touchpass 0.0.8.1

data/lib/generators/touchpass/install_generator.rb

@@ -0,0 +1,36 @@
+require 'rails/generators'
+require 'rails/generators/migration'
+
+module Touchpass
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+      source_root File.expand_path("../../templates", __FILE__)
+
+      desc "Install Touchpass files (migrations, initializers, locales)."
+
+      def create_migration_file
+        # no db config for relying partiues
+      end
+
+      def copy_initializer_files
+        copy_file "config/initializers/devise.rb", "config/initializers/devise.rb"
+        copy_file "config/initializers/touchpass.rb", "config/initializers/touchpass.rb"
+      end
+
+      def copy_locale_files
+        copy_file "config/locales/devise.en.yml", "config/locales/devise.en.yml"
+      end
+
+      private
+      def self.next_migration_number(dirname)
+        if ActiveRecord::Base.timestamped_migrations
+          Time.new.utc.strftime("%Y%m%d%H%M%S")
+        else
+          "%.3d" % (current_migration_number(dirname) + 1)
+        end
+      end
+
+    end
+  end
+end

data/lib/touchpass/client.rb

@@ -0,0 +1,431 @@
+# Geodica Touchpass
+# (C) Copyright 2009-2012 Geodica, a Carpadium Pty Ltd Venture
+# All rights reserved
+
+require 'rubygems'
+require 'thor'
+require 'httparty'
+require 'openssl'
+require 'fileutils'
+require 'base64'
+require 'pp'
+require 'cgi'
+require 'json'
+
+module Touchpass
+
+  # Provide a simple Ruby interface to a Touchpass verification server
+  class Client
+    
+    attr_accessor :hostname, :debug, :api_key
+
+    API_KEY_HEADER = "X-TouchPass-ApiKey"
+    ENVIRONMENT = ENV['RAILS_ENV']
+
+    ## Host and port to use for service invocations, default to the main Touchpass server
+    DFT_HOSTNAME = ENVIRONMENT == 'production' ? "https://touchpass.geodica.com" : "https://localhost:3000" 
+
+    # Default response output to json
+    DFT_OUTPUT = "json"
+    
+    # Default debug state (on: dev|test, off: prod)
+    DFT_DEBUG = ENV['TPC_DEBUG'] ? true : false
+
+    # Create a new Touchpass client instance and default the hostname and output
+    def initialize(hostname=DFT_HOSTNAME, debug=DFT_DEBUG)
+      @hostname = hostname.nil? ? DFT_HOSTNAME : hostname
+      @debug    = debug
+      @output   = DFT_OUTPUT   # always use json internally
+    end
+
+    # Register a new relying party with the Touchpass server
+    # needs: :email, :username, :password
+    def register_party(params) 
+      http_options = standard_http_options(params, %W{email username password})
+      response = submit_request("post", "#{@hostname}/parties.#{@output}", http_options)
+      set_api_key_from_response(response)
+      response
+    end
+  
+    # Authenticate a party to obtain the API key
+    # needs: :login, :password
+    def authenticate_party(params) 
+      http_options = standard_http_options(params, %W{login password})
+      
+      response = submit_request(
+        "post",
+        "#{@hostname}/parties/authenticate.#{@output}", 
+        http_options)        
+      set_api_key_from_response(response)
+      response
+    end
+
+    # Get details for a party
+    # needs: :api_key; uses: :id OR :username
+    def get_party(params) 
+      http_options = standard_http_options(params)
+
+      if !params[:username].nil?
+        response = submit_request("get", "#{@hostname}/#{params[:username]}.#{@output}", http_options)
+      elsif !params[:id].nil?
+        response = submit_request("get", "#{@hostname}/parties/#{params[:id]}.#{@output}", http_options)
+      else
+        response = format_response({"error" => "Either username or id must be provided."})
+      end
+      response
+    end
+
+    # Update details for a party
+    # needs: :api_key; uses: :username, :id, :email, :first_name, :last_name
+    def update_party(params) 
+      id           = params[:id]
+      username     = params[:username]
+      http_options = standard_http_options(params, %W{username email first_name last_name})
+      
+      if !username.nil?
+        response = submit_request("put", "#{@hostname}/#{username}.#{@output}", http_options)
+      elsif !id.nil?
+        response = submit_request("put", "#{@hostname}/parties/#{id}.#{@output}", http_options)
+      else
+        response = format_response({"error" => "Either username or id must be provided."})
+      end
+      response
+    end
+
+    # Register a new device for a party
+    # needs: :api_key, :username, :udid, :devicename; uses: :messaging_type, :messaging_value
+    def register_device(params)
