warden-hmac-authentication 0.3.0 → 0.4.0

data/bin/warden-hmac-authentication

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 require 'trollop'
-require 'hmac_signer'
+require 'hmac/signer'
 
 opts = Trollop::options do
   
@@ -38,7 +38,7 @@ url = ARGV.shift
 secret = opts.delete(:secret)
 algorithm = opts.delete(:algorithm)
 
-signer = HMACSigner.new(algorithm)
+signer = HMAC::Signer.new(algorithm)
 
 if "sign" == cmd
   puts signer.sign_url(url, secret, opts)
@@ -51,4 +51,4 @@ else
     puts "URL #{url} does not contain a valid signature"
     exit 1
   end
-end
+end

data/lib/hmac/signer.rb

@@ -0,0 +1,245 @@
+require 'addressable/uri'
+require 'openssl'
+require 'rack/utils'
+if defined?(JRUBY_VERSION) && RUBY_VERSION =~ /^1\.9/
+  require 'hmac/string/jruby'
+end
+
+module HMAC
+  # Helper class that provides signing capabilites for the hmac strategies.
+  #
+  # @author Felix Gilcher <felix.gilcher@asquera.de>
+  class Signer
+    attr_accessor :secret, :algorithm, :default_opts
+
+    # create a new HMAC instance
+    #
+    # @param [String] algorithm   The hashing-algorithm to use. See the openssl documentation for valid values.
+    # @param [Hash] default_opts  The default options for all calls that take opts
+    #
+    # @option default_opts [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
+    # @option default_opts [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    # @option default_opts [String]             :auth_header ('Authorization') The name of the authorization header to use
+    # @option default_opts [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
+    # @option default_opts [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
+    # @option default_opts [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
+    # @option default_opts [Bool]               :query_based (false) Whether to use query based authentication
+    # @option default_opts [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
+    #
+    def initialize(algorithm = "sha1", default_opts = {})
+      self.algorithm = algorithm
+      self.default_opts = {
+        :auth_scheme => "HMAC",
+        :auth_param => "auth",
+        :auth_header => "Authorization",
+        :auth_header_format => "%{auth_scheme} %{signature}",
+        :nonce_header => "X-%{scheme}-Nonce" % {:scheme => (default_opts[:auth_scheme] || "HMAC")},
+        :alternate_date_header => "X-%{scheme}-Date" % {:scheme => (default_opts[:auth_scheme] || "HMAC")},
+        :query_based => false,
+        :use_alternate_date_header => false
+      }.merge(default_opts)
+    
+    end
+  
+    # Generate the signature from a hash representation
+    # 
+    # returns nil if no secret or an empty secret was given
+    #
+    # @param [Hash] params the parameters to create the representation with
+    # @option params [String] :secret The secret to generate the signature with
+    # @option params [String] :method The HTTP Verb of the request
+    # @option params [String] :date The date of the request as it was formatted in the request
+    # @option params [String] :nonce ('') The nonce given in the request
+    # @option params [String] :path The path portion of the request
+    # @option params [Hash]   :query ({}) The query parameters given in the request. Must not contain the auth param.
+    # @option params [Hash]   :headers ({}) All headers given in the request (optional and required)
+    # @option params [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
+    # @option params [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    # @option params [String]             :auth_header ('Authorization') The name of the authorization header to use
+    # @option params [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
+    # @option params [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
+    # @option params [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
+    # @option params [Bool]               :query_based (false) Whether to use query based authentication
+    # @option params [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
+    #
+    # @return [String] the signature
+    def generate_signature(params)
+      secret = params.delete(:secret)
+      
+      # jruby stumbles over empty secrets, we regard them as invalid anyways, so we return an empty digest if no scret was given
+      if '' == secret.to_s
+        nil
+      else
+        OpenSSL::HMAC.hexdigest(algorithm, secret, canonical_representation(params))
+      end
+    end
+  
+    # compares the given signature with the signature created from a hash representation
+    #
+    # @param [String] signature the signature to compare with
+    # @param [Hash] params the parameters to create the representation with
+    # @option params [String] :secret The secret to generate the signature with
+    # @option params [String] :method The HTTP Verb of the request
+    # @option params [String] :date The date of the request as it was formatted in the request
+    # @option params [String] :nonce ('') The nonce given in the request
+    # @option params [String] :path The path portion of the request
+    # @option params [Hash]   :query ({}) The query parameters given in the request. Must not contain the auth param.
+    # @option params [Hash]   :headers ({}) All headers given in the request (optional and required)
+    # @option params [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
+    # @option params [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    # @option params [String]             :auth_header ('Authorization') The name of the authorization header to use
+    # @option params [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
+    # @option params [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
+    # @option params [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
+    # @option params [Bool]               :query_based (false) Whether to use query based authentication
+    # @option params [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
+    #
+    # @return [Bool] true if the signature matches
+    def validate_signature(signature, params)
+      signature == generate_signature(params)
+    end
+  
+    # convienience method to check the signature of a url with query-based authentication
