smaak 0.0.10 → 0.1.0

data/spec/lib/smaak_spec.rb

@@ -1,88 +1,166 @@
 require './spec/spec_helper.rb'
+require 'net/http'
 
 describe Smaak do
+  before :all do
+    @test_server_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_server_public_key = @test_server_private_key.public_key
+    @request = Net::HTTP::Post.new("http://rubygems.org:80/gems/smaak")
+    @request.body = "body-data"
+    @test_nonce = 1234567890
+    @test_expires = Time.now.to_i + 5
+    @test_psk = "testpresharedkey"
+    @test_identifier = 'test-service-1.cpt1.host-h.net'
+    @test_recipient = @test_server_public_key.export
+    @test_encrypt = true
+    @auth_message = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, @test_encrypt)
+    @adaptor = Smaak::create_adaptor(@request)
+    @mock_specification = Smaak::Cavage04.new(@adaptor)
+  end
+
   context "when loaded" do
     it "should specify a default token life" do
      expect(Smaak::DEFAULT_TOKEN_LIFE).to eq(2)
     end
   end
 
-  context "when asked to obfuscate a clear-text psk" do
-    it "should reverse the psk and appluy an MD5 hexadecimal digest to the result" do
-      expect(Smaak::obfuscate_psk('sharedsecret')).to eq(Digest::MD5.hexdigest('sharedsecret'.reverse))
+  context "when asked which headers should be signed" do
+    it "should list all the smaak header extensions" do
+      expect(Smaak::headers_to_be_signed.include?("x-smaak-recipient")).to eql(true)
+      expect(Smaak::headers_to_be_signed.include?("x-smaak-identifier")).to eql(true)
+      expect(Smaak::headers_to_be_signed.include?("x-smaak-psk")).to eql(true)
+      expect(Smaak::headers_to_be_signed.include?("x-smaak-expires")).to eql(true)
+      expect(Smaak::headers_to_be_signed.include?("x-smaak-nonce")).to eql(true)
+      expect(Smaak::headers_to_be_signed.include?("x-smaak-encrypt")).to eql(true)
     end
   end
 
-  context "when asked to build an auth message" do
-    it "should base 64 encode a json representation of the message" do
-      testm = {'a' => 'A'}
-      expect(Smaak::build_message(testm)).to eq(Base64::encode64(testm.to_json))
+  context "when told about a new request adaptor" do
+    it "should remember the adaptor class associated with the request class" do
+      Smaak::add_request_adaptor(Integer, String)
+      expect(Smaak::adaptors[Integer]).to eql(String)
     end
   end
 
-  context "when asked to sign a message given a private key" do
-    it "should sign the message with the key using a 256 bit digest" do
-      private_key = OpenSSL::PKey::RSA.new(4096)
-      message_data = {'a' => 'B'}
-      message = Smaak::build_message(message_data)
-      digest = OpenSSL::Digest::SHA256.new
-      expect(Smaak::sign_message_data(message_data, private_key)).to eq(private_key.sign(digest, message))
+  context "when asked to create a request adaptor" do
+    it "should raise an ArgumentError if the request type does not have an adaptor configured" do
+      expect {
+        Smaak::create_adaptor(0.1)
+      }.to raise_error ArgumentError, "Unknown request class Float. Add an adaptor using Smaak::add_request_adaptor."
+    end
+
+    it "should create a new instance of the adaptor class specified in the request adaptor dictionary" do
+      adaptor = Smaak::create_adaptor(Net::HTTP::Post.new("http://rubygems.org:80/gems/smaak"))
+      expect(adaptor.is_a? Smaak::NetHttpAdaptor).to eql(true)
     end
   end
 
-  context "when asked to generate a nonce" do
-    it "should generate a random nonce with at most 1 in a ten billion probability of a consecutive clash" do
-      expect(SecureRandom).to receive(:random_number).with(10000000000)
-      Smaak::generate_nonce
-    end
-
-    it "should generate a different nonce every time with high probability (less than 1 in 10000) given a history of 1000000 nonces" do
-      repeat = {}
-      failed = 0
-      threshold = 1000000
-      for i in 1..threshold do
-        value = Smaak::generate_nonce
-        failed = failed + 1 if repeat[value] == 1
-        repeat[value] = 1
-      end
-      failed_p = (failed.to_f / threshold) * 100
-      puts "I've seen #{failed_p} % of nonces before in #{threshold} generations"
-      expect(failed_p < 0.01).to eq(true)
+  context "when asked to select a header signature specification" do
+    it "should raise an ArgumentError if the specification is unknown" do
+      expect {
+        Smaak::select_specification(@adaptor, "unknown specification")
+      }.to raise_error ArgumentError, "Unknown specification"
+    end
+
+    it "should return an instance of a known specification" do
+      expect(Smaak::select_specification(@adaptor, Smaak::Cavage04::SPECIFICATION).is_a?(Smaak::Cavage04)).to eql(true)
+    end
+
+    it "should raise an ArgumentError if the adaptor specified is nil" do
+      expect {
+        Smaak::select_specification(nil, Smaak::Cavage04::SPECIFICATION)
+      }.to raise_error ArgumentError, "Adaptor must be provided"
     end
   end
 
