pax_global_header00006660000000000000000000000064120442005730014507gustar00rootroot0000000000000052 comment=6bca3c03826560bbd69e1c94d2ada8e97623feae ruby-httpauth-0.2.0/000077500000000000000000000000001204420057300143265ustar00rootroot00000000000000ruby-httpauth-0.2.0/LICENSE000066400000000000000000000021631204420057300153350ustar00rootroot00000000000000Copyright (C) 2006-2011 Manfred Stienstra , Fingertips, Tim Olsen Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ruby-httpauth-0.2.0/README.md000066400000000000000000000034551204420057300156140ustar00rootroot00000000000000HTTPauth ====== HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication. We aim to make HTTPAuth as compliant as possible. HTTPAuth is built to be completely agnostic of the HTTP implementation. If you have access to your webserver's headers you can use this library to implement authentication. This project is currently under development, don't use it in mission critical applications. ## Getting started If you want to implement authentication for your application you should probably start by looking at the various examples. In the examples directory is an implementation of an HTTP client and server, you can use these to test your implementation. The examples are basic implementations of the protocol. ## Limitations Currently the library doesn't check for consistency of the directives in the various headers, this means that implementations using this library can be vulnerable to request replay attacks. This will obviously be addressed before the final release. ## Plugins ### Ruby on Rails A plugin for Ruby on Rails can be found here: https://fngtps.com/svn/rails-plugins/trunk/digest_authentication ## Known client implementation issues ### Safari Safari doesn't understand and parse the algorithm and qop directives correctly. For instance: it sends qop=auth as qop="auth" and when multiple qop values are suggested by the server, no authentication is triggered. ### Internet Explorer The qop and algorithm bug quoting bugs are also present in IE. IE doesn't use the full URI for digest calculation, it chops off the query parameters. So a request on /script?q=a will response with uri='/script'. ## Known server implementation issues Apache 2.0 sends Authorization-Info headers without a nextnonce directive.ruby-httpauth-0.2.0/lib/000077500000000000000000000000001204420057300150745ustar00rootroot00000000000000ruby-httpauth-0.2.0/lib/httpauth.rb000066400000000000000000000001551204420057300172630ustar00rootroot00000000000000require 'httpauth/constants' require 'httpauth/exceptions' require 'httpauth/basic' require 'httpauth/digest'ruby-httpauth-0.2.0/lib/httpauth/000077500000000000000000000000001204420057300167355ustar00rootroot00000000000000ruby-httpauth-0.2.0/lib/httpauth/basic.rb000066400000000000000000000115031204420057300203430ustar00rootroot00000000000000%w(base64 httpauth/exceptions httpauth/constants).each { |l| require l } module HTTPAuth # = Basic # # The Basic class provides a number of methods to handle HTTP Basic Authentication. In Basic Authentication # the server sends a challenge and the client has to respond to that with the correct credentials. These # credentials will have to be sent with every request from that point on. # # == On the server # # On the server you will have to check the headers for the 'Authorization' header. When you find one unpack # it and check it against your database of credentials. If the credentials are wrong you have to return a # 401 status message and a challenge, otherwise proceed as normal. The code is meant as an example, not as # runnable code. # # def check_authentication(request, response) # credentials = HTTPAuth::Basic.unpack_authorization(request['Authorization']) # if ['admin', 'secret'] == credentials # response.status = 200 # return true # else # response.status = 401 # response['WWW-Authenticate'] = HTTPAuth::Basic.pack_challenge('Admin Pages') # return false # end # end # # == On the client # # On the client you have to detect the WWW-Authenticate header sent from the server. Once you find one you _should_ # send credentials for that resource any resource 'deeper in the URL space'. You _may_ send the credentials for # every request without a WWW-Authenticate challenge. Note that credentials are valid for a realm, a server can # use multiple realms for different resources. The code is meant as an example, not as runnable code. # # def get_credentials_from_user_for(realm) # if realm == 'Admin Pages' # return ['admin', 'secret'] # else # return [nil, nil] # end # end # # def handle_authentication(response, request) # unless response['WWW-Authenticate'].nil? # realm = HTTPAuth::Basic.unpack_challenge(response['WWW-Authenticate]) # @credentials[realm] ||= get_credentials_from_user_for(realm) # @last_realm = realm # end # unless @last_realm.nil? # request['Authorization'] = HTTPAuth::Basic.pack_authorization(*@credentials[@last_realm]) # end # end class Basic class << self # Unpacks the HTTP Basic 'Authorization' credential header # # * authorization: The contents of the Authorization header # * Returns a list with two items: the username and password def unpack_authorization(authorization) d = authorization.split ' ' raise ArgumentError.new("HTTPAuth::Basic can only unpack Basic Authentication headers") unless d[0] == 'Basic' Base64.decode64(d[1]).split(':')[0..1] end # Packs HTTP Basic credentials to an 'Authorization' header # # * username: A string with the username # * password: A string with the password def pack_authorization(username, password) "Basic %s" % Base64.encode64("#{username}:#{password}").gsub("\n", '') end # Returns contents for the WWW-authenticate header # # * realm: A string with a recognizable title for the restricted resource def pack_challenge(realm) "Basic realm=\"%s\"" % realm.gsub('"', '') end # Returns the name of the realm in a WWW-Authenticate header # # * authenticate: The contents of the WWW-Authenticate header def unpack_challenge(authenticate) if authenticate =~ /Basic\srealm=\"([^\"]*)\"/ return $1 else if authenticate =~ /^Basic/ raise UnwellformedHeader.new("Can't parse the WWW-Authenticate header, it's probably not well formed") else raise ArgumentError.new("HTTPAuth::Basic can only unpack Basic Authentication headers") end end end # Finds and unpacks the authorization credentials in a hash with the CGI enviroment. Returns [nil,nil] if no # credentials were found. See HTTPAuth::CREDENTIAL_HEADERS for supported variable names. # # _Note for Apache_: normally the Authorization header can be found in the HTTP_AUTHORIZATION env variable, # but Apache's mod_auth removes the variable from the enviroment. You can work around this by renaming # the variable in your apache configuration (or .htaccess if allowed). For example: rewrite the variable # for every request on /admin/*. # # RewriteEngine on # RewriteRule ^admin/ - [E=X-HTTP-AUTHORIZATION:%{HTTP:Authorization}] def get_credentials(env) d = HTTPAuth::CREDENTIAL_HEADERS.inject(false) { |d,h| env[h] || d } return unpack_authorization(d) unless !d or d.nil? or d.empty? [nil, nil] end end end endruby-httpauth-0.2.0/lib/httpauth/constants.rb000066400000000000000000000011521204420057300212750ustar00rootroot00000000000000# HTTPAuth holds a number of classes and constants to implement HTTP Authentication with. See Basic or Digest for # details on how to implement authentication using this library. # # For more information see RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt) module HTTPAuth VERSION = '0.2' CREDENTIAL_HEADERS = %w{REDIRECT_X_HTTP_AUTHORIZATION X-HTTP-AUTHORIZATION X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION} SUPPORTED_SCHEMES = { :basic => 'Basic', :digest => 'Digest' } SUPPORTED_QOPS = ['auth', 'auth-int'] SUPPORTED_ALGORITHMS = ['MD5', 'MD5-sess'] PREFERRED_QOP = 'auth' PREFERRED_ALGORITHM = 'MD5' endruby-httpauth-0.2.0/lib/httpauth/digest.rb000066400000000000000000000631721204420057300205520ustar00rootroot00000000000000%w(tmpdir digest/md5 base64 httpauth/exceptions httpauth/constants).each { |l| require l } module HTTPAuth # = Digest # # The Digest class provides a number of methods to handle HTTP Digest Authentication. Generally the server # sends a challenge to the client a resource that needs authorization and the client tries to respond with # the correct credentials. Digest authentication rapidly becomes more complicated after that, if you want to # build an implementation I suggest you at least skim RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt). # # == Examples # # Digest authentication examples are too large to include in source documentation. Please consult the examples # directory for client and server implementations. # # The classes and code of the library are set up to be as transparent as possible so integrating the library # with any implementation talking HTTP, either trough CGI or directly should be possible. # # == The 'Digest' # # In Digest authentication the client's credentials are never sent in plain text over HTTP. You don't even have # to store the passwords in plain text on the server to authenticate clients. The library doesn't force you to # use the digest mechanism, it also works by specifying the username, password and realm. If you do decided to # use digests you can generate them in the following way: # # H(username + ':' + realm + ':' + password) # # Where H returns the MD5 