+    #
+    # @param [String] url the url to test
+    # @param [String] secret the secret used to sign the url
+    # @param [Hash] opts Options controlling the singature generation
+    #
+    # @option opts [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    #
+    # @return [Bool] true if the signature is valid
+    def validate_url_signature(url, secret, opts = {})
+      opts = default_opts.merge(opts)
+      opts[:query_based] = true
+    
+      uri = Addressable::URI.parse(url)
+      query_values = uri.query_values
+      auth_params = query_values.delete(opts[:auth_param])
+    
+      date = auth_params["date"]
+      nonce = auth_params["nonce"]
+      validate_signature(auth_params["signature"], :secret => secret, :method => "GET", :path => uri.path, :date => date, :nonce => nonce, :query => query_values, :headers => {})
+    end
+  
+    # generates the canonical representation for a given request
+    # 
+    # @param [Hash] params the parameters to create the representation with
+    # @option params [String] :method The HTTP Verb of the request
+    # @option params [String] :date The date of the request as it was formatted in the request
+    # @option params [String] :nonce ('') The nonce given in the request
+    # @option params [String] :path The path portion of the request
+    # @option params [Hash]   :query ({}) The query parameters given in the request. Must not contain the auth param.
+    # @option params [Hash]   :headers ({}) All headers given in the request (optional and required)
+    # @option params [String] :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
+    # @option params [String] :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    # @option params [String] :auth_header ('Authorization') The name of the authorization header to use
+    # @option params [String] :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
+    # @option params [String] :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
+    # @option params [String] :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
+    # @option params [Bool]   :query_based (false) Whether to use query based authentication
+    # @option params [Bool]   :use_alternate_date_header (false) Use the alternate date header instead of `Date`
+    #
+    # @return [String] the canonical representation
+    def canonical_representation(params)
+      rep = ""
+    
+      rep << "#{params[:method].upcase}\n" 
+      rep << "date:#{params[:date]}\n"
+      rep << "nonce:#{params[:nonce]}\n"
+    
+      (params[:headers] || {}).sort.each do |pair|
+        name,value = *pair
+        rep << "#{name.downcase}:#{value}\n"
+      end
+    
+      rep << params[:path]
+    
+      p = (params[:query] || {}).dup
+    
+      if !p.empty?
+        query = p.sort.map do |key, value|
+          "%{key}=%{value}" % {
+            :key => Rack::Utils.unescape(key.to_s),
+            :value => Rack::Utils.unescape(value.to_s)
+          }
+        end.join("&")
+        rep << "?#{query}"
+      end
+    
+      rep
+    end
+  
+    # sign the given request
+    #
+    # @param [String] url     The url of the request
+    # @param [String] secret  The shared secret for the signature
+    # @param [Hash]   opts    Options for the signature generation
+    #
+    # @option opts [String]             :nonce ('')           The nonce to use in the signature
+    # @option opts [String, #strftime]  :date (Time.now)      The date to use in the signature
+    # @option opts [Hash]               :headers ({})         A list of optional headers to include in the signature
+    #                                   
+    # @option opts [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
+    # @option opts [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    # @option opts [String]             :auth_header ('Authorization') The name of the authorization header to use
+    # @option opts [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
+    # @option opts [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
+    # @option opts [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
+    # @option opts [Bool]               :query_based (false) Whether to use query based authentication
+    # @option opts [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
+    #
+    def sign_request(url, secret, opts = {})
+      opts = default_opts.merge(opts)
+    
+      uri = Addressable::URI.parse(url)
+      headers = opts[:headers] || {}
+    
+      date = opts[:date] || Time.now.gmtime
+      date = date.gmtime.strftime('%a, %e %b %Y %T GMT') if date.respond_to? :strftime
+    
+      signature = generate_signature(:secret => secret, :method => "GET", :path => uri.path, :date => date, :nonce => opts[:nonce], :query => uri.query_values, :headers => opts[:headers])
+      
+      if opts[:query_based]
+        auth_params = {
+          "date" => date,
+          "signature" => signature
+        }
+        auth_params[:nonce] = opts[:nonce] unless opts[:nonce].nil?
+      
+        query_values =  uri.query_values || {}
+        query_values[opts[:auth_param]] = auth_params
+        uri.query_values = query_values
+      else
+        headers[opts[:auth_header]]   = opts[:auth_header_format] % opts.merge({:signature => signature})
+        headers[opts[:nonce_header]]  = opts[:nonce] unless opts[:nonce].nil?
+      
+        if opts[:use_alternate_date_header] 
+          headers[opts[:alternate_date_header]] = date
+        else
+          headers["Date"] = date
+        end
+      end
+    
+      [headers, uri.to_s]
+    end
+  
+    # convienience method to sign a url for use with query-based authentication
+    #
+    # @param [String] url the url to sign
+    # @param [String] secret the secret used to sign the url
+    # @param [Hash] opts Options controlling the singature generation
+    #
+    # @option opts [String] :auth_param ('auth')   The name of the authentication param to use for query based authentication
+    #
+    # @return [String] The signed url
+    def sign_url(url, secret, opts = {})
+      opts = default_opts.merge(opts)
+      opts[:query_based] = true
+    
+      headers, url = *sign_request(url, secret, opts)
+      url  
+    end
+  
+  
+  end
+end

