vidibus-secure 0.0.1

data/.bundle/config

@@ -0,0 +1,2 @@
+--- 
+BUNDLE_DISABLE_SHARED_GEMS: "1"

data/.gitignore

@@ -0,0 +1,22 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+.document
+
+## PROJECT::SPECIFIC

data/.rspec

@@ -0,0 +1,2 @@
+--colour
+--format nested

data/Gemfile

@@ -0,0 +1,12 @@
+source "http://rubygems.org"
+
+gem "mongoid", "~> 2.0.0.beta.20"
+gem "activesupport", "~> 3.0.0"
+gem "rack"
+gem "vidibus-core_extensions"
+
+# Development dependencies
+gem "rails", "~> 3.0.0"
+gem "rspec", "~> 2.0.0.beta.20"
+gem "rr"
+gem "relevance-rcov"

data/Gemfile.lock

@@ -0,0 +1,100 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    actionmailer (3.0.0)
+      actionpack (= 3.0.0)
+      mail (~> 2.2.5)
+    actionpack (3.0.0)
+      activemodel (= 3.0.0)
+      activesupport (= 3.0.0)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.4.1)
+      rack (~> 1.2.1)
+      rack-mount (~> 0.6.12)
+      rack-test (~> 0.5.4)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.0)
+      activesupport (= 3.0.0)
+      builder (~> 2.1.2)
+      i18n (~> 0.4.1)
+    activerecord (3.0.0)
+      activemodel (= 3.0.0)
+      activesupport (= 3.0.0)
+      arel (~> 1.0.0)
+      tzinfo (~> 0.3.23)
+    activeresource (3.0.0)
+      activemodel (= 3.0.0)
+      activesupport (= 3.0.0)
+    activesupport (3.0.0)
+    arel (1.0.1)
+      activesupport (~> 3.0.0)
+    bson (1.0.4)
+    builder (2.1.2)
+    diff-lcs (1.1.2)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    i18n (0.4.1)
+    mail (2.2.5)
+      activesupport (>= 2.3.6)
+      mime-types
+      treetop (>= 1.4.5)
+    mime-types (1.16)
+    mongo (1.0.7)
+      bson (>= 1.0.4)
+    mongoid (2.0.0.beta.17)
+      activemodel (~> 3.0.0)
+      bson (= 1.0.4)
+      mongo (= 1.0.7)
+      tzinfo (~> 0.3.22)
+      will_paginate (~> 3.0.pre)
+    polyglot (0.3.1)
+    rack (1.2.1)
+    rack-mount (0.6.13)
+      rack (>= 1.0.0)
+    rack-test (0.5.4)
+      rack (>= 1.0)
+    rails (3.0.0)
+      actionmailer (= 3.0.0)
+      actionpack (= 3.0.0)
+      activerecord (= 3.0.0)
+      activeresource (= 3.0.0)
+      activesupport (= 3.0.0)
+      bundler (~> 1.0.0)
+      railties (= 3.0.0)
+    railties (3.0.0)
+      actionpack (= 3.0.0)
+      activesupport (= 3.0.0)
+      rake (>= 0.8.4)
+      thor (~> 0.14.0)
+    rake (0.8.7)
+    relevance-rcov (0.9.2.1)
+    rr (1.0.0)
+    rspec (2.0.0.beta.20)
+      rspec-core (= 2.0.0.beta.20)
+      rspec-expectations (= 2.0.0.beta.20)
+      rspec-mocks (= 2.0.0.beta.20)
+    rspec-core (2.0.0.beta.20)
+    rspec-expectations (2.0.0.beta.20)
+      diff-lcs (>= 1.1.2)
+    rspec-mocks (2.0.0.beta.20)
+    thor (0.14.0)
+    treetop (1.4.8)
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.23)
+    vidibus-core_extensions (0.3.5)
+    will_paginate (3.0.pre2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activesupport (~> 3.0.0)
+  mongoid (~> 2.0.0.beta.20)
+  rack
+  rails (~> 3.0.0)
+  relevance-rcov
+  rr
+  rspec (~> 2.0.0.beta.20)
+  vidibus-core_extensions

