signed_config 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 02a530752f0bb7d45a71a7e5b5c63a48c82ba866
+  data.tar.gz: 04ff0c5fccc77cefde01ff9d3e932e270d8bde02
+SHA512:
+  metadata.gz: 2368c9dcad07fc216d00d046f5259cb9fcca43000347d5b286ad558d190b6eefcf2f4092da28daaebe52748ee9e0b723ee910655735a7d3f0f887fb5d77b2257
+  data.tar.gz: ba14d2d8a428d11406156136c19b4d4779a696e90c9bf1284f8e4f1a9054c6bfff45e18c6da1f2605b993efae9de52104119baca9a335929784ef2af6322f317

data/MIT_LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2015 Kevin Trowbridge
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+# SignedConfig
+
+SignedConfig has two modes: 
+
+Writer mode : intended to be used by a sort of "licensing console", takes a config hash and a private key and generates 
+signed "license text."  The licensed text contains a YML serialized "human readable" version of the config hash and
+a matching signature.
+
+Reader mode: intended to be used by the "licensed application" takes a public key (which should be distributed with the
+application) and the "license text."  It confirms the signature matches the config hash, and deserializes the license text 
+from YML back into a Ruby hash.
+
+This gem was extracted from an enterprise Rails webapp.  It's unusual for a Rails application in that, it's installed onsite
+on clients' servers.  (This is not unusual for an "enterprise application," however.) 
+
+
+## Writing licenses
+
+    config_hash = {
+      :client_name: "Acme Inc."
+      :license_level: "high"
+      :licensed_features: ["widget_management", "foobar_creation"],
+      :expiration_date: 2099-01-01 00:00:00 UTC
+      :num_superusers: 1
+      :num_users: 20
+    }
+    org_name = "BRANDED"
+
+    writer = SignedConfig::Writer.new(SIGNED_CONFIG_PRIVATE_KEY, config_hash, org_name)
+    self.signed_config = writer.signed_config
+
+
+## Reading licenses
+
+    def verify
+      begin
+        reader = SignedConfig::Reader.new(SIGNED_CONFIG_PUBLIC_KEY, params[:license])
+        @config = reader.config
+        flash[:success] = 'License is valid.'
+      rescue SignedConfig::SignatureDoesNotMatch
+        flash[:error] = 'License is invalid.'
+        flash.discard
+        render :new
+      end
+    end
+
+
+
+## Example of generated license:
+```
+
+=========================BEGIN BRANDED LICENSE=========================
+---
+:config: |
+  ---
+  :client_name: Acme Inc.
+  :license_level: high
+  :licensed_features:
+  - widget_management
+  - foobar_creation
+  :expiration_date: 2099-01-01 00:00:00 UTC
+  :num_superusers: 1
+  :num_users: 20
+:signature: |
+  VUiNY22N9cIs+RUJ1+w+T7pXEkBwOhGx2heeo3ekxybWjm+gEBXkt8n3Y8+s
+  pUyK0RfLM6NK9LMP6/Ke5IXL199hDLKXJnfy/nuZ+uIkNmoL1Bd7FhMqXCmd
+  HyRuuSkHTsQG4hk1VCS/mn/KaZWn1P+dyng4HWYWCAJYt2dtJqf/ZbLmIXdI
+  xX9GplIG5wCto7Dss7ksBR2x97QFe5P3OGQAjX0qw/jFWY8pOy+JCaJqB4b4
+  U/xy9p/+VWPhdmQPY8/hIowx9WC2UqbV5QKTEJzqWebG7xbvwmJfywE60+qO
+  rhEqh8fza8jagTbmzBtpsXyyTd4ZAusXuwc7uMTtFQ==
+
+=========================END BRANDED LICENSE=========================
+```
+
+## How "secure" is this? 
+
+Since Ruby is not compiled and trivially easy to modify, it's very unsuited for being "hacker proof."  Normally this doesn't
+matter as, enforcing license compliance is trivial for a classic consumer webapp where users only interact with the app via
+their web browsers.
+
+However, for enterprise clients, it makes sense to just make it "slightly difficult" to modify the license to add users,
+enable additional features, or extend the expiration date.  The security that this gem provides raises the bar just from 
+the point where anyone could read and alter a plain text configuration file, to the point where any "programmer" type could
+figure out modifications in an hour or two.  
+
+However, I believe this is sufficient to enforce 95% of business agreements.
+ 
+Additionally SignedConfig only uses a SHA1 hashing algorithm which is not hacker-proof anymore.
+
+
+## Development
+
+### Running the tests
+
+    rake

