socky-authenticator 0.5.0.beta4

data/.gitignore

@@ -0,0 +1,2 @@
+Gemfile.lock
+pkg/

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gemspec

data/README.md

@@ -0,0 +1,39 @@
+# Socky Authentication Module
+
+## Installation
+
+    gem install socky-authenticator
+
+## Usage
+
+First require authenticator:
+
+    require 'socky/authenticator'
+
+After that call:
+
+    Socky::Authenticator.authenticate(<data>)
+
+where \<data\> is Socky Client authentication data in Hash or JSON-encoded Hash format.
+
+In return you will receive authentication Hash in format:
+    
+    { 'auth' => <auth_data> }
+
+If any error occurs then authenticator will raise ArgumentError with explanation.
+
+If you are validating presence channel then except auth data you will receive user data in JSON-encoded format:
+
+    { 'auth' => <auth_dat>, 'data' => <json-encoded_user_data> }
+
+## Configuration
+
+Before authenticating request you will need to provide application secret. If you are using only one Socky application in code then you can set it once using:
+
+    Socky.secret = <secret>
+
+Otherwise you will need to provide secret each time when authenticating data.
+
+Except of that you can enable or disable authenticaton of user rights - if disabled(default) then user will not be able to change their rights. Full version of authenticator call will look like that:
+
+    Socky::Authenticator.authenticate(<data>, allow_changing_rights, secret)

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+
+task :default => :spec
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+end

data/example/config.ru

@@ -0,0 +1,18 @@
+require 'rack'
+require 'json'
+require File.expand_path(File.dirname(__FILE__)) + '/../lib/socky/authenticator'
+
+Socky::Authenticator.secret = 'my_secret'
+
+authenticator = proc do |env|
+  request = Rack::Request.new(env)
+
+  response = Socky::Authenticator.authenticate(request.params, true)
+  body = request.params['callback'].to_s + '(' + response.to_json + ');'
+  [ 200, {}, body ]
+end
+
+
+map '/socky/auth' do
+  run authenticator
+end

data/lib/socky/authenticator.rb

@@ -0,0 +1,94 @@
+require 'json'
+require 'digest/md5'
+require 'hmac-sha2'
+
+module Socky
+  class Authenticator
+    VERSION = '0.5.0.beta4'
+    
+    DEFAULT_RIGHTS = {
+      'read' => true,
+      'write' => false,
+      'hide' => false
+    }
+    
+    class << self
+      attr_accessor :secret
+      
+      def authenticate(args = {}, allow_changing_rights = false, secret = nil)
+        self.new(args, allow_changing_rights, secret).result
+      end
+    end
+    
+    attr_accessor :secret, :salt
+    
+    def initialize(args = {}, allow_changing_rights = false, secret = nil)
+      @args = (args.is_a?(String) ? JSON.parse(args) : args) rescue nil
+      raise ArgumentError, 'Expected hash or JSON' unless @args.kind_of?(Hash)
+      @secret = secret || self.class.secret
+      @allow_changing_rights = allow_changing_rights
+    end
+    
+    def result
+      raise ArgumentError, 'set Authenticator.secret first' unless self.secret
+      raise ArgumentError, 'expected connection_id' unless self.connection_id
+      raise ArgumentError, 'expected channel' unless self.channel_name
+      raise ArgumentError, 'user are not allowed to change channel rights' unless self.rights
+      
+      r = { 'auth' => auth }
+      r.merge!('data' => user_data) unless user_data.nil?
+      r
+    end
+    
+    def auth
+      [salt, signature].join(':')
+    end
+    
+    def signature
+      HMAC::SHA256.hexdigest(self.secret, string_to_sign)
+    end
+    
+    def string_to_sign
+      args = [salt, connection_id, channel_name, rights]
+      args << user_data unless user_data.nil?
+      args.collect(&:to_s).join(":")
+    end
+    
+    def salt
+      @salt ||= Digest::MD5.hexdigest(rand.to_s)
+    end
+    
+    def connection_id
+      @args['connection_id']
+    end
+    
+    def channel_name
+      @args['channel']
+    end
+    
+    def rights
+      return @rights if defined?(@rights)
+      r = DEFAULT_RIGHTS.merge(@args)
+      
+      # Return nil if user is trying to change rights when this option is disabled
+      return nil if !@allow_changing_rights && DEFAULT_RIGHTS.any?{ |right,val| r[right] != val }
+      
+      @rights = ['read', 'write', 'hide'].collect do |right|
+        r[right] && !(right == 'hide' && !self.presence?) ? '1' : '0'
+      end.join
+    end
+    
+    def user_data
+      @user_data ||= case @args['data']
+        when NilClass then nil
+        when String then @args['data']
+        else @args['data'].to_json
+      end
+    end
+    
+    def presence?
+      self.channel_name.is_a?(String) && !!self.channel_name.match(/\Apresence-/)
+    end
+    
+  end
+end