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Andre Pankratz
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,38 @@
+= vidibus-secure
+
+This gem is part of the open source SOA framework Vidibus: http://www.vidibus.org
+
+TODO: Describe
+
+
+== Installation
+
+Add the dependency to the Gemfile of your application:
+
+  gem "vidibus-secure"
+
+Then call `bundle install` on your console.
+
+If you want to use Vidibus::Secure::Mongoid in your models, you should generate an initializer to set an unique encryption key:
+
+  rails generate vidibus_secure_key
+
+
+== Usage
+
+TODO: Describe
+
+
+=== Usage in Mongoid model
+
+TODO: Describe
+
+
+== TODO
+
+* Documentation
+
+
+== Copyright
+
+Copyright (c) 2010 Andre Pankratz. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,39 @@
+require "rubygems"
+require "rake"
+require "rake/rdoctask"
+require "rspec"
+require "rspec/core/rake_task"
+
+begin
+  require "jeweler"
+  Jeweler::Tasks.new do |gem|
+    gem.name = "vidibus-secure"
+    gem.summary = %Q{Security tools for Vidibus applications}
+    gem.description = %Q{Description...}
+    gem.email = "andre@vidibus.com"
+    gem.homepage = "http://github.com/vidibus/vidibus-secure"
+    gem.authors = ["Andre Pankratz"]
+    gem.add_dependency "mongoid", "~> 2.0.0.beta.20"
+    gem.add_dependency "activesupport", "~> 3.0.0"
+    gem.add_dependency "rack"
+    gem.add_dependency "vidibus-core_extensions"
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+Rspec::Core::RakeTask.new(:rcov) do |t|
+  t.pattern = "spec/**/*_spec.rb"
+  t.rcov = true
+  t.rcov_opts = ["--exclude", "^spec,/gems/"]
+end
+
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?("VERSION") ? File.read("VERSION") : ""
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title = "vidibus-secure #{version}"
+  rdoc.rdoc_files.include("README*")
+  rdoc.rdoc_files.include("lib/**/*.rb")
+  rdoc.options << "--charset=utf-8"
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/lib/generators/vidibus_secure_key/vidibus_secure_key_generator.rb

@@ -0,0 +1,11 @@
+class VidibusSecureKeyGenerator < Rails::Generators::Base
+  desc 'Generates an initializer that sets ENV["VIDIBUS_SECURE_KEY"]'
+
+  def create_initializer
+    create_file "config/initializers/vidibus_secure_key.rb" do
+      %(# This is a secret key for encrypting values of field defined by attr_encrypted.\n) +
+      %(# Do not change this encryption key! Otherwise you will not be able to decrypt data already stored in your database.\n) +
+      %(ENV["VIDIBUS_SECURE_KEY"] = "#{Vidibus::Secure.random(:encoding => :base64, :length => 100)}")
+    end
+  end
+end

data/lib/vidibus/secure/extensions/controller.rb

@@ -0,0 +1,34 @@
+module Vidibus
+  module Secure
+    module Extensions
+
+      # Contains extensions of ApplicationController.
+      module Controller
+        extend ActiveSupport::Concern
+
+        included do
+          helper_method :valid_request?
+        end
+
+        # Generates a signature of a request path.
+        # Will use the current request.fullpath unless an URI is given.
+        #
+        # The given URI will be decomposed into path and request params.
+        # A given +signature_param+ will be removed, all remaining params
+        # will be ordered alphabetically.
+        #
+        # Usage:
+        #
+        #   valid_request?("mysecret")
+        #   valid_request?("mysecret", :uri => "http://...", :method => "get", :params => {})
+        #
+        def valid_request?(secret, options = {})
+          method = options.delete(:method) || request.method
+          uri = options.delete(:uri) || request.protocol + request.host_with_port + request.fullpath
+          params = options.delete(:params) || request.params.except(:action, "action", :controller, "controller", :id, "id")
+          Vidibus::Secure.verify_request(method, uri, params, secret)
+        end
+      end
+    end
+  end
+end

data/lib/vidibus/secure/extensions.rb

@@ -0,0 +1,5 @@
+require "secure/extensions/controller"
+
+ActiveSupport.on_load(:action_controller) do
+  include Vidibus::Secure::Extensions::Controller
+end

data/lib/vidibus/secure/mongoid.rb

@@ -0,0 +1,35 @@
+module Vidibus
+  module Secure
+    module Mongoid
+      extend ActiveSupport::Concern
+      module ClassMethods
+
+        # Sets encrypted attributes.
+        def attr_encrypted(*args)
+          key = ENV["VIDIBUS_SECURE_KEY"]
+          options = args.extract_options!
+          for field in args
+
+            # Define Mongoid field
+            encrypted_field = "#{field}_encrypted"
+            self.send(:field, encrypted_field, :type => Binary)
+
+            # Define setter
+            class_eval <<-EOV
+              def #{field}=(value)
+                self.#{encrypted_field} = value ? Vidibus::Secure.encrypt(value, "#{key}") : nil
+              end
+            EOV
+
+            # Define getter
+            class_eval <<-EOV
+              def #{field}
+                Vidibus::Secure.decrypt(#{encrypted_field}, "#{key}") if #{encrypted_field}
+              end
+            EOV
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vidibus/secure.rb

