secure_uri 0.6.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,5 @@
+*.sw?
+.DS_Store
+coverage
+rdoc
+pkg

data/LICENSE

@@ -0,0 +1,9 @@
+Copyright (c) 2009 Brightbox Systems Ltd 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+See http://www.brightbox.co.uk/ for contact details.  

data/README.rdoc

@@ -0,0 +1,30 @@
+= SecureURI
+
+Adds the ability for URI to generate and validate secure URLs.
+
+== Installation
+
+  sudo gem install secure_uri
+
+== Usage
+
+Generate a secure URI
+
+  require "secure_uri"
+
+  # Set our secret key for hashing, be sure to keep this private!
+  SecureURI.hasher.salt = "our secret key"
+
+  url = URI.parse("http://example.com/action?some=data")
+  url.secure!
+
+  url.to_s # => "http://example.com/action?some=data&hash=d988eb197f2120493b4f1e01382af508ffd123dca791e011fea93d71d01690cf"
+
+Check if a URL is secure
+
+  request_uri = URI.parse("http://example.com/action?some=data&hash=d988eb197f2120493b4f1e01382af508ffd123dca791e011fea93d71d01690cf")
+  request_uri.valid? # => true
+
+== Copyright
+
+Copyright (c) 2009 Brightbox Systems Ltd. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,48 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "secure_uri"
+    gem.summary = %Q{Extends URI with secure urls}
+    gem.description = %Q{Adds methods to URI to let you compare a url to a hash of itself}
+    gem.email = "caius@brightbox.co.uk"
+    gem.homepage = "http://github.com/brightbox/secure_uri"
+    gem.authors = ["Caius Durling"]
+    gem.add_development_dependency "rspec"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  if File.exist?('VERSION')
+    version = File.read('VERSION')
+  else
+    version = ""
+  end
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "secure_url #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.6.0

data/lib/secure_uri/hasher.rb

@@ -0,0 +1,43 @@
+module SecureURI
+  # Placeholder class to make sure a hashing class is set before
+  # the class is used.
+  # 
+  # Required methods:
+  # * self.hash
+  # 
+  # The salt mechanism is there as most hashing implementations will
+  # need a shared secret.
+  # 
+  # Subclass this class to automagically set the hasher to your class.
+  class Hasher
+    class << self
+      # Lets us set the salt
+      attr_writer :salt
+      # Lets us read the salt; defaulting to an empty string
+      def salt
+        @salt || ""
+      end
+
+      # Takes a string and hashes it
+      # 
+      # Returns String
+      def hash str
+        raise "hash method needs to be overridden"
+      end
+
+      # Takes a hash and a string. Hashes the string using self#hash and 
+      # compares to the hash passed in.
+      # 
+      # Returns True or False
+      def compare hash, str
+        hash == self.hash(str)
+      end
+
+      # Convenience method so subclassing Hasher automatically
+      # sets the new (sub)class as the Hasher class in SecureURI
+      def inherited klass
+        SecureURI.hasher = klass
+      end
+    end
+  end
+end

data/lib/secure_uri/secure_uri.rb

@@ -0,0 +1,60 @@
+module SecureURI
+
+  HASH_REGEX = /(?:&hash=([^&]+)$|hash=([^&]+)&?)/
+
+  class << self
+    def hasher
+      if @hasher[/::/]
+        arr = @hasher.split("::")
+        klass = Kernel
+        arr.each do |c|
+          klass = klass.const_get(c)
+        end
+        klass
+      else
+        Kernel.const_get(@hasher)
+      end
+    end
+
+    def hasher= class_name
+      @hasher = class_name.to_s
+    end
+    protected :hasher=
+
+    @hasher ||= "SecureURI::Hasher"
+  end
+
+  def secure?
+    !hash_string.empty?
+  end
+
+  def valid?
+    return false unless secure?
+    SecureURI.hasher.compare hash_string, url_minus_hash
+  end
+
+  def secure!
+    hash = URI.escape(url_hash, Regexp.new("([^#{URI::PATTERN::UNRESERVED}]|\\.)"))
+    self.query = (self.query_minus_hash + "&hash=#{hash}")
+    to_s
+  end
+
+protected
+
+  def hash_string
+    URI.unescape(query.to_s.scan(HASH_REGEX).flatten.compact.first.to_s)
+  end
+
+  def url_hash
+    SecureURI.hasher.hash url_minus_hash
+  end
+
+  def url_minus_hash
+    to_s.gsub(HASH_REGEX, "")
+  end
+
+  def query_minus_hash
+    query.to_s.gsub(HASH_REGEX, "")
+  end
+
+end