data/socky-authenticator.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "socky/authenticator"
+
+Gem::Specification.new do |s|
+  s.name        = "socky-authenticator"
+  s.version     = Socky::Authenticator::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Bernard Potocki"]
+  s.email       = ["bernard.potocki@imanel.org"]
+  s.homepage    = "http://socky.org"
+  s.summary     = %q{Socky - Authentication Module}
+  s.description = %q{Socky is a WebSocket-based framework for realtime web applications.}
+  
+  s.add_dependency 'json'
+  s.add_dependency 'ruby-hmac'
+  s.add_development_dependency 'rspec', '~> 2.0'
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/spec/authenticator_spec.rb

@@ -0,0 +1,120 @@
+require 'spec_helper'
+
+describe Socky::Authenticator do
+  
+  # Set authenticator secret
+  before { Socky::Authenticator.secret = 'application_secret_key' }
+  
+  it "should raise exception on invalid data" do
+    lambda { Socky::Authenticator.new("invalid") }.should raise_error ArgumentError, "Expected hash or JSON"
+  end
+  
+  it "should allow passing Hash" do
+    subject = Socky::Authenticator.new('some' => 'data')
+    subject.instance_variable_get('@args').should eql('some' => 'data')
+  end
+  
+  it "should allow passing JSON-encoded Hash" do
+    subject = Socky::Authenticator.new('{"some":"data"}')
+    subject.instance_variable_get('@args').should eql('some' => 'data')
+  end
+  
+  it "should raise on JSON-encoded non-Hash" do
+    lambda { Socky::Authenticator.new('["some","data"]') }.should raise_error ArgumentError, "Expected hash or JSON"
+  end
+  
+  context "instance" do
+    subject { Socky::Authenticator.new('connection_id' => '1234ABCD', 'channel' => 'some_channel') }
+    # Set salt to constant to make tests non-random
+    before { subject.salt =  'somerandomstring' }
+  
+    its(:salt) { should eql('somerandomstring') }
+    its(:connection_id) { should eql('1234ABCD') }
+    its(:channel_name) { should eql('some_channel') }
+    its(:rights) { should eql('100') }
+    its(:presence?) { should eql(false) }
+    its(:string_to_sign) { should eql('somerandomstring:1234ABCD:some_channel:100') }
+    its(:signature) { should eql('28f138d68b1d4971d85355a5aa5a301be9084176b6ae1bbe2399de990de2039d') }
+    its(:auth) { should eql('somerandomstring:28f138d68b1d4971d85355a5aa5a301be9084176b6ae1bbe2399de990de2039d') }
+    its(:result) { should eql('auth' => 'somerandomstring:28f138d68b1d4971d85355a5aa5a301be9084176b6ae1bbe2399de990de2039d') }
+  
+    it "should raise if authenticator secret is nil" do
+      subject.secret = nil
+      lambda { subject.result }.should raise_error ArgumentError, 'set Authenticator.secret first'
+    end
+  
+    it "should raise if connection_id is nil" do
+      subject.instance_variable_get('@args').delete('connection_id')
+      subject.connection_id.should be_nil
+      lambda { subject.result }.should raise_error ArgumentError, 'expected connection_id'
+    end
+  
+    it "should raise if channel is nil" do
+      subject.instance_variable_get('@args').delete('channel')
+      subject.channel_name.should be_nil
+      lambda { subject.result }.should raise_error ArgumentError, 'expected channel'
+    end
+  
+    it "should not allow to changing rights at default" do
+      subject.instance_variable_get('@args').merge!('write' => true)
+      subject.rights.should be_nil
+      lambda { subject.result }.should raise_error ArgumentError, 'user are not allowed to change channel rights'
+    end
+  
+    context "with changing rights enables" do
+      before { subject.instance_variable_set('@allow_changing_rights', true) }
+    
+      it "should allow changing 'read' to false" do
+        subject.instance_variable_get('@args').merge!('read' => false)
+        subject.rights.should eql('000')
+      end
+    