@@ -0,0 +1,131 @@
+require "openssl"
+require "active_support/secure_random"
+require "rack"
+require "uri"
+
+module Vidibus
+  module Secure
+
+    class KeyError < StandardError; end
+
+    class << self
+
+      # Define default settings for random, sign, and crypt.
+      def settings
+        @settings ||= {
+          :random => { :length => 50, :encoding => :base64 },
+          :sign => { :algorithm => "SHA256", :encoding => :hex },
+          :crypt => { :algorithm => "AES-256-CBC", :encoding => :base64 }
+        }
+      end
+
+      # Returns a truly random string.
+      # Now it is not much more than an interface for ActiveSupport::SecureRandom,
+      # but that might change over time.
+      #
+      # Options:
+      #   :length     Length of string to generate
+      #   :encoding   Encoding of string; hex or base64
+      #
+      # Keep in mind that a hexadecimal string is less secure
+      # than a base64 encoded string with the same length!
+      #
+      def random(options = {})
+        options = settings[:random].merge(options)
+        length = options[:length]
+        ActiveSupport::SecureRandom.send(options[:encoding], length)[0,length]
+      end
+
+      # Returns signature of given data with given key.
+      def sign(data, key, options = {})
+        raise KeyError.new("Please provide a secret key to sign data with.") unless key
+        options = settings[:sign].merge(options)
+        digest = OpenSSL::Digest::Digest.new(options[:algorithm])
+        signature = OpenSSL::HMAC.digest(digest, key, data)
+        encode(signature, options)
+      end
+
+      # Encrypts given data with given key.
+      def encrypt(data, key, options = {})
+        raise KeyError.new("Please provide a secret key to encrypt data with.") unless key
+        options = settings[:crypt].merge(options)
+        encrypted_data = crypt(:encrypt, data, key, options)
+        encode(encrypted_data, options)
+      end
+
+      # Decrypts given data with given key.
+      def decrypt(data, key, options = {})
+        raise KeyError.new("Please provide a secret key to decrypt data with.") unless key
+        options = settings[:crypt].merge(options)
+        decoded_data = decode(data, options)
+        crypt(:decrypt, decoded_data, key, options)
+      end
+
+      # Signs request.
+      def sign_request(verb, path, params, key, signature_param = nil)
+        default_signature_param = :sign
+        params_given = !!params
+        raise ArgumentError.new("Given params is not a Hash.") if params_given and !params.is_a?(Hash)
+        params = {} unless params_given
+        signature_param ||= (params_given and params.keys.first.is_a?(String)) ? default_signature_param.to_s : default_signature_param
+
+        uri = URI.parse(path)
+        path_params = Rack::Utils.parse_query(uri.query)
+        uri.query = nil
+
+        _verb = verb.to_s.downcase
+        _uri = uri.to_s.gsub(/\/+$/, "")
+        _params = (params.merge(path_params)).except(signature_param.to_s, signature_param.to_s.to_sym)
+        _params = _params.any? ? _params.to_a_rec.flatten.sort{|a,b| a.to_s <=> b.to_s}.join("|") : ""
+
+        signature = sign("#{_verb}|#{_uri}|#{_params}", key)
+
+        if %w[post put].include?(_verb) or (params_given and path_params.empty?)
+          params[signature_param] = signature
+        else
+          unless path.gsub!(/(#{signature_param}=)[^&]+/, "\\1#{signature}")
+            glue = path.match(/\?/) ? "&" : "?"
+            path << "#{glue}#{signature_param}=#{signature}"
+          end
+        end
+        [path, params]
+      end
+
+      # Verifies that given request is valid.
+      def verify_request(verb, path, params, key, signature_param = nil)
+        params ||= {}
+        _path = path.dup
+        _params = params.dup
+        sign_request(verb, _path, _params, key, signature_param)
+        return (path == _path and params == _params)
+      end
+
+      protected
+
+      def crypt(cipher_method, data, key, options = {})
+        cipher = OpenSSL::Cipher::Cipher.new(options[:algorithm])
+        digest = OpenSSL::Digest::SHA512.new(key).digest
+        cipher.send(cipher_method)
+        cipher.pkcs5_keyivgen(digest)
+        result = cipher.update(data)
+        result << cipher.final
+      end
+
+      def encode(data, options = {})
+        if options[:encoding] == :hex
+          data.unpack("H*").to_s
+        elsif options[:encoding] == :base64
+          [data].pack("m*")
+        end
+      end
+
+      def decode(data, options = {})
+        if options[:encoding] == :hex
+          [data].pack("H*")
+        elsif options[:encoding] == :base64
+          data.unpack("m*").to_s
+        end
+      end
+    end
+  end
+end

data/lib/vidibus-secure.rb

@@ -0,0 +1,6 @@
+require "vidibus-core_extensions"
+
+$:.unshift(File.join(File.dirname(__FILE__), "..", "lib", "vidibus"))
+require "secure"
+require "secure/mongoid"
+require "secure/extensions"

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
+
+require "rubygems"
+require "mongoid"
+require "rspec"
+require "rr"
+require "vidibus-secure"
+
+Mongoid.configure do |config|
+  name = "vidibus-secure_test"
+  host = "localhost"
+  config.master = Mongo::Connection.new.db(name)
+end
+
+RSpec.configure do |config|
+  config.mock_with :rr
+  config.after :suite do
+    Mongoid.master.collections.select {|c| c.name !~ /system/ }.each(&:drop)
+  end
+end

