signature 0.1.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,21 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Martyn Loughran
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,37 @@
+signature
+---------
+
+Examples
+========
+
+Client example
+
+    params = {:some => 'parameters'}
+    token = Signature::Token.new(key, secret)
+    request = Signature::Request.new('POST', '/api/thing, params)
+    auth_hash = request.sign(token)
+    
+    HTTParty.post('http://myservice/api/thing', {
+      :query => params.merge(auth_hash)
+    })
+
+Server example (sinatra)
+
+    error Signature::AuthenticationError do |controller|
+      error = controller.env["sinatra.error"]
+      halt 401, "401 UNAUTHORIZED: #{error.message}\n"
+    end
+
+    post '/api/thing' do
+      request = Authentication::Request.new('POST', env["REQUEST_PATH"], params)
+      token = request.authenticate do |key|
+        Signature::Token.new(key, lookup_secret(key))
+      end
+
+      # Do whatever you need to do
+    end
+
+Copyright
+=========
+
+Copyright (c) 2010 Martyn Loughran. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,46 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "signature"
+    gem.summary = %Q{Simple key/secret based authentication for apis}
+    gem.description = %Q{Simple key/secret based authentication for apis}
+    gem.email = "me@mloughran.com"
+    gem.homepage = "http://github.com/mloughran/signature"
+    gem.authors = ["Martyn Loughran"]
+    gem.add_dependency "ruby-hmac"
+    gem.add_development_dependency "rspec", ">= 1.2.9"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "signature #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/lib/signature.rb

@@ -0,0 +1,142 @@
+require 'hmac-sha2'
+require 'base64'
+
+module Signature
+  class AuthenticationError < RuntimeError; end
+
+  class Token
+    attr_reader :key, :secret
+
+    def initialize(key, secret)
+      @key, @secret = key, secret
+    end
+
+    def sign(request)
+      request.sign(self)
+    end
+  end
+
+  class Request
+    attr_accessor :path, :query_hash
+
+    # http://www.w3.org/TR/NOTE-datetime
+    ISO8601 = "%Y-%m-%dT%H:%M:%SZ"
+
+    def initialize(method, path, query)
+      raise ArgumentError, "Expected string" unless path.kind_of?(String)
+      raise ArgumentError, "Expected hash" unless query.kind_of?(Hash)
+
+      query_hash = {}
+      auth_hash = {}
+      query.each do |key, v|
+        k = key.to_s.downcase
+        k[0..4] == 'auth_' ? auth_hash[k] = v : query_hash[k] = v
+      end
+
+      @method = method.upcase
+      @path, @query_hash, @auth_hash = path, query_hash, auth_hash
+    end
+
+    def sign(token)
+      @auth_hash = {
+        :auth_version => "1.0",
+        :auth_key => token.key,
+        :auth_timestamp => Time.now.to_i
+      }
+
+      @auth_hash[:auth_signature] = signature(token)
+
+      return @auth_hash
+    end
+
+    # Authenticates the request with a token
+    #
