sworn 0.0.1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 1.9.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in sworn.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Martin Svangren
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,29 @@
+# Sworn
+
+Sworn is Rack middleware to handle OAuth 1.0a signed requests.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'sworn'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install sworn
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/sworn.rb

@@ -0,0 +1,17 @@
+require "sworn/configuration"
+require "sworn/middleware"
+require "sworn/replay_protector/custom"
+require "sworn/verifier"
+require "sworn/version"
+
+module Sworn
+  class << self
+    def configure
+      yield(configuration)
+    end
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+  end
+end

data/lib/sworn/configuration.rb

@@ -0,0 +1,28 @@
+module Sworn
+  class Configuration
+    # A hash of consumer keys and their secrets
+    attr_accessor :consumers
+
+    # Maximum timestamp drift allowed
+    attr_accessor :max_drift
+
+    # A Proc that takes an OAuth options hash and returns true if the request
+    # is replayed, and false if it is not
+    attr_reader :replay_protector
+
+    def replay_protector=(*args)
+      klass, *parameters = args.flatten
+      @replay_protector = klass.new(parameters)
+    end
+
+    # A hash of access tokens and their secrets
+    attr_accessor :tokens
+
+    def initialize
+      consumers        = Hash.new
+      max_drift        = 30
+      replay_protector = Sworn::ReplayProtector::Custom, lambda { |_| false }
+      tokens           = Hash.new
+    end
+  end
+end

data/lib/sworn/middleware.rb

@@ -0,0 +1,32 @@
+require "simple_oauth"
+
+module Sworn
+  class Middleware
+    attr_reader :verifier_class
+
+    def initialize(app, options = {})
+      @app = app
+      @verifier_class = options.fetch(:verifier_class) { Verifier }
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+      verifier = verifier_class.new(request)
+
+      return bad_request    if verifier.unsigned?
+      return not_authorized if verifier.expired?
+      return not_authorized if verifier.replayed?
+      return not_authorized unless verifier.valid?
+
+      return @app.call(env)
+    end
+
+    def bad_request
+      [400, {}, ["Bad request"]]
+    end
+
+    def not_authorized
+      [401, {}, ["Not authorized"]]
+    end
+  end
+end

data/lib/sworn/replay_protector/custom.rb

@@ -0,0 +1,13 @@
+module Sworn
+  module ReplayProtector
+    class Custom
+      def initialize(*options)
+        @evaluator, _ = options.flatten
+      end
+
+      def replayed?(oauth)
+        @evaluator.call(oauth)
+      end
+    end
+  end
+end

data/lib/sworn/verifier.rb

@@ -0,0 +1,40 @@
+module Sworn
+  class Verifier
+    attr_accessor :config, :oauth, :request
+
+    def initialize(request, options = {})
+      @config = options.fetch(:config) { Sworn.configuration }
+      @request = request
+      @oauth = SimpleOAuth::Header.parse(request.env["HTTP_AUTHORIZATION"])
+    end
+
+    def unsigned?
+      oauth.empty?
+    end
+
+    def expired?
+      timestamp = oauth.fetch(:timestamp).to_i
+      now = Time.now.to_i
+      window = (now - config.max_drift .. now + config.max_drift)
+      !window.include?(timestamp)
+    end
+
+    def replayed?
+      config.replay_protector.replayed?(oauth)
+    end
+
+    def valid?
+      consumer_key = oauth[:consumer_key]
+      consumer_secret = config.consumers[consumer_key]
+      access_token = oauth[:token]
+      token_secret = config.tokens[access_token]
+
+      valid = SimpleOAuth::Header.new(
+        request.request_method,
+        request.url,
+        request.params,
+        oauth
+      ).valid?(:consumer_secret => consumer_secret, :token_secret => token_secret)
+    end
+  end
+end

data/lib/sworn/version.rb

@@ -0,0 +1,3 @@
+module Sworn
+  VERSION = "0.0.1"
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+require 'sworn'