data/spec/vidibus/secure/extensions/controller_spec.rb

@@ -0,0 +1,75 @@
+require "ostruct"
+require "spec_helper"
+require "action_controller"
+
+class Controller < ActionController::Base; end
+
+describe "Vidibus::Secure::Extensions::Controller" do
+  let(:controller) { Controller.new }
+  let(:secret) { "mysecret" }
+
+  before do
+    stub(controller).request do
+      @request ||= begin
+        Struct.new("Request", :protocol, :host_with_port, :fullpath, :method, :params) unless defined?(Struct::Request)
+        Struct::Request.new("http://", "vidibus.org", "/", "get", {})
+      end
+    end
+  end
+
+  describe "#valid_request?" do
+    it "should available to controllers that stem from ActionController::Base" do
+      controller.should respond_to(:valid_request?)
+    end
+
+    it "should build URI from request object if no :uri is provided" do
+      mock(controller.request).protocol {"http://"}
+      mock(controller.request).host_with_port {"vidibus.org"}
+      mock(controller.request).fullpath {"/"}
+      controller.valid_request?(secret, :method => "get", :params => {})
+    end
+
+    it "should use request.method if no :method is provided" do
+      mock(controller.request).method {"get"}
+      controller.valid_request?(secret, :uri => "something", :params => {})
+    end
+
+    it "should use request.params if no :params are provided" do
+      mock(controller.request).params {{}}
+      controller.valid_request?(secret, :uri => "something", :method => "get")
+    end
+
+    it "should use given params" do
+      dont_allow(controller).request
+      controller.valid_request?(secret, :method => "get", :uri => "something", :params => {})
+    end
+
+    it "should return true for valid requests" do
+      Vidibus::Secure.sign_request(:get, "http://vidibus.org/", controller.request.params, secret)
+      controller.valid_request?(secret).should be_true
+    end
+
+    it "should omit :action, :controller, and :id from request.params" do
+      Vidibus::Secure.sign_request(:get, "http://vidibus.org/", controller.request.params, secret)
+      controller.request.params.merge(:action => "index", :controller => "application", :id => nil)
+      controller.valid_request?(secret).should be_true
+    end
+
+    it "should omit 'action', 'controller', and 'id' from request.params" do
+      Vidibus::Secure.sign_request(:get, "http://vidibus.org/", controller.request.params, secret)
+      controller.request.params.merge("action" => "index", "controller" => "application", "id" => nil)
+      controller.valid_request?(secret).should be_true
+    end
+
+    it "should keep :action, :controller, and :id in custom params" do
+      params = { :action => "index", :controller => "application", :id => "12" }
+      Vidibus::Secure.sign_request(:get, "http://vidibus.org/", params, secret)
+      controller.valid_request?(secret, :params => params).should be_true
+    end
+
+    it "should call Vidibus::Secure.verify_request" do
+      mock(Vidibus::Secure).verify_request("get", "http://vidibus.org/", {}, secret)
+      controller.valid_request?(secret)
+    end
+  end
+end

data/spec/vidibus/secure/mongoid_spec.rb

@@ -0,0 +1,89 @@
+require "spec_helper"
+
+ENV["VIDIBUS_SECURE_KEY"] = "c4l60HC/lyerr2VEnrP7s2YAldyZGfIBePUzCl+tBsTs1EWJOc8dEJ7F2Vty7KPEeRuBWGxZHVAbku8pLo+UvXRpLcRiF7lxKiKl"
+
+class Model
+  include Mongoid::Document
+  include Vidibus::Secure::Mongoid
+  attr_encrypted :my_secret, :another_secret
+end
+
+describe "Vidibus::Secure::Mongoid" do
+  let(:model) { Model.new }
+  let(:secret) { "My name is Bond." }
+  let(:encrypted_secret) { "+PlBG1ChiqUAYMrHlJzDL4NwXHtGBIUm/KQ2ZWfwxjM=\n" }
+
+  it "should add a field :my_secret_encrypted" do
+    model.should respond_to(:my_secret_encrypted)
+  end
+
+  it "should add a setter for :my_secret" do
+    model.should respond_to(:my_secret=)
+  end
+
+  it "should add a getter for :my_secret" do
+    model.should respond_to(:my_secret)
+  end
+
+  it "should add a field :another_secret_encrypted" do
+    model.should respond_to(:another_secret_encrypted)
+  end
+
+  it "should add a setter for :another_secret" do
+    model.should respond_to(:another_secret=)
+  end
+
+  it "should add a getter for :another_secret" do
+    model.should respond_to(:another_secret)
+  end
+
+  describe "#my_secret=" do
+    it "should set :my_secret_encrypted" do
+      model.my_secret_encrypted.should be_nil
+      model.my_secret = "my_secret"
+      model.my_secret_encrypted.should_not be_nil
+    end
+
+    it "should encrypt a given value" do
+      model.my_secret = secret
+      model.my_secret_encrypted.should eql(encrypted_secret)
+    end
+
+    it "should be persistent" do
+      model.my_secret = secret
+      model.save!
+      model.reload
+      model.my_secret_encrypted.should eql(encrypted_secret)
+    end
+
+    it "should not encrypt nil" do
+      model.my_secret = nil
+      model.my_secret_encrypted.should eql(nil)
+    end
+  end
+
+  describe "#my_secret" do
+    it "should get :my_secret_encrypted" do
+      model.my_secret.should be_nil
+      model.my_secret_encrypted = encrypted_secret
+      model.my_secret.should_not be_nil
+    end
+
+    it "should decrypt value of :my_secret_encrypted" do
+      model.my_secret_encrypted = encrypted_secret
+      model.my_secret.should eql(secret)
+    end
+
+    it "should be persistent" do
+      model.my_secret_encrypted = encrypted_secret
+      model.save!
+      model.reload
+      model.my_secret.should eql(secret)
+    end
+
+    it "should not decrypt nil" do
+      model.my_secret_encrypted = nil
+      model.my_secret.should eql(nil)
+    end
+  end
+end

