signed_request 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- data/.document +5 -0
- data/.gitignore +5 -0
- data/LICENSE +21 -0
- data/README.rdoc +56 -0
- data/Rakefile +49 -0
- data/VERSION +1 -0
- data/lib/signed_request.rb +32 -0
- data/signed_request.gemspec +47 -0
- data/spec/signed_request_spec.rb +56 -0
- data/spec/spec_helper.rb +9 -0
- metadata +66 -0
data/.document
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
Copyright (c) 2009 Evri, Inc
|
2
|
+
Authored by David Balatero
|
3
|
+
|
4
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
5
|
+
a copy of this software and associated documentation files (the
|
6
|
+
"Software"), to deal in the Software without restriction, including
|
7
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
8
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
9
|
+
permit persons to whom the Software is furnished to do so, subject to
|
10
|
+
the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be
|
13
|
+
included in all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
16
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
17
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
18
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
19
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
20
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
21
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,56 @@
|
|
1
|
+
= signed_request
|
2
|
+
|
3
|
+
A simple 25-line gem for signing/verifying an HTTP request that has gone over the wire.
|
4
|
+
|
5
|
+
The sender and receiver must share the same secret key between them.
|
6
|
+
|
7
|
+
This gem should be used in conjunction with SSL certificates to defend against
|
8
|
+
replay attacks.
|
9
|
+
|
10
|
+
Any key can be used to sign the request -- choosing a secure key is the choice of the
|
11
|
+
user of this library.
|
12
|
+
|
13
|
+
== Signing a request
|
14
|
+
|
15
|
+
require 'signed_request'
|
16
|
+
|
17
|
+
def send_over_the_wire
|
18
|
+
key = 'mykey' # insecure, use something else :)
|
19
|
+
params = { 'param1' => 'foo',
|
20
|
+
'param2' => 'bar' }
|
21
|
+
signature = SignedRequest.sign(params, key)
|
22
|
+
|
23
|
+
params['signature'] = key
|
24
|
+
|
25
|
+
# post it to the receiver.
|
26
|
+
req = Net::HTTP::Get.new('/secret/url')
|
27
|
+
req.form_data = params
|
28
|
+
http = Net::HTTP.new('mydomain.com', 443)
|
29
|
+
http.use_ssl = true
|
30
|
+
response = http.start do |session|
|
31
|
+
session.request(req)
|
32
|
+
end
|
33
|
+
|
34
|
+
# do something w/ response
|
35
|
+
end
|
36
|
+
|
37
|
+
== Verifying a signed request
|
38
|
+
|
39
|
+
require 'signed_request'
|
40
|
+
|
41
|
+
class SecretController < ApplicationController
|
42
|
+
def verify_request
|
43
|
+
key = 'mykey'
|
44
|
+
|
45
|
+
if SignedRequest.verified(params, key)
|
46
|
+
# we are good
|
47
|
+
else
|
48
|
+
abort "get the hell out of here!"
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
|
53
|
+
== Copyright
|
54
|
+
|
55
|
+
Copyright (c) 2009 Evri, Inc
|
56
|
+
Authored by David Balatero <dbalatero AT no-spam evri DOT com>. See LICENSE for details.
|
data/Rakefile
ADDED
@@ -0,0 +1,49 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'rake'
|
3
|
+
|
4
|
+
begin
|
5
|
+
require 'jeweler'
|
6
|
+
Jeweler::Tasks.new do |gem|
|
7
|
+
gem.name = "signed_request"
|
8
|
+
gem.summary = %Q{A simple gem that allows you to sign HTTP requests between two parties with a shared secret key.}
|
9
|
+
gem.email = "dbalatero@evri.com"
|
10
|
+
gem.homepage = "http://github.com/dbalatero/signed_request"
|
11
|
+
gem.authors = ["David Balatero"]
|
12
|
+
gem.rubyforge_project = 'evrigems'
|
13
|
+
# gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
|
14
|
+
end
|
15
|
+
|
16
|
+
rescue LoadError
|
17
|
+
puts "Jeweler (or a dependency) not available. Install it with: sudo gem install jeweler"
|
18
|
+
end
|
19
|
+
|
20
|
+
require 'spec/rake/spectask'
|
21
|
+
Spec::Rake::SpecTask.new(:spec) do |spec|
|
22
|
+
spec.libs << 'lib' << 'spec'
|
23
|
+
spec.spec_files = FileList['spec/**/*_spec.rb']
|
24
|
+
end
|
25
|
+
|
26
|
+
Spec::Rake::SpecTask.new(:rcov) do |spec|
|
27
|
+
spec.libs << 'lib' << 'spec'
|
28
|
+
spec.pattern = 'spec/**/*_spec.rb'
|
29
|
+
spec.rcov = true
|
30
|
+
end
|
31
|
+
|
32
|
+
|
33
|
+
task :default => :spec
|
34
|
+
|
35
|
+
require 'rake/rdoctask'
|
36
|
+
Rake::RDocTask.new do |rdoc|
|
37
|
+
if File.exist?('VERSION.yml')
|
38
|
+
config = YAML.load(File.read('VERSION.yml'))
|
39
|
+
version = "#{config[:major]}.#{config[:minor]}.#{config[:patch]}"
|
40
|
+
else
|
41
|
+
version = ""
|
42
|
+
end
|
43
|
+
|
44
|
+
rdoc.rdoc_dir = 'rdoc'
|
45
|
+
rdoc.title = "signed_request #{version}"
|
46
|
+
rdoc.rdoc_files.include('README*')
|
47
|
+
rdoc.rdoc_files.include('lib/**/*.rb')
|
48
|
+
end
|
49
|
+
|
data/VERSION
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
1.0.0
|
@@ -0,0 +1,32 @@
|
|
1
|
+
require 'base64'
|
2
|
+
require 'openssl'
|
3
|
+
require 'openssl/digest'
|
4
|
+
|
5
|
+
module SignedRequest
|
6
|
+
STRIP_PARAMS = ['action', 'controller']
