snuffleupagus 0.0.4 → 0.1.1

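--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: 68e2db1fb837ccce5226567bc8ad644d001d4bdb
-data.tar.gz: 6aa0a6f6360a55c75ed1bf1a8680e8c36743c27e
+SHA256:
+metadata.gz: a5c80cc86ec5c07d58eb1fa6287556951aece8f295df96637b68158ccd2f45c4
+data.tar.gz: 73727b009732dd19becd8b9de8445e1479d3e41613256965d18c468bf3d11328
 SHA512:
-metadata.gz: f65cce422e5ed05068a9f8e72c723298d1b7cbd581201014a091bc86ec46a9975c6d19c55521bc9e2510b78f946c87d42c1788749b85430223775d5739b8ea42
-data.tar.gz: abe49c714541338737ef2ca9a11f65b0a9d1c0a710d35c8e42b6b6e7d3963cf8486a89802fdea0bdcefba643b0a2a94848cfab949f7ff7f936563ae5b3f1cde3
+metadata.gz: e415b78f8922d193d697206295901e9e17324c480c29451ebd4c5f9b891ab368bda214c4dd3be01cf3c2fe2226cdcad2506f6859f13f6a85f77b4ebf865e5098
+data.tar.gz: c78c98c4e9e3f35dec5226e633ea305ee630ab2bb46a3ca237bec82f8ae056cb345c11628aa65010ab73a9a715747962213b6a6453e523e741cb1d8a1c3a4ab0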
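--- a/data/.gitignore
+++ b/data/.gitignore
@@ -1 +1,2 @@
 *.gem
+Gemfile.lock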
@@ -1,3 +1,7 @@
1
+ AllCops:
2
+ NewCops: enable
3
+ TargetRubyVersion: 2.5
4
+
1
5
  Metrics/BlockLength:
2
6
  Exclude:
3
7
  - 'spec/**/*'
@@ -1,15 +1,13 @@
1
1
  language: ruby
2
2
 
3
3
  rvm:
4
- - 2.0
5
- - 2.1
6
- - 2.2
7
- - 2.3
8
- - 2.4
9
4
  - 2.5
5
+ - 2.6
6
+ - 2.7
10
7
 
11
8
  install:
12
9
  - bundle install --retry=3
13
10
 
14
11
  script:
15
12
  - bundle exec rubocop
13
+ - bundle exec rake
@@ -0,0 +1,49 @@
1
+ # Changelog
2
+
3
+ ## Unreleased
4
+ - none
5
+
6
+ ## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
7
+ ### Added
8
+ - Add context to the create/check token to avoid replay in different contexts
9
+
10
+ ## [0.0.9](releases/tag/v0.0.9) - 2020-03-01
11
+ ### Fixed
12
+ - Address CVE-2020-8130 - rake OS command injection vulnerability
13
+
14
+ ## [0.0.8](releases/tag/v0.0.8) - 2018-03-01
15
+ ### Added
16
+ - Rake to gemfile dev dependencies
17
+
18
+ ## [0.0.7](releases/tag/v0.0.7) - 2018-03-01
19
+ ### Fixed
20
+ - Fix missing openssl require
21
+
22
+ ## [0.0.6](releases/tag/v0.0.6) - 2018-03-01
23
+ ### Fixed
24
+ - Fix Rakefile execute permission
25
+ ### Removed
26
+ - gibberish require
27
+ - gemfile.lock file
28
+
29
+ ## [0.0.5](releases/tag/v0.0.5) - 2018-03-01
30
+ ### Fixed
31
+ - Rakefile configuration
32
+
33
+ ## [0.0.4](releases/tag/v0.0.4) - 2018-03-01
34
+ ### Added
35
+ - Initial Rakefile
36
+ - Rspec and Rubocop
37
+ - Travis CI configuration
38
+
39
+ ## [0.0.3](releases/tag/v0.0.3) - 2018-03-01
40
+ ### Removed
41
+ - Dependency on Gibberish gem
42
+
43
+ ## [0.0.2](releases/tag/v0.0.2) - 2014-09-23
44
+ ### Updated
45
+ - Token validity to 2 minutes …
46
+
47
+ ## [0.0.1](releases/tag/v0.0.1) - 2014-08-28
48
+ ### Added
49
+ - Initial release
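--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 source 'http://rubygems.org'
 gemspec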
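Review bot: The `source 'http://rubygems.org'` line kept as context in this hunk still names the gem index over plain HTTP, so the first request for dependency metadata is made without transport authentication. Changing it to `source 'https://rubygems.org'` keeps index lookups and gem downloads on TLS from the start.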
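--- a/data/README.md
+++ b/data/README.md
@@ -5,7 +5,7 @@ A little simple.. auth token generator
 
 Handles basic time-limited authentication token creation / validation
 
-Uses Gibberish::AES with 256 bit CBC encryption
+Uses OpenSSL AES with 256 bit CBC encryption
 
 ![Snuffy](/Snuffy.png "Snuffleupagus")
 
@@ -14,7 +14,7 @@ Uses Gibberish::AES with 256 bit CBC encryption
 Include it in your Gemfile:
 
 ```ruby
-gem 'snuffleupagus', :git => 'git@github.com:TutoringAustralasia/snuffleupagus.git'
+gem 'snuffleupagus'
 ```
 
 ## Basic Usage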
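--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,3 +1,7 @@
+#!/usr/bin/env rake
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)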
@@ -1,3 +1,3 @@
1
- require 'gibberish'
1
+ # frozen_string_literal: true
2
2
 
3
3
  require 'snuffleupagus/auth_token'
@@ -1,3 +1,7 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'openssl'
4
+
1
5
  module Snuffleupagus
2
6
  # Handles basic time-limited authentication token creation / validation
3
7
  #
@@ -20,18 +24,20 @@ module Snuffleupagus
20
24
  class AuthToken
21
25
  def initialize(key)
22
26
  @key = key
23
- @cipher = OpenSSL::Cipher::AES256.new :CBC
27
+ @cipher = OpenSSL::Cipher.new('aes-256-cbc')
24
28
  end
25
29
 
26
- def create_token
27
- encode encrypt "#{CONSTANT}#{Time.now.to_i}"
30
+ def create_token(context)
31
+ encode encrypt "#{CONSTANT}#{context}#{Time.now.to_i}"
28
32
  end
29
33
 
30
- def check_token(token)
31
- return false unless token && token.is_a?(String)
34
+ def token_valid?(token, context)
35
+ return false unless token.is_a? String
36
+
32
37
  decoded = decrypt decode token
33
- match = /^#{CONSTANT}([0-9]+)$/.match decoded
38
+ match = /\A#{CONSTANT}#{Regexp.escape(context)}([0-9]+)\z/.match decoded
34
39
  return false unless match
40
+
35
41
  (match[1].to_i - Time.now.to_i).abs < MAX_VALID_TIME_DIFFERENCE
36
42
  rescue StandardError
37
43
  false
@@ -39,7 +45,7 @@ module Snuffleupagus
39
45
 
40
46
  private
41
47
 
42
- CONSTANT = 'date:'.freeze
48
+ CONSTANT = 'date:'
43
49
  MAX_VALID_TIME_DIFFERENCE = 120 # tokens are only valid for 2 minutes
44
50
 
45
51
  attr_reader :cipher
@@ -53,6 +59,7 @@ module Snuffleupagus
53
59
 
54
60
  def decrypt(data)
55
61
  raise ArgumentError, 'Data is too short' unless data.length >= 16
62
+
56
63
  salt = data[8..15]
57
64
  data = data[16..-1]
58
65
  setup_cipher(:decrypt, salt)
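Review bot: The context and the timestamp are concatenated with no separator in `create_token` (`"#{CONSTANT}#{context}#{Time.now.to_i}"`), so the pattern in `token_valid?` cannot tell where a context ending in digits stops and the timestamp begins; a token issued for `'ctx1'` parses as a well-formed token for `'ctx'` and is turned away only by the time-window comparison. A non-digit separator makes the binding unambiguous: `encode encrypt "#{CONSTANT}#{context}:#{Time.now.to_i}"` together with `match = /\A#{CONSTANT}#{Regexp.escape(context)}:([0-9]+)\z/.match decoded`, plus a spec case for two contexts where one is a prefix of the other. `create_token(nil)` also interpolates to an empty context while `token_valid?(token, nil)` always returns false through the `rescue StandardError`, so an explicit String check on `context` in both methods would surface that mistake instead of hiding it. No integrity check (a MAC or an AEAD mode) around the CBC ciphertext is visible in these hunks; `encrypt`, `setup_cipher` and the rest of `decrypt` lie outside them, so that is worth confirming in the full file.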
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  module Snuffleupagus
2
- VERSION = '0.0.4'.freeze
4
+ VERSION = '0.1.1'
3
5
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require File.expand_path('lib/snuffleupagus/version', File.dirname(__FILE__))
2
4
 
3
5
  Gem::Specification.new do |s|
@@ -6,13 +8,15 @@ Gem::Specification.new do |s|
6
8
  s.platform = Gem::Platform::RUBY
7
9
  s.authors = ['Andrew Bromwich']
8
10
  s.email = ['abromwich@studiosity.com']
9
- s.homepage = 'https://studiosity.com'
11
+ s.homepage = 'https://github.com/Studiosity/snuffleupagus'
10
12
  s.description = 'Simple auth token generator/validator'
11
13
  s.summary = "snuffleupagus-#{s.version}"
12
14
  s.required_rubygems_version = '> 1.3.6'
15
+ s.required_ruby_version = ['>= 2.5.0', '< 2.8.0']
13
16
 
14
- s.add_development_dependency 'rspec', '~> 0'
15
- s.add_development_dependency 'rubocop', '~> 0'
17
+ s.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
18
+ s.add_development_dependency 'rspec', '~> 3'
19
+ s.add_development_dependency 'rubocop', '~> 0.49'
16
20
  s.add_development_dependency 'timecop', '~> 0'
17
21
 
18
22
  s.files = `git ls-files`.split($OUTPUT_RECORD_SEPARATOR)
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require './lib/snuffleupagus'
2
4
  require 'timecop'
3
5
 
@@ -5,58 +7,73 @@ describe Snuffleupagus::AuthToken do
5
7
  let(:snuffy) { Snuffleupagus::AuthToken.new('sup3r4w3s0m3p4ssw0rd') }
6
8
 
7
9
  describe '#create_token' do
8
- subject { snuffy.create_token }
10
+ subject { snuffy.create_token 'my-context' }
9
11
 
10
12
  it { is_expected.to be_a String }
11
- it { expect(subject.length).to eq 64 }
12
- it { is_expected.to match(/\A[a-f0-9]{64}\z/) }
13
+ it { expect(subject.length).to eq 96 }
14
+ it { is_expected.to match(/\A[a-f0-9]{96}\z/) }
13
15
  end
14
16
 
15
- describe '#check_token' do
16
- subject { snuffy.check_token(token) }
17
+ describe '#token_valid?' do
18
+ subject { snuffy.token_valid?(token, 'my-context') }
17
19
 
18
20
  context 'with a valid token' do
19
- let(:token) { snuffy.create_token }
21
+ let(:token) { snuffy.create_token 'my-context' }
22
+
20
23
  it { is_expected.to be_truthy }
21
24
  end
22
25
 
26
+ context 'when the context doesnt match' do
27
+ let(:token) { snuffy.create_token 'another-context' }
28
+
29
+ it { is_expected.to be_falsey }
30
+ end
31
+
23
32
  context 'with an invalid token' do
24
33
  let(:token) { 'F00B44' }
34
+
25
35
  it { is_expected.to be_falsey }
26
36
  end
27
37
 
28
38
  context 'with an empty token' do
29
39
  let(:token) { '' }
40
+
30
41
  it { is_expected.to be_falsey }
31
42
  end
32
43
 
33
44
  context 'with a nil token' do
34
45
  let(:token) { nil }
46
+
35
47
  it { is_expected.to be_falsey }
36
48
  end
37
49
 
38
50
  context 'testing expired tokens' do
39
- let(:token) { snuffy.create_token }
51
+ let(:token) { snuffy.create_token 'my-context' }
52
+
40
53
  before { token } # pre-load the token
41
54
  after { Timecop.return }
42
55
 
43
56
  context 'just inside the time difference (expired token)' do
44
57
  before { Timecop.freeze Time.now - 119 }
58
+
45
59
  it { is_expected.to be_truthy }
46
60
  end
47
61
 
48
62
  context 'just outside the time difference (expired token)' do
49
63
  before { Timecop.freeze Time.now - 120 }
64
+
50
65
  it { is_expected.to be_falsey }
51
66
  end
52
67
 
53
68
  context 'just inside the time difference (future token)' do
54
69
  before { Timecop.freeze Time.now + 119 }
70
+
55
71
  it { is_expected.to be_truthy }
56
72
  end
57
73
 
58
74
  context 'just outside the time difference (future token)' do
59
75
  before { Timecop.freeze Time.now + 120 }
76
+
60
77
  it { is_expected.to be_falsey }
61
78
  end
62
79
  end
metadata CHANGED
@@ -1,43 +1,63 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: snuffleupagus
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.4
4
+ version: 0.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Andrew Bromwich
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-03-01 00:00:00.000000000 Z
11
+ date: 2020-10-21 00:00:00.000000000 Z
12
12
  dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: rake
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '12.3'
20
+ - - ">="
21
+ - !ruby/object:Gem::Version
22
+ version: 12.3.3
23
+ type: :development
24
+ prerelease: false
25
+ version_requirements: !ruby/object:Gem::Requirement
26
+ requirements:
27
+ - - "~>"
28
+ - !ruby/object:Gem::Version
29
+ version: '12.3'
30
+ - - ">="
31
+ - !ruby/object:Gem::Version
32
+ version: 12.3.3
13
33
  - !ruby/object:Gem::Dependency
14
34
  name: rspec
15
35
  requirement: !ruby/object:Gem::Requirement
16
36
  requirements:
17
37
  - - "~>"
18
38
  - !ruby/object:Gem::Version
19
- version: '0'
39
+ version: '3'
20
40
  type: :development
21
41
  prerelease: false
22
42
  version_requirements: !ruby/object:Gem::Requirement
23
43
  requirements:
24
44
  - - "~>"
25
45
  - !ruby/object:Gem::Version
26
- version: '0'
46
+ version: '3'
27
47
  - !ruby/object:Gem::Dependency
28
48
  name: rubocop
29
49
  requirement: !ruby/object:Gem::Requirement
30
50
  requirements:
31
51
  - - "~>"
32
52
  - !ruby/object:Gem::Version
33
- version: '0'
53
+ version: '0.49'
34
54
  type: :development
35
55
  prerelease: false
36
56
  version_requirements: !ruby/object:Gem::Requirement
37
57
  requirements:
38
58
  - - "~>"
39
59
  - !ruby/object:Gem::Version
40
- version: '0'
60
+ version: '0.49'
41
61
  - !ruby/object:Gem::Dependency
42
62
  name: timecop
43
63
  requirement: !ruby/object:Gem::Requirement
@@ -62,8 +82,8 @@ files:
62
82
  - ".gitignore"
63
83
  - ".rubocop.yml"
64
84
  - ".travis.yml"
85
+ - CHANGELOG.md
65
86
  - Gemfile
66
- - Gemfile.lock
67
87
  - README.md
68
88
  - Rakefile
69
89
  - Snuffy.png
@@ -72,7 +92,7 @@ files:
72
92
  - lib/snuffleupagus/version.rb
73
93
  - snuffleupagus.gemspec
74
94
  - spec/snuffleupagus_spec.rb
75
- homepage: https://studiosity.com
95
+ homepage: https://github.com/Studiosity/snuffleupagus
76
96
  licenses: []
77
97
  metadata: {}
78
98
  post_install_message:
@@ -83,16 +103,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
83
103
  requirements:
84
104
  - - ">="
85
105
  - !ruby/object:Gem::Version
86
- version: '0'
106
+ version: 2.5.0
107
+ - - "<"
108
+ - !ruby/object:Gem::Version
109
+ version: 2.8.0
87
110
  required_rubygems_version: !ruby/object:Gem::Requirement
88
111
  requirements:
89
112
  - - ">"
90
113
  - !ruby/object:Gem::Version
91
114
  version: 1.3.6
92
115
  requirements: []
93
- rubyforge_project:
94
- rubygems_version: 2.6.14
116
+ rubygems_version: 3.0.6
95
117
  signing_key:
96
118
  specification_version: 4
97
- summary: snuffleupagus-0.0.4
119
+ summary: snuffleupagus-0.1.1
98
120
  test_files: []
@@ -1,50 +0,0 @@
1
- PATH
2
- remote: .
3
- specs:
4
- snuffleupagus (0.0.3)
5
-
6
- GEM
7
- remote: http://rubygems.org/
8
- specs:
9
- ast (2.4.0)
10
- diff-lcs (1.3)
11
- parallel (1.12.1)
12
- parser (2.5.0.2)
13
- ast (~> 2.4.0)
14
- powerpack (0.1.1)
15
- rainbow (3.0.0)
16
- rspec (3.7.0)
17
- rspec-core (~> 3.7.0)
18
- rspec-expectations (~> 3.7.0)
19
- rspec-mocks (~> 3.7.0)
20
- rspec-core (3.7.1)
21
- rspec-support (~> 3.7.0)
22
- rspec-expectations (3.7.0)
23
- diff-lcs (>= 1.2.0, < 2.0)
24
- rspec-support (~> 3.7.0)
25
- rspec-mocks (3.7.0)
26
- diff-lcs (>= 1.2.0, < 2.0)
27
- rspec-support (~> 3.7.0)
28
- rspec-support (3.7.1)
29
- rubocop (0.52.1)
30
- parallel (~> 1.10)
31
- parser (>= 2.4.0.2, < 3.0)
32
- powerpack (~> 0.1)
33
- rainbow (>= 2.2.2, < 4.0)
34
- ruby-progressbar (~> 1.7)
35
- unicode-display_width (~> 1.0, >= 1.0.1)
36
- ruby-progressbar (1.9.0)
37
- timecop (0.4.4)
38
- unicode-display_width (1.3.0)
39
-
40
- PLATFORMS
41
- ruby
42
-
43
- DEPENDENCIES
44
- rspec
45
- rubocop
46
- snuffleupagus!
47
- timecop
48
-
49
- BUNDLED WITH
50
- 1.16.1