data/lib/signed_config.rb

@@ -0,0 +1,10 @@
+require 'yaml'
+
+require 'signed_config/crypto'
+require 'signed_config/errors'
+require 'signed_config/reader'
+require 'signed_config/writer'
+
+module SignedConfig
+  VERSION = "0.0.2"
+end

data/lib/signed_config/crypto.rb

@@ -0,0 +1,28 @@
+# Adapted from: https://blog.atechmedia.com/encrypting-signing-data-ruby/
+
+require 'openssl'
+require 'base64'
+
+module SignedConfig
+  module Crypto
+
+    class << self
+
+      # Return a signature for the string
+      def sign(key, string)
+        Base64.encode64(rsa_key(key).sign(OpenSSL::Digest::SHA1.new, string))
+      end
+
+      # Verify the string and signature
+      def verify(key, signature, string)
+        rsa_key(key).verify(OpenSSL::Digest::SHA1.new, Base64.decode64(signature), string)
+      end
+
+      private
+
+      def rsa_key(key)
+        OpenSSL::PKey::RSA.new(key)
+      end
+    end
+  end
+end

data/lib/signed_config/errors.rb

@@ -0,0 +1,5 @@
+module SignedConfig
+
+  class SignatureDoesNotMatch < StandardError
+  end
+end

data/lib/signed_config/reader.rb

@@ -0,0 +1,18 @@
+module SignedConfig
+  class Reader
+    def initialize(public_key, signed_config)
+      yml = signed_config.split("\n")[1..-2].join("\n")
+      hash = YAML.load(yml)
+      signature = hash[:signature]
+      @config_string = hash[:config]
+
+      unless Crypto.verify(public_key, signature, @config_string)
+        raise SignatureDoesNotMatch
+      end
+    end
+
+    def config
+      YAML.load(@config_string)
+    end
+  end
+end

data/lib/signed_config/writer.rb

@@ -0,0 +1,20 @@
+module SignedConfig
+  class Writer
+    def initialize(private_key, config_hash, org_name = nil)
+      config_string = YAML::dump(config_hash)
+      signature = Crypto.sign(private_key, config_string)
+      @org_name = org_name
+      @signed_config = YAML::dump({:config => config_string,
+                                   :signature => signature})
+    end
+
+    def signed_config
+      dramatic = '=' * 25
+      brand_txt = @org_name ? @org_name + " " : nil
+
+      "#{dramatic}BEGIN #{brand_txt}LICENSE#{dramatic}\n" +
+      @signed_config + "\n" +
+      "#{dramatic}END #{brand_txt}LICENSE#{dramatic}"
+    end
+  end
+end

data/test/support/test_private.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAvLGrsJK6IobzhJ288tFHLae6hqrRzeftQIBsJ7htIp8fmHbn
+OfPdf9p+e4WJMQkM5YX8bdv/TJLmsd8qCKdZ/5FTJB4RsH7gm9ef/4edXuuH7tUH
+QZuz+J87sq6UNGfpth7IsXkWcPqjmzZlpYAXL4kRZ1TtoXNt5WUMCyWRltGBnHuE
+TZs4D+RBXNYLL1wb98/FBWUQUfUI2KPOnVkTcysGLhfpEEVGgsAWdwi2+Jn3KKZz
+6BInElRBrGYXIK5wPLigLebDUUGmNj8PL6LaJe7o2TO6cJXWLOSTIr1x3+giL5kX
+2w++kJcWyCmnffW/CscTX3em+qJX67q3p84vXQIDAQABAoIBAQCZMM0ofxaqbVFK
+ex0pLQpSYHeoWQoX1pDg6uHjpXDEyNbH2tCCVh+fau2Arrrgmm5j8NEtB4xOyHyO
+L5VajTMdrwgGrHrEBV2oZ/g3Zgw3QZSMK1rGwvfrgqret6kOmsY82uUoYBv+AR3O
+Ju2C3Wj1aJw+fc6mYqX3tH+AlTGLdImO+wq7g40A1EDISHd0kaE4jTlljUiTf4Wn
+6lCSE+ie5z+s6pIYopnlwSX99X1VIClVXhD54rpngRF6ZrFgLtgIrfR4KOHfOuUa
+euaa1Mnwjn/DV9KfS2q5wRytJhF+bJTf0fxBHC7gCwYXXj2meKVNC8HfvIGdOWsJ
+LIIGmmkBAoGBAO1VwuMGu567IsUHkNv+GpHtiOSvQK9VrC3fT8/APS8uwmEXNcY2
+eWlfjl1Eockf1jx79M8HjXfEjGfjdtFzgxwaf5v9lBGhzw0YMuVDRhXNkOsucclj
+H/liNAmoAw4tSo9OUvqs3G5n0gcvZmeJRVAG/qTTXe+sJ0opcRwIeOKhAoGBAMuI
+oEaO8roYcUyeqxVSJGHzMG+PpU6NwS9jrm4QnlFvm1/Z7iQHUbxv2Id/nost7ioQ
+EsHo5r3S42CYgFvc4P/vWJpiM7ey/Db014fOayjDmn0ui9TwQSXQm8c4GsoQhpjz
+PGALlaGRi5KXp4pWhkk+/2TSJO4QBclzxCkLwM89AoGBAOZaW/qv2UCaD4g+7Kmp
+ey5x53FWbCkBtUkcusFAq+H0t3M27NmCm9rbhTkfWQv126D/CsA6a2N4oHJhAz0N
+qY6IZZ0IxUNL0sO53gRJhGe7CtJJVOWLUUhiuXE54iVLblejRMTLLHP4TpDsv670
+PBMNhvCBumXaqJPBn2f/DR2hAoGBAI/eSpS1dMOwhV3IhlwyzP7jvOgO3KWTM+wA
+hQrN+mrL/kMZs+iJt/AAC0l0Hyh4VfIrnGau73Ncf1cHVSwaDH08vR+brLz76qYa
+GcOoWDzfTvOPlE33acWGGKcQdHdCiTHSNWoapjEnxUXgpw/1K0TZIAQvOuWAM+b7
+SrxMz4RtAoGANI/eHiSeMlRmRBAlpTXERqtHxcookrWkxMEpeqNsiBi0iiicfi4S
+ECSu3rqmpFnwOx4rxPuXmP8+zCEdAg8CvlN/GOG5j1cAfQ5W8HhmGdlnWXhqxDvN
+2vrfCkomVTICJSn4tpIBfffwJzuIKXzJEZk23HmN5HcS0IsaCbQwGFk=
+-----END RSA PRIVATE KEY-----

