rubysspi 0.0.2-i386-mswin32 → 1.0.0-i386-mswin32

data/README.txt

@@ -85,6 +85,22 @@ Note that server_token can be Base64 encoded or not, and if it starts with "Nego
 
 The token returned (usually an NTLM Type 3) message can then be sent to the server and the connection should be authenticated.
 
+= Patching Ruby
+
+ A short script to patch Net::HTTP is also included. This patch will give the Net::HTTP (and consequently, open-uri) the ability to directly authenticate with Negotiate/NTLM proxy servers. The main advantage of patching Ruby itself is that other scripts, such as gems, will work directly with these proxy servers and will not require running with the 'spa' library. Similarly, any scripts which use open-uri or Net::HTTP will gain the ability to authenticate with the proxy server.
+ 
+ To run the script, just run <tt>apply_sspi_patch</tt>. The backup will be made of the original 'http.rb' file, and a new patched file will be copied in. After patching, run the test script 'test\test_patched_net_http.rb'. It ensures that proxy authentication now works without extra libraries. 
+ 
+ Be aware - this has only been tested on Ruby 1.8.4 and 1.8.5. Though the Net::HTTP libraries are not likely to change much, do some testing afterwards. 
+ 
+ If you want the patch disabled for a certain script, just define the constant DISABLE_RUBY_SSPI_PATCH at the top level. If you want to back the patch out, go to the ruby library directory, open the net folder, and rename the file called "http.orig.X.rb" (where X is some number) to http.rb. If the patch has been applied multiple times, uses the lowest "X" found.
+ 
+= Disabling proxy for certain servers
+
+ Sometimes it is necessary to NOT use the proxy for certain addresses, especially in a LAN environment. While not a feature directly provided by this library, setting the 'no_proxy' environment variable to a list of servers will ensure no proxy connection is made for them. The list should be comma-delimited, and can consist of any mix of domain names and ports. URLs, however, are not allowed. For example "somehost, somehost.corporate.com, myhost:9000, myhost.corporate.com:80" would all be legal. Note that if a port is NOT specified, then no proxying occurs for that host regardless of the port requested by open-uri. 
+ 
+ Finally, the above technique will only work with the open-uri library. Net::HTTP will not use a proxy automatically in any case.
+
 = Thanks & References
 
 Many references were used in decoding both NTLM messages and integrating with the SSPI library. Among them are:

data/Rakefile

@@ -4,10 +4,10 @@ require 'rake/gempackagetask'
 
 spec = Gem::Specification.new do |s|
 	s.name = "rubysspi"
-	s.summary = "A library which adds implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotate authentication support to Net::HTTP."
-	s.version = "0.0.2"
+	s.summary = "A library which implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotate authentication support to Net::HTTP."
+	s.version = "1.0.0"
 	s.author = "Justin Bailey"
-	s.email = "jgbailey @nospan@ gmail.com"
+	s.email = "jgbailey @nospam@ gmail.com"
 	s.homepage = "http://rubyforge.org/projects/rubysspi/"
 	s.rubyforge_project = "http://rubyforge.org/projects/rubysspi/"
 	s.description = <<EOS
@@ -24,6 +24,9 @@ EOS
 	s.platform = Gem::Platform::CURRENT
 	s.files = FileList["lib/**/*", "test/*", "*.txt", "Rakefile", "spa.rb"].to_a
 
+	s.bindir = "bin"
+	s.executables = ["apply_sspi_patch.rb"]
+
 	s.require_path = "lib"
 	s.autorequire = "rubysspi"
 

