RubyGems - vacman_controller - Versions diffs - 0.1.0 - Mend

vacman_controller 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +7 -0
data/ext/vacman_controller/extconf.rb +24 -0
data/ext/vacman_controller/vacman_controller.c +394 -0
data/lib/vacman_controller.rb +141 -0
metadata +63 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a82c1e1da792a6d845ed3fa39e2ad0a7f24dc022
+  data.tar.gz: df608d69585f838e1d1591fc2c4ba1c6496e61ed
+SHA512:
+  metadata.gz: f6348405cfdec6d7cdb5450625d9b8bdb5f08c034f0a93d7f27884f03f91560152b8e16d92195abfb157f896ce654dc3fef6463ff0e0d77184552cc206c20e29
+  data.tar.gz: 3a023343b469676f06956f1e14ec7dfc63301e397ea66ac50e827199dd97b293b65e73640607ef23ea51cb9c1350b88c2eb244f6bb4e0246e21287d816f7460b

data/ext/vacman_controller/extconf.rb ADDED Viewed

@@ -0,0 +1,24 @@
+require 'mkmf'
+def find_vacman_controller
+  Dir.glob('/opt/vasco/VACMAN_Controller-*').sort.reverse.first
+end
+VACMAN_CONTROLLER = ENV['VACMAN_PATH'] || find_vacman_controller
+if VACMAN_CONTROLLER
+  puts "Using VACMAN controller from #{VACMAN_CONTROLLER}"
+else
+  puts "No VASCO Vacman controller found in /opt/vasco"
+  exit 1
+end
+append_cflags "-I#{VACMAN_CONTROLLER}/include -Wall"
+append_ldflags "-L#{VACMAN_CONTROLLER}/lib -laal2sdk -Wl,-rpath #{VACMAN_CONTROLLER}/lib"
+if find_library('aal2sdk', 'AAL2DPXInit', "#{VACMAN_CONTROLLER}/lib")
+  create_makefile('vacman_controller/vacman_controller')
+ else
+  puts "No libaal2sdk found"
+  exit 1
+end

data/ext/vacman_controller/vacman_controller.c ADDED Viewed

@@ -0,0 +1,394 @@
+#include <ruby.h>
+#include <string.h>
+#include <aal2sdk.h>
+static VALUE e_vacmanerror;  // our ruby exception type
+TKernelParms KernelParms;    // Kernel Params
+/*
+ * raise an error and tell wich method failed with wich error code
+ */
+static void vacman_raise_error(char* method, int error_code) {
+  aat_ascii error_message[100];
+  AAL2GetErrorMsg (error_code, error_message);
+  rb_raise(e_vacmanerror, "%s error %d: %s", method, error_code, error_message);
+}
+/*
+ * convert a ruby hash to TDigipassBlob structure
+ */
+static void rbhash_to_digipass(VALUE token, TDigipassBlob* dpdata) {
+  memset(dpdata, 0, sizeof(*dpdata));
+  VALUE blob = rb_hash_aref(token, rb_str_new2("blob"));
+  VALUE serial = rb_hash_aref(token, rb_str_new2("serial"));
+  VALUE app_name = rb_hash_aref(token, rb_str_new2("app_name"));
+  VALUE flag1 = rb_hash_aref(token, rb_str_new2("flags1"));
+  VALUE flag2 = rb_hash_aref(token, rb_str_new2("flags2"));
+  strcpy(dpdata->Blob, rb_string_value_cstr(&blob));
+  strncpy(dpdata->Serial, rb_string_value_cstr(&serial), sizeof(dpdata->Serial));
+  strncpy(dpdata->AppName, rb_string_value_cstr(&app_name), sizeof(dpdata->AppName));
+  dpdata->DPFlags[0] = rb_fix2int(flag1);
+  dpdata->DPFlags[1] = rb_fix2int(flag2);
+}
+static void digipass_to_rbhash(TDigipassBlob* dpdata, VALUE hash) {
+  char buffer[256];
+  memset(buffer, 0, sizeof(buffer));
+  strncpy(buffer, dpdata->Serial, 10);
+  rb_hash_aset(hash, rb_str_new2("serial"), rb_str_new2(buffer));
+  memset(buffer, 0, sizeof(buffer));
+  strncpy(buffer, dpdata->AppName, 12);
+  rb_hash_aset(hash, rb_str_new2("app_name"), rb_str_new2(buffer));
+  memset(buffer, 0, sizeof(buffer));
+  strncpy(buffer, dpdata->Blob, 224);
+  rb_hash_aset(hash, rb_str_new2("blob"), rb_str_new2(buffer));
+  rb_hash_aset(hash, rb_str_new2("flags1"), rb_fix_new(dpdata->DPFlags[0]));