data/test/support/test_public.key

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvLGrsJK6IobzhJ288tFH
+Lae6hqrRzeftQIBsJ7htIp8fmHbnOfPdf9p+e4WJMQkM5YX8bdv/TJLmsd8qCKdZ
+/5FTJB4RsH7gm9ef/4edXuuH7tUHQZuz+J87sq6UNGfpth7IsXkWcPqjmzZlpYAX
+L4kRZ1TtoXNt5WUMCyWRltGBnHuETZs4D+RBXNYLL1wb98/FBWUQUfUI2KPOnVkT
+cysGLhfpEEVGgsAWdwi2+Jn3KKZz6BInElRBrGYXIK5wPLigLebDUUGmNj8PL6La
+Je7o2TO6cJXWLOSTIr1x3+giL5kX2w++kJcWyCmnffW/CscTX3em+qJX67q3p84v
+XQIDAQAB
+-----END PUBLIC KEY-----

data/test/test_signed_config.rb

@@ -0,0 +1,27 @@
+require 'minitest/autorun'
+require 'signed_config'
+
+class SignedConfigTest < Minitest::Test
+
+  def test_flow
+    private_key_path = File.expand_path("../support/test_private.key", __FILE__)
+    private_key = File.open(private_key_path, 'rb') { |f| f.read }
+    config_hash = {
+      :num_users => '1',
+      :functionality_enabled => false
+    }
+
+    writer = SignedConfig::Writer.new(private_key, config_hash)
+    signed_config = writer.signed_config
+
+    assert signed_config
+
+    public_key_path = File.expand_path("../support/test_private.key", __FILE__)
+    public_key = File.open(public_key_path, 'rb') { |f| f.read }
+    reader = SignedConfig::Reader.new(public_key, signed_config)
+
+    config = reader.config
+    assert config[:num_users] == '1'
+    assert config[:functionality_enabled] == false
+  end
+end

metadata

@@ -0,0 +1,58 @@
+--- !ruby/object:Gem::Specification
+name: signed_config
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Kevin Trowbridge
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-12-07 00:00:00.000000000 Z
+dependencies: []
+description: 
+email:
+- kevinmtrowbridge@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT_LICENSE
+- README.md
+- lib/signed_config.rb
+- lib/signed_config/crypto.rb
+- lib/signed_config/errors.rb
+- lib/signed_config/reader.rb
+- lib/signed_config/writer.rb
+- test/support/test_private.key
+- test/support/test_public.key
+- test/test_signed_config.rb
+homepage: https://github.com/kevinmtrowbridge/signed_config
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.0
+signing_key: 
+specification_version: 4
+summary: Cryptograpically sign a configuration hash.  A way to enforce configuration
+  / licensing of an installed Ruby application.
+test_files:
+- test/support/test_private.key
+- test/support/test_public.key
+- test/test_signed_config.rb