smaak 0.0.10 → 0.1.0

data/lib/smaak/server.rb

@@ -5,7 +5,7 @@ require 'smaak/auth_message'
 module Smaak
   class Server < Associate
     attr_accessor :nonce_store
-    attr_accessor :public_key
+    attr_reader :private_key
 
     def initialize
       super
@@ -16,6 +16,10 @@ module Smaak
       set_key(key)
     end
 
+    def set_private_key(key)
+      @private_key = adapt_rsa_key(key)
+    end
+
     def auth_message_unique?(auth_message)
       if nonce_store[auth_message.nonce].nil?
         nonce_store[auth_message.nonce] = 1
@@ -24,26 +28,39 @@ module Smaak
       false
     end
 
-    def get_signed_auth_message_from_request(request)
-      authorization = request.env['HTTP_AUTHORIZATION']
-      auth_body = JSON.parse(authorization)
-      message = auth_body['message']
-      signature = auth_body['signature']
-      return AuthMessage.new(message), Base64.decode64(signature)
+    def build_auth_message_from_request(adaptor)
+      recipient_public_key = Base64.decode64(adaptor.header("x-smaak-recipient"))
+      psk = adaptor.header("x-smaak-psk")
+      expires = adaptor.header("x-smaak-expires")
+      identifier = adaptor.header("x-smaak-identifier")
+      nonce = adaptor.header("x-smaak-nonce")
+      encrypt = adaptor.header("x-smaak-encrypt")
+      auth_message = Smaak::AuthMessage.build(recipient_public_key, psk, expires, identifier, nonce, encrypt)
+    end
+
+    def verify_auth_message(auth_message)
+      return false if not auth_message_unique?(auth_message)
+      return false if not auth_message.intended_for_recipient?(@key.export)
+      identifier = auth_message.identifier
+      psk = @association_store[identifier]['psk']
+      return false if not auth_message.verify(psk)
+      true
     end
 
     def verify_signed_request(request)
-      auth_message, signature = get_signed_auth_message_from_request(request)
-      verify_auth_message(auth_message, signature)
+      adaptor = Smaak::create_adaptor(request)
+      auth_message = build_auth_message_from_request(adaptor)
+      return false if not verify_auth_message(auth_message)
+      pubkey = @association_store[auth_message.identifier]['public_key']
+      body = Smaak::Crypto::sink(adaptor.body)
+      body = Smaak::Crypto::decrypt(body, @private_key) if auth_message.encrypt
+      return false, nil if not Smaak::verify_authorization_headers(adaptor, pubkey)
+      return auth_message, body # TBD return ID from cert
     end
 
-    def verify_auth_message(auth_message, signature)
-      return false if not auth_message_unique?(auth_message)
-      return false if not auth_message.intended_for_recipient?(@key.export)
-      identity = auth_message.identity
-      pubkey = @association_store[identity]['public_key']
-      psk = @association_store[identity]['psk']
-      auth_message.verify(signature, pubkey, psk)
+    def compile_response(auth_message, data)
+      return Smaak::Crypto::encrypt(data, @association_store[auth_message.identifier]['public_key']) if auth_message.encrypt
+      data
     end
   end
 end

data/lib/smaak/smaak_service.rb

@@ -0,0 +1,29 @@
+require 'smaak.rb'
+require 'smaak/server.rb'
+
+module Smaak
+  class SmaakService
+    @@mutex = Mutex.new
+    @@instance = nil
+    attr_reader :smaak_server
+
+    def self.get_instance
+      @@mutex.synchronize do
+        if (@@instance.nil?)
+          @@instance = self.new
+        end
+        @@instance
+      end
+    end
+
+    def initialize
+      @smaak_server = Smaak::Server.new
+      configure_service
+    end
+
+    def configure_service
+      # @smaak_server.set_public_key(File.read('/service-provider-pub.pem'))
+      # @smaak_server.add_association('service-client-01', File.read('service-client-01-public.pem'), 'pre-shared-key')
+    end
+  end
+end

data/lib/smaak/utils.rb

@@ -0,0 +1,10 @@
+module Smaak
+  class Utils
+    def self.non_blank_string?(s)
+      return false if s.nil?
+      return false if not s.is_a? String
+      return false if s.strip == ""
+      return true
+    end
+  end
+end

data/lib/smaak/version.rb

@@ -1,3 +1,3 @@
 module Smaak
-  VERSION = "0.0.10"
+  VERSION = "0.1.0"
 end

data/lib/smaak.rb

@@ -1,34 +1,74 @@
-require "smaak/version"
-
 require 'openssl'
+require 'time'
+
+require "smaak/version"
+require "smaak/cavage_04"
+require "smaak/adaptors/net_http_adaptor"
+require "smaak/adaptors/rack_adaptor"
+require "smaak/crypto"
 
 module Smaak
   DEFAULT_TOKEN_LIFE = 2 unless defined? DEFAULT_TOKEN_LIFE; DEFAULT_TOKEN_LIFE.freeze
 