+  rb_hash_aset(hash, rb_str_new2("flags2"), rb_fix_new(dpdata->DPFlags[1]));
+}
+/*
+ * Get library version and return it as an hash
+ */
+static VALUE vacman_library_version(VALUE module) {
+  aat_ascii version[16];
+  aat_int32 version_len = sizeof(version);
+  aat_ascii bitness[4];
+  aat_int32 bitness_len = sizeof(bitness);
+  aat_ascii type[8];
+  aat_int32 type_len = sizeof(type);
+  aat_int32 result = AAL2GetLibraryVersion(version, &version_len, bitness,
+      &bitness_len, type, &type_len);
+  if (result != 0) {
+    vacman_raise_error("AAL2GetLibraryVersion", result);
+    return Qnil;
+  }
+  VALUE hash = rb_hash_new();
+  rb_hash_aset(hash, rb_str_new2("version"), rb_str_new2(version));
+  rb_hash_aset(hash, rb_str_new2("bitness"), rb_str_new2(bitness));
+  rb_hash_aset(hash, rb_str_new2("type"),    rb_str_new2(type));
+  return hash;
+}
+/*
+ * generate a password
+ * this will not work with all the dpx files available, it must be prepared for it
+ */
+static VALUE vacman_generate_password(VALUE module, VALUE token) {
+  TDigipassBlob dpdata;
+  rbhash_to_digipass(token, &dpdata);
+  aat_ascii password[18];
+  memset(password, 0, sizeof(password));
+  aat_int32 result = AAL2GenPassword(&dpdata, &KernelParms, password, NULL);
+  digipass_to_rbhash(&dpdata, token);
+  if (result != 0) {
+    vacman_raise_error("AAL2GenPassword", result);
+    return Qnil;
+  }
+  return rb_str_new2(password);
+}
+/*
+ * Properties names and IDs registry
+ */
+struct token_property {
+  char *name;
+  aat_int32 id;
+};
+static struct token_property token_properties[] = {
+  {"token_model",                   TOKEN_MODEL                   },
+  {"token_status",                  TOKEN_STATUS                  },
+  {"use_count",                     USE_COUNT                     },
+  {"last_time_used",                LAST_TIME_USED                },
+  {"last_time_shift",               LAST_TIME_SHIFT               },
+  {"time_based_algo",               TIME_BASED_ALGO               },
+  {"event_based_algo",              EVENT_BASED_ALGO              },
+  {"pin_supported",                 PIN_SUPPORTED                 },
+  {"unlock_supported",              UNLOCK_SUPPORTED              },
+  {"pin_ch_on",                     PIN_CH_ON                     },
+  {"pin_change_enabled",            PIN_CH_ON                     },
+  {"pin_len",                       PIN_LEN                       },
+  {"pin_length",                    PIN_LEN                       },
+  {"pin_min_len",                   PIN_MIN_LEN                   },
+  {"pin_minimum_length",            PIN_MIN_LEN                   },
+  {"pin_enabled",                   PIN_ENABLED                   },
+  {"pin_ch_forced",                 PIN_CH_FORCED                 },
+  {"pin_change_forced",             PIN_CH_FORCED                 },
+  {"virtual_token_type",            VIRTUAL_TOKEN_TYPE            },
+  {"virtual_token_grace_period",    VIRTUAL_TOKEN_GRACE_PERIOD    },
+  {"virtual_token_remain_use",      VIRTUAL_TOKEN_REMAIN_USE      },
+  {"last_response_type",            LAST_RESPONSE_TYPE            },
+  {"error_count",                   ERROR_COUNT                   },
+  {"event_value",                   EVENT_VALUE                   },
+  {"last_event_value",              LAST_EVENT_VALUE              },
+  {"sync_windows",                  SYNC_WINDOWS                  },