+      it "should allow changing 'write' to true" do
+        subject.instance_variable_get('@args').merge!('write' => true)
+        subject.rights.should eql('110')
+      end
+    
+      it "should not allow changing 'hide' to true" do
+        subject.instance_variable_get('@args').merge!('hide' => true)
+        subject.rights.should eql('100')
+      end
+    
+    end
+  
+    context "presence channel" do
+      before { subject.instance_variable_get('@args').merge!('channel' => 'presence-channel') }
+    
+      its(:channel_name) { should eql('presence-channel') }
+      its(:rights) { should eql('100') }
+      its(:presence?) { should eql(true) }
+      its(:user_data) { should eql(nil) }
+      its(:string_to_sign) { should eql('somerandomstring:1234ABCD:presence-channel:100') }
+      its(:signature) { should eql('f0332936d0c3e59e2d9840d0c0b538ad88fba467ba546d8f9f91bc8d3cd95a1c') }
+      its(:auth) { should eql('somerandomstring:f0332936d0c3e59e2d9840d0c0b538ad88fba467ba546d8f9f91bc8d3cd95a1c') }
+      its(:result) { should eql('auth' => 'somerandomstring:f0332936d0c3e59e2d9840d0c0b538ad88fba467ba546d8f9f91bc8d3cd95a1c') }
+    
+      context "with hash user data provided" do
+        before { subject.instance_variable_get('@args').merge!('data' => { 'some' => 'data' }) }
+      
+        its(:user_data) { should eql('{"some":"data"}') }
+        its(:string_to_sign) { should eql('somerandomstring:1234ABCD:presence-channel:100:{"some":"data"}') }
+        its(:signature) { should eql('71dabae0f47da5ac8e4982fa062abf09788f8fab40b7634427e380bfcec29855') }
+        its(:auth) { should eql('somerandomstring:71dabae0f47da5ac8e4982fa062abf09788f8fab40b7634427e380bfcec29855') }
+        its(:result) { should eql('auth' => 'somerandomstring:71dabae0f47da5ac8e4982fa062abf09788f8fab40b7634427e380bfcec29855', 'data' => '{"some":"data"}') }
+      end
+      
+      context "with string user data provided" do
+        before { subject.instance_variable_get('@args').merge!('data' => '{"some":"data"}') }
+      
+        its(:user_data) { should eql('{"some":"data"}') }
+        its(:string_to_sign) { should eql('somerandomstring:1234ABCD:presence-channel:100:{"some":"data"}') }
+        its(:signature) { should eql('71dabae0f47da5ac8e4982fa062abf09788f8fab40b7634427e380bfcec29855') }
+        its(:auth) { should eql('somerandomstring:71dabae0f47da5ac8e4982fa062abf09788f8fab40b7634427e380bfcec29855') }
+        its(:result) { should eql('auth' => 'somerandomstring:71dabae0f47da5ac8e4982fa062abf09788f8fab40b7634427e380bfcec29855', 'data' => '{"some":"data"}') }
+      end
+    
+    end
+  
+  end
+  
+end

data/spec/spec_helper.rb

@@ -0,0 +1,4 @@
+require 'rubygems'
+require 'rspec'
+
+require 'socky/authenticator'

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification 
+name: socky-authenticator
+version: !ruby/object:Gem::Version 
+  prerelease: 6
+  version: 0.5.0.beta4
+platform: ruby
+authors: 
+- Bernard Potocki
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-04-16 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: json
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: ruby-hmac
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "2.0"
+  type: :development
+  version_requirements: *id003
+description: Socky is a WebSocket-based framework for realtime web applications.
+email: 
+- bernard.potocki@imanel.org
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- example/config.ru
+- lib/socky/authenticator.rb
+- socky-authenticator.gemspec
+- spec/authenticator_spec.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://socky.org
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      version: 1.3.1
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.1
+signing_key: 
+specification_version: 3
+summary: Socky - Authentication Module
+test_files: 
+- spec/authenticator_spec.rb
+- spec/spec_helper.rb