+
+      # Generate private & public key for this device
+      crypt = KeyFileCreator.new(params[:udid])
+      crypt.generate_keys
+
+      # Collect attributes of new device
+      device_attributes = params.merge({
+        :udid            => params[:udid], 
+        :name            => params[:name], 
+        :pub_key         => crypt.public_key,
+        :messaging_type  => params[:messaging_type], 
+        :messaging_value => params[:messaging_value],
+      })
+      http_options = standard_http_options(device_attributes, %W{udid name pub_key messaging_type messaging_value})
+
+      # Provision the new device with the Touchpass server
+      new_device = submit_request("post", "#{@hostname}/#{params[:username]}/devices.#{@output}", http_options)
+
+      # We made the key files for the new device earlier (see
+      # KeyFileCreator above) but at that stage we didn't know the
+      # :deviceid of the newly provisioned device. So now we need to
+      # move the cert directory around based on the :deviceid returned
+      # from TouchPass.
+      begin
+        devices = submit_request("post", "#{@hostname}/#{params[:username]}/devices.json", http_options)
+        raise devices["error"] if devices["error"]
+        raise "unknown device id" unless devices["id"]
+        device_id = devices["id"].to_s
+
+        orig_file = crypt.keys_path
+        crypt.id = device_id
+        new_file = crypt.keys_path
+        puts "Renaming directory #{orig_file} to #{new_file}" if @debug
+        result = File.rename(orig_file, new_file)
+      rescue Exception => e
+        puts "Exception: #{e.message}"
+        puts "error: updating key file location based on device id: udid:#{params[:udid]}, device_id:#{device_id}"
+      end      
+      
+      # Return details of the newly provisioned device
+      new_device
+    end
+
+    # Get all devices for a party
+    # needs: :username, :api_key
+    def get_devices(params)
+      # Just return the device list for the specified user
+      http_options = standard_http_options(params)
+      devices = submit_request("get", "#{@hostname}/#{params[:username]}/devices.#{@output}", http_options)
+
+      # Look for errors, and just build an empty device array hashed from 'devices'
+      if !devices['devices'].nil? or !devices['error'].nil?
+        devices
+      else
+        { 'devices' => [] }
+      end
+    end
+
+    # Get details for a specific device, returns an 'errors' hash if the device cannot be found
+    # needs: :username, :api_key, :id
+    def get_device(params)
+      # Return the device for the specified user and device id
+      http_options = standard_http_options(params)
+      submit_request("get", "#{@hostname}/#{params[:username]}/devices/#{params[:id]}.#{@output}", http_options)
+    end
+    
+    # Update details of a device, returns an 'errors' hash if the device cannot be found
+    # needs: :username, :id, api_key; uses: :name, :messaging_type, :messaging_value, :update_pub_key
+    def update_device(params)
+      update_pub_key  = params[:update_pub_key] # TODO: Regenerate and update pub_key
+      
+      http_options = standard_http_options(params, %W{name messaging_type messaging_value})
+
+      submit_request("put", "#{@hostname}/#{params[:username]}/devices/#{params[:id]}.#{@output}", http_options)
+    end
+
+    # Remove device, returns an 'errors' hash if the device cannot be found
+    # needs: :username, :id, :api_key
+    def remove_device(params)
+      http_options = standard_http_options(params)
+      submit_request("delete", "#{@hostname}/#{params[:username]}/devices/#{params[:id]}.#{@output}", http_options)
+    end
+
+    # Create a new verification
+    # needs: :to_party, :api_key; uses: :message, :address (for LV), :resolution (for LV)
+    def create_verification(params)
+      http_options = standard_http_options(params, %W{to_party})
+      message = params[:message]
+      address = params[:address]
+
+      # Get the list of verifying party devices so we can encrypt data for them using each device's public key
+      response = submit_request("get", "#{@hostname}/#{params[:to_party]}/devices.json",
+                                standard_http_options(params))
+      vp_devices = response["devices"]
+
+      # Generate token
+      token = Crypt.salt
+      hashed_token = Crypt.encrypt(token)
+      http_options[:body][:claimed_token] = hashed_token
+
+      if !vp_devices.nil? and (vp_devices.is_a? Array and !vp_devices.empty?)
+
