 'win32/sspi/http_proxy_patch'
+end
+EOS
+
+puts 'Patch applied! Please run ..\test\test_patched_net_http.rb to test the patch.'

data/lib/win32/sspi.rb

@@ -0,0 +1,331 @@
+#
+# = win32/sspi.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+require 'Win32API'
+require 'base64'
+
+# Implements bindings to Win32 SSPI functions, focused on authentication to a proxy server over HTTP.
+module Win32
+	module SSPI
+		# Specifies how credential structure requested will be used. Only SECPKG_CRED_OUTBOUND is used
+		# here.
+		SECPKG_CRED_INBOUND = 0x00000001
+		SECPKG_CRED_OUTBOUND = 0x00000002
+		SECPKG_CRED_BOTH = 0x00000003
+
+		# Format of token. NETWORK format is used here.
+		SECURITY_NATIVE_DREP = 0x00000010
+		SECURITY_NETWORK_DREP = 0x00000000
+
+		# InitializeSecurityContext Requirement flags
+		ISC_REQ_REPLAY_DETECT = 0x00000004
+		ISC_REQ_SEQUENCE_DETECT = 0x00000008
+		ISC_REQ_CONFIDENTIALITY = 0x00000010
+		ISC_REQ_USE_SESSION_KEY = 0x00000020
+		ISC_REQ_PROMPT_FOR_CREDS = 0x00000040
+		ISC_REQ_CONNECTION = 0x00000800
+
+		# Win32 API Functions. Uses Win32API to bind methods to constants contained in class. 
+		module API
+			# Can be called with AcquireCredentialsHandle.call()
+			AcquireCredentialsHandle = Win32API.new("secur32", "AcquireCredentialsHandle", 'ppLpppppp', 'L')
+			# Can be called with InitializeSecurityContext.call()
+			InitializeSecurityContext = Win32API.new("secur32", "InitializeSecurityContext", 'pppLLLpLpppp', 'L')
+			# Can be called with DeleteSecurityContext.call()
+			DeleteSecurityContext = Win32API.new("secur32", "DeleteSecurityContext", 'P', 'L')
+			# Can be called with FreeCredentialsHandle.call()
+			FreeCredentialsHandle = Win32API.new("secur32", "FreeCredentialsHandle", 'P', 'L')
+		end
+	  
+		# SecHandle struct
+		class SecurityHandle
+			def upper
+				@struct.unpack("LL")[1]
+			end
+	    
+			def lower
+				@struct.unpack("LL")[0]
+			end
+	    
+			def to_p
+				@struct ||= "\0" * 8
+			end
+		end
+	  
+		# Some familiar aliases for the SecHandle structure
+		CredHandle = CtxtHandle = SecurityHandle
+
+		# TimeStamp struct
+		class TimeStamp
+			attr_reader :struct
+
+			def to_p
+				@struct ||= "\0" * 8
+			end
+		end
+	  
+		# Creates binary representaiton of a SecBufferDesc structure,
+		# including the SecBuffer contained inside.
+		class SecurityBuffer
+
+			SECBUFFER_TOKEN = 2   # Security token
+	    
+			TOKENBUFSIZE = 12288
+			SECBUFFER_VERSION = 0
+
+			def initialize(buffer = nil)
+				@buffer = buffer || "\0" * TOKENBUFSIZE
+				@bufferSize = @buffer.length
+				@type = SECBUFFER_TOKEN
+			end
+	    
+			def bufferSize
+				unpack
+				@bufferSize
+			end
+	    
+			def bufferType
+				unpack
+				@type
+			end
+	    
+			def token
+				unpack
+				@buffer
+			end
+	    
+			def to_p
+				# Assumption is that when to_p is called we are going to get a packed structure. Therefore,
+				# set @unpacked back to nil so we know to unpack when accessors are next accessed.
+				@unpacked = nil
+				# Assignment of inner structure to variable is very important here. Without it,
+				# will not be able to unpack changes to the structure. Alternative, nested unpacks,
+				# does not work (i.e. @struct.unpack("LLP12")[2].unpack("LLP12") results in "no associated pointer")
+				@sec_buffer ||= [@bufferSize, @type, @buffer].pack("LLP")
+				@struct ||= [SECBUFFER_VERSION, 1, @sec_buffer].pack("LLP")    
+			end
+	  
+		private
+	  
+			# Unpacks the SecurityBufferDesc structure into member variables. We
+			# only want to do this once per struct, so the struct is deleted
+			# after unpacking. 
+			def unpack
+				if ! @unpacked && @sec_buffer && @struct
