signed_request 1.0.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,5 @@
+*.sw?
+.DS_Store
+coverage
+rdoc
+pkg

data/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2009 Evri, Inc
+Authored by David Balatero
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,56 @@
+= signed_request
+
+A simple 25-line gem for signing/verifying an HTTP request that has gone over the wire.
+
+The sender and receiver must share the same secret key between them.
+
+This gem should be used in conjunction with SSL certificates to defend against 
+replay attacks.
+
+Any key can be used to sign the request -- choosing a secure key is the choice of the
+user of this library.
+
+== Signing a request
+
+  require 'signed_request'
+
+  def send_over_the_wire
+    key = 'mykey'  # insecure, use something else :)
+    params = { 'param1' => 'foo',
+               'param2' => 'bar' }
+    signature = SignedRequest.sign(params, key)
+    
+    params['signature'] = key
+
+    # post it to the receiver.
+    req = Net::HTTP::Get.new('/secret/url')
+    req.form_data = params
+    http = Net::HTTP.new('mydomain.com', 443)
+    http.use_ssl = true
+    response = http.start do |session|
+      session.request(req)
+    end
+
+    # do something w/ response
+  end
+
+== Verifying a signed request
+
+  require 'signed_request'
+
+  class SecretController < ApplicationController
+    def verify_request
+      key = 'mykey'
+      
+      if SignedRequest.verified(params, key)
+        # we are good
+      else
+        abort "get the hell out of here!"
+      end
+    end
+  end
+
+== Copyright
+
+Copyright (c) 2009 Evri, Inc
+Authored by David Balatero <dbalatero AT no-spam evri DOT com>. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,49 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "signed_request"
+    gem.summary = %Q{A simple gem that allows you to sign HTTP requests between two parties with a shared secret key.}
+    gem.email = "dbalatero@evri.com"
+    gem.homepage = "http://github.com/dbalatero/signed_request"
+    gem.authors = ["David Balatero"]
+    gem.rubyforge_project = 'evrigems'
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  if File.exist?('VERSION.yml')
+    config = YAML.load(File.read('VERSION.yml'))
+    version = "#{config[:major]}.#{config[:minor]}.#{config[:patch]}"
+  else
+    version = ""
+  end
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "signed_request #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+

data/VERSION

@@ -0,0 +1 @@
+1.0.0

data/lib/signed_request.rb

@@ -0,0 +1,32 @@
+require 'base64'
+require 'openssl'
+require 'openssl/digest'
+
+module SignedRequest
+  STRIP_PARAMS = ['action', 'controller'] 
+
+  # Sign a request on the sending end.
+  def self.sign(params, secret_key)
+    query   = params.sort_by { |k,v| k.to_s.downcase }
+    digest  = OpenSSL::Digest::Digest.new('sha1')
+    hmac    = OpenSSL::HMAC.digest(digest, secret_key, query.to_s)
+    encoded = Base64.encode64(hmac).chomp
+  end
+
+  # Validate an incoming request on the receiving end.
+  def self.validate(params, secret_key)
+    signature = params.delete('signature')
+    return false if !signature
+
+    strip_keys_from!(params, *STRIP_PARAMS)
+    actual_signature = sign(params, secret_key)
+    actual_signature == signature
+  end
+
+  private
+  def self.strip_keys_from!(hash, *keys)
+    keys.each do |key|
+      hash.delete(key)
+    end
+  end
+end

data/signed_request.gemspec

@@ -0,0 +1,47 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{signed_request}
+  s.version = "1.0.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["David Balatero"]
+  s.date = %q{2009-06-22}
+  s.email = %q{dbalatero@evri.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/signed_request.rb",
+     "signed_request.gemspec",
+     "spec/signed_request_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/dbalatero/signed_request}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubyforge_project = %q{evrigems}
+  s.rubygems_version = %q{1.3.4}
+  s.summary = %q{A simple gem that allows you to sign HTTP requests between two parties with a shared secret key.}
+  s.test_files = [
+    "spec/signed_request_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end

data/spec/signed_request_spec.rb

@@ -0,0 +1,56 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe SignedRequest do
+  before(:each) do
+    @test_key = 'mykey'
+  end
+
+  describe "sign" do
+    it "should sign the request and return the correct signed key as base64" do
+      params = {
+        "tokenID" => "N1CHGCG13NNB4JMVJN1Q1JXIKBQDO4DQ595NRSCTILAU47P7GA7JVQMMJNXRUJFM", 
+        "callerReference" => "44441234567fdsa44",
+        "expiry" => "10/2014",
+        "status" => "SC"
+      }
+
+      result = SignedRequest.sign(params, @test_key)
+      result.should == "uoOmSftU4gnUMK6Q1ylyGnr5hEw="
+    end
+  end
+
+
+  describe "validate" do
+    it "should return true given a correct request" do
+      good_params = {
+        "tokenID" => "N1CHGCG13NNB4JMVJN1Q1JXIKBQDO4DQ595NRSCTILAU47P7GA7JVQMMJNXRUJFM", 
+        "callerReference" => "44441234567fdsa44",
+        "action" => "amazon_return",
+        "signature" => "uoOmSftU4gnUMK6Q1ylyGnr5hEw=",
+        "controller" => "checkout",
+        "expiry" => "10/2014",
+        "status" => "SC"
+      }
+
+      SignedRequest.validate(good_params, @test_key).should be_true
+    end
+
+    it "should return false if there is no signature given" do
+      good_params_without_signature = {
+        "tokenID" => "N1CHGCG13NNB4JMVJN1Q1JXIKBQDO4DQ595NRSCTILAU47P7GA7JVQMMJNXRUJFM", 
+        "callerReference" => "44441234567fdsa44",
+        "action" => "amazon_return",
+        "controller" => "checkout",
+        "expiry" => "10/2014",
+        "status" => "SC"
+      }
+
+      SignedRequest.validate(good_params_without_signature, @test_key).should be_false
+    end
+
+    it "should return false if there is a bad signature given" do
+      result = SignedRequest.validate({'signature' => 'bad', 'param1' => 'ok'}, @test_key)
+      result.should be_false
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+require 'spec'
+
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'signed_request'
+
+Spec::Runner.configure do |config|
+  
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification 
+name: signed_request
+version: !ruby/object:Gem::Version 
+  version: 1.0.0
+platform: ruby
+authors: 
+- David Balatero
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-06-22 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: 
+email: dbalatero@evri.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/signed_request.rb
+- signed_request.gemspec
+- spec/signed_request_spec.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/dbalatero/signed_request
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: evrigems
+rubygems_version: 1.3.4
+signing_key: 
+specification_version: 3
+summary: A simple gem that allows you to sign HTTP requests between two parties with a shared secret key.
+test_files: 
+- spec/signed_request_spec.rb
+- spec/spec_helper.rb