smaak 0.2.1 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9f812bcc83c465efcb9ac8bced9fc731fc993531
-  data.tar.gz: 1235b3097d2ab15db4bec391a8c19bb491c65ea6
+  metadata.gz: 7e314a8921be1280f317cf55cd6a1a0120fd58cc
+  data.tar.gz: a69c88890f1a0df5a99343e9bc1cccd6f3d69388
 SHA512:
-  metadata.gz: 6d6c57ed9ddddd0686426108b4c164b31514719b79cf060385796af245c0813cde0e8466d3888e80df50a6d46642eb97b4c72182f4a93d481a39f13a8b678b03
-  data.tar.gz: ced1b4463255bd43686babea4ca745cc345c08ab9ebfe8b9c897d405eedda2053eb42dd52553a3f0eb2088ec253e455a902de52c1bbadc34a1e91b5a25139f01
+  metadata.gz: 79c97ce8e16c9bb1150428a424bc4480092a26ea195d1824327230b8f06cc0e737d5e64dac4f591ded660cf60b4ac265e6f961c6faeb4ad1b4a7f49a82cca8f8
+  data.tar.gz: 5dc1ea24854f06c8cc5e6a7ca9763cde370aff76b24abca955447f773dc23d9b96267cf99a3fb450fbe62af8d6deaa257680288add653fbecad355a8e096f914

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.0.0
+before_install:

data/README.md

@@ -1,5 +1,10 @@
 # Smaak
 
+[![Gem Version](https://badge.fury.io/rb/smaak.png)](https://badge.fury.io/rb/smaak)
+[![Build Status](https://travis-ci.org/evangraan/smaak.svg?branch=master)](https://travis-ci.org/evangraan/smaak)
+[![Coverage Status](https://coveralls.io/repos/github/evangraan/smaak/badge.svg?branch=master)](https://coveralls.io/github/evangraan/smaak?branch=master)
+[![Codacy Badge](https://api.codacy.com/project/badge/Grade/e7a22dd7299242fcae3f3dda681103f6)](https://www.codacy.com/app/ernst-van-graan/smaak?utm_source=github.com&utm_medium=referral&utm_content=evangraan/smaak&utm_campaign=Badge_Grade)
+
 This gems caters for both client and server sides of a signed message interaction over HTTP implementing RFC2617 Digest Access Authentication as well as IETF draft-cavage-http-signatures-04, extended with 'x-smaak-recipient', 'x-smaak-identifier', 'x-smaak-route-info', 'x-smaak-psk', 'x-smaak-expires' and 'x-smaak-nonce' headers. The following compromises are protected against as specified: Man in the middle (header and payload signature, as well as body digest) / snooping (message body encryption), Replay (nonce + expiry), Forgery (signature), Masquerading (identifier and signature), Forwarding / Unintended recipient (recipient pub key check), Clear-text password compromise (MD5 pre-shared key, obfuscated), lack of password (pre-shared key), Message fabrication (associations are purpose-fully provisioned to known associates.)
 
 ## Smaak mechanism
@@ -22,7 +27,7 @@ In order for smaak to utilize adaptors and technology you choose, ensure to requ
 
 ### Example Server
 
-A Smaak::Server operates on an instance of an HTTP request received. The Smaak module can be told about different request technology implementations by providing an adaptor to a request technology (Smaak::add_request_adaptor). The gem ships with a Rack::Request adaptor. Call Smaak::create_adaptor with your request to get an instance of an adaptor.
+A Smaak::Server operates on an instance of an HTTP request received. The Smaak module can be told about different request technology implementations by providing an adaptor to a request technology (Smaak.add_request_adaptor). The gem ships with a Rack::Request adaptor. Call Smaak.create_adaptor with your request to get an instance of an adaptor.
 
 A Smaak::Server needs to keep track of nonces received in the fresh-ness interval of requests. To make this easy, you can extend Smaak::SmaakService. Override the configure_services method to provide your server's public key, private key and associations. Smaak::SmaakService provides a cache of received nonces checked against the freshness interval.
 