+					@bufferSize, @type = @sec_buffer.unpack("LL")
+					@buffer = @sec_buffer.unpack("LLP#{@bufferSize}")[2]
+					@struct = nil
+					@sec_buffer = nil
+					@unpacked = true
+				end
+			end
+		end
+	  
+		# SEC_WINNT_AUTH_IDENTITY structure
+		class Identity
+			SEC_WINNT_AUTH_IDENTITY_ANSI = 0x1
+
+			attr_accessor :user, :domain, :password
+	    
+			def initialize(user = nil, domain = nil, password = nil)
+				@user = user
+				@domain = domain
+				@password = password
+				@flags = SEC_WINNT_AUTH_IDENTITY_ANSI
+			end
+	    
+			def to_p
+				[@user, @user ? @user.length : 0, 
+				 @domain, @domain ? @domain.length : 0,
+				 @password, @password ? @password.length : 0,
+				 @flags].pack("PLPLPLL")
+			end    
+		end
+
+		# Takes a return result from an SSPI function and interprets the value.
+		class SSPIResult 
+			# Good results
+			SEC_E_OK = 0x00000000
+			SEC_I_CONTINUE_NEEDED = 0x00090312
+
+			# These are generally returned by InitializeSecurityContext
+			SEC_E_INSUFFICIENT_MEMORY = 0x80090300
+			SEC_E_INTERNAL_ERROR = 0x80090304
+			SEC_E_INVALID_HANDLE = 0x80090301
+			SEC_E_INVALID_TOKEN = 0x80090308
+			SEC_E_LOGON_DENIED = 0x8009030C
+			SEC_E_NO_AUTHENTICATING_AUTHORITY = 0x80090311
+			SEC_E_NO_CREDENTIALS = 0x8009030E
+			SEC_E_TARGET_UNKNOWN = 0x80090303
+			SEC_E_UNSUPPORTED_FUNCTION = 0x80090302
+			SEC_E_WRONG_PRINCIPAL = 0x80090322
+
+			# These are generally returned by AcquireCredentialsHandle
+			SEC_E_NOT_OWNER = 0x80090306
+			SEC_E_SECPKG_NOT_FOUND = 0x80090305
+			SEC_E_UNKNOWN_CREDENTIALS = 0x8009030D
+	    
+			@@map = {}
+			constants.each { |v| @@map[self.const_get(v.to_s)] = v }
+
+			attr_reader :value
+	    
+			def initialize(value)
+				# convert to unsigned long
+				value = [value].pack("L").unpack("L").first
+				raise "#{value.to_s(16)} is not a recognized result" unless @@map.has_key? value
+				@value = value
+			end
+	    
+			def to_s
+				@@map[@value].to_s
+			end
+	    
+			def ok?
+				@value == SEC_I_CONTINUE_NEEDED || @value == SEC_E_OK
+			end
+	    
+			def ==(other)
+				if other.is_a?(SSPIResult)
+					@value == other.value
+				elsif other.is_a?(Fixnum)
+					@value == @@map[other]
+				else
+					false
+				end
+			end
+		end
+
+		# Handles "Negotiate" type authentication. Geared towards authenticating with a proxy server over HTTP
+		class NegotiateAuth  
+			attr_accessor :credentials, :context, :contextAttributes, :user, :domain
+
+			# Default request flags for SSPI functions
+			REQUEST_FLAGS = ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION
+
+			# NTLM tokens start with this header always. Encoding alone adds "==" and newline, so remove those
+			B64_TOKEN_PREFIX = Base64.encode64("NTLMSSP").delete("=\n")  
+
+			# Given a connection and a request path, performs authentication as the current user and returns
+			# the response from a GET request. The connnection should be a Net::HTTP object, and it should
+			# have been constructed using the Net::HTTP.Proxy method, but anything that responds to "get" will work.
+			# If a user and domain are given, will authenticate as the given user.
+			# Returns the response received from the get method (usually Net::HTTPResponse)
+			def NegotiateAuth.proxy_auth_get(http, path, user = nil, domain = nil)
+				raise "http must respond to :get" unless http.respond_to?(:get)
+				nego_auth = self.new user, domain
+	      
+				resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+				if resp["Proxy-Authenticate"]
+					resp = http.get path, { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(resp["Proxy-Authenticate"].split(" ").last.strip) }
+				end
+
+				resp
+			end
+	    