hexdigest of the string. The Utils class defines a method to calculate the digest. # # HTTPAuth::Digest::Utils.htdigest(username, realm, password) # # The format of this digest is the same in most implementations. Apache's htdigest tool for instance # stores the digests in a textfile like this: # # username:realm:digest # # == Security # # Digest authentication is quite a bit more secure than Basic authentication, but it isn't as secure as SSL. # The biggest difference between Basic and Digest authentication is that Digest authentication doesn't send # clear text passwords, but only an MD5 digest. Recent developments in password cracking and mathematics have # found several ways to create collisions with MD5 hashes and it's not infinitely secure. However, it currently # still takes a lot of computing power to crack MD5 digests. Checking for brute force attacks in your applications # and routinely changing the user credentials and maybe even the realm makes it a lot harder for a cracker to # abuse your application. module Digest # Utils contains all sort of conveniance methods for the header container classes. Implementations shouldn't have # to call any methods on Utils. class Utils class << self # Encodes a hash with digest directives to send in a header. # # * h: The directives specified in a hash # * variant: Specifies whether the directives are for an Authorize header (:credentials), # for a WWW-Authenticate header (:challenge) or for a Authentication-Info header (:auth_info). def encode_directives(h, variant) encode = {:domain => :list_to_space_quoted_string, :algorithm => false, :stale => :bool_to_str, :nc => :int_to_hex} if [:credentials, :auth].include? variant encode.merge! :qop => false elsif variant == :challenge encode.merge! :qop => :list_to_comma_quoted_string else raise ArgumentError.new("#{variant} is not a valid value for `variant' use :auth, :credentials or :challenge") end (variant == :auth ? '' : 'Digest ') + h.collect do |directive, value| '' << directive.to_s << '=' << if encode[directive] begin Conversions.send encode[directive], value rescue NoMethodError, ArgumentError raise ArgumentError.new("Can't encode #{directive}(#{value.inspect}) with #{encode[directive]}") end elsif encode[directive].nil? begin Conversions.quote_string value rescue NoMethodError, ArgumentError raise ArgumentError.new("Can't encode #{directive}(#{value.inspect}) with quote_string") end else value end end.join(", ") end # Decodes digest directives from a header. Returns a hash with directives. # # * directives: The directives # * variant: Specifies whether the directives are for an Authorize header (:credentials), # for a WWW-Authenticate header (:challenge) or for a Authentication-Info header (:auth_info). def decode_directives(directives, variant) raise HTTPAuth::UnwellformedHeader.new("Can't decode directives which are nil") if directives.nil? decode = {:domain => :space_quoted_string_to_list, :algorithm => false, :stale => :str_to_bool, :nc => :hex_to_int} if [:credentials, :auth].include? variant decode.merge! :qop => false elsif variant == :challenge decode.merge! :qop => :comma_quoted_string_to_list else raise ArgumentError.new("#{variant} is not a valid value for `variant' use :auth, :credentials or :challenge") end start = 0 unless variant == :auth # The first six characters are 'Digest ' start = 6 scheme = directives[0..6].strip raise HTTPAuth::UnwellformedHeader.new("Scheme should be Digest, server responded with `#{directives}'") unless scheme == 'Digest' end # The rest are the directives # TODO: split is ugly, I want a real parser (: directives[start..-1].split(',').inject({}) do |h,part| parts = part.split('=') name = parts[0].strip.intern value = parts[1..-1].join('=').strip # --- HACK # IE and Safari qoute qop values # IE also quotes algorithm values if variant != :challenge and [:qop, :algorithm].include?(name) and value =~ /^\"[^\"]+\"$/ value = Conversions.unquote_string(value) end # --- END HACK if decode[name] h[name] = Conversions.send decode[name], value elsif decode[name].nil? h[name] = Conversions.unquote_string value else h[name] = value end h end end # Concat arguments the way it's done frequently in the Digest spec. # # digest_concat('a', 'b') #=> "a:b" # digest_concat('a', 'b', c') #=> "a:b:c" def digest_concat(*args); args.join ':'; end # Calculate the MD5 hexdigest for the string data def digest_h(data); ::Digest::MD5.hexdigest data; end # Calculate the KD value of a secret and data as explained in the RFC. def digest_kd(secret, data); digest_h digest_concat(secret, data); end # Calculate the Digest for the credentials def htdigest(username, realm, password) digest_h digest_concat(username, realm, password) end # Calculate the H(A1) as explain in the RFC. If h[:digest] is set, it's used instead # of calculating H(username ":" realm ":" password). def digest_a1(h, s) # TODO: check for known algorithm values (look out for the IE algorithm quote bug) if h[:algorithm] == 'MD5-sess' digest_h digest_concat( h[:digest] || htdigest(h[:username], h[:realm], h[:password]), h[:nonce], h[:cnonce] ) else h[:digest] || htdigest(h[:username], h[:realm], h[:password]) end end # Calculate the H(A2) for the Authorize header as explained in the RFC. def request_digest_a2(h) # TODO: check for known qop values (look out for the safari qop quote bug) if h[:qop] == 'auth-int' digest_h digest_concat(h[:method], h[:uri], digest_h(h[:request_body])) else digest_h digest_concat(h[:method], h[:uri]) end end # Calculate the H(A2) for the Authentication-Info header as explained in the RFC. def response_digest_a2(h) if h[:qop] == 'auth-int' digest_h ':' + digest_concat(h[:uri], digest_h(h[:response_body])) else digest_h ':' + h[:uri] end end # Calculate the digest value for the directives as explained in the RFC. # # * variant: Either :request or :response, as seen from the server. def calculate_digest(h, s, variant) raise ArgumentError.new("Variant should be either :request or :response, not #{variant}") unless [:request, :response].include?(variant) # Compatability with RFC 2069 if h[:qop].nil? digest_kd digest_a1(h, s), digest_concat( h[:nonce], send("#{variant}_digest_a2".intern, h) ) else digest_kd digest_a1(h, s), digest_concat( h[:nonce], Conversions.int_to_hex(h[:nc]), h[:cnonce], h[:qop], send("#{variant}_digest_a2".intern, h) ) end end # Return a hash with the keys in keys found in h. # # Example # # filter_h_on({1=>1,2=>2}, [1]) #=> {1=>1} # filter_h_on({1=>1,2=>2}, [1, 2]) #=> {1=>1,2=>2} def filter_h_on(h, keys) h.inject({}) { |r,l| keys.include?(l[0]) ? r.merge({l[0]=>l[1]}) : r } end # Create a nonce value of the time and a salt. The nonce is created in such a # way that the issuer can check the age of the nonce. # # * salt: A reasonably long passphrase known only to the issuer. def create_nonce(salt) now = Time.now time = now.strftime("%Y-%m-%d %H:%M:%S").to_s + ':' + now.usec.to_s Base64.encode64( digest_concat( time, digest_h(digest_concat(time, salt)) ) ).gsub("\n", '')[0..-3] end # Create a 32 character long opaque string with a 'random' value def create_opaque s = []; 16.times { s << rand(127).chr } digest_h s.join end end end # Superclass for all the header container classes class AbstractHeader # holds directives and values for digest calculation attr_reader :h # Redirects attribute messages to the internal directives # # Example: # # class Credentials < AbstractHeader # def initialize # @h = { :username => 'Ben' } # end # end # # c = Credentials.new # c.username #=> 'Ben' # c.username = 'Mary' # c.username #=> 'Mary' def method_missing(m, *a) if ((m.to_s =~ /^(.*)=$/) == 0) and @h.keys.include?($1.intern) @h[$1.intern] = a[0] elsif @h.keys.include? m @h[m] else raise NameError.new("undefined method `#{m}' for #{self}") end end end # The Credentials class handlers the Authorize header. The Authorize header is sent by a client who wants to # let the server know he has the credentials needed to access a resource. # # See the Digest module for examples class Credentials < AbstractHeader # Holds an explanation why validate returned false. attr_reader :reason # Parses the information from an Authorize header and creates a new Credentials instance with the information. # The options hash allows you to specify additional information. # # * authorization: The contents of the Authorize header # See initialize for valid options. def self.from_header(authorization, options={}) new Utils.decode_directives(authorization, :credentials), options end # Creates a new Credential instance based on a Challenge instance. # # * challenge: A Challenge instance # See initialize for valid options. def self.from_challenge(challenge, options={}) credentials = new challenge.h credentials.update_from_challenge! options credentials end def self.load(filename, options={}) h = nil File.open(filename, 'r') do |f| h = Marshal.load f end new h, options end # Create a new instance. # # * h: A Hash with directives, normally this is filled with the directives coming from a Challenge instance. # * options: Used to set or override data from the Authorize header and add additional parameters. # * :username: Mostly set by a client to send the username # * :password: Mostly set by a client to send the password, set either this or the digest # * :digest: Mostly set by a client to send a digest, set either this or the digest. For more # information about digests see