@@ -51,7 +56,7 @@ trust stores as follows. USE WITH CAUTION:
 
 ### Example Client
 
-A Smaak::Client operates on an instance of an HTTP request. The Smaak module can be told about different request technology implementations by providing an adaptor to a request technology (Smaak::add_request_adaptor). The gem ships with a Net::HTTP adaptor. Call Smaak::create_adaptor with your request to get an instance of an adaptor.
+A Smaak::Client operates on an instance of an HTTP request. The Smaak module can be told about different request technology implementations by providing an adaptor to a request technology (Smaak.add_request_adaptor). The gem ships with a Net::HTTP adaptor. Call Smaak.create_adaptor with your request to get an instance of an adaptor.
 
     # The user requested some data which requires my service to talk to another, a Smaak::Server
     class SecureController

data/Rakefile

@@ -1 +1,7 @@
-require "bundler/gem_tasks"
+task :default => :test
+
+desc "Test SMAAK protocol"
+task :test do
+  sh %{bundle install}
+  sh %{bundle exec rspec -cfd spec}
+end

data/lib/smaak.rb

@@ -34,7 +34,7 @@ module Smaak
     @@adaptors.each do |r, a|
       return a.new(request) if request.is_a? r
     end
-    raise ArgumentError.new("Unknown request class #{request.class}. Add an adaptor using Smaak::add_request_adaptor.")
+    raise ArgumentError.new("Unknown request class #{request.class}. Add an adaptor using Smaak.add_request_adaptor.")
   end
 
   def self.select_specification(adaptor, specification)
@@ -44,18 +44,18 @@ module Smaak
   end
 
   def self.sign_authorization_headers(key, auth_message, adaptor, specification = Smaak::Cavage04::SPECIFICATION)
-    specification = Smaak::select_specification(adaptor, specification)
+    specification = Smaak.select_specification(adaptor, specification)
 
     signature_headers = specification.compile_signature_headers(auth_message)
-    signature_data = Smaak::Crypto::sign_data(signature_headers, key)
-    signature = Smaak::Crypto::encode64(signature_data)
+    signature_data = Smaak::Crypto.sign_data(signature_headers, key)
+    signature = Smaak::Crypto.encode64(signature_data)
     specification.compile_auth_header(signature)
     specification.adaptor
   end
 
   def self.verify_authorization_headers(adaptor, pubkey)
     raise ArgumentError.new("Key is required") if pubkey.nil?
-    signature_headers, signature = Smaak::get_signature_data_from_request(adaptor)
+    signature_headers, signature = Smaak.get_signature_data_from_request(adaptor)
     if signature.nil?
       puts "[smaak error]: could not extract signature"
       return false
@@ -64,20 +64,20 @@ module Smaak
       puts "[smaak error]: could not extract signature headers"
       return false
     end
-    verified = Smaak::Crypto::verify_signature(signature, Smaak::Crypto::encode64(signature_headers), pubkey)
-    puts "[smaak error]: verification of headers and signature using pubkey failed" if not verified
+    verified = Smaak::Crypto.verify_signature(signature, Smaak::Crypto.encode64(signature_headers), pubkey)
+    puts "[smaak error]: verification of headers and signature using pubkey failed" unless verified
     verified
   end
 
   private
 
   def self.get_signature_data_from_request(adaptor, specification = Smaak::Cavage04::SPECIFICATION)
-    specification = Smaak::select_specification(adaptor, specification)
+    specification = Smaak.select_specification(adaptor, specification)
 
     signature_headers = specification.extract_signature_headers
     signature = specification.extract_signature
 