+			# Creates a new instance ready for authentication as the given user in the given domain.
+			# Defaults to current user and domain as defined by ENV["USERDOMAIN"] and ENV["USERNAME"] if
+			# no arguments are supplied.
+			def initialize(user = nil, domain = nil)
+				if user.nil? && domain.nil? && ENV["USERNAME"].nil? && ENV["USERDOMAIN"].nil?
+					raise "A username or domain must be supplied since they cannot be retrieved from the environment"
+				end
+	      
+				@user = user || ENV["USERNAME"]
+				@domain = domain || ENV["USERDOMAIN"]
+			end
+
+			# Gets the initial Negotiate token. Returns it as a base64 encoded string suitable for use in HTTP. Can
+			# be easily decoded, however.
+			def get_initial_token
+				raise "This object is no longer usable because its resources have been freed." if @cleaned_up
+				get_credentials
+
+				outputBuffer = SecurityBuffer.new
+				@context = CtxtHandle.new
+				@contextAttributes = "\0" * 4
+
+				result = SSPIResult.new(API::InitializeSecurityContext.call(@credentials.to_p, nil, nil, 
+					REQUEST_FLAGS,0, SECURITY_NETWORK_DREP, nil, 0, @context.to_p, outputBuffer.to_p, @contextAttributes, TimeStamp.new.to_p))
+
+				if result.ok? then
+					return encode_token(outputBuffer.token)
+				else
+					raise "Error: #{result.to_s}"
+				end
+			end
+	    
+			# Takes a token and gets the next token in the Negotiate authentication chain. Token can be Base64 encoded or not. 
+			# The token can include the "Negotiate" header and it will be stripped.
+			# Does not indicate if SEC_I_CONTINUE or SEC_E_OK was returned.
+			# Token returned is Base64 encoded w/ all new lines removed.
+			def complete_authentication(token)
+				raise "This object is no longer usable because its resources have been freed." if @cleaned_up
+
+				# Nil token OK, just set it to empty string      
+				token = "" if token.nil?
+
+				if token.include? "Negotiate"
+					# If the Negotiate prefix is passed in, assume we are seeing "Negotiate <token>" and get the token.
+					token = token.split(" ").last
+				end
+
+				if token.include? B64_TOKEN_PREFIX 
+					# indicates base64 encoded token
+					token = Base64.decode64(token.strip)
+				end
+	      
+				outputBuffer = SecurityBuffer.new
+				result = SSPIResult.new(API::InitializeSecurityContext.call(@credentials.to_p, @context.to_p, nil, 
+					REQUEST_FLAGS, 0, SECURITY_NETWORK_DREP, SecurityBuffer.new(token).to_p, 0, 
+					@context.to_p,
+					outputBuffer.to_p, @contextAttributes, TimeStamp.new.to_p))
+	       
+				if result.ok? then
+					return encode_token(outputBuffer.token)
+				else
+					raise "Error: #{result.to_s}"
+				end
+			ensure
+				# need to make sure we don't clean up if we've already cleaned up.
+				clean_up unless @cleaned_up
+			end
+
+		 private
+
+			def clean_up
+				# free structures allocated
+				@cleaned_up = true
+				API::FreeCredentialsHandle.call(@credentials.to_p)
+				API::DeleteSecurityContext.call(@context.to_p)
+				@context = nil
+				@credentials = nil
+				@contextAttributes = nil
+			end
+
+			# Gets credentials based on user, domain or both. If both are nil, an error occurs
+			def get_credentials
+				@credentials = CredHandle.new
+				ts = TimeStamp.new
+				@identity = Identity.new @user, @domain
+				result = SSPIResult.new(API::AcquireCredentialsHandle.call(nil, "Negotiate", SECPKG_CRED_OUTBOUND, nil, @identity.to_p, 
+					nil, nil, @credentials.to_p, ts.to_p))
+				raise "Error acquire credentials: #{result}" unless result.ok?
+			end
+
+			def encode_token(t)
+				# encode64 will add newlines every 60 characters so we need to remove those.
+				Base64.encode64(t).delete("\n")
+			end
+		end
+	end
+end