data/lib/hmac/strategies/base.rb

@@ -0,0 +1,178 @@
+require 'hmac/signer'
+require 'warden'
+
+
+module Warden
+  module Strategies
+    module HMAC
+      # Base class for hmac authentication in warden. Provides shared methods such as config access
+      # and various helpers.
+      #
+      # @author Felix Gilcher <felix.gilcher@asquera.de>
+      class Base < Warden::Strategies::Base
+  
+
+        # Performs authentication. Calls success! if authentication was performed successfully and halt!
+        # if the authentication information is invalid.
+        #
+        # Delegates parts of the work to signature_valid? which must be implemented in child-strategies.
+        #
+        # @see https://github.com/hassox/warden/wiki/Strategies
+        def authenticate!
+          if "" == secret.to_s
+            debug("authentication attempt with an empty secret")
+            return fail!("Cannot authenticate with an empty secret")
+          end
+    
+          if check_ttl? && !timestamp_valid?
+            debug("authentication attempt with an invalid timestamp. Given was #{timestamp}, expected was #{Time.now.gmtime}")
+            return fail!("Invalid timestamp")  
+          end
+    
+          if signature_valid?
+            success!(retrieve_user)
+          else
+            debug("authentication attempt with an invalid signature.")
+            fail!("Invalid token passed")
+          end
+        end
+  
+        # Retrieve the current request method
+        #
+        # @return [String] The request method in capital letters
+        def request_method
+          env['REQUEST_METHOD'].upcase
+        end
+  
+        # Retrieve the request query parameters
+        #
+        # @return [Hash] The query parameters
+        def params
+          request.GET
+        end
+  
+        # Retrieve the request headers. Header names are normalized by this method by stripping
+        # the `HTTP_`-prefix and replacing underscores with dashes. `HTTP_X_Foo` is normalized to
+        # `X-Foo`.
+        #
+        # @return [Hash] The request headers
+        def headers
+          pairs = env.select {|k,v| k.start_with? 'HTTP_'}
+              .collect {|pair| [pair[0].sub(/^HTTP_/, '').gsub(/_/, '-'), pair[1]]}
+              .sort
+           headers = Hash[*pairs.flatten]
+           headers   
+        end
+  
+        # Retrieve a user from the database. Stub implementation that just returns true, needed for compat.
+        #
+        # @return [Bool] true
+        def retrieve_user
+          true
+        end
+  
+        # Log a debug message if a logger is available.
+        #
+        # @param [String] msg The message to log
+        def debug(msg)
+          if logger
+            logger.debug(msg)
+          end
+        end
+  
+        # Retrieve a logger. Current implementation can
+        # only handle Padrino loggers
+        #
+        # @return [Logger] the logger, nil if none is available
+        def logger
+          if defined? Padrino
+            Padrino.logger
+          end
+        end
+  
+        private
+          def config
+            env["warden"].config[:scope_defaults][scope][:hmac]
+          end
+    
+          def auth_param
+            config[:auth_param] || "auth"
+          end
+    
+          def auth_header
+            config[:auth_header] || "Authorization"
+          end
+    
+          def auth_scheme_name
+            config[:auth_scheme] || "HMAC"
+          end
+    
+          def nonce_header_name
+            config[:nonce_header] || "X-#{auth_scheme_name}-Nonce"
+          end
+    
+          def alternate_date_header_name
+            config[:alternate_date_header] || "X-#{auth_scheme_name}-Date"
+          end
+
+          def optional_headers
+            (config[:optional_headers] || []) + ["Content-MD5", "Content-Type"]
+          end
+    
+          def lowercase_headers
+
+            if @lowercase_headers.nil?
+              tmp = headers.map do |name,value|
+                [name.downcase, value]
+              end
+              @lowercase_headers = Hash[*tmp.flatten]
+            end
+
+            @lowercase_headers
+          end
+    
+          def hmac
+            ::HMAC::Signer.new(algorithm)
+          end
+    
+          def algorithm
+            config[:algorithm] || "sha1"
+          end
+    
+          def ttl
+            config[:ttl].to_i
+          end
+    
+          def check_ttl?
+            !config[:ttl].nil?
+          end
+
+          def timestamp
+            Time.strptime(request_timestamp, '%a, %e %b %Y %T %z') unless request_timestamp.nil?
+          end
+    
+          def has_timestamp?
+            !timestamp.nil?
+          end
+    
+          def timestamp_valid?
+            now = Time.now.gmtime.to_i
+            timestamp.to_i <= (now + clockskew) && timestamp.to_i >= (now - ttl)
+          end
+    
+          def nonce_required?
+            !!config[:require_nonce]
+          end
+    
+          def secret
+            @secret ||= config[:secret].respond_to?(:call) ? config[:secret].call(self) : config[:secret]
+          end
+    
+          def clockskew
+            (config[:clockskew] || 5)
+          end
+    
+      end
+    end
+  end
+end