-  def self.obfuscate_psk(psk)
-    Digest::MD5.hexdigest(psk.reverse)
+  @@adaptors = { Net::HTTPRequest => NetHttpAdaptor, Rack::Request => RackAdaptor}
+ 
+  def self.headers_to_be_signed
+    [ "x-smaak-recipient",
+      "x-smaak-identifier",
+      "x-smaak-psk",
+      "x-smaak-expires",
+      "x-smaak-nonce",
+      "x-smaak-encrypt" ]
+  end
+
+  def self.adaptors
+    @@adaptors
+  end
+
+  def self.add_request_adaptor(request_clazz, adaptor_clazz)
+    @@adaptors[request_clazz] = adaptor_clazz
+  end
+
+  def self.create_adaptor(request)
+    @@adaptors.each do |r, a|
+      return a.new(request) if request.is_a? r
+    end
+    raise ArgumentError.new("Unknown request class #{request.class}. Add an adaptor using Smaak::add_request_adaptor.")
   end
 
-  def self.build_message(message_data)
-    Base64.encode64(message_data.to_json)
+  def self.select_specification(adaptor, specification)
+    raise ArgumentError.new("Adaptor must be provided") if adaptor.nil?
+    return Cavage04.new(adaptor) if specification == Smaak::Cavage04::SPECIFICATION
+    raise ArgumentError.new("Unknown specification")
   end
 
-  def self.sign_message_data(message_data, private_key)
-    digest = OpenSSL::Digest::SHA256.new
-    private_key.sign(digest, Smaak::build_message(message_data))
+  def self.sign_authorization_headers(key, auth_message, adaptor, specification = Smaak::Cavage04::SPECIFICATION)
+    specification = Smaak::select_specification(adaptor, specification)
+
+    signature_headers = specification.compile_signature_headers(auth_message)
+    signature_data = Smaak::Crypto::sign_data(signature_headers, key)
+    signature = Smaak::Crypto::encode64(signature_data)
+    specification.compile_auth_header(signature)
+    specification.adaptor
   end
 
-  def self.generate_nonce
-    SecureRandom::random_number(10000000000)
+  def self.verify_authorization_headers(adaptor, pubkey)
+    raise ArgumentError.new("Key is required") if pubkey.nil?
+    signature_headers, signature = Smaak::get_signature_data_from_request(adaptor)
+    return false if signature.nil?
+    return false if signature_headers.nil?
+    Smaak::Crypto::verify_signature(signature, Smaak::Crypto::encode64(signature_headers), pubkey)
   end
 
-  def self.compile_auth_message_data(recipient_public_key, recipient_psk, token_life, identity, request_signing_data)
-    { 'recipient' => recipient_public_key.export,
-      'identity' => identity,
-      'psk' => Smaak::obfuscate_psk(recipient_psk),
-      'expires' => Time.now.to_i + token_life,
-      'nonce' => Smaak::generate_nonce,
-      'data' => request_signing_data }
+  private
+
+  def self.get_signature_data_from_request(adaptor, specification = Smaak::Cavage04::SPECIFICATION)
+    specification = Smaak::select_specification(adaptor, specification)
+
+    signature_headers = specification.extract_signature_headers
+    signature = specification.extract_signature
+
+    return signature_headers, Base64.decode64(signature)
   end
 end
 

data/smaak.gemspec

@@ -27,4 +27,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'simplecov'
   spec.add_development_dependency 'simplecov-rcov'
   spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rack'
 end