data/lib/win32/sspi/http_proxy_patch.rb

@@ -0,0 +1,88 @@
+#
+# = win32/net/http_proxy_patch.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This file extends code originally found in lib/net/net.http,
+# see that file for attribution.
+# 
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+require 'net/http'
+require 'win32/sspi'
+
+module Net 
+  # Replaces Net::HTTP.request to understand Negotiate HTTP proxy authorization. Uses native Win32
+  # libraries to authentic as the current user (as defined by the ENV["USERNAME"] and ENV["USERDOMAIN"]
+  # environment variables.
+  class HTTP 
+		
+		# Indicates that net/http has been patched by SSPI.
+		def self.sspi?
+			true
+		end
+		
+    def request(req, body = nil, &block) # :yield: +response+
+      unless started?
+        start {
+          req['connection'] ||= 'close'
+          return request(req, body, &block)
+        }
+      end
+      if proxy_user()
+        unless use_ssl?
+          req.proxy_basic_auth proxy_user(), proxy_pass()
+        end
+      end
+
+      req.set_body_internal body
+      begin_transport req
+        req.exec @socket, @curr_http_version, edit_path(req.path)
+        begin
+          res = HTTPResponse.read_new(@socket)
+        end while res.kind_of?(HTTPContinue)
+        # If proxy was specified, and the server is demanding authentication, negotiate with it
+        if res.kind_of?(HTTPProxyAuthenticationRequired) && proxy? && res["Proxy-Authenticate"].include?("Negotiate")
+          begin
+            n = Win32::SSPI::NegotiateAuth.new
+            res.reading_body(@socket, req.response_body_permitted?) { }
+            end_transport req, res
+            begin_transport req
+            req["Proxy-Authorization"] = "Negotiate #{n.get_initial_token}"
+            # Some versions of ISA will close the connection if this isn't present.
+            req["Connection"] = "Keep-Alive"
+            req["Proxy-Connection"] = "Keep-Alive"
+            req.exec @socket, @curr_http_version, edit_path(req.path)
+            begin
+              res = HTTPResponse.read_new(@socket)
+            end while res.kind_of?(HTTPContinue)
+            if res["Proxy-Authenticate"]
+              res.reading_body(@socket, req.response_body_permitted?) { }
+              req["Proxy-Authorization"] = "Negotiate #{n.complete_authentication res["Proxy-Authenticate"]}"
+              req["Connection"] = "Keep-Alive"
+              req["Proxy-Connection"] = "Keep-Alive"
+              req.exec @socket, @curr_http_version, edit_path(req.path)
+              begin
+                res = HTTPResponse.read_new(@socket)
+              end while res.kind_of?(HTTPContinue)
+            end
+          rescue
+            exc = $!.exception("Error occurred during proxy negotiation. socket.io: #{@socket.inspect}; socket.closed? #{@socket.closed?}; req: #{req.inspect}; res: #{res.inspect}; Original message: #{$!.message}")
+            exc.set_backtrace $!.backtrace
+            raise exc
+          end
+        end
+        res.reading_body(@socket, req.response_body_permitted?) {
+          yield res if block_given?
+        }
+      end_transport req, res
+
+      res
+    end
+  end
+end

data/spa.rb

@@ -0,0 +1,19 @@
+# Copy this file to site_ruby directory to enable inclusion of Negotiate authoritation on arbitrary scripts. 
+# For example, to run gems w/ the library use:
+#
+#  ruby -rspa 'C:\Program Files\ruby\bin\gem'
+#
+# Notice the gem script is executed directly, instead of executing the gem.cmd file.
+#
+
+require 'pathname'
+if (Pathname.new(__FILE__).dirname + "/lib/sspi.rb").exist? 
+  # If running directly from root of gem, load rubysspi directly
+  $: << (Pathname.new(__FILE__).dirname + "/lib").to_s
+  require 'win32/sspi/http_proxy_patch'
+else
+  # Production require - must be running from site_ruby. Use rubygems to get
+  # to rubysspi 
+  require 'rubygems'
+  require 'win32/sspi/http_proxy_patch'
+end

data/test/test_gem_list.rb

@@ -0,0 +1,44 @@
+#
+# = test/test_gem_list.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+# Magic constant will ensure that, if the SSPI patch has been applied, it won't break these tests
+DISABLE_RUBY_SSPI_PATCH = true
+
+require 'test/unit'
+require 'net/http'
+require 'rubygems'
+$: << (File.dirname(__FILE__) << "/../lib")
+require 'win32/sspi/http_proxy_patch'
+
+class NTLMTest < Test::Unit::TestCase
+  def setup
+    assert ENV["http_proxy"], "http_proxy must be set before running tests."
+  end
+  
+  # Previous implementation of rubysspi used dl/win32 and a
+  # bug occurred when gem list was executed. This tests to ensure
+  # bug does not come back.
+  def test_gem_list
+		Gem.manage_gems
+		
+		if Gem::Version.new(Gem::RubyGemsVersion) < Gem::Version.new("0.9.2")
+			assert_nothing_raised "'gem list --remote rubysspi' failed to execute"  do
+				Gem::GemRunner.new.run(%w(list rubysspi --remote --http-proxy ))
+			end
+		elsif Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new("0.9.2")
+			# --http-proxy  option not needed after 0.9.2 (at least)
+			assert_nothing_raised "'gem list --remote rubysspi' failed to execute"  do
+				Gem::GemRunner.new.run(%w(list rubysspi --remote))
+			end
+		end
+  end
+end