-    return signature_headers, Smaak::Crypto::decode64(signature)
+    return signature_headers, Smaak::Crypto.decode64(signature)
   end
 end
 

data/lib/smaak/adaptors/net_http_adaptor.rb

@@ -7,12 +7,12 @@ module Smaak
     attr_reader :request
 
     def initialize(request)
-      raise ArgumentError.new("Must provide a Net::HTTPRequest") if not request.is_a? Net::HTTPRequest
+      raise ArgumentError.new("Must provide a Net::HTTPRequest") unless request.is_a? Net::HTTPRequest
       @request = request
     end
 
     def set_header(header, value)
-      raise ArgumentError.new("Header must be a non-blank string") if not Smaak::Utils::non_blank_string?(header)
+      raise ArgumentError.new("Header must be a non-blank string") unless Smaak::Utils.non_blank_string?(header)
       @request[header] = value
     end
 

data/lib/smaak/adaptors/rack_adaptor.rb

@@ -6,20 +6,13 @@ module Smaak
     attr_reader :request
 
     def initialize(request)
-      raise ArgumentError.new("Must provide a Rack::Request") if not request.is_a? Rack::Request
+      raise ArgumentError.new("Must provide a Rack::Request") unless request.is_a? Rack::Request
       @request = request
     end
 
     def header(header)
-      raise ArgumentError.new("Header must be a non-blank string") if not Smaak::Utils::non_blank_string?(header)
-      if header == "content-length"
-        value = @request.env["CONTENT_LENGTH"]
-        value = 0 if value.nil?
-        return value
-      end
-      return @request.env["HTTP_HOST"].split(':')[0] if not @request.env["HTTP_HOST"].nil? and header == "host"
-      return value = @request.env["REQUEST_METHOD"] if header == "request-method"
-      return @request.env["HTTP_#{header.upcase.gsub("-", "_")}"]
+      raise ArgumentError.new("Header must be a non-blank string") unless Smaak::Utils.non_blank_string?(header)
+      match_header(header)
     end
   
     def method
@@ -33,5 +26,20 @@ module Smaak
     def body
       @request.body
     end
+
+    private
+
+    def match_header(header)
+      return content_length if header == "content-length"
+      return @request.env["HTTP_HOST"].split(':')[0] if (not @request.env["HTTP_HOST"].nil?) and (header == "host")
+      return @request.env["REQUEST_METHOD"] if header == "request-method"
+      return @request.env["HTTP_#{header.upcase.gsub("-", "_")}"]
+    end
+
+    def content_length
+      value = @request.env["CONTENT_LENGTH"]
+      value = 0 if value.nil?
+      return value
+    end
   end
 end

data/lib/smaak/associate.rb

@@ -19,13 +19,13 @@ module Smaak
     end
 
     def set_token_life(token_life)
-      raise ArgumentError.new("Token life has to be a positive number of seconds") if not validate_token_life(token_life)
+      raise ArgumentError.new("Token life has to be a positive number of seconds") unless validate_token_life(token_life)
       @token_life = token_life
     end
 
     def add_association(identifier, key, psk, encrypt = false)
       the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
-      raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
+      raise ArgumentError.new("Key needs to be valid") unless validate_key(the_key)
       @association_store[identifier] = { 'public_key' => the_key, 'psk' => psk, 'encrypt' => encrypt }
 
       rescue OpenSSL::PKey::RSAError
@@ -36,7 +36,7 @@ module Smaak
 
     def adapt_rsa_key(key)
       the_key = key.is_a?(String) ? OpenSSL::PKey::RSA.new(key) : key
-      raise ArgumentError.new("Key needs to be valid") if not validate_key(the_key)
+      raise ArgumentError.new("Key needs to be valid") unless validate_key(the_key)
       the_key
     end
 