data/spec/lib/smaak/adaptors/net_http_adaptor_spec.rb

@@ -0,0 +1,99 @@
+require './spec/spec_helper.rb'
+
+describe Smaak::NetHttpAdaptor do
+  before :each do
+    @request = Net::HTTP::Post.new("http://rubygems.org:80/gems/smaak")
+    @request.body = "body-data"
+    @iut = Smaak::NetHttpAdaptor.new(@request)
+  end
+
+  context "when initialized" do
+    it "should remember the request provided" do
+      expect(@iut.request).to eq(@request)
+    end
+
+    it "should raise an ArgumentError if request is not a Net::HTTPRequest" do
+      expect{
+        Smaak::NetHttpAdaptor.new("notarequest")
+      }.to raise_error ArgumentError, "Must provide a Net::HTTPRequest"
+      expect{
+        Smaak::NetHttpAdaptor.new(nil)
+      }.to raise_error ArgumentError, "Must provide a Net::HTTPRequest"
+    end
+  end
+
+  context "when asked to set a header" do
+    it "should raise an ArgumentError if the header is not a non-blank string" do
+      expect {
+        @iut.set_header("", "value")
+      }.to raise_error ArgumentError, "Header must be a non-blank string"
+      expect {
+        @iut.set_header("  ", "value")
+      }.to raise_error ArgumentError, "Header must be a non-blank string"
+    end
+
+    it "should raise and ArgumentError if the header is not a string" do
+      expect {
+        @iut.set_header({:a => 'A'}, "value")
+      }.to raise_error ArgumentError, "Header must be a non-blank string"
+    end
+
+    it "should set the header on the request" do
+      @iut.set_header("one", "1")
+      @iut.set_header("two", "2")
+      expect(@iut.request["one"]).to eq("1")
+      expect(@iut.request["two"]).to eq("2")
+    end
+  end
+
+  context "when asked to iterate all headers" do
+    it "should iterate each header if there are headers set" do
+      @iut.set_header("one", "1")
+      @iut.set_header("two", "2")
+      count = 0
+      one = false
+      two = false
+      @iut.each_header do |header, value|
+        count = count + 1
+        one = true if header == "one" and value == "1"
+        two = true if header == "two" and value == "2"
+      end
+      expect(count).to eq(5) #some default headers come with a vanilla request
+      expect(one).to eq(true)
+      expect(two).to eq(true)
+    end
+
+    it "should not iterate any headers if there are no headers set" do
+      count = 0
+      @iut.each_header do |header, value|
+        count = count + 1
+      end
+      expect(count).to eq(3) #some default headers come with a vanilla request
+    end
+  end
+
+  context "when asked for request attributes" do
+    it "should provide an accessor to the host" do
+      expect(@iut.host).to eq("rubygems.org")
+    end
+
+    it "should provide an accessor to the path" do
+      expect(@iut.path).to eq("/gems/smaak")
+    end
+
+    it "should provide an accessor to the method" do
+      expect(@iut.method).to eq("POST")
+    end
+
+    it "should provide an accessor to the body" do
+      expect(@iut.body).to eq("body-data")
+    end
+  end
+
+  context "when setting the body" do
+    it "should set the request's body attribute" do
+      @iut.body = "new body"
+      expect(@iut.body).to eq("new body")
+    end
+  end
+end

data/spec/lib/smaak/adaptors/rack_adaptor_spec.rb

@@ -0,0 +1,83 @@
+require './spec/spec_helper.rb'
+
+describe Smaak::RackAdaptor do
+  before :each do
+    @env = {"CONTENT_LENGTH" => "25", "REQUEST_METHOD" => "POST", "PATH_INFO" => "/gems/smaak", "HTTP_X_SMAAK_ENCRYPT" => "false"}
+    @request = Rack::Request.new(@env)
+    
+    @iut = Smaak::RackAdaptor.new(@request)
+  end
+
+  context "when initialized" do
+    it "should remember the request provided" do
+      expect(@iut.request).to eq(@request)
+    end
+
+    it "should raise an ArgumentError if request is not a Rack::Request" do
+      expect{
+        Smaak::NetHttpAdaptor.new("notarequest")
+      }.to raise_error ArgumentError, "Must provide a Net::HTTPRequest"
+      expect{
+        Smaak::NetHttpAdaptor.new(nil)
+      }.to raise_error ArgumentError, "Must provide a Net::HTTPRequest"
+    end
+  end
+
+  context "when asked for a header" do
+    it "should return an ArgumentError if the header is blank" do
+      expect {
+        @iut.header("")
+      }.to raise_error ArgumentError, "Header must be a non-blank string"
+      expect {
+        @iut.header("  ")
+      }.to raise_error ArgumentError, "Header must be a non-blank string"
+    end
+
+    it "should raise and ArgumentError if the header is not a string" do
+      expect {
+        @iut.header({:a => 'A'})
+      }.to raise_error ArgumentError, "Header must be a non-blank string"
+    end
+
+    it "return the value of the requested header" do
+      expect(@iut.header("content-length")).to eq("25")
+      expect(@iut.header("x-smaak-encrypt")).to eq("false")
+    end
+
+    it "should translate the header from the Rack HTTP_header index in the Rack upcase" do
+      expect(@iut.header("x-smaak-encrypt")).to eq("false")
+    end
+
+    it "should translate the header from the Rack underscore index" do
+      expect(@iut.header("x-smaak-encrypt")).to eq("false")
+    end
+
+    it "should ignore header case" do
+      expect(@iut.header("x-SMAAK-encrypt")).to eq("false")
+    end
+ 
+    it "should understand that content-length does not have HTTP_ prepended in the rack env" do
+      expect(@iut.header("content-length")).to eq("25")
+    end
+ 
+    it "should understand that request-method does not have HTTP_ prepended in the rack env" do
+      expect(@iut.header("request-method")).to eq("POST")
+    end
+  end
+
+  context "when asked for request attributes" do
+    it "should provide an accessor to the path" do
+      expect(@iut.path).to eq("/gems/smaak")
+    end
+
+    it "should provide an accessor to the method" do
+      expect(@iut.method).to eq("POST")
+    end
+  end
+
+  context "when asked for the body" do
+    it "should return the request body" do
+      @request.body
+    end
+  end
+end