data/test/test_net_http.rb

@@ -0,0 +1,46 @@
+#
+# = test/test_net_http.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+DISABLE_RUBY_SSPI_PATCH = true
+
+require 'test/unit'
+require 'net/http'
+require 'pathname'
+$: << (File.dirname(__FILE__) << "/../lib")
+require 'win32/sspi/http_proxy_patch'
+
+class NTLMTest < Test::Unit::TestCase
+  def test_net_http
+    proxy = get_proxy 
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      resp = http.get("/")
+      assert resp.code.to_i == 200, "Did not get response from Google as expected."
+    end
+  end
+  
+  def test_head_request
+    proxy = get_proxy 
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      resp = http.head("/")
+      assert resp.code.to_i == 200, "Did not get response from Google as expected."
+    end
+    
+  end
+  
+  def get_proxy
+    assert ENV["http_proxy"], "http_proxy environment variable must be set."
+    proxy = URI.parse(ENV["http_proxy"])
+    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    
+    return proxy
+  end
+end

data/test/test_patched_net_http.rb

@@ -0,0 +1,37 @@
+#
+# = test/test_patched_net_http.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+require 'test/unit'
+require 'net/http'
+
+# Intended to test 'patched' version of Net::HTTP. Notice lack of requires at the top.
+class PatchedRubyTest < Test::Unit::TestCase
+  def setup
+    assert ENV["http_proxy"], "http_proxy must be set before running tests."
+  end
+  
+  def test_net_http
+		
+		assert_nothing_raised "net/http does not appear to be patched" do
+			assert Net::HTTP.sspi?, "sspi? patch applied but did not return true."
+		end
+		
+    assert ENV["http_proxy"], "http_proxy environment variable must be set."
+    proxy = URI.parse(ENV["http_proxy"])
+    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      resp = http.get("/")
+      assert resp.code.to_i == 200, "Did not get response from Google as expected."
+    end
+  end
+end

data/test/test_ruby_sspi.rb

@@ -0,0 +1,99 @@
+#
+# = test/test_ruby_sspi.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+# Magic constant will ensure that, if the SSPI patch has been applied, it won't break these tests
+DISABLE_RUBY_SSPI_PATCH = true
+
+require 'test/unit'
+require 'net/http'
+require 'pathname'
+$: << (File.dirname(__FILE__) << "/../lib")
+require 'win32/sspi'
+
+class NTLMTest < Test::Unit::TestCase
+  def test_auth
+    proxy = get_proxy
+    
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      nego_auth = Win32::SSPI::NegotiateAuth.new 
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+      # Google redirects to country of origins domain if not US.
+      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+      resp = http.get "/foobar.html"
+      # Some proxy servers don't return 404 but 407.
+      assert(resp.code.to_i == 404 || resp.code.to_i == 407, "Response code not as expected: #{resp.inspect}")
+    end
+  end
+  
+  def test_proxy_auth_get
+    proxy = get_proxy
+    
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      resp = Win32::SSPI::NegotiateAuth.proxy_auth_get http, "/"
+      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+    end
+  end
+  
+  def test_one_time_use_only
+    proxy = get_proxy
+    
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      nego_auth = Win32::SSPI::NegotiateAuth.new 
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+      assert_raises(RuntimeError, "Should not be able to call complete_authentication again") do
+        nego_auth.complete_authentication "foo"
+      end
+    end
+  end
+  
+  def test_token_variations
+    proxy = get_proxy
+
+    # Test that raw token works
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      nego_auth = Win32::SSPI::NegotiateAuth.new 
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+      token = Base64.decode64(sr["Proxy-Authenticate"].split(" ").last.strip)
+      completed_token = nego_auth.complete_authentication(token)
+      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + completed_token }
+      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+    end
+
+    # Test that token w/ "Negotiate" header included works
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      nego_auth = Win32::SSPI::NegotiateAuth.new 
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"]) }
+      assert success_or_redirect(resp.code), "Response code not as expected: #{resp.inspect}"
+    end
+  end
+  
+private
+  
+  # Gets the proxy from the environment and makes some assertions
+  def get_proxy
+    assert ENV["http_proxy"], "http_proxy environment variable must be set."
+    proxy = URI.parse(ENV["http_proxy"])
+    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    
+    return proxy
+  end
+  
+  # Returns true if code given is 200 or 302. I.e. if HTTP request was successful or resulted in redirect.
+  def success_or_redirect(code)
+    code.to_i == 200 || code.to_i == 302
+  end
+  
+end

