selfsdk 0.0.124

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: df6729e3320be7cc2abd4ea22a94ff757b8e8d72ee5e1f2b2ddbafed509483c4
+  data.tar.gz: c7202790ad7ac8c0fcb984a3c494983b08549e9e516b238cc247d869a630d2a2
+SHA512:
+  metadata.gz: 860606a05e95e553e6c1e36c63b15a1e3b93922d56e0a58a773d911da0ea29d95f5395406b13124b005e05c468d1c2740308e55908decffc77eb79d6c569ac14
+  data.tar.gz: 7a3ba36d29276730966cc01ce4d2730c0613142ce6d844deb61380a3b3055596e724bfe78160061436cf43f9f510b49b7407a3a9eb107e0e057c094f9d8e7f32

data/lib/acl.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'date'
+
+# Namespace for classes and modules that handle Self interactions.
+module SelfSDK
+  # Access control list
+  class ACL
+    def initialize(messaging)
+      @messaging = messaging
+      @jwt = @messaging.jwt
+    end
+
+    # Lists allowed connections.
+    def list
+      SelfSDK.logger.info "Listing allowed connections"
+      rules = {}
+      @messaging.list_acl_rules.each do |c|
+        rules[c['acl_source']] = DateTime.parse(c['acl_exp'])
+      end
+      rules
+    end
+
+    # Allows incomming messages from the given identity.
+    def allow(id)
+      SelfSDK.logger.info "Allowing connections from #{id}"
+      @messaging.add_acl_rule(@jwt.prepare(jti: SecureRandom.uuid,
+                                           cid: SecureRandom.uuid,
+                                           typ: 'acl.permit',
+                                           iss: @jwt.id,
+                                           sub: @jwt.id,
+                                           iat: (SelfSDK::Time.now - 5).strftime('%FT%TZ'),
+                                           exp: (SelfSDK::Time.now + 60).strftime('%FT%TZ'),
+                                           acl_source: id,
+                                           acl_exp: (SelfSDK::Time.now + 360_000).to_datetime.rfc3339))
+    end
+
+    # Deny incomming messages from the given identity.
+    def deny(id)
+      SelfSDK.logger.info "Denying connections from #{id}"
+      @messaging.remove_acl_rule(@jwt.prepare(jti: SecureRandom.uuid,
+                                               cid: SecureRandom.uuid,
+                                               typ: 'acl.revoke',
+                                               iss: @jwt.id,
+                                               sub: @jwt.id,
+                                               iat: (SelfSDK::Time.now - 5).strftime('%FT%TZ'),
+                                               exp: (SelfSDK::Time.now + 60).strftime('%FT%TZ'),
+                                               acl_source: id,
+                                               acl_exp: (SelfSDK::Time.now + 360_000).to_datetime.rfc3339))
+    end
+  end
+end

data/lib/authenticated.rb

@@ -0,0 +1,26 @@
+module SelfSDK
+  class Authenticated
+    attr_accessor :payload, :uuid, :selfsdk, :status
+
+    def initialize(payload)
+      return if payload.nil?
+
+      @payload = payload
+      @uuid = payload[:cid]
+      @selfsdk = payload[:sub]
+    end
+
+    def accepted?
+      return false if @payload.nil?
+
+      @payload[:status] == "accepted"
+    end
+
+    def to_hash
+      { uuid: @uuid,
+        selfsdk: @selfsdk,
+        accepted: accepted? }
+    end
+
+  end
+end