+        # Encrypt message using each verifying party's (to_party) device public keys
+        if !message.nil? 
+          vp_devices.each_with_index do |device, index|
+            device_id   = device["id"]
+            pub_key_str = device["pub_key"]
+            public_key  = Crypt.read_key(pub_key_str)
+            crypted_message = Base64.encode64(public_key.public_encrypt(message))
+            http_options[:body]["crypted_messages[#{index}][device_id]"] = device_id
+            http_options[:body]["crypted_messages[#{index}][value]"] = crypted_message
+          end
+        end
+
+        # Encrypt token using each verifying party's (to_party) device public keys
+        crypted_tokens = []
+        vp_devices.each_with_index do |device, index|
+          device_id   = device["id"]
+          pub_key_str = device["pub_key"]
+          public_key  = Crypt.read_key(pub_key_str)
+          crypted_token = Base64.encode64(public_key.public_encrypt(token)) # per-transaction token generated by Crypt.salt above
+          http_options[:body]["crypted_tokens[#{index}][device_id]"] = device_id
+          http_options[:body]["crypted_tokens[#{index}][value]"] = crypted_token
+        end
+      end
+
+      # Encrypt prp-hash using verifying_party (to_party) devices
+      if !address.nil? # For location verification
+        http_options[:body][:location_verification] = true
+
+        # Convert address to PRP      
+        resolution = options[:resolution] || "LOCAL" # Resolution used to calculate PRP
+        http_options[:body][:resolution] = resolution
+        prp = Proximity::PRP.new(:address => params[:address], :resolution => resolution)
+        # puts prp.print_bbox # for debugging
+
+        # Generate random salt
+        salt = Crypt.salt
+        # puts "Using salt: #{salt}" # for debugging
+
+        # Encrypt PRP using salt
+        claimed_prp = prp.encrypt(salt)
+        http_options[:body][:claimed_prp] = claimed_prp
+
+        # Encrypt salt using verifiying_party (to_party) devices
+        crypted_salts = []
+        vp_devices.each_with_index do |device, index|
+          device_id    = device["id"]
+          pub_key_str  = device["pub_key"]
+          public_key   = Crypt.read_key(pub_key_str)
+          crypted_salt = Base64.encode64(public_key.public_encrypt(salt))
+          http_options[:body]["crypted_salts[#{index}][device_id]"] = device_id
+          http_options[:body]["crypted_salts[#{index}][value]"] = crypted_salt
+        end
+      end
+
+      submit_request("post", "#{@hostname}/verifications.#{@output}", http_options)
+    end
+
+    # Get a page of verifications for a particular party
+    # needs: :api_key; uses: :username, :party_id
+    def get_verifications(params)
+      http_options = standard_http_options(params)
+      response = nil
+      if !params[:username].nil?
+        response = submit_request("get", "#{@hostname}/#{params[:username]}/verifications.#{@output}", http_options)
+      elsif !params[:party_id].nil?
+        http_options[:body][:party_id] = params[:party_id]
+        response = submit_request("get", "#{@hostname}/verifications.#{@output}", http_options)
+      else
+        response = {"error" => "Either username or id must be provided."}
+      end
+      response
+    end
+
+    # Get details of a specific verification, will include decrypted message if :device_id is provided
+    # needs: :api_key, :id; uses: :device_id
+    def get_verification(params)
+      http_options = standard_http_options(params)
+      response = submit_request("get", "#{@hostname}/verifications/#{params[:id]}.json", http_options)
+
+      # TODO: as this stands, it will not decrypt the message unless a :device_id is provided. However,
+      # there is currently no way to pass in the keys to use - it will just try to use the local keys
+      # stored in #{local_key_path}/:device_id. So, we need to fix this up at some point.
+      decrypted_message = nil
+      if response.has_key?("crypted_messages") and !response["crypted_messages"].empty?
+        if !params[:device_id].nil?
+          decrypted_message = decrypt_salt(response["crypted_messages"], params[:device_id], self.api_key)
+        end
+      end
+      # return verification plus decrypted message (if available)
+      response[:decrypted_message] = decrypted_message
+      response
+    end
+
+    # Update Verification
+    # needs: :api_key, :id, :device_id; uses: :address
+    def update_verification(params)
+      # Call show verification to get the crypted salts and resolution for the verification
