uri_signature 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8a1482fdd0e2a6698ec0b611e9a54a898674e065
+  data.tar.gz: 7477e503fe4028a3055fc524c407c6f226ba434b
+SHA512:
+  metadata.gz: 99b51e00cae68744b8204a2b530cdd7f7725e7c9aca3193a660151d53b24afb2e420a60a7bd8da261f93b99f327758d869c29feb13dafc4f8ccc4f621018aa05
+  data.tar.gz: 33f270cbc220e79521eb8ee37a6d2c4086a55d65c43bca560f54fa424552f15949ea6dd7cfba37004b9ef7ba2f14a8bbe9346f353fe1cfd9d5f5d34613686901

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.1.2
+before_install: gem install bundler -v 1.10.6

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in uri_signature.gemspec
+gemspec

data/README.md

@@ -0,0 +1,41 @@
+# UriSignature
+
+A general purpose way of signing a URL when you need the signature to be added
+to the URL. This is useful when you need to redirect a user from one service to
+another and communicate information without any risk of tampering. It's based
+on a shared secret and HMAC being used to sign the URL.
+
+This could be used in techniques described in http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authentication.html
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'uri_signature'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install uri_signature
+
+## Usage
+
+```ruby
+pry(main)> require 'uri_signature'
+
+pry(main)> signed_uri = URISignature.sign("http://foobar.com?my_trusted_information=helloworld", expiry: 300, key: "my_shared_secret_key").to_s
+=> "http://foobar.com?my_trusted_information=helloworld&signature=b99f3d00610361be49327938b82802c933aa4fac&signature_expires=1444691758"
+
+pry(main)> URISignature.valid?(signed_uri, key: "my_shared_secret_key")
+=> true
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/dgvz/uri_signature.
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/uri_signature.rb

@@ -0,0 +1,101 @@
+require 'uri_signature/version'
+require 'addressable/uri'
+
+class URISignature
+  class SignatureError < StandardError; end
+  class InvalidSignatureError < SignatureError; end
+  class ExpiredSignatureError < SignatureError; end
+
+  MINUTE = 60
+
+  # Sign the given URI and return a signed URI.
+  #
+  # @param uri [String] a valid URI
+  # @param expiry [Integer] How many seconds before the signature expires.
+  # @param key [String] The key used to sign the uri
+  # @return [String] The signed URI. The signature is added to the query
+  #   params.
+  def self.sign(uri, expiry: 5 * MINUTE, key: ENV['HMAC_SIGNATURE_KEY'])
+    uri = Addressable::URI.parse(uri)
+
+    query_values = (uri.query_values || {}).to_a
+
+    query_values << ["signature_expires", (Time.now + expiry).tv_sec]
+
+    # Sort by the key to guarantee URI is always constructed in the same way
+    query_values = query_values.sort_by { |k, v| k }
+
+    uri.query_values = query_values
+
+    add_signature(uri, key).to_s
+    uri.to_s
+  end
+
+  # Is the given uri correctly signed.
+  #
+  # @param uri [String]
+  # @param raise_error [Boolean] Defaults to to true. Set this to false if
+  #   you don't this to raise but rather return false if it's invalid. We
+  #   default raise_error to true to be extra cautious as wanting to handle
+  #   incorrectly signed callbacks is probably an edge case.
+  # @return [TrueClass, FalseClass] Will return true if correctly signed.
+  #   Otherwise it will raise. If you really don't want it to raise you can
+  #   pass `raise_error: false`.
+  # @raise [URISignature::SignatureError] if for any reason the
+  #   signature is invalid. This can be disabled by setting
+  #   `:raise_error => false`.
+  def self.valid?(uri, key: ENV['HMAC_SIGNATURE_KEY'], raise_error: true)
+
+    # First remove the signature
+    comparison_uri = Addressable::URI.parse(uri).clone.tap do |u|
+      query_values = u.query_values.clone
+      query_values.delete("signature")
+      u.query_values = query_values
+    end
+
+    # Then recalculate and add back in the signature
+    add_signature(comparison_uri, key)
+
+    # Compare the uri to the original
+    if secure_compare(uri, comparison_uri.to_s)
+      expires = Time.at(comparison_uri.query_values["signature_expires"].to_i)
+      if expires < Time.now
+        raise URISignature::ExpiredSignatureError, "The signature for #{uri} has expired."
+      end
+      true
+    else
+      raise URISignature::InvalidSignatureError, "Invalid signature provided in #{uri}."
+    end
+  end
+
+  # @!private
+  # This method is meant to only be used in this class. Do not use it externally.
+  # @param uri [String]
+  # @param key [String]
+  def self.add_signature(uri, key)
+    unsigned_uri = uri.to_s
+
+    digest = OpenSSL::Digest.new('sha1')
+    hmac = OpenSSL::HMAC.hexdigest(digest, key, unsigned_uri)
+
+    query_values = uri.query_values.to_a
+    query_values << ["signature", hmac]
+
+    # Sort again to ensure consistency
+    uri.query_values = query_values.sort_by { |k, v| k }
+  end
+
+  # Use a secure string comparison method to avoid timing attacks
+  # (https://en.wikipedia.org/wiki/Timing_attack)
+  def self.secure_compare(a, b)
+    return false if a.empty? || b.empty? || a.bytesize != b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte { |byte| res |= byte ^ l.shift }
+    res == 0
+  end
+
+  private_class_method :add_signature
+  private_class_method :secure_compare
+end

data/lib/uri_signature/version.rb

@@ -0,0 +1,3 @@
+module UriSignature
+  VERSION = "0.1.0"
+end

data/uri_signature.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'uri_signature/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "uri_signature"
+  spec.version       = UriSignature::VERSION
+  spec.authors       = ["Dylan Griffith"]
+  spec.email         = ["dyl.griffith@gmail.com"]
+
+  spec.summary       = %q{A general purpose way of signing a URL when you need the signature to be added to the URL.}
+  spec.description   = %q{A general purpose way of signing a URL when you need the signature to be added to the URL.}
+  spec.homepage      = "https://github.com/dgvz/uri_signature"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "addressable"
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+end

metadata

@@ -0,0 +1,110 @@
+--- !ruby/object:Gem::Specification
+name: uri_signature
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Dylan Griffith
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-10-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A general purpose way of signing a URL when you need the signature to
+  be added to the URL.
+email:
+- dyl.griffith@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- lib/uri_signature.rb
+- lib/uri_signature/version.rb
+- uri_signature.gemspec
+homepage: https://github.com/dgvz/uri_signature
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: A general purpose way of signing a URL when you need the signature to be
+  added to the URL.
+test_files: []