+  {"primary_token_enabled",         PRIMARY_TOKEN_ENABLED         },
+  {"virtual_token_supported",       VIRTUAL_TOKEN_SUPPORTED       },
+  {"virtual_token_enabled",         VIRTUAL_TOKEN_ENABLED         },
+  {"code_word",                     CODE_WORD                     },
+  {"auth_mode",                     AUTH_MODE                     },
+  {"ocra_suite",                    OCRA_SUITE                    },
+  {"derivation_supported",          DERIVATION_SUPPORTED          },
+  {"max_dtf_number",                MAX_DTF_NUMBER                },
+  {"response_len",                  RESPONSE_LEN                  },
+  {"response_length",               RESPONSE_LEN                  },
+  {"response_format",               RESPONSE_FORMAT               },
+  {"response_chk",                  RESPONSE_CHK                  },
+  {"response_checksum",             RESPONSE_CHK                  },
+  {"time_step",                     TIME_STEP                     },
+  {"use_3des",                      TRIPLE_DES_USED               },
+  {"triple_des_used",               TRIPLE_DES_USED               },
+};
+static size_t properties_count = sizeof(token_properties)/sizeof(struct token_property);
+/*
+ * Convert property name to property ID
+ */
+static long vacman_get_property_id(char *property_name) {
+  for (int i = 0; i < properties_count; i++) {
+    if (strcmp(property_name, token_properties[i].name) == 0) {
+      return token_properties[i].id;
+    }
+  }
+  rb_raise(e_vacmanerror, "Invalid property name `%s'", property_name);
+  return 0;
+}
+/*
+ * Get token properties
+ */
+static VALUE vacman_get_token_property(VALUE module, VALUE token, VALUE property) {
+  TDigipassBlob dpdata;
+  rbhash_to_digipass(token, &dpdata);
+  aat_ascii value[64];
+  aat_int32 property_id = vacman_get_property_id(StringValueCStr(property));
+  aat_int32 result = AAL2GetTokenProperty(&dpdata, &KernelParms, property_id, value);
+  if (result == 0) {
+    return rb_str_new2(value);
+  } else {
+    vacman_raise_error("AAL2GetTokenProperty", result);
+    return Qnil;
+  }
+}
+/*
+ * Set token properties
+ */
+static VALUE vacman_set_token_property(VALUE module, VALUE token, VALUE property, VALUE rbval) {
+  TDigipassBlob dpdata;
+  aat_int32 property_id = vacman_get_property_id(StringValueCStr(property));
+  aat_int32 value = rb_fix2int(rbval);
+  rbhash_to_digipass(token, &dpdata);
+  aat_int32 result = AAL2SetTokenProperty(&dpdata, &KernelParms, property_id, value);
+  digipass_to_rbhash(&dpdata, token);
+  if (result == 0) {
+    return Qtrue;
+  } else {
+    vacman_raise_error("AAL2SetTokenProperty", result);
+    return Qnil;
+  }
+}
+/*
+ * verify password
+ * this is the main usecase, check the use input for authentication
+ */
+static VALUE vacman_verify_password(VALUE module, VALUE token, VALUE password ) {
+  TDigipassBlob dpdata;
+  rbhash_to_digipass(token, &dpdata);
+  aat_int32 result = AAL2VerifyPassword(&dpdata, &KernelParms, rb_string_value_cstr(&password), 0);
+  digipass_to_rbhash(&dpdata, token);
+  if (result == 0)
+    return Qtrue;
+  else {
+    vacman_raise_error("AAL2VerifyPassword", result);
+    return Qnil;
+  }
+}
+/*
+ * Import a .DPX file containing token seeds and initialisation values.
+ *
+ * Pass the pre-shared key to validate it as the second argument. Or if
+ * you don't have the key, replace the DC line with one from a file you
+ * know the key. Yes.