data/lib/secure_uri/sha256_hasher.rb

@@ -0,0 +1,9 @@
+require "digest/sha2"
+
+module SecureURI
+  class SHA256Hasher < Hasher
+    def self.hash str
+      Digest::SHA256.hexdigest(str+salt)
+    end
+  end
+end

data/lib/secure_uri.rb

@@ -0,0 +1,7 @@
+require "uri"
+%w(secure_uri hasher sha256_hasher).each do |file|
+  require File.join(File.dirname(__FILE__), "secure_uri", file)
+end
+
+# All specific classes of URI are subclasses of Generic
+URI::Generic.__send__(:include, SecureURI)

data/secure_uri.gemspec

@@ -0,0 +1,61 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE
+# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{secure_uri}
+  s.version = "0.6.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Caius Durling"]
+  s.date = %q{2009-12-03}
+  s.description = %q{Adds methods to URI to let you compare a url to a hash of itself}
+  s.email = %q{caius@brightbox.co.uk}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/secure_uri.rb",
+     "lib/secure_uri/hasher.rb",
+     "lib/secure_uri/secure_uri.rb",
+     "lib/secure_uri/sha256_hasher.rb",
+     "secure_uri.gemspec",
+     "spec/hasher_spec.rb",
+     "spec/secure_uri_spec.rb",
+     "spec/sha256_hasher_spec.rb",
+     "spec/spec.opts",
+     "spec/spec_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/brightbox/secure_uri}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Extends URI with secure urls}
+  s.test_files = [
+    "spec/hasher_spec.rb",
+     "spec/secure_uri_spec.rb",
+     "spec/sha256_hasher_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rspec>, [">= 0"])
+    else
+      s.add_dependency(%q<rspec>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<rspec>, [">= 0"])
+  end
+end

data/spec/hasher_spec.rb

@@ -0,0 +1,28 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+include SecureURI
+
+describe Hasher do
+  it "should have an empty salt by default" do
+    Hasher.salt.should == ""
+  end
+
+  it "should accept a salt" do
+    Hasher.should respond_to(:salt=)
+
+    Hasher.salt = "my salt"
+    Hasher.salt.should == "my salt"
+  end
+
+  it "should raise when hash is called" do
+    lambda {
+      Hasher.hash("my string")
+    }.should raise_error("hash method needs to be overridden")
+  end
+
+  it "should use the hash method when comparing" do
+    Hasher.should_receive(:hash).with("my string").and_return("my hash")
+
+    Hasher.compare("my hash", "my string").should be_true
+  end
+end

data/spec/secure_uri_spec.rb

@@ -0,0 +1,136 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "SecureURI" do
+
+  it "should work" do
+
+    url = URI.parse("http://caius.name/foo?bar=sed")
+
+    url.secure?.should == false
+    url.valid?.should == false
+
+    str = url.secure!
+
+    str.should =~ /hash/
+
+    url.secure?.should == true
+    url.valid?.should == true
+
+    url.query = (url.query + "&thing=nothing")
+
+    url.secure?.should == true
+    url.valid?.should == false
+
+    url.secure!
+
+    url.secure?.should == true
+    url.valid?.should == true
+  end
+
+  before do
+    @url = "http://example.com/path?query=string"
+    @uri = URI.parse(@url)
+
+    @secure_url = "http://example.com/path?query=string&hash=ZOMG-HASH"
+    @secure_uri = URI.parse(@secure_url)
+
+    # todo: change to set the salt for the SHA256Hasher
+    # SecureURI.salt = "my lovely salt"
+  end
+
+  it "should be a URI" do
+    @uri.should be_a_kind_of(URI)
+  end
+
+  it "should turn into a secure url" do
+    @uri.query.should_not =~ /hash=/
+    @uri.secure!
+    @uri.query.should =~ /hash=/
+  end
+
+  it "should not be a secure url" do
+    @uri.should_not be_secure
+  end
+
+  it "should be a secure url" do
+    @secure_uri.should be_secure
+  end
+
+  it "should validate as a secure uri" do
+    SecureURI::SHA256Hasher.should_receive(:compare).and_return(true)
+    
+    @secure_uri.should be_valid
+  end
+
+  it "should fail validation as a secure url" do
+    @secure_uri.should_not be_valid
+  end
+
+  it "should update the hash if the query changes" do
+    @secure_uri.query += "&foo=bar"
+    @secure_uri.query.should =~ /foo=bar/
+    @secure_uri.query.should =~ /hash=/
+    old_hash = @secure_uri.send(:hash_string)
+
+    @secure_uri.secure!
+
+    @secure_uri.query.should =~ /hash=/
+    @secure_uri.send(:hash_string).should_not == old_hash
+  end
+
+  it "should secure a url" do
+    @uri.query.should_not =~ /hash=/
+    @uri.secure!
+
+    @uri.query.should =~ /hash=/
+    @uri.should be_secure
+    @uri.should be_valid
+  end
+
+  it "should update a secure url" do
+    @secure_uri.query.should =~ /hash=/
+    q = @secure_uri.query.dup
+
+    @secure_uri.secure!
+
+    @secure_uri.query.should =~ /hash=/
+    q.should_not == @secure_uri.query
+  end
+
+  describe "hasher" do
+    it "should use sha256 by default" do
+      SecureURI.hasher.should == SecureURI::SHA256Hasher
+    end
+
+    describe "class" do
+      before(:all) do
+        @original_hasher = SecureURI.hasher
+
+        class HasherSub < SecureURI::Hasher
+        end
+      end
+
+      after(:all) do
+        # "Naughty naughty", said the Class to the spec
+        # "Neccessary evil", replied the spec.
+        SecureURI.__send__(:hasher=, @original_hasher)
+      end
+
+      it "should set hasher when subclassed" do
+        SecureURI.hasher.should == HasherSub
+      end
+
+      it "should raise an error when hash method isn't overridden" do
+        lambda {
+          SecureURI::Hasher.hash "string"
+        }.should raise_error("hash method needs to be overridden")
+      end
+      
+      it "should raise an error when compare method isn't overridden" do
+        lambda {
+          SecureURI::Hasher.compare "string", "hash"
+        }.should raise_error("hash method needs to be overridden")
+      end
+    end
+  end
+end

