tanker-identity 2.16.0.alpha.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 88d5a8e184f0271d9b431a9440eb7a358d9a3d7f4e0e88f5774b9c8601a74cb3
+  data.tar.gz: 501f29acdb04b8777fcff7fedabeebcb97d6be545b825958d31d985720c00d2c
+SHA512:
+  metadata.gz: 62fe18c7feea78adbbb5d52aae664d3a4a806bd34dd04130e9ba20a49bf8acab96741d8525a8be50d213ee86d0b9e8d8532374df33a101db1c5cb05910a7ab8f
+  data.tar.gz: 227bcb9e1e49db803afa686eb511048929a04ad5cac2da25ce54a800cf4ca3b295b0c6fe149826c92a5c544f29ed5c2ea5e1a16db9162eb74a48039da9662c15

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright 2019 Kontrol SAS
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,133 @@
+<a href="#readme"><img src="https://tanker.io/images/github-logo.png" alt="Tanker logo" width="180" /></a>
+
+# Identity SDK
+
+[![Actions Status](https://github.com/TankerHQ/identity-ruby/workflows/Tests/badge.svg)](https://github.com/TankerHQ/identity-ruby/actions) [![codecov](https://codecov.io/gh/TankerHQ/identity-ruby/branch/master/graph/badge.svg)](https://codecov.io/gh/TankerHQ/identity-ruby)
+
+Identity generation in Ruby for the [Tanker SDK](https://docs.tanker.io/latest/).
+
+## Requirements
+
+This gem requires Ruby v2.5 or greater (transitive requirement from [rbnacl](https://github.com/crypto-rb/rbnacl)).
+
+If still on an older version of Ruby, use `tanker-identity` with the [`603b35f8` commit ref](https://github.com/TankerHQ/identity-ruby/tree/603b35f8e1ca889c4862e8f9c1e54632a38b32b6).
+
+## Installation
+
+This project depends on the [rbnacl](https://github.com/crypto-rb/rbnacl) gem, which requires the [libsodium](https://download.libsodium.org/doc/) cryptographic library.
+
+Before going further, please follow [instructions to install libsodium](https://github.com/crypto-rb/rbnacl/wiki/Installing-libsodium).
+
+Then, add this line to your application's Gemfile:
+
+```ruby
+gem 'tanker-identity', git: 'https://github.com/TankerHQ/identity-ruby' #, ref: '<commit>'
+```
+
+Finally, execute:
+
+```shell
+bundle
+```
+
+## API
+
+```ruby
+Tanker::Identity.create_identity(app_id, app_secret, user_id)
+```
+Create a new Tanker identity. This identity is secret and must only be given to a user who has been authenticated by your application. This identity is used by the Tanker client SDK to open a Tanker session.
+
+**app_id**<br>
+The app ID. You can access it from the [Tanker dashboard](https://dashboard.tanker.io).
+
+**app_secret**<br>
+The app secret. A secret that you have saved right after the creation of your app on the [Tanker dashboard](https://dashboard.tanker.io).
+
+**user_id**<br>
+The unique ID of a user in your application.
+<br><br>
+
+```ruby
+Tanker::Identity.create_provisional_identity(app_id, email)
+```
+Create a Tanker provisional identity. It allows you to share a resource with a user who does not have an account in your application yet.
+
+**app_id**<br>
+The app ID. You can access it from the [Tanker dashboard](https://dashboard.tanker.io).
+
+**email**<br>
+The email of the potential recipient of the resource.
+<br><br>
+
+```ruby
+Tanker::Identity.get_public_identity(identity)
+```
+Return the public identity from an identity. This public identity can be used by the Tanker client SDK to share encrypted resource.
+
+**identity**<br>
+A secret identity.
+<br><br>
+
+## Usage example
+
+The server-side pseudo-code below demonstrates a typical flow to safely deliver identities to your users:
+
+```ruby
+require 'tanker-identity'
+
+# 1. store these configurations in a safe place
+app_id = '<app-id>'
+app_secret = '<app-secret>'
+
+# 2. you will typically have methods to check user authentication
+def authenticated? # check user is authenticated on the server
+def current_user   # current authenticated user
+
+# 3. you will need to add internal methods to store / load identities
+def db_store_identity(user_id, identity)
+def db_load_identity(user_id)
+
+# 4. finally, add user facing functionality
+def tanker_secret_identity(user_id)
+  raise 'Not authenticated' unless authenticated?
+  raise 'Not authorized' unless current_user.id == user_id
+
+  identity = db_load_identity(user_id)
+
+  if identity.nil?
+    identity = Tanker::Identity.create_identity(app_id, app_secret, user_id)
+    db_store_identity(user_id, identity)
+  end
+
+  identity
+end
+
+def tanker_public_identity(user_id)
+  raise 'Not authenticated' unless authenticated?
+
+  identity = db_load_identity(user_id)
+
+  raise 'User does not exist or has no identity yet' unless identity
+
+  Tanker::Identity.get_public_identity(identity)
+end
+```
+
+Read more about identities in the [Tanker documentation](https://docs.tanker.io/latest/).
+
+Check the [examples](https://github.com/TankerHQ/identity-ruby/tree/master/examples/) folder for usage examples.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+To audit the Gemfile.lock against the [advisory database](https://rubysec.com/), run `bundle exec bundle-audit check --update`.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/TankerHQ/identity-ruby.
+
+[build-badge]: https://travis-ci.org/TankerHQ/identity-ruby.svg?branch=master
+[build]: https://travis-ci.org/TankerHQ/identity-ruby