data/spec/vidibus/secure_spec.rb

@@ -0,0 +1,345 @@
+require "spec_helper"
+
+describe "Vidibus::Secure" do
+  let(:key) { "8KTbTanrBTQ5c8CjANpJQjPWcIstFxq/uFIUQBF3gRnztM565xIfe8MStVcLilbEhjYwfZiD4lFWINF22Aw8gVEbkSf2rLN0fnuO9YtNqFLQU6m/OldO5JbsBJPCwuzsPYmZ1w==" }
+  let(:data) { "My name is Bond. You know the rest." }
+  let(:encrypted_base64) { "hXUWa3gHRpYr/Fi2qm9xdTyZg7NSpYq8X2p1EL+/wffUg9IeIjVbSvyUYAvy\nTLbc\n" }
+  let(:encrypted_hex) { "8575166b780746962bfc58b6aa6f71753c9983b352a58abc5f6a7510bfbfc1f7d483d21e22355b4afc94600bf24cb6dc" }
+  let(:signature_base64) { "AhTlmymUI9q2bdrtJ0vLdyV8Y8eUf2U5xrzoK5PdWKQ=\n" }
+  let(:signature_hex) { "0214e59b299423dab66ddaed274bcb77257c63c7947f6539c6bce82b93dd58a4" }
+  let(:base64_format) { /([A-Z]|\+|\/)/ }
+  let(:hex_format) { /^[0-9a-f]+$/ }
+
+  describe ".settings" do
+    context "for :random" do
+      it "should default to a length of 50" do
+        Vidibus::Secure.settings[:random][:length].should eql(50)
+      end
+
+      it "should default to base64 encoding" do
+        Vidibus::Secure.settings[:random][:encoding].should eql(:base64)
+      end
+    end
+
+    context "for :sign" do
+      it "should default to SHA256 algorithm" do
+        Vidibus::Secure.settings[:sign][:algorithm].should eql("SHA256")
+      end
+
+      it "should default to hex encoding" do
+        Vidibus::Secure.settings[:sign][:encoding].should eql(:hex)
+      end
+    end
+
+    context "for :crypt" do
+      it "should default to AES-256-CBC algorithm" do
+        Vidibus::Secure.settings[:crypt][:algorithm].should eql("AES-256-CBC")
+      end
+
+      it "should default to base64 encoding" do
+        Vidibus::Secure.settings[:crypt][:encoding].should eql(:base64)
+      end
+    end
+  end
+
+  describe ".random" do
+    it "should create a base64 random string with a length of 50 chars" do
+      random = Vidibus::Secure.random
+      random.length.should eql(50)
+      random.should match(base64_format)
+    end
+
+    it "should create a hexadecimal random string with a length of 50 chars if :encoding is provided" do
+      random = Vidibus::Secure.random(:encoding => :hex)
+      random.length.should eql(50)
+      random.should match(hex_format)
+    end
+
+    it "should create a random string with a length of 60 chars if :length is provided" do
+      Vidibus::Secure.random(:length => 60).length.should eql(60)
+    end
+
+    it "should create a hexadecimal random string if settings for :random are changed" do
+      Vidibus::Secure.settings[:random][:encoding] = :hex
+      Vidibus::Secure.random.should match(hex_format)
+      Vidibus::Secure.settings[:random][:encoding] = :base64
+    end
+  end
+
+  describe ".sign" do
+    it "should create a hexadecimal signature of given data by default" do
+      Vidibus::Secure.sign(data, key).should eql(signature_hex)
+    end
+
+    it "should create a base64 signature of given data if :encoding is provided" do
+      Vidibus::Secure.sign(data, key, :encoding => :base64).should eql(signature_base64)
+    end
+
+    it "should create a base64 signature of given data if settings for :sign are changed" do
+      Vidibus::Secure.settings[:sign][:encoding] = :base64
+      Vidibus::Secure.sign(data, key).should eql(signature_base64)
+      Vidibus::Secure.settings[:sign][:encoding] = :hex
+    end
+
+    it "should raise an error if given secret key is nil" do
+      expect { Vidibus::Secure.sign(data, nil) }.to raise_error(Vidibus::Secure::KeyError)
+    end
+  end
+
+  describe ".encrypt" do
+    it "should encrypt data as base64 string" do
+      Vidibus::Secure.encrypt(data, key).should eql(encrypted_base64)
+    end
+
+    it "should encrypt data as hexadecimal string if :encoding is provided" do
+      Vidibus::Secure.encrypt(data, key, :encoding => :hex).should eql(encrypted_hex)
+    end
+
+    it "should encrypt data as hexadecimal string if encoding settings for :crypt are set to hex" do
+      Vidibus::Secure.settings[:crypt][:encoding] = :hex
+      Vidibus::Secure.encrypt(data, key).should eql(encrypted_hex)
+      Vidibus::Secure.settings[:crypt][:encoding] = :base64
+    end
+
+    it "should raise an error if given secret key is nil" do
+      expect { Vidibus::Secure.sign(data, nil) }.to raise_error(Vidibus::Secure::KeyError)
+    end
+  end
+
+  describe ".decrypt" do
+    it "should decrypt a base64 string" do
+      Vidibus::Secure.decrypt(encrypted_base64, key).should eql(data)
+    end
+
+    it "should decrypt a hexadecimal string if :encoding is provided" do
+      Vidibus::Secure.decrypt(encrypted_hex, key, :encoding => :hex).should eql(data)
+    end
+
+    it "should decrypt a hexadecimal string if encoding settings for :crypt are set to hex" do
+      Vidibus::Secure.settings[:crypt][:encoding] = :hex
+      Vidibus::Secure.decrypt(encrypted_hex, key).should eql(data)
+      Vidibus::Secure.settings[:crypt][:encoding] = :base64
+    end
+
+    it "should raise an error if given secret key is nil" do
+      expect { Vidibus::Secure.sign(data, nil) }.to raise_error(Vidibus::Secure::KeyError)
+    end
+  end
+
+  describe ".sign_request" do
+    it "should not modifiy path for POST and PUT requests" do
+      for verb in %w[post put]
+        path, params = Vidibus::Secure.sign_request(verb, "/whazzup", {}, key)
