smaak 0.0.8 → 0.0.9
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +4 -2
- data/lib/smaak/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 12e1cb11d8ac0cb1bd10c7c2e790b119d89f7f78
|
4
|
+
data.tar.gz: f4c4ca1fe20a2091c4f2f751c43471bc827a1e96
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2ba087f5050e285ef0c4022ba4125490e36a18858235b0077cff55c48c0cc58c3d79a929a41b7f1159220a809946667ea3227df24e158334f7dfabcf5e66a143
|
7
|
+
data.tar.gz: cfd736dccbfb714961c3588304a8a12396444ae40eb081f8a710e8a11111182a3842886b3b32bea45e3de94f735cced8bf1eaec519ab8fa0e8c1f5cf45830264
|
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Smaak
|
2
2
|
|
3
|
-
|
3
|
+
This gems caters for both client and server sides of a signed message interaction over HTTP or HTTPS implementing the RFC2617 Digest Access Authentication. The following compromises are protected against as specified: Man in the middle (header and payload signature- see 'Extending') / snooping (HTTPS turned on), Replay (nonce + expires), Forgery (signature), Masquerading (recipient pub key check), Clear-text password compromise (MD5 pre-shared key)
|
4
4
|
|
5
5
|
## Installation
|
6
6
|
|
@@ -36,6 +36,8 @@ Replay:
|
|
36
36
|
|
37
37
|
The request is signed with an expiry and a nonce.
|
38
38
|
|
39
|
+
## Extending
|
40
|
+
|
39
41
|
Designing for future protocol security requirements. The nonce and expiry becomes an optional feature (timestamp header signed could replace these). Passing in a RequestData object for signing, and a RequestSigningValidator object that validates the data content includes all that is required for security, allows us to, in future, cater for man-in-the-middle attacks as well if, for example, the validator requires timestamp, url, form data/querystring, method, etc. to be in the data. If this is all signed, a device in the middle cannot modify the request without the source's private key, and man-in-the-middle is defeated.
|
40
42
|
|
41
43
|
Though arbitrary data can be added for signature and an arbitrary validator provided to ensure the data and headers required are included for signing on request, on the server side the payload is not automatically checked by the Smaak::Server class. Ensure after verification of signature that you look in message_data['data'] and verify your payload has what you require to prove no man-in-the middle modification. This could be automated in a future release.
|
@@ -51,7 +53,7 @@ Inject your certs and pre-shared keys from the environment, or configuration fil
|
|
51
53
|
client.set_private_key(File.read '/home/ubuntu/secure/service-provider-public.pem')
|
52
54
|
client.add_association('service-provider-internal', File.read('/home/ubuntu/secure/service-provider-internal-pub.pem'), 'pre-shared-key')
|
53
55
|
|
54
|
-
response = Unirest.get "http://service-provider-internal:9393/secure-service", headers:{ "Authorization" => client.build_auth_header('service-provider-internal') }, parameters:{ :
|
56
|
+
response = Unirest.get "http://service-provider-internal:9393/secure-service", headers:{ "Authorization" => client.build_auth_header('service-provider-internal') }, parameters:{ :someparam => 'somevalue'] }
|
55
57
|
|
56
58
|
### Server
|
57
59
|
|
data/lib/smaak/version.rb
CHANGED