+ */
+static VALUE vacman_import(VALUE module, VALUE filename, VALUE key) {
+  TDPXHandle dpx_handle;
+  aat_int16 appl_count;
+  aat_ascii appl_names[13*8];
+  aat_int16 token_count;
+  aat_int32 result = AAL2DPXInit(&dpx_handle, rb_string_value_cstr(&filename), rb_string_value_cstr(&key),
+      &appl_count, appl_names, &token_count);
+  if (result != 0) {
+    vacman_raise_error("AAL2DPXInit", result);
+    return Qnil;
+  }
+  aat_ascii sw_out_serial_No[22+1];
+  aat_ascii sw_out_type[5+1];
+  aat_ascii sw_out_authmode[2+1];
+  TDigipassBlob dpdata;
+  VALUE list = rb_ary_new();
+  while (1) {
+    result = AAL2DPXGetToken(&dpx_handle,
+        &KernelParms,
+        appl_names,
+        sw_out_serial_No,
+        sw_out_type,
+        sw_out_authmode,
+        &dpdata);
+    if (result < 0) {
+      vacman_raise_error("AAL2DPXGetToken", result);
+      return Qnil;
+    }
+    if (result == 107) break;
+    VALUE hash = rb_hash_new();
+    digipass_to_rbhash(&dpdata, hash);
+    rb_ary_push(list, hash);
+  }
+  AAL2DPXClose(&dpx_handle);
+  return list;
+}
+struct kernel_property {
+  char *name;
+  aat_int32 *value;
+  aat_int32 deflt;
+};
+static struct kernel_property kernel_properties[] = {
+  { "ITimeWindow",    &KernelParms.ITimeWindow,    30  },  // Identification Window size in time steps
+  { "STimeWindow",    &KernelParms.STimeWindow,    24  },  // Signature Window size in secs
+  { "DiagLevel",      &KernelParms.DiagLevel,      0   },  // Requested Diagnostic Level
+  { "GMTAdjust",      &KernelParms.GMTAdjust,      0   },  // GMT Time adjustment to perform
+  { "CheckChallenge", &KernelParms.CheckChallenge, 0   },  // Verify Challenge Corrupted (mandatory for Gordian)
+  { "IThreshold",     &KernelParms.IThreshold,     3   },  // Identification Error Threshold
+  { "SThreshold",     &KernelParms.SThreshold,     1   },  // Signature Error Threshold
+  { "ChkInactDays",   &KernelParms.ChkInactDays,   0   },  // Check Inactive Days
+  { "DeriveVector",   &KernelParms.DeriveVector,   0   },  // Vector used to make Data Encryption unique
+  { "SyncWindow",     &KernelParms.SyncWindow,     2   },  // Synchronisation Time Window (h)
+  { "OnLineSG",       &KernelParms.OnLineSG,       2   },  // On line signature
+  { "EventWindow",    &KernelParms.EventWindow,    100 },  // Event Window size in nbr of iterations
+  { "HSMSlotId",      &KernelParms.HSMSlotId,      0   },  // HSM Slot id uses to store DB and Transport Key
+};
+static int kernel_properties_count = sizeof(kernel_properties)/sizeof(struct kernel_property);
+/*
+ * Set kernel parameter
+ */
+static VALUE vacman_set_kernel_param(VALUE module, VALUE paramname, VALUE rbval) {
+  char *name = StringValueCStr(paramname);
+  int value  = rb_fix2int(rbval);
+  for (int i = 0; i < kernel_properties_count; i++) {
+    if (strcmp(name, kernel_properties[i].name) == 0) {
+      *kernel_properties[i].value = value;
+      return Qtrue;
+    }
+  }
+  rb_raise(e_vacmanerror, "Invalid kernel param %s", name);
+  return Qnil;
+}
+/*
+ * Get kernel parameter
+ */
+static VALUE vacman_get_kernel_param(VALUE module, VALUE paramname) {
+  char *name = StringValueCStr(paramname);
+  for (int i = 0; i < kernel_properties_count; i++) {
+    if (strcmp(name, kernel_properties[i].name) == 0) {
+      return LONG2FIX(*kernel_properties[i].value);
+    }
+  }
+  rb_raise(e_vacmanerror, "Invalid kernel param %s", name);
+  return Qnil;
+}
+/*
+ * Init the kernel parameters, with their defaults
+ */
+static void init_kernel_params() {
+  memset(&KernelParms, 0, sizeof(TKernelParms));
+  KernelParms.ParmCount = 19; /* Number of valid parameters in this list */
+  for (int i = 0; i < kernel_properties_count; i++) {
+    *kernel_properties[i].value = kernel_properties[i].deflt;
+  }
+}
+/*
+ * rubys entry point to load the extension
+ */
+void Init_vacman_controller(void) {
+  VALUE vacman_module = rb_define_module("VacmanLowLevel");
+  e_vacmanerror = rb_define_class("VacmanError", rb_eStandardError);
+  init_kernel_params();
+  rb_define_singleton_method(vacman_module, "version",            vacman_library_version, 0);
+  rb_define_singleton_method(vacman_module, "import",             vacman_import, 2);
+  rb_define_singleton_method(vacman_module, "generate_password",  vacman_generate_password, 1);
+  rb_define_singleton_method(vacman_module, "verify_password",    vacman_verify_password, 2);
+  rb_define_singleton_method(vacman_module, "get_kernel_param",   vacman_get_kernel_param, 1);
+  rb_define_singleton_method(vacman_module, "set_kernel_param",   vacman_set_kernel_param, 2);
+  rb_define_singleton_method(vacman_module, "get_token_property", vacman_get_token_property, 2);
+  rb_define_singleton_method(vacman_module, "set_token_property", vacman_set_token_property, 3);
+}

data/lib/vacman_controller.rb ADDED Viewed

@@ -0,0 +1,141 @@
+require 'vacman_controller/vacman_controller'
+# Provides VACMAN Controller functionality to identify and authorize user via VASCO DIGIPASS tokens.