+    # Timestamp check: Unless timestamp_grace is set to nil (which will skip
+    # the timestamp check), an exception will be raised if timestamp is not
+    # supplied or if the timestamp provided is not within timestamp_grace of
+    # the real time (defaults to 10 minutes)
+    #
+    # Signature check: Raises an exception if the signature does not match the
+    # computed value
+    #
+    def authenticate_by_token!(token, timestamp_grace = 600)
+      validate_version!
+      validate_timestamp!(timestamp_grace)
+      validate_signature!(token)
+      true
+    end
+
+    def authenticate_by_token(token, timestamp_grace = 600)
+      authenticate_by_token!(token, timestamp_grace)
+    rescue AuthenticationError
+      false
+    end
+
+    def authenticate(timestamp_grace = 600, &block)
+      key = @auth_hash['auth_key']
+      raise AuthenticationError, "Authentication key required" unless key
+      token = yield key
+      unless token && token.secret
+        raise AuthenticationError, "Invalid authentication key"
+      end
+      authenticate_by_token!(token, timestamp_grace)
+      return token
+    end
+
+    def auth_hash
+      raise "Request not signed" unless @auth_hash && @auth_hash[:auth_signature]
+      @auth_hash
+    end
+
+    private
+
+      def signature(token)
+        HMAC::SHA256.hexdigest(token.secret, string_to_sign)
+      end
+
+      def string_to_sign
+        [@method, @path, parameter_string].join("\n")
+      end
+
+      def parameter_string
+        param_hash = @query_hash.merge(@auth_hash || {})
+
+        # Convert keys to lowercase strings
+        hash = {}; param_hash.each { |k,v| hash[k.to_s.downcase] = v }
+
+        # Exclude signature from signature generation!
+        hash.delete("auth_signature")
+
+        hash.keys.sort.map { |k| "#{k}=#{hash[k]}" }.join("&")
+      end
+
+      def validate_version!
+        version = @auth_hash["auth_version"]
+        raise AuthenticationError, "Version required" unless version
+        raise AuthenticationError, "Version not supported" unless version == '1.0'
+      end
+
+      def validate_timestamp!(grace)
+        return true if grace.nil?
+
+        timestamp = @auth_hash["auth_timestamp"]
+        error = (timestamp.to_i - Time.now.to_i).abs
+        raise AuthenticationError, "Timestamp required" unless timestamp
+        if error >= grace
+          raise AuthenticationError, "Timestamp expired: Given timestamp "\
+            "(#{Time.at(timestamp.to_i).utc.strftime(ISO8601)}) "\
+            "not within #{grace}s of server time "\
+            "(#{Time.now.utc.strftime(ISO8601)})"
+        end
+        return true
+      end
+
+      def validate_signature!(token)
+        unless @auth_hash["auth_signature"] == signature(token)
+          raise AuthenticationError, "Invalid signature: you should have "\
+            "sent HmacSHA256Hex(#{string_to_sign.inspect}, your_secret_key)"
+        end
+        return true
+      end
+  end
+end