data/lib/client.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'httparty'
+
+module SelfSDK
+  class RestClient
+    attr_reader :self_url, :jwt, :env
+
+    # RestClient initializer
+    #
+    # @param url [string] self-messaging url
+    # @param token [string] jwt token identifying the authenticated user
+    def initialize(url, app_id, app_key, env)
+      SelfSDK.logger.info "client setup with #{url}"
+      @self_url = url
+      @env = env
+      @jwt = SelfSDK::JwtService.new(app_id, app_key)
+    end
+
+    # Get identity details
+    #
+    # @param id [string] identity self_id.
+    def identity(id)
+      get_identity "/v1/identities/#{id}"
+    end
+
+    # Get app details
+    #
+    # @param id [string] app self_id.
+    def app(id)
+      get_identity "/v1/apps/#{id}"
+    end
+
+    # Get app/identity details
+    #
+    # @param id [string] app/identity self_id.
+    def entity(id)
+      #TODO : Consider a better check for this conditional
+      if id.length == 11
+        return identity(id)
+      else
+        return app(id)
+      end
+    end
+
+    # Lists all devices assigned to the given identity
+    #
+    # @param id [string] identity id
+    def devices(id)
+      res = get "/v1/identities/#{id}/devices"
+      body = JSON.parse(res.body, symbolize_names: true)
+      if res.code != 200
+        SelfSDK.logger.error "identity response : #{body[:message]}"
+        raise "you need connection permissions"
+      end
+      body
+    end
+
+    # Lists all public keys stored on self for the given ID
+    #
+    # @param id [string] identity id
+    def public_keys(id)
+      i = entity(id)
+      i[:public_keys]
+    end
+
+    private
+
+    def get_identity(endpoint)
+      res = get endpoint
+      body = JSON.parse(res.body, symbolize_names: true)
+      if res.code != 200
+        SelfSDK.logger.error "app response : #{body[:message]}"
+        raise body[:message]
+      end
+      body
+    end
+
+    def get(endpoint)
+      HTTParty.get("#{@self_url}#{endpoint}", headers: {
+                     'Content-Type' => 'application/json',
+                     'Authorization' => "Bearer #{@jwt.auth_token}"
+                   })
+    end
+
+    def post(endpoint, body)
+      HTTParty.post("#{@self_url}#{endpoint}",
+                    headers: {
+                      'Content-Type' => 'application/json',
+                      'Authorization' => "Bearer #{@jwt.auth_token}"
+                    },
+                    body: body)
+    end
+  end
+end

data/lib/jwt_service.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'json'
+
+module SelfSDK
+  class JwtService
+    attr_reader :id, :key
+
+    # Jwt initializer
+    #
+    # @param app_id [string] the app id.
+    # @param app_key [string] the app api key provided by developer portal.
+    def initialize(app_id, app_key)
+      @id = app_id
+      @key = app_key
+    end
+
+    # Prepares a jwt object based on an input
+    #
+    # @param input [string] input to be prepared
+    def prepare(input)
+      signed(input).to_json
+    end
+
+    def signed(input)
+      payload = encode(input.to_json)
+      {
+        payload: payload,
+        protected: header,
+        signature: sign("#{header}.#{payload}")
+      }
+    end
+
+    def parse(input)
+      JSON.parse(input, symbolize_names: true)
+    end
+
+    # Encodes the input with base64
+    #
+    # @param input [string] the string to be encoded.
+    def encode(input)
+      Base64.urlsafe_encode64(input, padding: false)
+    end
+
+    # Base64 decodes the input string
+    #
+    # @param input [string] the string to be decoded.
+    def decode(input)
+      Base64.urlsafe_decode64(input)
+    end
+
+    # Signs the given input with the configured Ed25519 key.
+    #
+    # @param input [string] the string to be signed.
+    def sign(input)
+      signing_key = Ed25519::SigningKey.new(decode(@key))
+      signature = signing_key.sign(input)
+      encode(signature)
+    end
+
+    def verify(payload, key)
+      verify_key = Ed25519::VerifyKey.new(decode(key))
+      if verify_key.verify(decode(payload[:signature]), "#{payload[:protected]}.#{payload[:payload]}")
+        return true
+      end
+    rescue StandardError
+      false
+    end
+
+    # Generates the auth_token based on the app's private key.
+    def auth_token
+      payload = header + "." + encode({
+        jti: SecureRandom.uuid,
+        cid: SecureRandom.uuid,
+        typ: 'auth.token',
+        iat: (SelfSDK::Time.now - 5).to_i,
+        exp: (SelfSDK::Time.now + 60).to_i,
+        iss: @id,
+        sub: @id}.to_json)
+      signature = sign(payload)
+      "#{payload}.#{signature}"
+    end
+
+    private
+
+    def header
+      encode({ alg: "EdDSA", typ: "JWT" }.to_json)
+    end
+  end
+end

data/lib/log.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+module SelfSDK
+  class << self
+    attr_writer :logger
+
+    def logger
+      @logger ||= ::Logger.new($stdout).tap do |log|
+        log.progname = name
+      end
+    end
+  end
+end