@@ -45,14 +45,14 @@ module Smaak
     def validate_key(key)
       return false if key.nil?
       return false if key.is_a? String and key.empty?
-      return false if not key.is_a? OpenSSL::PKey::RSA
+      return false unless key.is_a? OpenSSL::PKey::RSA
       true
     end
 
     def validate_token_life(token_life)
       return false if token_life.nil?
-      return false if not token_life.is_a? Integer
-      return false if not token_life > 0
+      return false unless token_life.is_a? Integer
+      return false unless token_life > 0
       true
     end
   end

data/lib/smaak/auth_message.rb

@@ -11,37 +11,57 @@ module Smaak
     attr_reader :encrypt
 
     def self.create(recipient_public_key, psk, token_life, identifier, route_info = "", encrypt = false)
-      nonce = Smaak::Crypto::generate_nonce
+      nonce = Smaak::Crypto.generate_nonce
       expires = Time.now.to_i + token_life
-      #Must obfuscate PSK. AuthMessage must always have an obfuscated PSK
-      psk = Smaak::Crypto::obfuscate_psk(psk)
-      AuthMessage::build(recipient_public_key, psk, expires, identifier, route_info, nonce, encrypt)
+      # Must obfuscate PSK. AuthMessage must always have an obfuscated PSK
+      psk = Smaak::Crypto.obfuscate_psk(psk)
+      AuthMessage.build(recipient_public_key, psk, expires, identifier, route_info, nonce, encrypt)
     end
 
     def self.build(recipient_public_key, psk, expires, identifier, route_info, nonce, encrypt = false)
-      #No need to obfuscate PSK. Off the wire we should always expect an obfuscated PSK
+      # No need to obfuscate PSK. Off the wire we should always expect an obfuscated PSK
       AuthMessage.new(identifier, route_info, nonce, expires, psk, recipient_public_key, encrypt)
     end
 
     def initialize(identifier, route_info, nonce, expires, psk, recipient_public_key, encrypt)
+      set_and_validate_identifier(identifier)
+      set_and_validate_route_info(route_info)
+      set_and_validate_nonce(nonce)
+      set_and_validate_expires(expires)
+      set_recipient(recipient_public_key)
+      set_psk(psk)
+      set_encrypt(encrypt)
+    end
+
+    def set_and_validate_identifier(identifier)
       raise ArgumentError.new("Message must have a valid identifier set") if identifier.nil? or identifier.empty?      
-      raise ArgumentError.new("Message must have a valid route information set") if route_info.nil?
       @identifier = identifier
       @identifier.freeze
-      @route_info = route_info
+    end
 
+    def set_and_validate_route_info(route_info)
+      raise ArgumentError.new("Message must have a valid route information set") if route_info.nil?
+      @route_info = route_info
       @route_info.freeze
+    end
 
-      raise ArgumentError.new("Message must have a valid nonce set") if not validate_nonce(nonce)
+    def set_and_validate_nonce(nonce)
+      raise ArgumentError.new("Message must have a valid nonce set") unless validate_nonce(nonce)
       @nonce = nonce
       @nonce.freeze
+    end
 
+    def set_and_validate_expires(expires)
+      raise ArgumentError.new("Message must have a valid expiry set") unless validate_expiry(expires)
+      @expires = expires
+    end
+
+    def set_recipient(recipient_public_key)
       @recipient = recipient_public_key
-      @psk = psk
+    end
 
-      raise ArgumentError.new("Message must have a valid expiry set") if not validate_expiry(expires)
-      @expires = expires
-      set_encrypt(encrypt)
+    def set_psk(psk)
+      @psk = psk
     end
 
     def set_encrypt(encrypt)
@@ -56,7 +76,7 @@ module Smaak
     def psk_match?(psk)
       return false if psk.nil?
       return false if @psk.nil?
-      @psk == Smaak::Crypto::obfuscate_psk(psk)
+      @psk == Smaak::Crypto.obfuscate_psk(psk)
     end
 
     def intended_for_recipient?(pubkey)
@@ -66,7 +86,7 @@ module Smaak
     end
 
     def verify(psk)
-      return false if not psk_match?(psk)
+      return false unless psk_match?(psk)
       true
     end
 