data/spec/sha256_hasher_spec.rb

@@ -0,0 +1,36 @@
+require File.dirname(__FILE__) + '/spec_helper'
+
+include SecureURI
+
+describe SHA256Hasher do
+  it "should hash a string" do
+    Digest::SHA256.should_receive(:hexdigest).with("this is my string").and_return("zomg hash!")
+    hash = SHA256Hasher.hash("this is my string")
+
+    hash.should_not be_nil
+    hash.should be_a_kind_of(String)
+    hash.should == "zomg hash!"
+  end
+
+  it "should use the salt when hashing a string" do
+    Digest::SHA256.should_receive(:hexdigest).with("this is my stringmy salt").and_return("my hash")
+
+    SHA256Hasher.salt = "my salt"
+    SHA256Hasher.hash("this is my string").should == "my hash"
+  end
+
+  it "should hash a string using the salt successfully" do
+    hash = "56068fc00a1452ed9b2a22e5535dc57f5dc77071df11fb6c00aa1bf808568ba1"
+
+    SecureURI.hasher.salt = "bbq"
+    SecureURI.hasher.hash("zomgwtf").should == hash
+  end
+
+  it "should compare a string" do
+    hash = "56068fc00a1452ed9b2a22e5535dc57f5dc77071df11fb6c00aa1bf808568ba1"
+    
+    SecureURI.hasher.salt = "bbq"
+    SecureURI.hasher.compare(hash, "zomgwtf").should be_true
+  end
+
+end

data/spec/spec.opts

@@ -0,0 +1,4 @@
+--colour
+--format progress
+--loadby mtime
+--reverse

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'spec'
+require 'spec/autorun'
+
+require 'secure_uri'
+
+Spec::Runner.configure do |config|
+  
+end

metadata

@@ -0,0 +1,99 @@
+--- !ruby/object:Gem::Specification 
+name: secure_uri
+version: !ruby/object:Gem::Version 
+  hash: 7
+  prerelease: false
+  segments: 
+  - 0
+  - 6
+  - 0
+  version: 0.6.0
+platform: ruby
+authors: 
+- Caius Durling
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-12-03 00:00:00 +00:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id001
+description: Adds methods to URI to let you compare a url to a hash of itself
+email: caius@brightbox.co.uk
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/secure_uri.rb
+- lib/secure_uri/hasher.rb
+- lib/secure_uri/secure_uri.rb
+- lib/secure_uri/sha256_hasher.rb
+- secure_uri.gemspec
+- spec/hasher_spec.rb
+- spec/secure_uri_spec.rb
+- spec/sha256_hasher_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/brightbox/secure_uri
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Extends URI with secure urls
+test_files: 
+- spec/hasher_spec.rb
+- spec/secure_uri_spec.rb
+- spec/sha256_hasher_spec.rb
+- spec/spec_helper.rb