tilia-http 4.1.0

data/examples/reverseproxy.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+# The url we're proxying to.
+remote_url = 'http://example.org/'
+
+# The url we're proxying from. Please note that this must be a relative url,
+# and basically acts as the base url.
+#
+# If your remote_url doesn't end with a slash, this one probably shouldn't
+# either.
+my_base_url = ''
+# my_base_url = '/~evert/sabre/http/examples/reverseproxy.php/'
+
+# Expected to be called "bundle exec examples/reverseproxy.rb"
+require './lib/tilia_http'
+require 'rack'
+
+app = proc do |env|
+  sapi = Tilia::Http::Sapi.new(env)
+  request = sapi.request
+  request.base_url = my_base_url
+
+  sub_request = request.dup
+
+  # Removing the Host header.
+  sub_request.remove_header('Host')
+
+  # Rewriting the url.
+  sub_request.url = remote_url + request.path
+
+  client = Tilia::Http::Client.new
+
+  # Sends the HTTP request to the server
+  response = client.send(sub_request)
+
+  # Sends the response back to the client that connected to the proxy.
+  sapi.send_response(response)
+end
+
+Rack::Handler::WEBrick.run app

data/examples/stringify.rb

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+require 'json'
+# This simple example shows the capability of Request and Response objects to
+# serialize themselves as strings.
+#
+# This is mainly useful for debugging purposes.
+#
+# @copyright Copyright (C) 2009-2015 fruux GmbH (https://fruux.com/).
+# @author Evert Pot (http://evertpot.com/)
+# @license http://sabre.io/license/ Modified BSD License
+
+# Expected to be called "bundle exec examples/stringify.rb"
+require './lib/tilia_http'
+
+request = Tilia::Http::Request.new('POST', '/foo')
+request.update_headers(
+  'Host'         => 'example.org',
+  'Content-Type' => 'application/json'
+)
+
+request.body = JSON.generate('foo' => 'bar')
+
+puts request.to_s
+puts
+puts
+
+response = Tilia::Http::Response.new(424)
+response.update_headers(
+  'Content-Type' => 'text/plain',
+  'Connection'   => 'close'
+)
+
+response.body = 'ABORT! ABORT!'
+
+puts response.to_s
+
+puts

data/lib/tilia/http/auth/abstract_auth.rb

@@ -0,0 +1,51 @@
+module Tilia
+  module Http
+    module Auth
+      # HTTP Authentication base class.
+      #
+      # This class provides some common functionality for the various base classes.
+      class AbstractAuth
+        protected
+
+        # Authentication realm
+        #
+        # @return [String]
+        attr_accessor :realm
+
+        # Request object
+        #
+        # @return [RequestInterface]
+        attr_accessor :request
+
+        # Response object
+        #
+        # @return [ResponseInterface]
+        attr_accessor :response
+
+        public
+
+        # Creates the object
+        #
+        # @param [String] realm
+        # @return [void]
+        def initialize(realm = 'TiliaTooth', request, response)
+          @realm = realm
+          @request = request
+          @response = response
+        end
+
+        # This method sends the needed HTTP header and statuscode (401) to force
+        # the user to login.
+        #
+        # @return [void]
+        def require_login
+        end
+
+        # Returns the HTTP realm
+        #
+        # @return [String]
+        attr_reader :realm
+      end
+    end
+  end
+end