data/bin/apply_sspi_patch.rb

@@ -0,0 +1,34 @@
+# This file will patch the local net/http installation to include support for NTLM/Negotiate authentication.
+# The original http.rb file will be renamed to http.orig.rb
+
+require 'rbconfig'
+require 'pathname'
+require 'fileutils'
+
+# Original http.rb file
+orig_file = Pathname.new(Config::CONFIG["rubylibdir"]) + 'net\http.rb'
+
+# Determine that original actually exists
+raise "Original http.rb not not found at expected location #{orig_file}" unless orig_file.exist?
+
+# Determine name to copy original file to
+@i += 1 while (orig_dest = Pathname.new(Config::CONFIG["rubylibdir"]) + "net\\http.orig.#{@i ||= 1}.rb").exist?
+
+# Copy original to back up
+puts "Backing up original #{orig_file} to #{orig_dest}"
+FileUtils.cp orig_file, orig_dest
+
+# Write patch file. 
+puts "Creating patch file to replace #{orig_file}"
+orig_file.open("w") { |f| f.write(<<EOS) }
+# Include original net/http
+require 'net/#{orig_dest.basename(orig_dest.extname)}'
+
+# This magic constant can be defined to disable the patch. 
+unless defined? DISABLE_RUBY_SSPI_PATCH
+  require 'rubygems'
+  require 'rubysspi/proxy_auth'
+end
+EOS
+
+puts 'Patch applied! Please run ..\test\test_patched_net_http.rb to test the patch.'

data/lib/rubysspi.rb

@@ -21,7 +21,7 @@ module SSPI
   ISC_REQ_PROMPT_FOR_CREDS = 0x00000040
   ISC_REQ_CONNECTION = 0x00000800
 
-  # Win32 API Functions. Uses dl/win32 to bind methods to constants contained in class. 
+  # Win32 API Functions. Uses Win32API to bind methods to constants contained in class. 
   module API
     # Can be called with AcquireCredentialsHandle.call()
     AcquireCredentialsHandle = Win32API.new("secur32", "AcquireCredentialsHandle", 'ppLpppppp', 'L')
@@ -195,8 +195,13 @@ module SSPI
   # Handles "Negotiate" type authentication. Geared towards authenticating with a proxy server over HTTP
   class NegotiateAuth  
     attr_accessor :credentials, :context, :contextAttributes, :user, :domain
+
+    # Default request flags for SSPI functions
     REQUEST_FLAGS = ISC_REQ_CONFIDENTIALITY | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONNECTION
 
+    # NTLM tokens start with this header always. Encoding alone adds "==" and newline, so remove those
+    B64_TOKEN_PREFIX = Base64.encode64("NTLMSSP").delete("=\n")  
+
     # Given a connection and a request path, performs authentication as the current user and returns
     # the response from a GET request. The connnection should be a Net::HTTP object, and it should
     # have been constructed using the Net::HTTP.Proxy method, but anything that responds to "get" will work.
@@ -246,21 +251,29 @@ module SSPI
       end
     end
     
-    # Takes a Base64 encoded token and gets the next token in the 
-    # Negotiate authentication chain. The token can include the "Negotiate" header and it will be stripped.
+    # Takes a token and gets the next token in the Negotiate authentication chain. Token can be Base64 encoded or not. 
+    # The token can include the "Negotiate" header and it will be stripped.
     # Does not indicate if SEC_I_CONTINUE or SEC_E_OK was returned.
-    # Token returned is Base64 encoded.
+    # Token returned is Base64 encoded w/ all new lines removed.
     def complete_authentication(token)
       raise "This object is no longer usable because its resources have been freed." if @cleaned_up
-      
-      # If the Negotiate prefix is passed in, assume we are seeing "Negotiate <token>" and get the token.
+
+      # Nil token OK, just set it to empty string      
+      token = "" if token.nil?
+
       if token.include? "Negotiate"
-        token = token.split(" ").last.strip
+        # If the Negotiate prefix is passed in, assume we are seeing "Negotiate <token>" and get the token.
+        token = token.split(" ").last
+      end
+
+      if token.include? B64_TOKEN_PREFIX 
+        # indicates base64 encoded token
+        token = Base64.decode64(token.strip)
       end
-      outputBuffer = SecurityBuffer.new
       