data/lib/tanker-identity.rb

@@ -0,0 +1 @@
+require 'tanker/identity'

data/lib/tanker/crypto.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+require 'rbnacl'
+require 'securerandom'
+
+module Tanker
+  module Crypto
+    class InvalidSignature < StandardError; end
+
+    HASH_MIN_SIZE = RbNaCl::Hash::Blake2b::BYTES_MIN # 16
+
+    def self.generichash(input, size)
+      binary_input = input.dup.force_encoding(Encoding::ASCII_8BIT)
+      RbNaCl::Hash.blake2b(binary_input, digest_size: size)
+    end
+
+    # We need this static method since a RbNaCl::SigningKey instance can't be
+    # directly initialized with a given private_signature_key
+    def self.sign_detached(message, private_signature_key)
+      signature_bytes = RbNaCl::SigningKey.signature_bytes
+      buffer = RbNaCl::Util.prepend_zeros(signature_bytes, message)
+      buffer_len = RbNaCl::Util.zeros(8) # 8 bytes for an int64 (FFI::Type::LONG_LONG.size)
+
+      RbNaCl::SigningKey.sign_ed25519(buffer, buffer_len, message, message.bytesize, private_signature_key)
+
+      buffer[0, signature_bytes]
+    end
+
+    def self.verify_sign_detached(message, signature, public_signature_key)
+      verify_key = RbNaCl::VerifyKey.new(public_signature_key)
+      verify_key.verify(signature, message)
+    rescue RbNaCl::BadSignatureError
+      raise InvalidSignature.new
+    end
+
+    def self.generate_signature_keypair
+      signing_key = RbNaCl::SigningKey.generate
+
+      {
+        private_key: signing_key.keypair_bytes,
+        public_key: signing_key.verify_key.to_bytes
+      }
+    end
+
+    def self.generate_encryption_keypair
+      encryption_key = RbNaCl::PrivateKey.generate
+
+      {
+        private_key: encryption_key.to_bytes,
+        public_key: encryption_key.public_key.to_bytes
+      }
+    end
+
+    def self.random_bytes(size)
+      SecureRandom.bytes(size)
+    end
+  end
+end