@@ -83,7 +103,7 @@ module Smaak
 
     def validate_expiry(expires)
       return false if expires.nil?
-      return false if not (expires.to_i > 0)
+      return false unless (expires.to_i > 0)
       true
 
       rescue

data/lib/smaak/cavage_04.rb

@@ -9,7 +9,7 @@ module Smaak
     def initialize(adaptor)
       raise ArgumentError.new("Must provide a valid request adaptor") if adaptor.nil?
       @adaptor = adaptor
-      @headers_to_be_signed = Smaak::Cavage04::headers_to_be_signed + Smaak::headers_to_be_signed
+      @headers_to_be_signed = Smaak::Cavage04.headers_to_be_signed + Smaak.headers_to_be_signed
     end
   
     def self.headers_to_be_signed
@@ -21,9 +21,9 @@ module Smaak
     end
 
     def compile_auth_header(signature)
-      raise ArgumentError.new("invalid signature") if not Smaak::Utils::non_blank_string?(signature)
+      raise ArgumentError.new("invalid signature") unless Smaak::Utils.non_blank_string?(signature)
       ordered_headers = ""
-      @adaptor.each_header do |header, value|
+      @adaptor.each_header do |header, _value|
         ordered_headers = "#{ordered_headers} #{header}" if @headers_to_be_signed.include?(header)
       end
       ordered_headers = ordered_headers[1..ordered_headers.size]
@@ -31,20 +31,7 @@ module Smaak
     end
 
     def compile_signature_headers(auth_message)
-      body = @adaptor.body.nil? ? "" : @adaptor.body
-      @adaptor.set_header("authorization", "")
-      @adaptor.set_header("host", "#{@adaptor.host}")
-      @adaptor.set_header("date", "#{gmt_now}")
-      @adaptor.set_header("digest", "SHA-256=#{Digest::SHA256.hexdigest(body)}")
-      @adaptor.set_header("x-smaak-recipient", "#{Smaak::Crypto::encode64(auth_message.recipient)}")
-      @adaptor.set_header("x-smaak-identifier", "#{auth_message.identifier}")
-      @adaptor.set_header("x-smaak-route-info", "#{auth_message.route_info}")
-      @adaptor.set_header("x-smaak-psk", "#{auth_message.psk}")
-      @adaptor.set_header("x-smaak-expires", "#{auth_message.expires}")
-      @adaptor.set_header("x-smaak-nonce", "#{auth_message.nonce}")
-      @adaptor.set_header("x-smaak-encrypt", "#{auth_message.encrypt}")
-      @adaptor.set_header("content-type", "text/plain")
-      @adaptor.set_header("content-length", "#{body.size}")
+      set_adaptor_headers(auth_message)
 
       signature_headers = ""
       @adaptor.each_header do |header, value|
@@ -68,6 +55,7 @@ module Smaak
       @adaptor.header("authorization") =~ /signature=\"([^"]*)\"/
       $1
     end
+
     private
 
     def gmt_now
@@ -75,11 +63,28 @@ module Smaak
     end
 
     def append_header(header_list, header)
-      header_list = "#{header_list}\n#{header}"
+      "#{header_list}\n#{header}"
     end
 
     def prepend_header(header, value, signature_headers)
       "#{header}: #{value}#{signature_headers}"
     end
+
+    def set_adaptor_headers(auth_message)
+      body = @adaptor.body.nil? ? "" : @adaptor.body
+      @adaptor.set_header("authorization", "")
+      @adaptor.set_header("host", "#{@adaptor.host}")
+      @adaptor.set_header("date", "#{gmt_now}")
+      @adaptor.set_header("digest", "SHA-256=#{Digest::SHA256.hexdigest(body)}")
+      @adaptor.set_header("x-smaak-recipient", "#{Smaak::Crypto.encode64(auth_message.recipient)}")
+      @adaptor.set_header("x-smaak-identifier", "#{auth_message.identifier}")
+      @adaptor.set_header("x-smaak-route-info", "#{auth_message.route_info}")
+      @adaptor.set_header("x-smaak-psk", "#{auth_message.psk}")
+      @adaptor.set_header("x-smaak-expires", "#{auth_message.expires}")
+      @adaptor.set_header("x-smaak-nonce", "#{auth_message.nonce}")
+      @adaptor.set_header("x-smaak-encrypt", "#{auth_message.encrypt}")
+      @adaptor.set_header("content-type", "text/plain")
+      @adaptor.set_header("content-length", "#{body.size}")
+    end
   end
 end