data/lib/tilia/http/auth/aws.rb

@@ -0,0 +1,191 @@
+require 'digest'
+require 'base64'
+require 'openssl'
+module Tilia
+  module Http
+    module Auth
+      # HTTP AWS Authentication handler
+      #
+      # Use this class to leverage amazon's AWS authentication header
+      class Aws < Tilia::Http::Auth::AbstractAuth
+        protected
+
+        # The signature supplied by the HTTP client
+        #
+        # @return [String]
+        attr_accessor :signature
+
+        # The accesskey supplied by the HTTP client
+        #
+        # @return [String]
+        attr_accessor :access_key
+
+        public
+
+        # An error code, if any
+        #
+        # This value will be filled with one of the ERR_* constants
+        #
+        # @return int
+        attr_accessor :error_code
+
+        ERR_NOAWSHEADER = 1
+        ERR_MD5CHECKSUMWRONG = 2
+        ERR_INVALIDDATEFORMAT = 3
+        ERR_REQUESTTIMESKEWED = 4
+        ERR_INVALIDSIGNATURE = 5
+
+        # Gathers all information from the headers
+        #
+        # This method needs to be called prior to anything else.
+        #
+        # @return bool
+        def init
+          auth_header = @request.header('Authorization') || ''
+          auth_header = auth_header.split(' ')
+
+          if auth_header[0] != 'AWS' || auth_header.size < 2
+            @error_code = self.class::ERR_NOAWSHEADER
+            return false
+          end
+
+          (@access_key, @signature) = auth_header[1].split(':')
+
+          true
+        end
+
+        # Returns the username for the request
+        #
+        # @return [String]
+        attr_reader :access_key
+
+        # Validates the signature based on the secretKey
+        #
+        # @param [String] secret_key
+        # @return bool
+        def validate(secret_key)
+          content_md5 = @request.header('Content-MD5')
+
+          if content_md5
+            # We need to validate the integrity of the request
+            body = @request.body
+            @request.body = body
+
+            if content_md5 != Base64.strict_encode64(::Digest::MD5.digest(body.to_s))
+              # content-md5 header did not match md5 signature of body
+              @error_code = self.class::ERR_MD5CHECKSUMWRONG
+              return false
+            end
+          end
+
+          request_date = @request.header('x-amz-date')
+          request_date = @request.header('Date') unless request_date
+
+          return false unless validate_rfc2616_date(request_date)
+
+          amz_headers = self.amz_headers
+
+          signature = Base64.strict_encode64(
+            hmacsha1(
+              secret_key,
+              @request.method + "\n" +
+              content_md5 + "\n" +
+              @request.header('Content-type').to_s + "\n" +
+              request_date + "\n" +
+              amz_headers +
+              @request.url
+            )
+          )
+
+          unless @signature == signature
+            @error_code = self.class::ERR_INVALIDSIGNATURE
+            return false
+          end
+          true
+        end
+
+        # Returns an HTTP 401 header, forcing login
+        #
+        # This should be called when username and password are incorrect, or not supplied at all
+        #
+        # @return [void]
+        def require_login
+          @response.add_header('WWW-Authenticate', 'AWS')
+          @response.status = 401
+        end
+
+        protected
+
+        # Makes sure the supplied value is a valid RFC2616 date.
+        #
+        # If we would just use strtotime to get a valid timestamp, we have no way of checking if a
+        # user just supplied the word 'now' for the date header.
+        #
+        # This function also makes sure the Date header is within 15 minutes of the operating
+        # system date, to prevent replay attacks.
+        #
+        # @param [String] date_header
+        # @return bool
+        def validate_rfc2616_date(date_header)
+          date = Tilia::Http::Util.parse_http_date(date_header)
+
+          # Unknown format
+          unless date
+            @error_code = self.class::ERR_INVALIDDATEFORMAT
+            return false
+          end
+
+          min = Time.zone.now - 15.minutes
+          max = Time.zone.now + 15.minutes
+
+          # We allow 15 minutes around the current date/time
+          if date > max || date < min
+            @error_code = self.class::ERR_REQUESTTIMESKEWED
+            return false
+          end
+
+          date
+        end
+
+        # Returns a list of AMZ headers
+        #
+        # @return [String]
+        def amz_headers
+          amz_headers = {}
+          headers = @request.headers
+
+          headers.each do |header_name, header_value|
+            if header_name.downcase.index('x-amz-') == 0
+              amz_headers[header_name.downcase] = header_value[0].gsub(/\r?\n/, ' ') + "\n"
+            end
+          end
+
+          header_str = ''
+          amz_headers.keys.sort.each do |h|
+            header_str << "#{h}:#{amz_headers[h]}"
+          end
+
+          header_str
+        end
+
+        private
+
+        # Generates an HMAC-SHA1 signature
+        #
+        # @param [String] key
+        # @param [String] message
+        # @return [String]
+        def hmacsha1(key, message)
+          # Built in in Ruby
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, message)
+        end
+
+        # TODO: document
+        def initialize(realm = 'TiliaTooth', request, response)
+          super
+          @error_code = 0
+        end
+      end
+    end
+  end
+end