+#
+#
+module VacmanController
+  extend self
+  # Import .dpx file containing the secure token-data
+  #
+  # == Parameters:
+  # filename::
+  #   The path of the .dpx file to load
+  # key::
+  #   The secure key to decrypt the dpx file
+  #
+  # == Returns:
+  # A list of hashes. Each hash contains
+  #   serial: the serial number of the token
+  #   blob:   the blob containing some secret magic data
+  #   app_name: the application name (the security method)
+  #   flags1: some flags
+  #   flags2: more flags
+  #
+  # this hash must be persisted and regained for each call of verify_password and generate_password
+  #
+  def import(filename, key)
+    VacmanLowLevel.import(filename, key)
+  end
+  # Generate a Password for a user. This does the same as hitting the button on your hardware token
+  #
+  # == Parameters:
+  # hash::
+  #   The hash for a specific token (you get these in import)
+  #
+  # == Returns:
+  # The password string. The password is only valid for a period (todo: add method to change the period, currently its 30 seconds)
+  #
+  def generate_password(hash)
+    VacmanLowLevel.generate_password(hash)
+  end
+  # Verify a password. This is the usecase a user sends you a password generated by his token and we have to verify it.
+  #
+  # == Parameters:
+  # hash::
+  #   The hash for a specific token (you get these in import)
+  # pw::
+  #   The password provided by the user
+  #
+  # == Returns:
+  # true if the password is valid, false otherwise
+  #
+  # ATTENTION: it is very important to persist the hash afterwards!!!
+  #
+  def verify_password(hash, pw)
+    VacmanLowLevel.verify_password(hash, pw)
+  end
+  # Get a kernel parameter, wich is a basically a setting for vacman controller
+  #
+  # == Parameters:
+  # name::
+  #   the param name. Most TKernelParms struct elements are accessible.
+  #
+  def get_kernel_param(name)
+    VacmanLowLevel.get_kernel_param(name)
+  end
+  # Change a kernel parameter, wich is a basically a setting for vacman controller
+  #
+  # == Parameters:
+  # name::
+  #   the param name. Most TKernelParms struct elements are accessible.
+  # val::
+  #   the fixnum value
+  #
+  def set_kernel_param(name, val)
+    VacmanLowLevel.set_kernel_param(name, val)
+  end
+  # Get a token single property
+  #
+  # == Parameters:
+  # hash::
+  #   the hash for a specific token (you get these in import)
+  # property::
+  #   the property names
+  #
+  # possible names:
+  #
+  #   token_model
+  #   use_count
+  #   last_time_used
+  #   last_time_shift
+  #   time_based_algo
+  #   event_based_algo
+  #   pin_supported
+  #   unlock_supported
+  #   pin_change_enabled
+  #   pin_length
+  #   pin_minimum_length
+  #   pin_enabled
+  #   pin_change_forced
+  #   virtual_token_type
+  #   virtual_token_grace_period
+  #   virtual_token_remain_use
+  #   last_response_type
+  #   error_count
+  #   event_value
+  #   last_event_value
+  #   sync_windows
+  #   primary_token_enabled
+  #   virtual_token_supported
+  #   virtual_token_enabled
+  #   code_word
+  #   auth_mode
+  #   ocra_suite
+  #   derivation_supported
+  #   max_dtf_number
+  #   response_length
+  #   response_format
+  #   response_checksum
+  #   time_step
+  #   use_3des
+  #
+  def get_token_property(hash, property)
+    VacmanLowLevel.get_token_property(hash, property)
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,63 @@
+--- !ruby/object:Gem::Specification
+name: vacman_controller
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Marcus Lankenau
+- Marcello Barnaba
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2019-01-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Authenticate user via vacman controller
+email:
+- marcus.lankenau@gmail.com
+- marcello.barnaba@gmail.com
+executables: []
+extensions:
+- ext/vacman_controller/extconf.rb
+extra_rdoc_files: []
+files:
+- ext/vacman_controller/extconf.rb
+- ext/vacman_controller/vacman_controller.c
+- lib/vacman_controller.rb
+homepage: http://github.com/ifad/vacman_controller
+licenses: []
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.5.2.1
+signing_key:
+specification_version: 4
+summary: Access to the vacman controller library
+test_files: []