-  context "when asked to compile an auth message data dictionary with addressed to an associate" do
-    before :all do
-      @associate_public_key = OpenSSL::PKey::RSA.new(4096).public_key
-      @associate_psk = 'sharedsecret'
-      @token_life = 3
-      @identity = 'test-service'
-      @test_data = {}
+  context "when asked to sign authorization headers given a key, auth_message, request adaptor and specification" do
+    it "should select the requested specification" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      Smaak::sign_authorization_headers(@test_server_private_key, @auth_message, @adaptor, Smaak::Cavage04::SPECIFICATION)
+    end
+
+    it "should compile the signature header from the auth_message using the specification" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect(@mock_specification).to receive(:compile_signature_headers).with(@auth_message).and_return "headers"
+      Smaak::sign_authorization_headers(@test_server_private_key, @auth_message, @adaptor, Smaak::Cavage04::SPECIFICATION)
+    end
+
+    it "should sign the signature headers using the key" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect(@mock_specification).to receive(:compile_signature_headers).with(@auth_message).and_return "headers"
+      expect(Smaak::Crypto).to receive(:sign_data).with("headers", @test_server_private_key).and_return("signed headers")
+      Smaak::sign_authorization_headers(@test_server_private_key, @auth_message, @adaptor, Smaak::Cavage04::SPECIFICATION)
+    end
+
+    it "should compile an auth header using the signature as the signature data base 64 encoded" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect(@mock_specification).to receive(:compile_signature_headers).with(@auth_message).and_return "headers"
+      expect(Smaak::Crypto).to receive(:sign_data).with("headers", @test_server_private_key).and_return("signed headers")
+      expect(@mock_specification).to receive(:compile_auth_header).with(Base64::strict_encode64("signed headers"))
+      Smaak::sign_authorization_headers(@test_server_private_key, @auth_message, @adaptor, Smaak::Cavage04::SPECIFICATION)
+    end
+
+    it "should return the adapter" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect(Smaak::sign_authorization_headers(@test_server_private_key, @auth_message, @adaptor, Smaak::Cavage04::SPECIFICATION)).to eql(@adaptor)
+    end
+  end
+
+  context "when asked if signed authorization headers are ok given a public key" do
+    it "should select the requested specification" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect {
+        Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)
+      }.to raise_error
+    end
+
+    it "should extract the signature headers using the specification" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect(@mock_specification).to receive(:extract_signature_headers).and_return "headers"
+      expect {
+        Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)
+      }.to raise_error
+    end
+
+    it "should extract the signature using the specification" do
+      expect(Smaak::Cavage04).to receive(:new).and_return(@mock_specification)
+      expect(@mock_specification).to receive(:extract_signature_headers).and_return "headers"
+      expect(@mock_specification).to receive(:extract_signature).and_return "signature"
+      Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)
     end
 
-    before :each do
-      @iut = Smaak::compile_auth_message_data(@associate_public_key, @associate_psk, @token_life, @identity, @test_data)
-      @timestamp = Time.now.to_i
+    it "should return false if the signature is nil" do
+      expect(Smaak).to receive(:get_signature_data_from_request).with(@adaptor).and_return(["headers", nil])
+      expect(Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)).to eql(false)
     end
 
-    it "should set the recipient to the recipient specified" do
-      expect(@iut['recipient']).to eq(@associate_public_key.export)
+    it "should return false if the signature headers are nil" do
+      expect(Smaak).to receive(:get_signature_data_from_request).with(@adaptor).and_return([nil, "signature"])
+      expect(Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)).to eql(false)
     end
 
-    it "should set the identity to the sender's identity" do
-      expect(@iut['identity']).to eq(@identity)
+    it "should raise an ArgumentError if the public key is nil" do
+      expect {
+        Smaak::verify_authorization_headers(@adaptor, nil)
+      }.to raise_error ArgumentError, "Key is required"
     end
 
-    it "should set the psk to the psk specified, obfuscated" do
-      expect(@iut['psk']).to eq(Smaak::obfuscate_psk(@associate_psk))
+    it "should verify the signature using the signature headers base 64 encoded, with the public key. I.e. can I produce the same signature?" do
+      expect(Smaak).to receive(:get_signature_data_from_request).with(@adaptor).and_return(["headers", "signature"])
+      expect(Smaak::Crypto).to receive(:verify_signature).with("signature", Smaak::Crypto::encode64("headers"), @test_server_public_key).and_return true
+      Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)
     end
 