data/lib/tilia/http/auth/basic.rb

@@ -0,0 +1,43 @@
+require 'base64'
+module Tilia
+  module Http
+    module Auth
+      # HTTP Basic authentication utility.
+      #
+      # This class helps you setup basic auth. The process is fairly simple:
+      #
+      # 1. Instantiate the class.
+      # 2. Call getCredentials (this will return null or a user/pass pair)
+      # 3. If you didn't get valid credentials, call 'requireLogin'
+      class Basic < Tilia::Http::Auth::AbstractAuth
+        # This method returns a numeric array with a username and password as the
+        # only elements.
+        #
+        # If no credentials were found, this method returns null.
+        #
+        # @return null|array
+        def credentials
+          auth = @request.header('Authorization')
+
+          return nil unless auth
+          return nil unless auth[0..5].downcase == 'basic '
+
+          credentials = Base64.decode64(auth[6..-1]).split(':', 2)
+
+          return nil unless credentials.size == 2
+
+          credentials
+        end
+
+        # This method sends the needed HTTP header and statuscode (401) to force
+        # the user to login.
+        #
+        # @return [void]
+        def require_login
+          @response.add_header('WWW-Authenticate', "Basic realm=\"#{@realm}\"")
+          @response.status = 401
+        end
+      end
+    end
+  end
+end

data/lib/tilia/http/auth/bearer.rb

@@ -0,0 +1,37 @@
+module Tilia
+  module Http
+    module Auth
+      # HTTP Bearer authentication utility.
+      #
+      # This class helps you setup bearer auth. The process is fairly simple:
+      #
+      # 1. Instantiate the class.
+      # 2. Call getToken (this will return null or a token as string)
+      # 3. If you didn't get a valid token, call 'requireLogin'
+      class Bearer < Tilia::Http::Auth::AbstractAuth
+        # This method returns a string with an access token.
+        #
+        # If no token was found, this method returns null.
+        #
+        # @return null|string
+        def token
+          auth = @request.header('Authorization')
+
+          return nil unless auth
+          return nil unless auth[0..6].downcase == 'bearer '
+
+          auth[7..-1]
+        end
+
+        # This method sends the needed HTTP header and statuscode (401) to force
+        # authentication.
+        #
+        # @return [void]
+        def require_login
+          @response.add_header('WWW-Authenticate', "Bearer realm=\"#{@realm}\"")
+          @response.status = 401
+        end
+      end
+    end
+  end
+end