data/spec/sworn/middleware_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+require 'rack/test'
+require 'simple_oauth'
+
+describe Sworn::Middleware do
+  include Rack::Test::Methods
+
+  def dummy_app
+    lambda { |_| [200, {}, "Hello"] }
+  end
+
+  def app
+    Sworn.configure do |config|
+      config.consumers    = { "consumer" => "consumersecret" }
+      config.tokens       = { "token" => "tokensecret" }
+      config.max_drift    = 30
+      config.replay_protector = Sworn::ReplayProtector::Custom, lambda { |oauth|
+                                  @store ||= Set.new
+                                  return true if @store.include?(oauth)
+                                  @store << oauth
+                                  false
+                                }
+    end
+
+    Sworn::Middleware.new dummy_app
+  end
+
+  def oauth_signature(options = {})
+    method = options.delete(:method) { "GET" }
+    url    = options.delete(:url) { "http://example.org/" }
+    params = options.delete(:params) { Hash.new }
+
+    options[:consumer_key]    ||= "consumer"
+    options[:consumer_secret] ||= "consumersecret"
+
+    SimpleOAuth::Header.new(method, url, params, options)
+  end
+
+  it "returns 400 when signature is missing" do
+    get "/"
+    expect(last_response.status).to eq 400
+  end
+
+  it "returns 401 when signature is invalid" do
+    get "/", {}, { 'HTTP_AUTHORIZATION' => 'OAuth oauth_consumer_key="invalid", oauth_token="", oauth_nonce="abc", oauth_timestamp="123", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_signature="nowayjose"' }
+    expect(last_response.status).to eq 401
+  end
+
+  it "returns 401 when signature timestamp is out of bounds" do
+    get "/", {}, { 'HTTP_AUTHORIZATION' => oauth_signature(:timestamp => (Time.now.to_i - 60).to_s) }
+    expect(last_response.status).to eq 401
+  end
+
+  it "returns 401 when signature is replayed" do
+    replayed = oauth_signature
+    get "/", {}, { 'HTTP_AUTHORIZATION' => replayed }
+    expect(last_response.status).to eq 200
+    get "/", {}, { 'HTTP_AUTHORIZATION' => replayed }
+    expect(last_response.status).to eq 401
+  end
+
+  it "returns 200 for valid consumer-only signature" do
+    get "/", {}, { 'HTTP_AUTHORIZATION' => oauth_signature }
+    expect(last_response.status).to eq 200
+  end
+
+  it "returns 200 for valid consumer + access token signature" do
+    get "/", {}, { 'HTTP_AUTHORIZATION' => oauth_signature(:token => "token", :token_secret => "tokensecret") }
+    expect(last_response.status).to eq 200
+  end
+end

data/spec/sworn_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe Sworn do
+  it "has a version number" do
+    expect(Sworn::VERSION).not_to be_nil
+  end
+end

data/sworn.gemspec

@@ -0,0 +1,28 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'sworn/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "sworn"
+  spec.version       = Sworn::VERSION
+  spec.authors       = ["Martin Svangren"]
+  spec.email         = ["martin@masv.net"]
+  spec.description   = %q{Sworn is Rack middleware to handle OAuth 1.0a signed requests}
+  spec.summary       = %q{Rack middleware for OAuth 1.0a signed requests}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rack-test"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+
+  spec.add_runtime_dependency "rack"
+  spec.add_runtime_dependency "simple_oauth"
+end

metadata

@@ -0,0 +1,161 @@
+--- !ruby/object:Gem::Specification
+name: sworn
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Martin Svangren
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-05-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simple_oauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Sworn is Rack middleware to handle OAuth 1.0a signed requests
+email:
+- martin@masv.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/sworn.rb
+- lib/sworn/configuration.rb
+- lib/sworn/middleware.rb
+- lib/sworn/replay_protector/custom.rb
+- lib/sworn/verifier.rb
+- lib/sworn/version.rb
+- spec/spec_helper.rb
+- spec/sworn/middleware_spec.rb
+- spec/sworn_spec.rb
+- sworn.gemspec
+homepage: ''
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Rack middleware for OAuth 1.0a signed requests
+test_files:
+- spec/spec_helper.rb
+- spec/sworn/middleware_spec.rb
+- spec/sworn_spec.rb