data/lib/tanker/identity.rb

@@ -0,0 +1,125 @@
+require 'tanker/crypto'
+require 'tanker/identity/version'
+require 'base64'
+require 'json'
+
+module Tanker
+  module Identity
+    APP_CREATION_NATURE = 1
+    APP_SECRET_SIZE = 64
+    APP_PUBLIC_KEY_SIZE = 32
+    AUTHOR_SIZE = 32
+    BLOCK_HASH_SIZE = 32
+    USER_SECRET_SIZE = 32
+
+    private
+
+    def self.hash_user_id(app_id, user_id)
+      binary_user_id = user_id.dup.force_encoding(Encoding::ASCII_8BIT)
+      Crypto.generichash(binary_user_id + app_id, BLOCK_HASH_SIZE)
+    end
+
+    def self.user_secret(hashed_user_id)
+      random_bytes = Crypto.random_bytes(USER_SECRET_SIZE - 1)
+      check = Crypto.generichash(random_bytes + hashed_user_id, Crypto::HASH_MIN_SIZE)
+      random_bytes + check[0]
+    end
+
+    def self.assert_string_values(hash)
+      hash.each_pair do |key, value|
+        unless value.is_a?(String)
+          raise TypeError.new("expected #{key} to be a String but was a #{value.class}")
+        end
+      end
+    end
+
+    def self.generate_app_id(app_secret)
+      block_nature = APP_CREATION_NATURE.chr(Encoding::ASCII_8BIT)
+      none_author = 0.chr(Encoding::ASCII_8BIT) * AUTHOR_SIZE
+      app_public_key = app_secret[-APP_PUBLIC_KEY_SIZE..-1]
+      Crypto.generichash(block_nature + none_author + app_public_key, BLOCK_HASH_SIZE)
+    end
+
+    public
+
+    def self.deserialize(b64_json)
+      JSON.parse(Base64.strict_decode64(b64_json))
+    end
+
+    def self.serialize(hash)
+      Base64.strict_encode64(JSON.generate(hash))
+    end
+
+    def self.create_identity(b64_app_id, b64_app_secret, user_id)
+      assert_string_values({
+        app_id: b64_app_id,
+        app_secret: b64_app_secret,
+        user_id: user_id
+      })
+
+      app_id = Base64.strict_decode64(b64_app_id)
+      app_secret = Base64.strict_decode64(b64_app_secret)
+
+      raise ArgumentError.new("Invalid app_id") if app_id.bytesize != BLOCK_HASH_SIZE
+      raise ArgumentError.new("Invalid app_secret") if app_secret.bytesize != APP_SECRET_SIZE
+      raise ArgumentError.new("Invalid (app_id, app_secret) combination") if app_id != generate_app_id(app_secret)
+
+      hashed_user_id = hash_user_id(app_id, user_id)
+      signature_keypair = Crypto.generate_signature_keypair
+      message = signature_keypair[:public_key] + hashed_user_id
+      signature = Crypto.sign_detached(message, app_secret)
+
+      serialize({
+        trustchain_id: Base64.strict_encode64(app_id),
+        target: 'user',
+        value: Base64.strict_encode64(hashed_user_id),
+        delegation_signature: Base64.strict_encode64(signature),
+        ephemeral_public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
+        ephemeral_private_signature_key: Base64.strict_encode64(signature_keypair[:private_key]),
+        user_secret: Base64.strict_encode64(user_secret(hashed_user_id))
+      })
+    end
+
+    def self.create_provisional_identity(b64_app_id, email)
+      assert_string_values({
+        app_id: b64_app_id,
+        email: email
+      })
+
+      app_id = Base64.strict_decode64(b64_app_id)
+      raise ArgumentError.new("Invalid app_id") if app_id.bytesize != BLOCK_HASH_SIZE
+
+      encryption_keypair = Crypto.generate_encryption_keypair
+      signature_keypair = Crypto.generate_signature_keypair
+
+      serialize({
+        trustchain_id: b64_app_id,
+        target: 'email',
+        value: email,
+        public_encryption_key: Base64.strict_encode64(encryption_keypair[:public_key]),
+        private_encryption_key: Base64.strict_encode64(encryption_keypair[:private_key]),
+        public_signature_key: Base64.strict_encode64(signature_keypair[:public_key]),
+        private_signature_key: Base64.strict_encode64(signature_keypair[:private_key])
+      })
+    end
+
+    def self.get_public_identity(serialized_identity)
+      assert_string_values({ identity: serialized_identity })
+
+      identity = deserialize(serialized_identity)
+
+      if identity['target'] == 'user'
+        public_keys = ['trustchain_id', 'target', 'value']
+      else
+        public_keys = ['trustchain_id', 'target', 'value', 'public_encryption_key', 'public_signature_key']
+      end
+
+      public_identity = {}
+      public_keys.each { |key| public_identity[key] = identity.fetch(key) }
+
+      serialize(public_identity)
+    rescue KeyError # failed fetch
+      raise ArgumentError.new('Not a valid Tanker identity')
+    end
+  end
+end

data/lib/tanker/identity/version.rb

@@ -0,0 +1,11 @@
+module Tanker
+  module Identity
+    VERSION = '2.16.0.alpha.1'
+  end
+
+  def self.const_missing(name)
+    super unless name == :VERSION
+    warn "DEPRECATION WARNING: Using `Tanker::VERSION` is deprecated in favor of `Tanker::Identity::VERSION`"
+    Tanker::Identity::VERSION
+  end
+end

metadata

@@ -0,0 +1,165 @@
+--- !ruby/object:Gem::Specification
+name: tanker-identity
+version: !ruby/object:Gem::Version
+  version: 2.16.0.alpha.1
+platform: ruby
+authors:
+- Tanker Team
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2021-06-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubygems-tasks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.5
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: codecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Building blocks to add Tanker identity management to your application
+  server
+email:
+- contact@tanker.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/tanker-identity.rb
+- lib/tanker/crypto.rb
+- lib/tanker/identity.rb
+- lib/tanker/identity/version.rb
+homepage: https://tanker.io
+licenses:
+- Apache-2.0
+metadata:
+  homepage_uri: https://tanker.io
+  source_code_uri: https://github.com/TankerHQ/identity-ruby
+  changelog_uri: https://docs.tanker.io/latest/release-notes/identity/ruby
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Tanker identity management library packaged as a gem
+test_files: []