|
7
|
+
|
8
|
+
# Sign a request on the sending end.
|
9
|
+
def self.sign(params, secret_key)
|
10
|
+
query = params.sort_by { |k,v| k.to_s.downcase }
|
11
|
+
digest = OpenSSL::Digest::Digest.new('sha1')
|
12
|
+
hmac = OpenSSL::HMAC.digest(digest, secret_key, query.to_s)
|
13
|
+
encoded = Base64.encode64(hmac).chomp
|
14
|
+
end
|
15
|
+
|
16
|
+
# Validate an incoming request on the receiving end.
|
17
|
+
def self.validate(params, secret_key)
|
18
|
+
signature = params.delete('signature')
|
19
|
+
return false if !signature
|
20
|
+
|
21
|
+
strip_keys_from!(params, *STRIP_PARAMS)
|
22
|
+
actual_signature = sign(params, secret_key)
|
23
|
+
actual_signature == signature
|
24
|
+
end
|
25
|
+
|
26
|
+
private
|
27
|
+
def self.strip_keys_from!(hash, *keys)
|
28
|
+
keys.each do |key|
|
29
|
+
hash.delete(key)
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# -*- encoding: utf-8 -*-
|
2
|
+
|
3
|
+
Gem::Specification.new do |s|
|
4
|
+
s.name = %q{signed_request}
|
5
|
+
s.version = "1.0.0"
|
6
|
+
|
7
|
+
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
8
|
+
s.authors = ["David Balatero"]
|
9
|
+
s.date = %q{2009-06-22}
|
10
|
+
s.email = %q{dbalatero@evri.com}
|
11
|
+
s.extra_rdoc_files = [
|
12
|
+
"LICENSE",
|
13
|
+
"README.rdoc"
|
14
|
+
]
|
15
|
+
s.files = [
|
16
|
+
".document",
|
17
|
+
".gitignore",
|
18
|
+
"LICENSE",
|
19
|
+
"README.rdoc",
|
20
|
+
"Rakefile",
|
21
|
+
"VERSION",
|
22
|
+
"lib/signed_request.rb",
|
23
|
+
"signed_request.gemspec",
|
24
|
+
"spec/signed_request_spec.rb",
|
25
|
+
"spec/spec_helper.rb"
|
26
|
+
]
|
27
|
+
s.homepage = %q{http://github.com/dbalatero/signed_request}
|
28
|
+
s.rdoc_options = ["--charset=UTF-8"]
|
29
|
+
s.require_paths = ["lib"]
|
30
|
+
s.rubyforge_project = %q{evrigems}
|
31
|
+
s.rubygems_version = %q{1.3.4}
|
32
|
+
s.summary = %q{A simple gem that allows you to sign HTTP requests between two parties with a shared secret key.}
|
33
|
+
s.test_files = [
|
34
|
+
"spec/signed_request_spec.rb",
|
35
|
+
"spec/spec_helper.rb"
|
36
|
+
]
|
37
|
+
|
38
|
+
if s.respond_to? :specification_version then
|
39
|
+
current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
|
40
|
+
s.specification_version = 3
|
41
|
+
|
42
|
+
if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
|
43
|
+
else
|
44
|
+
end
|
45
|
+
else
|
46
|
+
end
|
47
|
+
end
|
@@ -0,0 +1,56 @@
|
|
1
|
+
require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
|
2
|
+
|
3
|
+
describe SignedRequest do
|
4
|
+
before(:each) do
|
5
|
+
@test_key = 'mykey'
|
6
|
+
end
|
7
|
+
|
8
|
+
describe "sign" do
|
9
|
+
it "should sign the request and return the correct signed key as base64" do
|
10
|
+
params = {
|
11
|
+
"tokenID" => "N1CHGCG13NNB4JMVJN1Q1JXIKBQDO4DQ595NRSCTILAU47P7GA7JVQMMJNXRUJFM",
|
12
|
+
"callerReference" => "44441234567fdsa44",
|
13
|
+
"expiry" => "10/2014",
|
14
|
+
"status" => "SC"
|
15
|
+
}
|
16
|
+
|
17
|
+
result = SignedRequest.sign(params, @test_key)
|
18
|
+
result.should == "uoOmSftU4gnUMK6Q1ylyGnr5hEw="
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
|
23
|
+
describe "validate" do
|
24
|
+