+      outputBuffer = SecurityBuffer.new
       result = SSPIResult.new(API::InitializeSecurityContext.call(@credentials.to_p, @context.to_p, nil, 
-        REQUEST_FLAGS, 0, SECURITY_NETWORK_DREP, SecurityBuffer.new(Base64.decode64(token)).to_p, 0, 
+        REQUEST_FLAGS, 0, SECURITY_NETWORK_DREP, SecurityBuffer.new(token).to_p, 0, 
         @context.to_p,
         outputBuffer.to_p, @contextAttributes, TimeStamp.new.to_p))
        
@@ -298,7 +311,7 @@ module SSPI
 
     def encode_token(t)
       # encode64 will add newlines every 60 characters so we need to remove those.
-      Base64.encode64(t).gsub(/\n/, "")
+      Base64.encode64(t).delete("\n")
     end
   end
 end

data/lib/rubysspi/proxy_auth.rb

@@ -3,7 +3,7 @@ require 'rubysspi'
 
 
 module Net 
-  # Replaces Net::HTTP.request to understand Negotate HTTP proxy authorization. Uses native Win32
+  # Replaces Net::HTTP.request to understand Negotiate HTTP proxy authorization. Uses native Win32
   # libraries to authentic as the current user (as defined by the ENV["USERNAME"] and ENV["USERDOMAIN"]
   # environment variables.
   class HTTP 
@@ -26,8 +26,8 @@ module Net
         begin
           res = HTTPResponse.read_new(@socket)
         end while res.kind_of?(HTTPContinue)
-        # If proxy was specified, and the server is demanding authentication, negotatiate with it
-        if proxy? && res.code.to_i == 407 && res["Proxy-Authenticate"].include?("Negotiate")
+        # If proxy was specified, and the server is demanding authentication, negotiate with it
+        if res.kind_of?(HTTPProxyAuthenticationRequired) && proxy? && res["Proxy-Authenticate"].include?("Negotiate")
           n = SSPI::NegotiateAuth.new
           res.reading_body(@socket, req.response_body_permitted?) { }
           req["Proxy-Authorization"] = "Negotiate #{n.get_initial_token}"
@@ -35,7 +35,6 @@ module Net
           begin
             res = HTTPResponse.read_new(@socket)
           end while res.kind_of?(HTTPContinue)
-          
           if res["Proxy-Authenticate"]
             res.reading_body(@socket, req.response_body_permitted?) { }
             req["Proxy-Authorization"] = "Negotiate #{n.complete_authentication res["Proxy-Authenticate"]}"

data/test/ruby_sspi_test.rb

@@ -1,3 +1,6 @@
+# Magic constant will ensure that, if the SSPI patch has been applied, it won't break these tests
+DISABLE_RUBY_SSPI_PATCH = true
+
 require 'test/unit'
 require 'net/http'
 require 'pathname'
@@ -5,15 +8,8 @@ $: << (File.dirname(__FILE__) << "/../lib")
 require 'rubysspi'
 
 class NTLMTest < Test::Unit::TestCase
- 
-  def setup
-    assert ENV["http_proxy"], "http_proxy must be set before running tests."
-  end
-  
   def test_auth
-    assert ENV["http_proxy"], "http_proxy environment variable must be set."
-    proxy = URI.parse(ENV["http_proxy"])
-    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    proxy = get_proxy
     
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       nego_auth = SSPI::NegotiateAuth.new 
@@ -26,9 +22,7 @@ class NTLMTest < Test::Unit::TestCase
   end
   
   def test_proxy_auth_get
-    assert ENV["http_proxy"], "http_proxy environment variable must be set."
-    proxy = URI.parse(ENV["http_proxy"])
-    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    proxy = get_proxy
     
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       resp = SSPI::NegotiateAuth.proxy_auth_get http, "/"
@@ -37,9 +31,7 @@ class NTLMTest < Test::Unit::TestCase
   end
   
   def test_one_time_use_only
-    assert ENV["http_proxy"], "http_proxy environment variable must be set."
-    proxy = URI.parse(ENV["http_proxy"])
-    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    proxy = get_proxy
     
     Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
       nego_auth = SSPI::NegotiateAuth.new 
@@ -51,4 +43,38 @@ class NTLMTest < Test::Unit::TestCase
       end
     end
   end
+  
+  def test_token_variations
+    proxy = get_proxy
+
+    # Test that raw token works
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      nego_auth = SSPI::NegotiateAuth.new 
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+      token = Base64.decode64(sr["Proxy-Authenticate"].split(" ").last.strip)
+      completed_token = nego_auth.complete_authentication(token)
+      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + completed_token }
+      assert resp.code.to_i == 200, "Response code not as expected: #{resp.inspect}"
+    end
+
+    # Test that token w/ "Negotiate" header included works
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      nego_auth = SSPI::NegotiateAuth.new 
+      sr = http.request_get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.get_initial_token }
+      resp = http.get "/", { "Proxy-Authorization" => "Negotiate " + nego_auth.complete_authentication(sr["Proxy-Authenticate"]) }
+      assert resp.code.to_i == 200, "Response code not as expected: #{resp.inspect}"
+    end
+  end
+  
+private
+  
+  # Gets the proxy from the environment and makes some assertions
+  def get_proxy
+    assert ENV["http_proxy"], "http_proxy environment variable must be set."
+    proxy = URI.parse(ENV["http_proxy"])
+    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    
+    return proxy
+  end
+  
 end

data/test/test_patched_net_http.rb

@@ -0,0 +1,21 @@
+require 'test/unit'
+require 'net/http'
+
+# Intended to test 'patched' version of Net::HTTP. Notice lack of requires at the top.
+class PatchedRubyTest < Test::Unit::TestCase
+  def setup
+    assert ENV["http_proxy"], "http_proxy must be set before running tests."
+  end
+  
+  def test_net_http
+
+    assert ENV["http_proxy"], "http_proxy environment variable must be set."
+    proxy = URI.parse(ENV["http_proxy"])
+    assert proxy.host && proxy.port, "Could not parse http_proxy (#{ENV["http_proxy"]}). http_proxy should be a URL with a port (e.g. http://proxy.corp.com:8080)."
+    
+    Net::HTTP.Proxy(proxy.host, proxy.port).start("www.google.com") do |http|
+      resp = http.get("/")
+      assert resp.code.to_i == 200, "Did not get response from Google as expected."
+    end
+  end
+end

metadata

@@ -3,12 +3,12 @@ rubygems_version: 0.9.0
 specification_version: 1
 name: rubysspi
 version: !ruby/object:Gem::Version 
-  version: 0.0.2
-date: 2006-07-17 00:00:00 -07:00
-summary: A library which adds implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotate authentication support to Net::HTTP.
+  version: 1.0.0
+date: 2006-09-28 00:00:00 -07:00
+summary: A library which implements Ruby bindings to the Win32 SSPI library. Also includes a module to add Negotate authentication support to Net::HTTP.
 require_paths: 
 - lib
-email: jgbailey @nospan@ gmail.com
+email: jgbailey @nospam@ gmail.com
 homepage: http://rubyforge.org/projects/rubysspi/
 rubyforge_project: http://rubyforge.org/projects/rubysspi/
 description: This gem provides bindings to the Win32 SSPI libraries, primarily to support Negotiate (i.e. SPNEGO, NTLM) authentication with a proxy server. Enough support is implemented to provide the necessary support for the authentication.  A module is also provided which overrides Net::HTTP and adds support for Negotiate authentication to it.  This implies that open-uri automatically gets support for it, as long as the http_proxy environment variable is set.
@@ -35,6 +35,7 @@ files:
 - test/ruby_sspi_test.rb
 - test/test_gem_list.rb
 - test/test_net_http.rb
+- test/test_patched_net_http.rb
 - README.txt
 - Rakefile
 - spa.rb
@@ -48,8 +49,8 @@ rdoc_options:
 - --line-numbers
 extra_rdoc_files: 
 - README.txt
-executables: []
-
+executables: 
+- apply_sspi_patch.rb
 extensions: []
 
 requirements: []