-    it "should set the expiry to now + the token life specified" do
-      expect(@iut['expires']).to eq(@timestamp + @token_life)
+    it "should return false if verification fails" do
+      expect(Smaak).to receive(:get_signature_data_from_request).with(@adaptor).and_return(["headers", "signature"])
+      expect(Smaak::Crypto).to receive(:verify_signature).with("signature", Smaak::Crypto::encode64("headers"), @test_server_public_key).and_return false
+      expect(Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)).to eql(false)
     end
 
-    it "should generate and assign a nonce" do
-      expect(@iut['nonce'] > 0).to eq(true)
+    it "should return true if verification succeeds" do
+      expect(Smaak).to receive(:get_signature_data_from_request).with(@adaptor).and_return(["headers", "signature"])
+      expect(Smaak::Crypto).to receive(:verify_signature).with("signature", Smaak::Crypto::encode64("headers"), @test_server_public_key).and_return true
+      expect(Smaak::verify_authorization_headers(@adaptor, @test_server_public_key)).to eql(true)
     end
   end
 end

data/spec/spec_helper.rb

@@ -4,6 +4,8 @@ require 'tempfile'
 require 'simplecov'
 require 'simplecov-rcov'
 require 'byebug'
+require 'net/http'
+require 'rack/request'
 
 # This file was generated by the `rspec --init` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
@@ -20,6 +22,7 @@ require 'lib/smaak/associate.rb'
 require 'lib/smaak/server.rb'
 require 'lib/smaak/client.rb'
 require 'lib/smaak/auth_message.rb'
+require 'lib/smaak/smaak_service.rb'
 
 RSpec.configure do |config|
   config.run_all_when_everything_filtered = true

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: smaak
 version: !ruby/object:Gem::Version
-  version: 0.0.10
+  version: 0.1.0
 platform: ruby
 authors:
 - Ernst van Graan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-15 00:00:00.000000000 Z
+date: 2015-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: persistent-cache
@@ -122,6 +122,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Signed Message Authentication and Authorization with Key validation
 email:
 - ernst.van.graan@hetzner.co.za
@@ -137,17 +151,27 @@ files:
 - README.md
 - Rakefile
 - lib/smaak.rb
+- lib/smaak/adaptors/net_http_adaptor.rb
+- lib/smaak/adaptors/rack_adaptor.rb
 - lib/smaak/associate.rb
 - lib/smaak/auth_message.rb
+- lib/smaak/cavage_04.rb
 - lib/smaak/client.rb
-- lib/smaak/request_signing_validator.rb
+- lib/smaak/crypto.rb
 - lib/smaak/server.rb
+- lib/smaak/smaak_service.rb
+- lib/smaak/utils.rb
 - lib/smaak/version.rb
 - smaak.gemspec
+- spec/lib/smaak/adaptors/net_http_adaptor_spec.rb
+- spec/lib/smaak/adaptors/rack_adaptor_spec.rb
 - spec/lib/smaak/associate_spec.rb
 - spec/lib/smaak/auth_message_spec.rb
+- spec/lib/smaak/cavage_04_spec.rb
 - spec/lib/smaak/client_spec.rb
+- spec/lib/smaak/crypto_spec.rb
 - spec/lib/smaak/server_spec.rb
+- spec/lib/smaak/smaak_service_spec.rb
 - spec/lib/smaak_spec.rb
 - spec/mock/request.rb
 - spec/spec_helper.rb
@@ -180,10 +204,15 @@ summary: 'This gems caters for both client and server side of a signed message i
   turned on), Replay (nonce + expires), Forgery (signature), Masquerading (recipient
   pub key check), Clear-text password compromise (MD5 pre-shared key)'
 test_files:
+- spec/lib/smaak/adaptors/net_http_adaptor_spec.rb
+- spec/lib/smaak/adaptors/rack_adaptor_spec.rb
 - spec/lib/smaak/associate_spec.rb
 - spec/lib/smaak/auth_message_spec.rb
+- spec/lib/smaak/cavage_04_spec.rb
 - spec/lib/smaak/client_spec.rb
+- spec/lib/smaak/crypto_spec.rb
 - spec/lib/smaak/server_spec.rb
+- spec/lib/smaak/smaak_service_spec.rb
 - spec/lib/smaak_spec.rb
 - spec/mock/request.rb
 - spec/spec_helper.rb

data/lib/smaak/request_signing_validator.rb

@@ -1,20 +0,0 @@
-module Smaak
-  class RequestSigningValidator
-    def validate(data)
-      raise ArgumentError.new("Request data needs to be a Hash") if not data.is_a? Hash
-      ensure_present(data, "HTTPRequestMethod")
-      ensure_present(data, "CanonicalURI")
-      ensure_present(data, "CanonicalQueryString")
-      ensure_present(data, "CanonicalHeaders")
-      ensure_present(data, "SignedHeaders")
-      ensure_present(data, "RequestPayload")
-    end
-
-    private
-
-    def ensure_present(data, key)
-#      raise ArgumentError.new("Request data needs to include #{key}") if data[key].nil?
-      puts "WARNING: Request data needs to include #{key}" if data[key].nil?
-    end
-  end
-end