data/lib/hmac/strategies/header.rb

@@ -0,0 +1,98 @@
+require_relative 'base'
+
+module Warden
+  module Strategies
+    module HMAC
+      # Implements header-based hmac authentication for warden. The strategy is registered as
+      # `:hmac_header` in the warden strategy list.
+      #
+      # @author Felix Gilcher <felix.gilcher@asquera.de>
+      class Header < Warden::Strategies::HMAC::Base
+  
+        # Checks that this strategy applies. Tests that the required
+        # authentication information was given.
+        #
+        # @return [Bool] true if all required authentication information is available in the request
+        # @see https://github.com/hassox/warden/wiki/Strategies
+        def valid?
+          valid = required_headers.all? { |h| headers.include?(h) } && headers.include?("Authorization") && has_timestamp?
+          valid = valid && scheme_valid?
+          valid
+        end
+  
+        # Check that the signature given in the request is valid.
+        #
+        # @return [Bool] true if the request is valid
+        def signature_valid?
+    
+          #:method => "GET",
+          #:date => "Mon, 20 Jun 2011 12:06:11 GMT",
+          #:nonce => "TESTNONCE",
+          #:path => "/example",
+          #:query => {
+          #  "foo" => "bar",
+          #  "baz" => "foobared"
+          #},
+          #:headers => {
+          #  "Content-Type" => "application/json;charset=utf8",
+          #  "Content-MD5" => "d41d8cd98f00b204e9800998ecf8427e"
+          #}
+    
+          hmac.validate_signature(given_signature, {
+            :secret => secret,
+            :method => request_method,
+            :date => request_timestamp,
+            :nonce => nonce,
+            :path => request.path,
+            :query => params,
+            :headers => headers.select {|name, value| optional_headers.include? name}
+          })
+        end
+
+        # retrieve the signature from the request
+        #
+        # @return [String] The signature from the request
+        def given_signature
+          headers[auth_header].split(" ")[1]
+        end
+
+        # retrieve the nonce from the request
+        #
+        # @return [String] The nonce or an empty string if no nonce was given in the request
+        def nonce
+          headers[nonce_header_name]
+        end
+
+        # retrieve the request timestamp as string
+        #
+        # @return [String] The request timestamp or an empty string if no timestamp was given in the request
+        def request_timestamp
+          headers[date_header]
+        end
+  
+        private
+    
+          def required_headers
+            headers = [auth_header]
+            headers += [nonce_header_name] if nonce_required? 
+            headers
+          end
+
+          def scheme_valid?
+            headers[auth_header].to_s.split(" ").first == auth_scheme_name
+          end
+    
+          def date_header
+            if headers.include? alternate_date_header_name
+              alternate_date_header_name
+            else
+              "Date"
+            end
+          end
+      
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:hmac_header, Warden::Strategies::HMAC::Header)

data/lib/hmac/strategies/query.rb

@@ -0,0 +1,57 @@
+require_relative 'base'
+
+module Warden
+  module Strategies
+    module HMAC
+      # Implements query-based hmac authentication for warden. The strategy is registered as
+      # `:hmac_query` in the warden strategy list.
+      #
+      # @author Felix Gilcher <felix.gilcher@asquera.de>
+      class Warden::Strategies::HMAC::Query < Warden::Strategies::HMAC::Base
+  
+        # Checks that this strategy applies. Tests that the required
+        # authentication information was given.
+        #
+        # @return [Bool] true if all required authentication information is available in the request
+        # @see https://github.com/hassox/warden/wiki/Strategies
+        def valid?
+          valid = auth_info.include? "signature"
+          valid = valid && has_timestamp? if check_ttl?
+          valid = valid && has_nonce? if nonce_required?
+          valid
+        end
+
+        # Check that the signature given in the request is valid.
+        #
+        # @return [Bool] true if the request is valid
+        def signature_valid?
+          hmac.validate_url_signature(request.url, secret)
+        end
+  
+        # retrieve the authentication information from the request
+        #
+        # @return [Hash] the authentication info in the request
+        def auth_info
+          params[auth_param] || {}
+        end
+  
+        # retrieve the nonce from the request
+        #
+        # @return [String] The nonce or an empty string if no nonce was given in the request
+        def nonce
+          auth_info["nonce"] || ""
+        end
+  
+        # retrieve the request timestamp as string
+        #
+        # @return [String] The request timestamp or an empty string if no timestamp was given in the request
+        def request_timestamp
+          auth_info["date"] || ""
+        end
+      
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:hmac_query, Warden::Strategies::HMAC::Query)