+        path.should eql("/whazzup")
+      end
+    end
+
+    it "should require that given params is a Hash" do
+      params = %w[1 2 3]
+      expect {
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+      }.to raise_error(ArgumentError, "Given params is not a Hash.")
+    end
+
+    context "for requests without body" do
+      it "should add signature to params, if no params are given in URI and params argument is a hash" do
+        path = "http://vidibus.org/status"
+        params = {}
+        Vidibus::Secure.sign_request(:get, path, params, key)
+        path.should eql("http://vidibus.org/status")
+        params.should eql(:sign => "09247a2534f14e57081193ef6834b08843352c796af264f77e76445472dae9ed")
+      end
+
+      it "should add signature to URI, if no params are given in URI and params argument nil" do
+        path = "http://vidibus.org/status"
+        params = nil
+        Vidibus::Secure.sign_request(:get, path, params, key)
+        path.should eql("http://vidibus.org/status?sign=09247a2534f14e57081193ef6834b08843352c796af264f77e76445472dae9ed")
+        params.should be_nil
+      end
+
+      it "should add signature to URI, if params argument is a hash, but params are also given in URI" do
+        path = "http://vidibus.org/status?feel=good"
+        params = {}
+        Vidibus::Secure.sign_request(:get, path, params, key)
+        path.should eql("http://vidibus.org/status?feel=good&sign=528bbd5f791960570bd1a53ea5540d9970361b7abff72e8ecc02b12673330270")
+        params.should eql({})
+      end
+
+      it "should accept a custom name as signature param" do
+        path = "http://vidibus.org/status"
+        Vidibus::Secure.sign_request(:get, path, nil, key, "privado")
+        path.should eql("http://vidibus.org/status?privado=09247a2534f14e57081193ef6834b08843352c796af264f77e76445472dae9ed")
+      end
+
+      it "should create a signature of a given URL" do
+        path = "http://vidibus.org/"
+        Vidibus::Secure.sign_request(:get, path, nil, key)
+        path.should eql("http://vidibus.org/?sign=0ff9ec7056fd6a2b8ea1d2a1f462458719e3cf0b65485c55035ac906fd3d3368")
+      end
+
+      it "should create identical signatures for URLs with and without trailing slash" do
+        signature = "0ff9ec7056fd6a2b8ea1d2a1f462458719e3cf0b65485c55035ac906fd3d3368"
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org", nil, key).first.should match(signature)
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/", nil, key).first.should match(signature)
+      end
+
+      it "should create a signature of a given URI" do
+        path = "http://vidibus.org/status"
+        Vidibus::Secure.sign_request(:get, path, nil, key)
+        path.should eql("http://vidibus.org/status?sign=09247a2534f14e57081193ef6834b08843352c796af264f77e76445472dae9ed")
+      end
+
+      it "should create identical signatures for URIs with and without trailing slash" do
+        signature = "09247a2534f14e57081193ef6834b08843352c796af264f77e76445472dae9ed"
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/status", nil, key).first.should match(signature)
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/status/", nil, key).first.should match(signature)
+      end
+
+      it "should create a signature of URI with params" do
+        path = "http://vidibus.org/status?type=server"
+        Vidibus::Secure.sign_request(:get, path, {}, key)
+        path.should eql("http://vidibus.org/status?type=server&sign=afdc286310f98b36a4ad71e493a13ff35b5d841472328faadee270b6c62ca321")
+      end
+
+      it "should create identical signatures for URIs with params with and without trailing slash" do
+        signature = "afdc286310f98b36a4ad71e493a13ff35b5d841472328faadee270b6c62ca321"
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/status?type=server", {}, key).first.should match(signature)
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/status/?type=server", {}, key).first.should match(signature)
+      end
+
+      it "should replace signature in URI with params" do
+        path = "http://vidibus.org/status?interval=2&sign=something&type=server"
+        Vidibus::Secure.sign_request(:get, path, {}, key)
+        path.should eql("http://vidibus.org/status?interval=2&sign=647b0f8278ad6536b02886fa2e74ae31574941e74a7a1c1f3abe2c70b5c84625&type=server")
+      end
+
+      it "should replace signature in URI without other params" do
+        path = "http://vidibus.org/status?sign=something"
+        Vidibus::Secure.sign_request(:get, path, {}, key)
+        path.should eql("http://vidibus.org/status?sign=09247a2534f14e57081193ef6834b08843352c796af264f77e76445472dae9ed")
+      end
+
+      it "should create identical signatures for URIs with different params order" do
+        signature = "23a74d6a231961700e45b907b72fd3d47e10f7bc4618d74cb6e839d1de1b8fb7"
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/status?a=1&b=2", {}, key).first.should match(signature)
+        Vidibus::Secure.sign_request(:get, "http://vidibus.org/status/?b=2&a=1", {}, key).first.should match(signature)
+      end
+    end
+
+    context "for request with body" do
+      it "should create a signature of path and params" do
+        params = {:some => "thing"}