data/spec/signature_spec.rb

@@ -0,0 +1,176 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe Signature do
+  before :each do
+    Time.stub!(:now).and_return(Time.at(1234))
+
+    @token = Signature::Token.new('key', 'secret')
+
+    @request = Signature::Request.new('POST', '/some/path', {
+      "query" => "params",
+      "go" => "here"
+    })
+    @signature = @request.sign(@token)[:auth_signature]
+  end
+
+  it "should generate base64 encoded signature from correct key" do
+    @request.send(:string_to_sign).should == "POST\n/some/path\nauth_key=key&auth_timestamp=1234&auth_version=1.0&go=here&query=params"
+    @signature.should == '3b237953a5ba6619875cbb2a2d43e8da9ef5824e8a2c689f6284ac85bc1ea0db'
+  end
+
+  it "should make auth_hash available after request is signed" do
+    request = Signature::Request.new('POST', '/some/path', {
+      "query" => "params"
+    })
+    lambda {
+      request.auth_hash
+    }.should raise_error('Request not signed')
+
+    request.sign(@token)
+    request.auth_hash.should == {
+      :auth_signature => "da078fcedd72941b6c873caa40d0d6b2000ebfc700cee802b128dd20f72e74e9",
+      :auth_version => "1.0",
+      :auth_key => "key",
+      :auth_timestamp => 1234
+    }
+  end
+
+  it "should cope with symbol keys" do
+    @request.query_hash = {
+      :query => "params",
+      :go => "here"
+    }
+    @request.sign(@token)[:auth_signature].should == @signature
+  end
+
+  it "should cope with upcase keys (keys are lowercased before signing)" do
+    @request.query_hash = {
+      "Query" => "params",
+      "GO" => "here"
+    }
+    @request.sign(@token)[:auth_signature].should == @signature
+  end
+
+  it "should use the path to generate signature" do
+    @request.path = '/some/other/path'
+    @request.sign(@token)[:auth_signature].should_not == @signature
+  end
+
+  it "should use the query string keys to generate signature" do
+    @request.query_hash = {
+      "other" => "query"
+    }
+    @request.sign(@token)[:auth_signature].should_not == @signature
+  end
+
+  it "should use the query string values to generate signature" do
+    @request.query_hash = {
+      "key" => "notfoo",
+      "other" => 'bar'
+    }
+    @request.sign(@token)[:signature].should_not == @signature
+  end
+
+  describe "verification" do
+    before :each do
+      Time.stub!(:now).and_return(Time.at(1234))
+      @request.sign(@token)
+      @params = @request.query_hash.merge(@request.auth_hash)
+    end
+
+    it "should verify requests" do
+      request = Signature::Request.new('POST', '/some/path', @params)
+      request.authenticate_by_token(@token).should == true
+    end
+
+    it "should raise error if signature is not correct" do
+      @params[:auth_signature] =  'asdf'
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Invalid signature: you should have sent HmacSHA256Hex("POST\n/some/path\nauth_key=key&auth_timestamp=1234&auth_version=1.0&go=here&query=params", your_secret_key)')
+    end
+
+    it "should raise error if timestamp not available" do
+      @params.delete(:auth_timestamp)
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Timestamp required')
+    end
+
+    it "should raise error if timestamp has expired (default of 600s)" do
+      request = Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + 599))
+      request.authenticate_by_token!(@token).should == true
+      Time.stub!(:now).and_return(Time.at(1234 - 599))
+      request.authenticate_by_token!(@token).should == true
+      Time.stub!(:now).and_return(Time.at(1234 + 600))
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 600s of server time (1970-01-01T00:30:34Z)")
+      Time.stub!(:now).and_return(Time.at(1234 - 600))
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 600s of server time (1970-01-01T00:10:34Z)")
+    end
+
+    it "should be possible to customize the timeout grace period" do
+      grace = 10
+      request = Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + grace - 1))
+      request.authenticate_by_token!(@token, grace).should == true
+      Time.stub!(:now).and_return(Time.at(1234 + grace))
+      lambda {
+        request.authenticate_by_token!(@token, grace)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 10s of server time (1970-01-01T00:20:44Z)")
+    end
+
+    it "should be possible to skip timestamp check by passing nil" do
+      request = Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + 1000))
+      request.authenticate_by_token!(@token, nil).should == true
+    end
+    
+    it "should check that auth_version is supplied" do
+      @params.delete(:auth_version)
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Version required')
+    end
+
+    it "should check that auth_version equals 1.0" do
+      @params[:auth_version] = '1.1'
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Version not supported')
+    end
+
+    describe "when used with optional block" do
+      it "should optionally take a block which yields the signature" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        request.authenticate do |key|
+          key.should == @token.key
+          @token
+        end.should == @token
+      end
+
+      it "should raise error if no auth_key supplied to request" do
+        @params.delete(:auth_key)
+        request = Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate { |key| nil }
+        }.should raise_error('Authentication key required')
+      end
+
+      it "should raise error if block returns nil (i.e. key doesn't exist)" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate { |key| nil }
+        }.should raise_error('Invalid authentication key')
+      end
+    end
+  end
+end

data/spec/spec.opts

@@ -0,0 +1 @@
+--color

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'rubygems'
+require 'signature'
+require 'spec'
+require 'spec/autorun'
+
+Spec::Runner.configure do |config|
+  
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification 
+name: signature
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- Martyn Loughran
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-05-07 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: ruby-hmac
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 2
+        - 9
+        version: 1.2.9
+  type: :development
+  version_requirements: *id002
+description: Simple key/secret based authentication for apis
+email: me@mloughran.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.md
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.md
+- Rakefile
+- VERSION
+- lib/signature.rb
+- spec/signature_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/mloughran/signature
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Simple key/secret based authentication for apis
+test_files: 
+- spec/signature_spec.rb
+- spec/spec_helper.rb