data/lib/hmac/string/jruby.rb

@@ -0,0 +1,33 @@
+# this is a ruby workaround for jruby issue http://jira.codehaus.org/browse/JRUBY-5338
+
+if defined?(JRUBY_VERSION) && RUBY_VERSION =~ /^1\.9/
+  class KeyError < IndexError
+  end
+
+  class String
+    alias_method :old_format, :%
+    def %(replacements)
+      split_re = /(?<!%)(%{[^}]+})/
+      replace_re = /(?<!%)%{([^}]+)}/
+      if ! replacements.is_a? Hash 
+        if split_re.match self
+          raise ArgumentError, "one hash required"
+        else
+          return self.old_format replacements
+        end
+      end
+      segments = self.split split_re
+      segments.each_index do |i; md, key|
+        md = replace_re.match(segments[i])
+        if ! md.nil?
+          key = md.captures[0].to_sym
+          raise KeyError, "key[#{key}] not found" unless replacements.has_key?(key)
+          segments[i] = replacements[key]
+        else
+          segments[i] = segments[i].gsub "%%", "%"
+        end
+      end
+      segments.join
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: warden-hmac-authentication
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,12 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-07-16 00:00:00.000000000 +02:00
-default_executable: 
+date: 2011-12-13 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
-  requirement: &10322600 !ruby/object:Gem::Requirement
+  requirement: &2152266240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -23,10 +22,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *10322600
+  version_requirements: *2152266240
 - !ruby/object:Gem::Dependency
   name: rack
-  requirement: &10322100 !ruby/object:Gem::Requirement
+  requirement: &2152265520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -34,10 +33,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *10322100
+  version_requirements: *2152265520
 - !ruby/object:Gem::Dependency
   name: trollop
-  requirement: &10321580 !ruby/object:Gem::Requirement
+  requirement: &2152265000 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -45,10 +44,43 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *10321580
+  version_requirements: *2152265000
 - !ruby/object:Gem::Dependency
-  name: yard
-  requirement: &10321140 !ruby/object:Gem::Requirement
+  name: warden
+  requirement: &2152264180 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2152264180
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &2152263320 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2152263320
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: &2152262180 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2152262180
+- !ruby/object:Gem::Dependency
+  name: riot
+  requirement: &2152261120 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -56,10 +88,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *10321140
+  version_requirements: *2152261120
 - !ruby/object:Gem::Dependency
-  name: rdiscount
-  requirement: &10320640 !ruby/object:Gem::Requirement
+  name: timecop
+  requirement: &2152228000 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -67,10 +99,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *10320640
+  version_requirements: *2152228000
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &10320200 !ruby/object:Gem::Requirement
+  requirement: &2152227480 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -78,10 +110,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *10320200
+  version_requirements: *2152227480
 - !ruby/object:Gem::Dependency
   name: simplecov-html
-  requirement: &10319660 !ruby/object:Gem::Requirement
+  requirement: &2152226940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -89,7 +121,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *10319660
+  version_requirements: *2152226940
 description: ! "This gem provides request authentication via [HMAC](http://en.wikipedia.org/wiki/Hmac).
   The main usage is request based, noninteractive\n  authentication for API implementations.
   Two strategies are supported that differ mainly in how the authentication information
@@ -109,12 +141,12 @@ files:
 - README.md
 - Rakefile
 - LICENSE
-- lib/strategies/hmac_query_strategy.rb
-- lib/strategies/hmac_header_strategy.rb
-- lib/strategies/base.rb
-- lib/hmac_signer.rb
+- lib/hmac/signer.rb
+- lib/hmac/strategies/base.rb
+- lib/hmac/strategies/header.rb
+- lib/hmac/strategies/query.rb
+- lib/hmac/string/jruby.rb
 - bin/warden-hmac-authentication
-has_rdoc: true
 homepage: https://github.com/Asquera/warden-hmac-authentication
 licenses: []
 post_install_message: 
@@ -135,8 +167,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.6.2
+rubygems_version: 1.8.6
 signing_key: 
 specification_version: 3
 summary: Provides request based, non-interactive authentication for APIs
 test_files: []
+has_rdoc: 