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+        params[:some].should eql("thing")
+        params[:sign].should eql("1c038202044005a8da96c780b79c691af849604dab9dabd283e65271c8012aae")
+      end
+
+      it "should create a signature of path and nested params" do
+        params = {:some => {:nested => "params", :are => {:really => ["serious", "stuff"]}}}
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+        params[:some].should eql({:nested => "params", :are => {:really => ["serious", "stuff"]}})
+        params[:sign].should eql("9419d44fc65b515b31923e2f3f4a166b384df107b61b323a1f7a3be1d7ad27f5")
+      end
+
+      it "should replace existing signature" do
+        params = {:some => "thing", :sign => "something"}
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+        params[:some].should eql("thing")
+        params[:sign].should eql("1c038202044005a8da96c780b79c691af849604dab9dabd283e65271c8012aae")
+      end
+
+      it "should add signature param as string if params are given as strings" do
+        params = {"some" => "thing"}
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+        params["some"].should eql("thing")
+        params["sign"].should_not be_nil
+        params[:sign].should be_nil
+      end
+
+      it "should add signature param as symbol if params are given as symbols" do
+        params = {:some => "thing"}
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+        params[:some].should eql("thing")
+        params[:sign].should_not be_nil
+        params["sign"].should be_nil
+      end
+
+      it "should add signature param as symbol if no params are given" do
+        params = {}
+        Vidibus::Secure.sign_request(:post, "/", params, key)
+        params[:sign].should_not be_nil
+      end
+    end
+  end
+
+  describe ".verify_request" do
+    it "should return true for a valid GET request" do
+      path = "http://vidibus.org/status?type=server&sign=afdc286310f98b36a4ad71e493a13ff35b5d841472328faadee270b6c62ca321"
+      Vidibus::Secure.verify_request(:get, path, {}, key).should be_true
+    end
+
+    it "should return true for a valid GET request even if verb is upcase" do
+      path = "http://vidibus.org/status?type=server&sign=afdc286310f98b36a4ad71e493a13ff35b5d841472328faadee270b6c62ca321"
+      Vidibus::Secure.verify_request("GET", path, {}, key).should be_true
+    end
+
+    it "should return true for a valid GET request if params are given as hash" do
+      path = "http://vidibus.org/status"
+      params = {:type => "server", :sign => "afdc286310f98b36a4ad71e493a13ff35b5d841472328faadee270b6c62ca321"}
+      Vidibus::Secure.verify_request("GET", path, params, key).should be_true
+    end
+
+    it "should return false if additional params are given" do
+      path = "http://vidibus.org/status?type=server&sign=83d49980a04004431602a35941d2f927bfa9a2440fa04ccd2abbbad96309aa07"
+      Vidibus::Secure.verify_request("GET", path, { :some => "thing" }, key).should be_false
+    end
+
+    it "should return true for a valid POST request with params given as symbols" do
+      params = {:sign => "1c038202044005a8da96c780b79c691af849604dab9dabd283e65271c8012aae", :some => "thing"}
+      Vidibus::Secure.verify_request(:post, "/", params, key).should be_true
+    end
+
+    it "should return true for a valid POST request with nested params" do
+      params = {
+        :sign => "9419d44fc65b515b31923e2f3f4a166b384df107b61b323a1f7a3be1d7ad27f5",
+        :some => {:nested => "params", :are => {:really => ["serious", "stuff"]}}
+      }
+      Vidibus::Secure.verify_request(:post, "/", params, key).should be_true
+    end
+
+    it "should return true for a valid POST request with params given as string" do
+      params = {"sign"=>"1c038202044005a8da96c780b79c691af849604dab9dabd283e65271c8012aae", "some"=>"thing"}
+      Vidibus::Secure.verify_request(:post, "/", params, key).should be_true
+    end
+
+    it "should return false if signature is invalid" do
+      path = "http://vidibus.org/status?type=server&sign=invalid"
+      Vidibus::Secure.verify_request(:get, path, {}, key).should be_false
+    end
+
+    it "should return false if path does not match signature" do
+      path = "http://vidibus.org/invalid?type=server&sign=068dbf2695798e3cda2710ae34d74043653eae41d82cbbdf39edebd7e2ae9a50"
+      Vidibus::Secure.verify_request(:get, path, {}, key).should be_false
+    end
+
+    it "should return false if request verb does not match signature" do
+      path = "http://vidibus.org/status?type=server&sign=068dbf2695798e3cda2710ae34d74043653eae41d82cbbdf39edebd7e2ae9a50"
+      Vidibus::Secure.verify_request(:delete, path, {}, key).should be_false
+    end
+
+    it "should return false if params do not match signature" do
+      params = {"sign" => "90c71e477ea155e99b8a85b7f9ad0614e5445acfc33702cd3db614941f1a7df9", "some" => "invalid"}
+      Vidibus::Secure.verify_request(:post, "/", params, key).should be_false
+    end
+
+    it "should return false if signature does not match params" do
+      params = {"sign" => "invalid", "some" => "thing"}
+      Vidibus::Secure.verify_request(:post, "/", params, key).should be_false
+    end
+
+    it "should accept nil params" do
+      expect { Vidibus::Secure.verify_request(:get, "", nil, key) }.to_not raise_error
+    end
+  end
+end