data/lib/messages/attestation.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module SelfSDK
+  module Messages
+    class Attestation
+      attr_accessor :verified, :origin, :source, :value, :operator, :expected_value, :fact_name, :to, :audience
+
+      def initialize(messaging)
+        @messaging = messaging
+      end
+
+      def parse(name, attestation)
+        payload = JSON.parse(@messaging.jwt.decode(attestation[:payload]), symbolize_names: true)
+        @origin = payload[:iss]
+        @to = payload[:sub]
+        @audience = payload[:aud]
+        @source = payload[:source]
+        @verified = valid_signature?(attestation)
+        @expected_value = payload[:expected_value]
+        @operator = payload[:operator]
+        @fact_name = name.to_s
+        unless payload[name].nil?
+          @value = payload[name]
+        end
+      end
+
+      def valid_signature?(body)
+        k = @messaging.client.public_keys(@origin).first[:key]
+        raise ::StandardError.new("invalid signature") unless @messaging.jwt.verify(body, k)
+
+        true
+      end
+
+      def validate!(original)
+        raise ::StandardError.new("invalid origin") if @to != original.to
+      end
+
+      def signed
+        o = {
+            sub: @to,
+            iss: @origin,
+            source: @source,
+            fact: @fact_name,
+            expected_value: @expected_value,
+            operator: @operator,
+        }
+        o[:aud] = @audience unless @audience.nil?
+        o[@fact_name.to_sym] = @value
+        @messaging.jwt.signed(o)
+      end
+    end
+  end
+end

data/lib/messages/authentication_message.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+require_relative '../ntptime'
+
+module SelfSDK
+  module Messages
+    class AuthenticationMessage < Base
+
+      def parse(input, original=nil)
+        @input = input
+        @typ = @typ
+        @payload = get_payload input
+        @id = payload[:cid]
+        @from = payload[:iss]
+        @to = payload[:sub]
+        @audience = payload[:aud]
+        @from_device = payload[:device_id]
+        @expires = ::Time.parse(payload[:exp])
+        @issued = ::Time.parse(payload[:iat])
+        @status = payload[:status]
+      end
+    end
+  end
+end

data/lib/messages/authentication_req.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+require_relative '../ntptime'
+require_relative 'authentication_message'
+
+module SelfSDK
+  module Messages
+    class AuthenticationReq < AuthenticationMessage
+      MSG_TYPE = "identities.authenticate.req"
+      DEFAULT_EXP_TIMEOUT = 300
+
+      def initialize(messaging)
+        @typ = MSG_TYPE
+        super
+      end
+
+      def populate(selfid, opts)
+        @id = SecureRandom.uuid
+        @from = @client.jwt.id
+        @to = selfid
+
+        @id = opts[:cid] if opts.include?(:cid)
+        @description = opts.include?(:description) ? opts[:description] : nil
+        @exp_timeout = opts.fetch(:exp_timeout, DEFAULT_EXP_TIMEOUT)
+      end
+
+      def body
+        { typ: MSG_TYPE,
+          iss: @jwt.id,
+          sub: @to,
+          aud: @to,
+          iat: SelfSDK::Time.now.strftime('%FT%TZ'),
+          exp: (SelfSDK::Time.now + @exp_timeout).strftime('%FT%TZ'),
+          cid: @id,
+          jti: SecureRandom.uuid }
+      end
+
+      protected
+
+      def proto
+        @to_device = @client.devices(@to).first
+        Msgproto::Message.new(type: Msgproto::MsgType::MSG,
+                              sender: "#{@jwt.id}:#{@messaging.device_id}",
+                              id: @id,
+                              recipient: "#{@to}:#{@to_device}",
+                              ciphertext: @jwt.prepare(body))
+      end
+
+    end
+  end
+end

data/lib/messages/authentication_resp.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative 'base'
+require_relative '../ntptime'
+require_relative 'authentication_message'
+
+module SelfSDK
+  module Messages
+    class AuthenticationResp < AuthenticationMessage
+      MSG_TYPE = "identities.authenticate.resp"
+      def initialize(messaging)
+        @typ = MSG_TYPE
+        super
+      end
+
+      protected
+
+      def proto
+        nil
+      end
+    end
+  end
+end