data/lib/hmac_signer.rb

@@ -1,234 +0,0 @@
-require 'addressable/uri'
-require 'openssl'
-require 'rack/utils'
-
-
-# Helper class that provides signing capabilites for the hmac strategies.
-#
-# @author Felix Gilcher <felix.gilcher@asquera.de>
-class HMACSigner
-  attr_accessor :secret, :algorithm, :default_opts
-
-  # create a new HMAC instance
-  #
-  # @param [String] algorithm   The hashing-algorithm to use. See the openssl documentation for valid values.
-  # @param [Hash] default_opts  The default options for all calls that take opts
-  #
-  # @option default_opts [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
-  # @option default_opts [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  # @option default_opts [String]             :auth_header ('Authorization') The name of the authorization header to use
-  # @option default_opts [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
-  # @option default_opts [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
-  # @option default_opts [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
-  # @option default_opts [Bool]               :query_based (false) Whether to use query based authentication
-  # @option default_opts [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
-  #
-  def initialize(algorithm = "sha1", default_opts = {})
-    self.algorithm = algorithm
-    self.default_opts = {
-      :auth_scheme => "HMAC",
-      :auth_param => "auth",
-      :auth_header => "Authorization",
-      :auth_header_format => "%{auth_scheme} %{signature}",
-      :nonce_header => "X-%{scheme}-Nonce" % {:scheme => (default_opts[:auth_scheme] || "HMAC")},
-      :alternate_date_header => "X-%{scheme}-Date" % {:scheme => (default_opts[:auth_scheme] || "HMAC")},
-      :query_based => false,
-      :use_alternate_date_header => false
-    }.merge(default_opts)
-    
-  end
-  
-  # Generate the signature from a hash representation
-  #
-  # @param [Hash] params the parameters to create the representation with
-  # @option params [String] :secret The secret to generate the signature with
-  # @option params [String] :method The HTTP Verb of the request
-  # @option params [String] :date The date of the request as it was formatted in the request
-  # @option params [String] :nonce ('') The nonce given in the request
-  # @option params [String] :path The path portion of the request
-  # @option params [Hash]   :query ({}) The query parameters given in the request. Must not contain the auth param.
-  # @option params [Hash]   :headers ({}) All headers given in the request (optional and required)
-  # @option params [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
-  # @option params [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  # @option params [String]             :auth_header ('Authorization') The name of the authorization header to use
-  # @option params [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
-  # @option params [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
-  # @option params [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
-  # @option params [Bool]               :query_based (false) Whether to use query based authentication
-  # @option params [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
-  #
-  # @return [String] the signature
-  def generate_signature(params)
-    secret = params.delete(:secret)
-    OpenSSL::HMAC.hexdigest(algorithm, secret, canonical_representation(params))
-  end
-  
-  # compares the given signature with the signature created from a hash representation
-  #
-  # @param [String] signature the signature to compare with
-  # @param [Hash] params the parameters to create the representation with
-  # @option params [String] :secret The secret to generate the signature with
-  # @option params [String] :method The HTTP Verb of the request
-  # @option params [String] :date The date of the request as it was formatted in the request
-  # @option params [String] :nonce ('') The nonce given in the request
-  # @option params [String] :path The path portion of the request
-  # @option params [Hash]   :query ({}) The query parameters given in the request. Must not contain the auth param.
-  # @option params [Hash]   :headers ({}) All headers given in the request (optional and required)
-  # @option params [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
-  # @option params [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  # @option params [String]             :auth_header ('Authorization') The name of the authorization header to use
-  # @option params [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
-  # @option params [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
-  # @option params [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
-  # @option params [Bool]               :query_based (false) Whether to use query based authentication
-  # @option params [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
-  #
-  # @return [Bool] true if the signature matches
-  def validate_signature(signature, params)
-    signature == generate_signature(params)
-  end
-  
-  # convienience method to check the signature of a url with query-based authentication
-  #
-  # @param [String] url the url to test
-  # @param [String] secret the secret used to sign the url
-  # @param [Hash] opts Options controlling the singature generation
-  #
-  # @option opts [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  #
-  # @return [Bool] true if the signature is valid
-  def validate_url_signature(url, secret, opts = {})
-    opts = default_opts.merge(opts)
-    opts[:query_based] = true
-    
-    uri = Addressable::URI.parse(url)
-    query_values = uri.query_values
-    auth_params = query_values.delete(opts[:auth_param])
-    
-    date = auth_params["date"]
-    nonce = auth_params["nonce"]
-    validate_signature(auth_params["signature"], :secret => secret, :method => "GET", :path => uri.path, :date => date, :nonce => nonce, :query => query_values, :headers => {})
-  end
-  
-  # generates the canonical representation for a given request
-  # 
-  # @param [Hash] params the parameters to create the representation with
-  # @option params [String] :method The HTTP Verb of the request
-  # @option params [String] :date The date of the request as it was formatted in the request
-  # @option params [String] :nonce ('') The nonce given in the request
-  # @option params [String] :path The path portion of the request
-  # @option params [Hash]   :query ({}) The query parameters given in the request. Must not contain the auth param.
-  # @option params [Hash]   :headers ({}) All headers given in the request (optional and required)
-  # @option params [String] :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
-  # @option params [String] :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  # @option params [String] :auth_header ('Authorization') The name of the authorization header to use
-  # @option params [String] :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
-  # @option params [String] :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
-  # @option params [String] :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
-  # @option params [Bool]   :query_based (false) Whether to use query based authentication
-  # @option params [Bool]   :use_alternate_date_header (false) Use the alternate date header instead of `Date`
-  #
-  # @return [String] the canonical representation
-  def canonical_representation(params)
-    rep = ""
-    
-    rep << "#{params[:method].upcase}\n" 
-    rep << "date:#{params[:date]}\n"
-    rep << "nonce:#{params[:nonce]}\n"
-    
-    (params[:headers] || {}).sort.each do |pair|
-      name,value = *pair
-      rep << "#{name.downcase}:#{value}\n"
-    end
-    
-    rep << params[:path]
-    
-    p = (params[:query] || {}).dup
-    
-    if !p.empty?
-      query = p.sort.map do |key, value|
-        "%{key}=%{value}" % {
-          :key => Rack::Utils.unescape(key.to_s),
-          :value => Rack::Utils.unescape(value.to_s)
-        }
-      end.join("&")
-      rep << "?#{query}"
-    end
-    
-    rep
-  end
-  
-  # sign the given request
-  #
-  # @param [String] url     The url of the request
-  # @param [String] secret  The shared secret for the signature
-  # @param [Hash]   opts    Options for the signature generation
-  #
-  # @option opts [String]             :nonce ('')           The nonce to use in the signature
-  # @option opts [String, #strftime]  :date (Time.now)      The date to use in the signature
-  # @option opts [Hash]               :headers ({})         A list of optional headers to include in the signature
-  #                                   
-  # @option opts [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
-  # @option opts [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  # @option opts [String]             :auth_header ('Authorization') The name of the authorization header to use
-  # @option opts [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
-  # @option opts [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce
-  # @option opts [String]             :alternate_date_header ('X-#{auth_scheme}-Date') The header name for the alternate date header
-  # @option opts [Bool]               :query_based (false) Whether to use query based authentication
-  # @option opts [Bool]               :use_alternate_date_header (false) Use the alternate date header instead of `Date`
-  #
-  def sign_request(url, secret, opts = {})
-    opts = default_opts.merge(opts)
-    
-    uri = Addressable::URI.parse(url)
-    headers = opts[:headers] || {}
-    
-    date = opts[:date] || Time.now.gmtime
-    date = date.gmtime.strftime('%a, %e %b %Y %T GMT') if date.respond_to? :strftime
-    
-    signature = generate_signature(:secret => secret, :method => "GET", :path => uri.path, :date => date, :nonce => opts[:nonce], :query => uri.query_values, :headers => opts[:headers])
-      
-    if opts[:query_based]
-      auth_params = {
-        "date" => date,
-        "signature" => signature
-      }
-      auth_params[:nonce] = opts[:nonce] unless opts[:nonce].nil?
-      
-      query_values =  uri.query_values || {}
-      query_values[opts[:auth_param]] = auth_params
-      uri.query_values = query_values
-    else
-      headers[opts[:auth_header]]   = opts[:auth_header_format] % opts.merge({:signature => signature})
-      headers[opts[:nonce_header]]  = opts[:nonce] unless opts[:nonce].nil?
-      
-      if opts[:use_alternate_date_header] 
-        headers[opts[:alternate_date_header]] = date
-      else
-        headers["Date"] = date
-      end
-    end
-    
-    [headers, uri.to_s]
-  end
-  
-  # convienience method to sign a url for use with query-based authentication
-  #
-  # @param [String] url the url to sign
-  # @param [String] secret the secret used to sign the url
-  # @param [Hash] opts Options controlling the singature generation
-  #
-  # @option opts [String] :auth_param ('auth')   The name of the authentication param to use for query based authentication
-  #
-  # @return [String] The signed url
-  def sign_url(url, secret, opts = {})
-    opts = default_opts.merge(opts)
-    opts[:query_based] = true
-    
-    headers, url = *sign_request(url, secret, opts)
-    url  
-  end
-  
-  
-end
-