data/test/trace_proxy.rb

@@ -0,0 +1,39 @@
+#
+# = test/trace_proxy.rb
+#
+# Copyright (c) 2006-2007 Justin Bailey
+# 
+# Written and maintained by Justin Bailey <jgbailey@gmail.com>.
+#
+# This program is free software. You can re-distribute and/or
+# modify this program under the same terms of ruby itself ---
+# Ruby Distribution License or GNU General Public License.
+#
+
+# This file provides a trace of the HTTP request/response sequence between the local computer and the proxy. Useful
+# for debugging problems with the library. Outputs trace to standard output.
+ 
+# Magic constant will ensure that, if the SSPI patch has been applied, it won't break these tests
+DISABLE_RUBY_SSPI_PATCH = true
+
+require 'net/http'
+require 'pathname'
+$: << (File.dirname(__FILE__) << "/../lib")
+require 'win32/sspi'
+
+raise "http_proxy environment variable must be set." unless ENV["http_proxy"]
+proxy = URI.parse(ENV["http_proxy"])
+raise "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)." unless proxy.host && proxy.port
+
+conn =  Net::HTTP.Proxy(proxy.host, proxy.port).new("www.google.com")
+conn.set_debug_output $stdout
+conn.start() do |http|
+  nego_auth = Win32::SSPI::NegotiateAuth.new 
+  sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+  resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"].split(" ").last.strip) }
+  # Google redirects to country of origins domain if not US.
+  raise "Response code not as expected: #{resp.inspect}" unless resp.code.to_i == 200 || resp.code.to_i == 302
+  resp = http.get "/foobar.html"
+  # Some proxy servers don't return 404 but 407.
+  raise "Response code not as expected: #{resp.inspect}" unless resp.code.to_i == 404 || resp.code.to_i == 407
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification 
+rubygems_version: 0.9.2
+specification_version: 1
+name: rubysspi
+version: !ruby/object:Gem::Version 
+  version: 1.2.2
+date: 2007-03-12 00:00:00 -07:00
+summary: A library which implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotiate authentication support to Net::HTTP.
+require_paths: 
+- lib
+email: jgbailey @nospam@ gmail.com
+homepage: http://rubyforge.org/projects/rubysspi/
+rubyforge_project: http://rubyforge.org/projects/rubysspi/
+description: This gem provides bindings to the Win32 SSPI libraries, primarily to support Negotiate (i.e. SPNEGO, NTLM) authentication with a proxy server. Enough support is implemented to provide the necessary support for the authentication.  A module is also provided which overrides Net::HTTP and adds support for Negotiate authentication to it.  This implies that open-uri automatically gets support for it, as long as the http_proxy environment variable is set.
+autorequire: 
+default_executable: 
+bindir: bin
+has_rdoc: true
+required_ruby_version: !ruby/object:Gem::Version::Requirement 
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      version: 0.0.0
+  version: 
+platform: ruby
+signing_key: 
+cert_chain: 
+post_install_message: 
+authors: 
+- Justin Bailey
+files: 
+- lib/win32
+- lib/win32/sspi
+- lib/win32/sspi.rb
+- lib/win32/sspi/http_proxy_patch.rb
+- test/test_gem_list.rb
+- test/test_net_http.rb
+- test/test_patched_net_http.rb
+- test/test_ruby_sspi.rb
+- test/trace_proxy.rb
+- CHANGELOG.txt
+- LICENSE.txt
+- README.txt
+- Rakefile
+- spa.rb
+test_files: []
+
+rdoc_options: 
+- --title
+- Ruby SSPI -- Win32 SSPI Bindings for Ruby
+- --main
+- README.txt
+- --line-numbers
+extra_rdoc_files: 
+- README.txt
+- CHANGELOG.txt
+- LICENSE.txt
+executables: 
+- apply_sspi_patch
+extensions: []
+
+requirements: []
+
+dependencies: []
+