+      # Note: crypted salts and resolution are also returned in the list verifications response
+      http_options = standard_http_options(params)
+
+      verification   = submit_request("get", "#{@hostname}/verifications/#{params[:id]}.json", http_options)
+      crypted_tokens = verification["crypted_tokens"]
+      crypted_salts  = verification["crypted_salts"]
+      resolution     = verification["resolution"]
+
+      token = decrypt_salt(crypted_tokens, params[:device_id], self.api_key)
+      hashed_token = Crypt.encrypt(token)
+
+      http_options = standard_http_options(params, %W{id})
+      http_options[:body][:verified_token] = hashed_token
+
+      # Generate verified PRP for location verification
+      if !params[:address].nil?
+        prp = Proximity::PRP.new(:address => params[:address], :resolution => resolution)
+        # puts prp.print_bbox # for debugging
+
+        salt = decrypt_salt(crypted_salts, params[:device_id], self.api_key)
+        # puts "Using salt: #{salt}"
+        verified_prp = prp.encrypt(salt)
+
+        http_options[:body][:verified_prp] = verified_prp
+        # puts "Verified PRP: #{verified_prp}"
+      end
+      submit_request("put", "#{@hostname}/verifications/#{params[:id]}.#{@output}",
+                     http_options)
+    end
+
+    # Cancel an existing verification
+    # needs: :api_key, :id
+    def cancel_verification(params)
+      submit_request("put", "#{@hostname}/verifications/#{params[:id]}/cancel.#{@output}",
+                     standard_http_options(params))
+    end
+
+    # Reject a verification
+    # needs: :api_keu, :id
+    def reject_verification(params)
+      submit_request("put", "#{@hostname}/verifications/#{params[:id]}/reject.#{@output}",
+                     standard_http_options(params))
+    end  
+    
+    private
+
+    # Decrypt salt for a specific device and api_key
+    def decrypt_salt(crypted_salts, device_id, api_key)
+      return nil if crypted_salts.nil?
+
+      # Find crypted salt associated with the device
+      crypted_salt = crypted_salts.detect{|cs| cs["device_id"] == device_id.to_i}
+      return nil if crypted_salt.nil?
+      device_id = crypted_salt["device_id"].to_s
+      ct = crypted_salt["value"]
+
+      # Load the private key
+      crypt = KeyFileCreator.new(device_id)
+      private_key = crypt.private_key()
+
+      # Decrypt the crypted salt
+      salt = private_key.private_decrypt(Base64.decode64(ct))
+      return salt
+    end  
+    
+    # Returns true if the repsonse contains errors
+    def errors?(response)
+      response.nil? || response['error'] || response['errors']
+    end
+
+    def error_message(response)
+      msg = ""
+      if response['error']
+        msg = response['error']
+      elsif response['errors'].kind_of(Array)
+        # TODO
+        msg = response['errors'].inspect
+      end
+      msg
+    end
+
+    def standard_http_options(params, body_params = [])
+      http_options = { :body => {}, :headers => api_key_header(params) }
+
+      body_params.each do |param_name|
+        param_name = param_name.to_sym
+        next if param_name == :api_key  # this is now sent as a header field
+        http_options[:body][param_name] = params[param_name] unless params[param_name].nil?
+      end
+
+      http_options
+    end
+
+    def set_api_key_from_response(response)
+      self.api_key = response["api_key"] if response && response["api_key"]
+    end
+
+    def api_key_header(params)
+      self.api_key ? { API_KEY_HEADER => self.api_key } : {}
+    end
+
+    # Submit the request to the server and process the response (for errors)
+    def submit_request(http_verb, request, params)
+
+      if @debug
+        puts "DEBUG: "
+        puts "DEBUG:  hostname: #{@hostname}"
+        puts "DEBUG:    output: #{@output}"
+        puts "DEBUG:   request: #{http_verb.upcase} #{request}"      
+        puts "DEBUG:    params: #{params}"
+      end
+
+      case http_verb
+      when "put"
+        response = HTTParty.put(request, params)
+      when "delete"
+        response = HTTParty.delete(request, params)
+      when "post"
+        response = HTTParty.post(request, params)
+      else
+        response = HTTParty.get(request, :query => params[:body],
+                                :headers => params[:headers])
+      end
+      
+      if @debug
+        puts "DEBUG:  response: #{response}" 
+        puts "DEBUG: "
+      end
+
+      response.to_hash
+    end
+
+  end # class Touchpass::Client
+  
+end # module Touchpass