data/lib/strategies/base.rb

@@ -1,173 +0,0 @@
-require 'hmac_signer'
-require 'warden'
-
-
-# Base class for hmac authentication in warden. Provides shared methods such as config access
-# and various helpers.
-#
-# @author Felix Gilcher <felix.gilcher@asquera.de>
-class Warden::Strategies::HMACBase < Warden::Strategies::Base
-  
-
-  # Performs authentication. Calls success! if authentication was performed successfully and halt!
-  # if the authentication information is invalid.
-  #
-  # Delegates parts of the work to signature_valid? which must be implemented in child-strategies.
-  #
-  # @see https://github.com/hassox/warden/wiki/Strategies
-  def authenticate!
-    if "" == secret.to_s
-      debug("authentication attempt with an empty secret")
-      return fail!("Cannot authenticate with an empty secret")
-    end
-    
-    if check_ttl? && !timestamp_valid?
-      debug("authentication attempt with an invalid timestamp. Given was #{timestamp}, expected was #{Time.now.gmtime}")
-      return fail!("Invalid timestamp")  
-    end
-    
-    if signature_valid?
-      success!(retrieve_user)
-    else
-      debug("authentication attempt with an invalid signature.")
-      fail!("Invalid token passed")
-    end
-  end
-  
-  # Retrieve the current request method
-  #
-  # @return [String] The request method in capital letters
-  def request_method
-    env['REQUEST_METHOD'].upcase
-  end
-  
-  # Retrieve the request query parameters
-  #
-  # @return [Hash] The query parameters
-  def params
-    request.GET
-  end
-  
-  # Retrieve the request headers. Header names are normalized by this method by stripping
-  # the `HTTP_`-prefix and replacing underscores with dashes. `HTTP_X_Foo` is normalized to
-  # `X-Foo`.
-  #
-  # @return [Hash] The request headers
-  def headers
-    pairs = env.select {|k,v| k.start_with? 'HTTP_'}
-        .collect {|pair| [pair[0].sub(/^HTTP_/, '').gsub(/_/, '-'), pair[1]]}
-        .sort
-     headers = Hash[*pairs.flatten]
-     headers   
-  end
-  
-  # Retrieve a user from the database. Stub implementation that just returns true, needed for compat.
-  #
-  # @return [Bool] true
-  def retrieve_user
-    true
-  end
-  
-  # Log a debug message if a logger is available.
-  #
-  # @param [String] msg The message to log
-  def debug(msg)
-    if logger
-      logger.debug(msg)
-    end
-  end
-  
-  # Retrieve a logger. Current implementation can
-  # only handle Padrino loggers
-  #
-  # @return [Logger] the logger, nil if none is available
-  def logger
-    if defined? Padrino
-      Padrino.logger
-    end
-  end
-  
-  private
-    def config
-      env["warden"].config[:scope_defaults][scope][:hmac]
-    end
-    
-    def auth_param
-      config[:auth_param] || "auth"
-    end
-    
-    def auth_header
-      config[:auth_header] || "Authorization"
-    end
-    
-    def auth_scheme_name
-      config[:auth_scheme] || "HMAC"
-    end
-    
-    def nonce_header_name
-      config[:nonce_header] || "X-#{auth_scheme_name}-Nonce"
-    end
-    
-    def alternate_date_header_name
-      config[:alternate_date_header] || "X-#{auth_scheme_name}-Date"
-    end
-
-    def optional_headers
-      (config[:optional_headers] || []) + ["Content-MD5", "Content-Type"]
-    end
-    
-    def lowercase_headers
-
-      if @lowercase_headers.nil?
-        tmp = headers.map do |name,value|
-          [name.downcase, value]
-        end
-        @lowercase_headers = Hash[*tmp.flatten]
-      end
-
-      @lowercase_headers
-    end
-    
-    def hmac
-      HMACSigner.new(algorithm)
-    end
-    
-    def algorithm
-      config[:algorithm] || "sha1"
-    end
-    
-    def ttl
-      config[:ttl].to_i
-    end
-    
-    def check_ttl?
-      !config[:ttl].nil?
-    end
-
-    def timestamp
-      Time.strptime(request_timestamp, '%a, %e %b %Y %T %z') unless request_timestamp.nil?
-    end
-    
-    def has_timestamp?
-      !timestamp.nil?
-    end
-    
-    def timestamp_valid?
-      now = Time.now.gmtime.to_i
-      timestamp.to_i <= (now + clockskew) && timestamp.to_i >= (now - ttl)
-    end
-    
-    def nonce_required?
-      !!config[:require_nonce]
-    end
-    
-    def secret
-      @secret ||= config[:secret].respond_to?(:call) ? config[:secret].call(self) : config[:secret]
-    end
-    
-    def clockskew
-      (config[:clockskew] || 5)
-    end
-    
-    
-end

