sparoid 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 97ffed008109eb32f070fc300c536cd29f000c6ff943b67bff64658c218f70ce
+  data.tar.gz: 87fcc661eb04ee0a79b9d9cbd4ef12b5f80c8a4c1856569076f1eac57a37c41b
+SHA512:
+  metadata.gz: ded717258409725cbf49b97fd9c704dbbe550a024f4ce09b484640306079f67ccfd43f64d063326c787ed700cef4db09179b6facb98c7403304dad0a861216ea
+  data.tar.gz: 180a6a9ae33549e198130f73e3e4bd5e9ce4e63727668e6ea2124e22ade18b4e7324efb15abf00053fc22b0728a05d17f49cff353a6f68cdf6b3bf9709b5fab4

data/.github/workflows/main.yml

@@ -0,0 +1,18 @@
+name: Ruby
+
+on: [push,pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7.2
+    - name: Run the default task
+      run: |
+        gem install bundler -v 2.2.14
+        bundle install
+        bundle exec rake

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rubocop.yml

@@ -0,0 +1,14 @@
+AllCops:
+  TargetRubyVersion: 2.4
+  NewCops: enable
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Layout/LineLength:
+  Max: 120

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [1.0.0] - 2021-03-11
+
+- Initial release

data/Gemfile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in sparoid.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "minitest", "~> 5.0"
+
+gem "rubocop", "~> 1.7"
+
+gem "rubocop-minitest", require: false
+
+gem "rubocop-rake", require: false

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Carl Hörberg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,37 @@
+# SPAroid
+
+Single Packet Authorization client implementation in Ruby, both a library and a CLI app. SPA sends a single encrypted and HMACed UDP package to a server, the server upon receiving it verifies and decrypts it and then executes a command, most often opening the firewall for the client that sent the package. This allows you to employ a reject-all firewall but open the firewall for e.g. SSH access. It's a first line of defence, in the case of 0-day attacks on SSH or similar.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'sparoid'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install sparoid
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/84codes/sparoid.rb.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[test rubocop]

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "sparoid"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/sparoid

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative "../lib/sparoid/cli"
+Sparoid::CLI.start

data/lib/sparoid.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require_relative "sparoid/version"
+require "socket"
+require "openssl"
+require "resolv"
+
+# Single Packet Authorisation client
+module Sparoid
+  def self.send(key, hmac_key, host, port)
+    msg = message(public_ip)
+    data = prefix_hmac(hmac_key, encrypt(key, msg))
+    udp_send(host, port, data)
+  end
+
+  def self.udp_send(host, port, data)
+    socket = UDPSocket.new
+    socket.connect host, port
+    socket.send data, 0
+    socket.close
+  end
+
+  def self.encrypt(key, data)
+    key = [key].pack("H*") # hexstring to bytes
+    raise ArgumentError, "Key must be 32 bytes hex encoded" if key.bytesize != 32
+
+    cipher = OpenSSL::Cipher.new("aes-256-cbc")
+    cipher.encrypt
+    iv = cipher.random_iv
+    cipher.key = key
+    cipher.iv = iv
+    output = iv
+    output << cipher.update(data)
+    output << cipher.final
+  end
+
+  def self.prefix_hmac(hmac_key, data)
+    hmac_key = [hmac_key].pack("H*") # hexstring to bytes
+    raise ArgumentError, "HMAC key must be 32 bytes hex encoded" if hmac_key.bytesize != 32
+
+    hmac = OpenSSL::HMAC.digest("SHA256", hmac_key, data)
+    hmac + data
+  end
+
+  def self.message(ip)
+    version = 1
+    ts = (Time.now.utc.to_f * 1000).floor
+    nounce = OpenSSL::Random.random_bytes(16)
+    [version, ts, nounce, ip.address].pack("Nq>a16a4")
+  end
+
+  def self.public_ip
+    Resolv::DNS.open(nameserver: ["resolver1.opendns.com"]) do |dns|
+      dns.each_address("myip.opendns.com") do |resolv|
+        case resolv
+        when Resolv::IPv4 then return resolv
+        end
+      end
+      raise Error, "No public IPv4 address found"
+    end
+  end
+
+  def self.keygen
+    cipher = OpenSSL::Cipher.new("aes-256-cbc")
+    key = cipher.random_key.unpack1("H*")
+    hmac_key = OpenSSL::Random.random_bytes(32).unpack1("H*")
+    puts "key = #{key}"
+    puts "hmac-key = #{hmac_key}"
+  end
+
+  class Error < StandardError; end
+end

data/lib/sparoid/cli.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "thor"
+require_relative "../sparoid"
+
+module Sparoid
+  # CLI
+  class CLI < Thor
+    desc "send HOST [PORT]", "Send a packet"
+    method_option :config, default: "~/.sparoid.ini"
+    def send(host, port = 8484)
+      abort "Config not found" unless File.exist? options[:config]
+
+      key, hmac_key = get_keys(parse_ini(options[:config]))
+      Sparoid.send(key, hmac_key, host, port.to_i)
+    end
+
+    desc "keygen", "Generate an encryption key and a HMAC key"
+    def keygen
+      Sparoid.keygen
+    end
+
+    def self.exit_on_failure?
+      true
+    end
+
+    private
+
+    def parse_ini(path)
+      File.readlines(path).map! { |l| l.split("=", 2).map!(&:strip) }.to_h
+    end
+
+    def get_keys(config)
+      config.values_at("key", "hmac-key")
+    end
+  end
+end

data/lib/sparoid/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Sparoid
+  VERSION = "1.0.0"
+end

data/sparoid.gemspec

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "lib/sparoid/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "sparoid"
+  spec.version       = Sparoid::VERSION
+  spec.authors       = ["Carl Hörberg"]
+  spec.email         = ["carl@84codes.com"]
+
+  spec.summary       = "Single Packet Authorisation client"
+  spec.homepage      = "https://github.com/84codes/sparoid.rb"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "https://raw.githubusercontent.com/84codes/sparoid.rb/main/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "thor"
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: sparoid
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Carl Hörberg
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2021-03-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- carl@84codes.com
+executables:
+- sparoid
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/sparoid
+- lib/sparoid.rb
+- lib/sparoid/cli.rb
+- lib/sparoid/version.rb
+- sparoid.gemspec
+homepage: https://github.com/84codes/sparoid.rb
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/84codes/sparoid.rb
+  source_code_uri: https://github.com/84codes/sparoid.rb
+  changelog_uri: https://raw.githubusercontent.com/84codes/sparoid.rb/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: Single Packet Authorisation client
+test_files: []