data/lib/tilia/http/auth/digest.rb

@@ -0,0 +1,187 @@
+require 'digest'
+module Tilia
+  module Http
+    module Auth
+      # HTTP Digest Authentication handler
+      #
+      # Use this class for easy http digest authentication.
+      # Instructions:
+      #
+      #  1. Create the object
+      #  2. Call the set_realm method with the realm you plan to use
+      #  3. Call the init method function.
+      #  4. Call the user_name function. This function may return null if no
+      #     authentication information was supplied. Based on the username you
+      #     should check your internal database for either the associated password,
+      #     or the so-called A1 hash of the digest.
+      #  5. Call either validate_password or validate_a1. This will return true
+      #     or false.
+      #  6. To make sure an authentication prompt is displayed, call the
+      #     require_login method.
+      class Digest < Tilia::Http::Auth::AbstractAuth
+        # These constants are used in qop
+        QOP_AUTH = 1
+        QOP_AUTHINT = 2
+
+        protected
+
+        attr_accessor :nonce
+        attr_accessor :opaque
+        attr_accessor :digest_parts
+        attr_accessor :a1
+        attr_reader :qop
+
+        public
+
+        # Initializes the object
+        def initialize(realm = 'TiliaTooth', request, response)
+          @qop = self.class::QOP_AUTH
+
+          @nonce = ::Digest::SHA1.hexdigest((Time.now.to_f + rand).to_s)[0..14]
+          @opaque = ::Digest::MD5.hexdigest(realm)
+          super(realm, request, response)
+        end
+
+        # Gathers all information from the headers
+        #
+        # This method needs to be called prior to anything else.
+        #
+        # @return [void]
+        def init
+          digest = self.digest
+          @digest_parts = parse_digest(digest)
+        end
+
+        # Sets the quality of protection value.
+        #
+        # Possible values are:
+        #   Sabre\HTTP\DigestAuth::QOP_AUTH
+        #   Sabre\HTTP\DigestAuth::QOP_AUTHINT
+        #
+        # Multiple values can be specified using logical OR.
+        #
+        # QOP_AUTHINT ensures integrity of the request body, but this is not
+        # supported by most HTTP clients. QOP_AUTHINT also requires the entire
+        # request body to be md5'ed, which can put strains on CPU and memory.
+        #
+        # @param int qop
+        # @return [void]
+        attr_writer :qop
+
+        # Validates the user.
+        #
+        # The A1 parameter should be md5(username . ':' . realm . ':' . password)
+        #
+        # @param [String] a1
+        # @return bool
+        def validate_a1(a1)
+          @a1 = a1
+          validate
+        end
+
+        # Validates authentication through a password. The actual password must be provided here.
+        # It is strongly recommended not store the password in plain-text and use validateA1 instead.
+        #
+        # @param [String] password
+        # @return bool
+        def validate_password(password)
+          return false unless @digest_parts.any? # RUBY
+
+          @a1 = ::Digest::MD5.hexdigest(@digest_parts['username'] + ':' + @realm + ':' + password)
+          validate
+        end
+
+        # Returns the username for the request
+        #
+        # @return [String]
+        def username
+          @digest_parts['username']
+        end
+
+        protected
+
+        # Validates the digest challenge
+        #
+        # @return bool
+        def validate
+          return false unless @digest_parts.any? # RUBY
+
+          a2 = @request.method + ':' + @digest_parts['uri']
+
+          if @digest_parts['qop'] == 'auth-int'
+            # Making sure we support this qop value
+            return false unless @qop & self.class::QOP_AUTHINT
+
+            # We need to add an md5 of the entire request body to the A2 part of the hash
+            body = @request.body_as_string
+            @request.body = body
+
+            a2 << ':' + ::Digest::MD5.hexdigest(body)
+          else
+            # We need to make sure we support this qop value
+            return false unless @qop & self.class::QOP_AUTH
+          end
+
+          a2 = ::Digest::MD5.hexdigest(a2)
+          valid_response = ::Digest::MD5.hexdigest("#{@a1}:#{@digest_parts['nonce']}:#{@digest_parts['nc']}:#{@digest_parts['cnonce']}:#{@digest_parts['qop']}:#{a2}")
+
+          @digest_parts['response'] == valid_response
+        end
+
+        public
+
+        # Returns an HTTP 401 header, forcing login
+        #
+        # This should be called when username and password are incorrect, or not supplied at all
+        #
+        # @return [void]
+        def require_login
+          qop = ''
+          case @qop
+          when self.class::QOP_AUTH
+            qop = 'auth'
+          when self.class::QOP_AUTHINT
+            qop = 'auth-int'
+          when self.class::QOP_AUTH | self.class::QOP_AUTHINT
+            qop = 'auth,auth-int'
+          end
+
+          @response.add_header('WWW-Authenticate', "Digest realm=\"#{@realm}\",qop=\"#{qop}\",nonce=\"#{@nonce}\",opaque=\"#{@opaque}\"")
+          @response.status = 401
+        end
+
+        # This method returns the full digest string.
+        #
+        # It should be compatibile with mod_php format and other webservers.
+        #
+        # If the header could not be found, null will be returned
+        #
+        # @return mixed
+        def digest
+          @request.header('Authorization')
+        end
+
+        protected
+
+        # Parses the different pieces of the digest string into an array.
+        #
+        # This method returns false if an incomplete digest was supplied
+        #
+        # @param [String] digest
+        # @return mixed
+        def parse_digest(digest)
+          # protect against missing data
+          needed_parts = { 'nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1 }
+          data = {}
+
+          digest.scan(/(\w+)=(?:(?:")([^"]+)"|([^\s,$]+))/) do |m1, m2, m3|
+            data[m1] = m2 ? m2 : m3
+            needed_parts.delete m1
+          end
+
+          needed_parts.any? ? {} : data
+        end
+      end
+    end
+  end
+end

data/lib/tilia/http/auth.rb

@@ -0,0 +1,12 @@
+module Tilia
+  module Http
+    # Namespace for Tilia::Http::Auth::* classes
+    module Auth
+      require 'tilia/http/auth/abstract_auth'
+      require 'tilia/http/auth/aws'
+      require 'tilia/http/auth/basic'
+      require 'tilia/http/auth/bearer'
+      require 'tilia/http/auth/digest'
+    end
+  end
+end