data/lib/touchpass/crypt.rb

@@ -0,0 +1,51 @@
+
+module Touchpass
+  class Crypt
+    # Encryption method
+    # Options: :md5, :sha1, :sha256, :sha512
+    CRYPTO_PROVIDER = :sha256
+
+    def self.salt(length=10)
+      seeds = ('a'..'z').to_a
+      seeds.concat( ('A'..'Z').to_a )
+      seeds.concat( (0..9).to_a )
+      seeds.concat ['/', '.']
+      seeds.compact!
+
+      salt_string = '$1$'
+      length.times { salt_string << seeds[ rand(seeds.size) ].to_s }
+
+      salt_string
+    end
+
+    def self.encrypt(string)
+      crypto_provider = nil
+      case CRYPTO_PROVIDER
+      when :md5
+        require 'digest/md5' unless defined?(Digest::MD5)
+        crypto_provider = Digest::MD5
+      when :sha1
+        require 'digest/sha1' unless defined?(Digest::SHA1)
+        crypto_provider = Digest::SHA1
+      when :sha256
+        require 'digest/sha2' unless defined?(Digest::SHA2)
+        crypto_provider = Digest::SHA256
+      when :sha512
+        require 'digest/sha2' unless defined?(Digest::SHA2)
+        crypto_provider = Digest::SHA512
+      end
+      return crypto_provider.hexdigest(string)
+    end
+
+    def self.read_key(pem)
+      begin
+        return OpenSSL::PKey::RSA.new(pem)
+      rescue
+        puts "Unable to read key."
+      end
+      return nil
+    end
+  end
+
+end
+

data/lib/touchpass/device.rb

@@ -0,0 +1,18 @@
+module Touchpass
+  module Rp
+    class Device
+      include HTTParty
+      #debug_output
+
+      def initialize
+        self.class.base_uri Touchpass.base_uri
+      end
+
+      def get_all(user)
+        http_options = { :body => {}, :headers => { Touchpass::Client::API_KEY_HEADER => Touchpass.api_key } }
+        response = self.class.get("/#{user}/devices.json", http_options)
+        return response.parsed_response["devices"]
+      end
+    end
+  end
+end

data/lib/touchpass/key_file_creator.rb

@@ -0,0 +1,56 @@
+module Touchpass
+  
+  # Used to help with creation of public / private key files for a device (by clients)
+  class KeyFileCreator
+
+    DEFAULT_KEYS_PATH =  File.join(ENV['HOME'], ".touchpass", "certs")
+    PRIVATE_KEY = "private.pem"
+    PUBLIC_KEY  = "public.pem"
+
+    class << self
+      attr_accessor :keys_path
+    end
+
+    attr_accessor :public_key, :private_key, :id
+
+    def initialize(id)
+      @id = id.to_s
+    end
+
+    # Use openssl command to generate key pair.
+    # RSA public key PEM generated by Ruby’s OpenSSL::PKey::RSA are unreadable by OpenSSL.
+    # See: http://barelyenough.org/blog/2008/04/fun-with-public-keys/
+    def generate_keys
+      directory = keys_path
+      prepare_directories directory
+      `openssl genrsa -out #{directory}/#{PRIVATE_KEY} 1024 > /dev/null 2>&1`
+      `openssl rsa -in #{directory}/#{PRIVATE_KEY} -out #{directory}/#{PUBLIC_KEY} -outform PEM -pubout > /dev/null 2>&1`
+    end
+
+    def private_key
+      pem_file = File.join(keys_path, PRIVATE_KEY)
+      return self.read_key(pem_file)
+    end
+
+    def public_key
+      pem_file = File.join(keys_path, PUBLIC_KEY)
+      return self.read_key(pem_file)
+    end
+
+    def read_key(pem_file)
+      return OpenSSL::PKey::RSA.new(File.read(pem_file))
+    end
+
+    def keys_path
+      File.join(self.class.keys_path, @id)
+    end
+
+    private
+    # Create target directory  
+    def prepare_directories(dir)
+      FileUtils.makedirs dir
+    end
+  end
+end
+
+Touchpass::KeyFileCreator.keys_path = Touchpass::KeyFileCreator::DEFAULT_KEYS_PATH