data/vidibus-secure.gemspec

@@ -0,0 +1,75 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{vidibus-secure}
+  s.version = "0.0.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Andre Pankratz"]
+  s.date = %q{2010-09-23}
+  s.description = %q{Description...}
+  s.email = %q{andre@vidibus.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".bundle/config",
+     ".gitignore",
+     ".rspec",
+     "Gemfile",
+     "Gemfile.lock",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "lib/generators/vidibus_secure_key/vidibus_secure_key_generator.rb",
+     "lib/vidibus-secure.rb",
+     "lib/vidibus/secure.rb",
+     "lib/vidibus/secure/extensions.rb",
+     "lib/vidibus/secure/extensions/controller.rb",
+     "lib/vidibus/secure/mongoid.rb",
+     "spec/spec_helper.rb",
+     "spec/vidibus/secure/extensions/controller_spec.rb",
+     "spec/vidibus/secure/mongoid_spec.rb",
+     "spec/vidibus/secure_spec.rb",
+     "vidibus-secure.gemspec"
+  ]
+  s.homepage = %q{http://github.com/vidibus/vidibus-secure}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{Security tools for Vidibus applications}
+  s.test_files = [
+    "spec/spec_helper.rb",
+     "spec/vidibus/secure/extensions/controller_spec.rb",
+     "spec/vidibus/secure/mongoid_spec.rb",
+     "spec/vidibus/secure_spec.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<mongoid>, ["~> 2.0.0.beta.20"])
+      s.add_runtime_dependency(%q<activesupport>, ["~> 3.0.0"])
+      s.add_runtime_dependency(%q<rack>, [">= 0"])
+      s.add_runtime_dependency(%q<vidibus-core_extensions>, [">= 0"])
+    else
+      s.add_dependency(%q<mongoid>, ["~> 2.0.0.beta.20"])
+      s.add_dependency(%q<activesupport>, ["~> 3.0.0"])
+      s.add_dependency(%q<rack>, [">= 0"])
+      s.add_dependency(%q<vidibus-core_extensions>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<mongoid>, ["~> 2.0.0.beta.20"])
+    s.add_dependency(%q<activesupport>, ["~> 3.0.0"])
+    s.add_dependency(%q<rack>, [">= 0"])
+    s.add_dependency(%q<vidibus-core_extensions>, [">= 0"])
+  end
+end
+

metadata

@@ -0,0 +1,151 @@
+--- !ruby/object:Gem::Specification 
+name: vidibus-secure
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Andre Pankratz
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-09-23 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: mongoid
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 62196427
+        segments: 
+        - 2
+        - 0
+        - 0
+        - beta
+        - 20
+        version: 2.0.0.beta.20
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 7
+        segments: 
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rack
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: vidibus-core_extensions
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id004
+description: Description...
+email: andre@vidibus.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .bundle/config
+- .gitignore
+- .rspec
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- lib/generators/vidibus_secure_key/vidibus_secure_key_generator.rb
+- lib/vidibus-secure.rb
+- lib/vidibus/secure.rb
+- lib/vidibus/secure/extensions.rb
+- lib/vidibus/secure/extensions/controller.rb
+- lib/vidibus/secure/mongoid.rb
+- spec/spec_helper.rb
+- spec/vidibus/secure/extensions/controller_spec.rb
+- spec/vidibus/secure/mongoid_spec.rb
+- spec/vidibus/secure_spec.rb
+- vidibus-secure.gemspec
+has_rdoc: true
+homepage: http://github.com/vidibus/vidibus-secure
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Security tools for Vidibus applications
+test_files: 
+- spec/spec_helper.rb
+- spec/vidibus/secure/extensions/controller_spec.rb
+- spec/vidibus/secure/mongoid_spec.rb
+- spec/vidibus/secure_spec.rb