data/lib/smaak/client.rb

@@ -18,7 +18,7 @@ module Smaak
     end
 
     def set_identifier(identifier)
-      raise ArgumentError.new("Invalid identifier") if not Smaak::Utils::non_blank_string?(identifier)
+      raise ArgumentError.new("Invalid identifier") unless Smaak::Utils.non_blank_string?(identifier)
       @identifier = identifier
     end
 
@@ -28,12 +28,12 @@ module Smaak
     end
 
     def sign_request(associate_identifier, adaptor)
-      raise ArgumentError.new("Associate invalid") if not validate_associate(associate_identifier)
+      raise ArgumentError.new("Associate invalid") unless validate_associate(associate_identifier)
       associate = @association_store[associate_identifier]
       raise ArgumentError.new("Invalid adaptor") if adaptor.nil?
       auth_message = Smaak::AuthMessage.create(associate['public_key'].export, associate['psk'], @token_life, @identifier, @route_info, associate['encrypt'])
-      adaptor.body = Smaak::Crypto::encrypt(adaptor.body, associate['public_key']) if auth_message.encrypt
-      adaptor = Smaak::sign_authorization_headers(@key, auth_message, adaptor, Smaak::Cavage04::SPECIFICATION)
+      adaptor.body = Smaak::Crypto.encrypt(adaptor.body, associate['public_key']) if auth_message.encrypt
+      Smaak.sign_authorization_headers(@key, auth_message, adaptor, Smaak::Cavage04::SPECIFICATION)
     end
 
     def get(identifier, uri, body, ssl = false, ssl_verify = OpenSSL::SSL::VERIFY_PEER)
@@ -53,23 +53,35 @@ module Smaak
     end
 
     def connect(connector, identifier, uri, body, ssl, ssl_verify)
+      url, http = build_http(uri, ssl, ssl_verify)
+      req = build_request(connector, url, body, identifier)
+      request_and_respond(http, req, identifier)
+
+      rescue => ex
+        puts "[smaak error] request to associate failed"
+        throw ex
+    end
+
+    def build_http(uri, ssl, ssl_verify)
       url = URI.parse(uri)
       http = Net::HTTP.new(url.host, url.port)
       http.use_ssl = ssl
       http.verify_mode = ssl_verify
+      return url, http
+    end  
+
+    def build_request(connector, url, body, identifier)
       req = connector.new(url.to_s)
       req.body = body
-      adaptor = Smaak::create_adaptor(req)
-      req = (sign_request(identifier, adaptor)).request
+      adaptor = Smaak.create_adaptor(req)
+      (sign_request(identifier, adaptor)).request      
+    end
+
+    def request_and_respond(http, req, identifier)
       response = http.request(req)
-      
-      response.body = Smaak::Crypto::decrypt(response.body, @key) if encrypt_associate?(identifier) and response.code[0] == '2'
-      puts "[smaak error]: response from #{identifier} was #{response.code}" if not response.code[0] == '2'
+      response.body = Smaak::Crypto.decrypt(response.body, @key) if encrypt_associate?(identifier) and response.code[0] == '2'
+      puts "[smaak error]: response from #{identifier} was #{response.code}" unless response.code[0] == '2'
       response
-
-      rescue => ex
-        puts "[smaak error] request to associate failed"
-        throw ex
     end
 
     def encrypt_associate?(identifier)