it "should return true given a correct request" do
|
25
|
+
good_params = {
|
26
|
+
"tokenID" => "N1CHGCG13NNB4JMVJN1Q1JXIKBQDO4DQ595NRSCTILAU47P7GA7JVQMMJNXRUJFM",
|
27
|
+
"callerReference" => "44441234567fdsa44",
|
28
|
+
"action" => "amazon_return",
|
29
|
+
"signature" => "uoOmSftU4gnUMK6Q1ylyGnr5hEw=",
|
30
|
+
"controller" => "checkout",
|
31
|
+
"expiry" => "10/2014",
|
32
|
+
"status" => "SC"
|
33
|
+
}
|
34
|
+
|
35
|
+
SignedRequest.validate(good_params, @test_key).should be_true
|
36
|
+
end
|
37
|
+
|
38
|
+
it "should return false if there is no signature given" do
|
39
|
+
good_params_without_signature = {
|
40
|
+
"tokenID" => "N1CHGCG13NNB4JMVJN1Q1JXIKBQDO4DQ595NRSCTILAU47P7GA7JVQMMJNXRUJFM",
|
41
|
+
"callerReference" => "44441234567fdsa44",
|
42
|
+
"action" => "amazon_return",
|
43
|
+
"controller" => "checkout",
|
44
|
+
"expiry" => "10/2014",
|
45
|
+
"status" => "SC"
|
46
|
+
}
|
47
|
+
|
48
|
+
SignedRequest.validate(good_params_without_signature, @test_key).should be_false
|
49
|
+
end
|
50
|
+
|
51
|
+
it "should return false if there is a bad signature given" do
|
52
|
+
result = SignedRequest.validate({'signature' => 'bad', 'param1' => 'ok'}, @test_key)
|
53
|
+
result.should be_false
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
data/spec/spec_helper.rb
ADDED
metadata
ADDED
@@ -0,0 +1,66 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: signed_request
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.0.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- David Balatero
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
|
12
|
+
date: 2009-06-22 00:00:00 -07:00
|
13
|
+
default_executable:
|
14
|
+
dependencies: []
|
15
|
+
|
16
|
+
description:
|
17
|
+
email: dbalatero@evri.com
|
18
|
+
executables: []
|
19
|
+
|
20
|
+
extensions: []
|
21
|
+
|
22
|
+
extra_rdoc_files:
|
23
|
+
- LICENSE
|
24
|
+
- README.rdoc
|
25
|
+
files:
|
26
|
+
- .document
|
27
|
+
- .gitignore
|
28
|
+
- LICENSE
|
29
|
+
- README.rdoc
|
30
|
+
- Rakefile
|
31
|
+
- VERSION
|
32
|
+
- lib/signed_request.rb
|
33
|
+
- signed_request.gemspec
|
34
|
+
- spec/signed_request_spec.rb
|
35
|
+
- spec/spec_helper.rb
|
36
|
+
has_rdoc: true
|
37
|
+
homepage: http://github.com/dbalatero/signed_request
|
38
|
+
licenses: []
|
39
|
+
|
40
|
+
post_install_message:
|
41
|
+
rdoc_options:
|
42
|
+
- --charset=UTF-8
|
43
|
+
require_paths:
|
44
|
+
- lib
|
45
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
46
|
+
requirements:
|
47
|
+
- - ">="
|
48
|
+
- !ruby/object:Gem::Version
|
49
|
+
version: "0"
|
50
|
+
version:
|
51
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
52
|
+
requirements:
|
53
|
+
- - ">="
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: "0"
|
56
|
+
version:
|
57
|
+
requirements: []
|
58
|
+
|
59
|
+
rubyforge_project: evrigems
|
60
|
+
rubygems_version: 1.3.4
|
61
|
+
signing_key:
|
62
|
+
specification_version: 3
|
63
|
+
summary: A simple gem that allows you to sign HTTP requests between two parties with a shared secret key.
|
64
|
+
test_files:
|
65
|
+
- spec/signed_request_spec.rb
|
66
|
+
- spec/spec_helper.rb
|