data/lib/strategies/hmac_header_strategy.rb

@@ -1,94 +0,0 @@
-require_relative 'base'
-
-# Implements header-based hmac authentication for warden. The strategy is registered as
-# `:hmac_header` in the warden strategy list.
-#
-# @author Felix Gilcher <felix.gilcher@asquera.de>
-class Warden::Strategies::HMACHeader < Warden::Strategies::HMACBase
-  
-  # Checks that this strategy applies. Tests that the required
-  # authentication information was given.
-  #
-  # @return [Bool] true if all required authentication information is available in the request
-  # @see https://github.com/hassox/warden/wiki/Strategies
-  def valid?
-    valid = required_headers.all? { |h| headers.include?(h) } && headers.include?("Authorization") && has_timestamp?
-    valid = valid && scheme_valid?
-    valid
-  end
-  
-  # Check that the signature given in the request is valid.
-  #
-  # @return [Bool] true if the request is valid
-  def signature_valid?
-    
-    #:method => "GET",
-    #:date => "Mon, 20 Jun 2011 12:06:11 GMT",
-    #:nonce => "TESTNONCE",
-    #:path => "/example",
-    #:query => {
-    #  "foo" => "bar",
-    #  "baz" => "foobared"
-    #},
-    #:headers => {
-    #  "Content-Type" => "application/json;charset=utf8",
-    #  "Content-MD5" => "d41d8cd98f00b204e9800998ecf8427e"
-    #}
-    
-    hmac.validate_signature(given_signature, {
-      :secret => secret,
-      :method => request_method,
-      :date => request_timestamp,
-      :nonce => nonce,
-      :path => request.path,
-      :query => params,
-      :headers => headers.select {|name, value| optional_headers.include? name}
-    })
-  end
-
-  # retrieve the signature from the request
-  #
-  # @return [String] The signature from the request
-  def given_signature
-    headers[auth_header].split(" ")[1]
-  end
-
-  # retrieve the nonce from the request
-  #
-  # @return [String] The nonce or an empty string if no nonce was given in the request
-  def nonce
-    headers[nonce_header_name]
-  end
-
-  # retrieve the request timestamp as string
-  #
-  # @return [String] The request timestamp or an empty string if no timestamp was given in the request
-  def request_timestamp
-    headers[date_header]
-  end
-  
-  private
-    
-    def required_headers
-      headers = [auth_header]
-      headers += [nonce_header_name] if nonce_required? 
-      headers
-    end
-
-    def scheme_valid?
-      headers[auth_header].to_s.split(" ").first == auth_scheme_name
-    end
-    
-    def date_header
-      if headers.include? alternate_date_header_name
-        alternate_date_header_name
-      else
-        "Date"
-      end
-    end
-    
-
-      
-end
-
-Warden::Strategies.add(:hmac_header, Warden::Strategies::HMACHeader)

data/lib/strategies/hmac_query_strategy.rb

@@ -1,52 +0,0 @@
-require_relative 'base'
-
-
-# Implements query-based hmac authentication for warden. The strategy is registered as
-# `:hmac_query` in the warden strategy list.
-#
-# @author Felix Gilcher <felix.gilcher@asquera.de>
-class Warden::Strategies::HMACQuery < Warden::Strategies::HMACBase
-  
-  # Checks that this strategy applies. Tests that the required
-  # authentication information was given.
-  #
-  # @return [Bool] true if all required authentication information is available in the request
-  # @see https://github.com/hassox/warden/wiki/Strategies
-  def valid?
-    valid = auth_info.include? "signature"
-    valid = valid && has_timestamp? if check_ttl?
-    valid = valid && has_nonce? if nonce_required?
-    valid
-  end
-
-  # Check that the signature given in the request is valid.
-  #
-  # @return [Bool] true if the request is valid
-  def signature_valid?
-    hmac.validate_url_signature(request.url, secret)
-  end
-  
-  # retrieve the authentication information from the request
-  #
-  # @return [Hash] the authentication info in the request
-  def auth_info
-    params[auth_param] || {}
-  end
-  
-  # retrieve the nonce from the request
-  #
-  # @return [String] The nonce or an empty string if no nonce was given in the request
-  def nonce
-    auth_info["nonce"] || ""
-  end
-  
-  # retrieve the request timestamp as string
-  #
-  # @return [String] The request timestamp or an empty string if no timestamp was given in the request
-  def request_timestamp
-    auth_info["date"] || ""
-  end
-      
-end
-
-Warden::Strategies.add(:hmac_query, Warden::Strategies::HMACQuery)