Digest. # * :uri: Mostly set by the client to send the uri # * :method: The HTTP Method used by the client to send the request, this should be an uppercase string # with the name of the verb. def initialize(h, options={}) @h = h @h.merge! options session = Session.new h[:opaque], :tmpdir => options[:tmpdir] @s = session.load @reason = 'There has been no validation yet' end # Convenience method, basically an alias for validate(options.merge(:password => password)) def validate_password(password, options={}) options[:password] = password validate(options) end # Convenience method, basically an alias for validate(options.merge(:digest => digest)) def validate_digest(digest, options={}) options[:digest] = digest validate(options) end # Validates the credential information stored in the Credentials instance. Returns true or # false. You can read the ue # # * options: The extra options needed to validate the credentials. A server implementation should # provide the :method and a :password or :digest. # * :method: The HTTP Verb in uppercase, ie. GET or POST. # * :password: The password for the sent username and realm, either a password or digest should be # provided. # * :digest: The digest for the specified username and realm, either a digest or password should be # provided. def validate(options) ho = @h.merge(options) raise ArgumentError.new("You have to set the :request_body value if you want to use :qop => 'auth-int'") if @h[:qop] == 'auth-int' and ho[:request_body].nil? raise ArgumentError.new("Please specify the request method :method (ie. GET)") if ho[:method].nil? calculated_response = Utils.calculate_digest(ho, @s, :request) if ho[:response] == calculated_response @reason = '' return true else @reason = "Response isn't the same as computed response #{ho[:response]} != #{calculated_response} for #{ho.inspect}" end false end # Encodeds directives and returns a string that can be used in the Authorize header def to_header Utils.encode_directives Utils.filter_h_on(@h, [:username, :realm, :nonce, :uri, :response, :algorithm, :cnonce, :opaque, :qop, :nc]), :credentials end # Updates @h from options, generally called after an instance was created with from_challenge. def update_from_challenge!(options) # TODO: integrity checks @h[:username] = options[:username] @h[:password] = options[:password] @h[:digest] = options[:digest] @h[:uri] = options[:uri] @h[:method] = options[:method] @h[:request_body] = options[:request_body] unless @h[:qop].nil? # Determine the QOP if !options[:qop].nil? and @h[:qop].include?(options[:qop]) @h[:qop] = options[:qop] elsif @h[:qop].include?(HTTPAuth::PREFERRED_QOP) @h[:qop] = HTTPAuth::PREFERRED_QOP else qop = @h[:qop].detect { |qop| HTTPAuth::SUPPORTED_QOPS.include? qop } unless qop.nil? @h[:qop] = qop else raise UnsupportedError.new("HTTPAuth doesn't support any of the proposed qop values: #{@h[:qop].inspect}") end end @h[:cnonce] ||= Utils.create_nonce options[:salt] @h[:nc] ||= 1 unless @h[:qop].nil? end @h[:response] = Utils.calculate_digest(@h, @s, :request) end def dump_sans_creds(filename) File.open(filename, 'w') do |f| Marshal.dump(Utils.filter_h_on(@h, [:username, :realm, :nonce, :algorithm, :cnonce, :opaque, :qop, :nc]), f) end end end # The Challenge class handlers the WWW-Authenticate header. The WWW-Authenticate header is sent by a server when # accessing a resource without credentials is prohibided. The header should always be sent together with a 401 # status. # # See the Digest module for examples class Challenge < AbstractHeader # Parses the information from a WWW-Authenticate header and creates a new WWW-Authenticate instance with this # data. # # * challenge: The contents of a WWW-Authenticate header # See initialize for valid options. def self.from_header(challenge, options={}) new Utils.decode_directives(challenge, :challenge), options end # Create a new instance. # # * h: A Hash with directives, normally this is filled with directives coming from a Challenge instance. # * options: Use to set of override data from the WWW-Authenticate header # * :realm: The name of the realm the client should authenticate for. The RFC suggests to use a string # like 'admin@yourhost.domain.com'. Be sure to use a reasonably long string to avoid brute force attacks. # * :qop: A list with supported qop values. For example: ['auth-int']. This will default # to ['auth']. Although this implementation supports both auth and auth-int, most # implementations don't. Some implementations get confused when they receive anything but 'auth'. For # maximum compatibility you should leave this setting alone. # * :algorithm: The preferred algorithm for calculating the digest. For # example: 'MD5-sess'. This will default to 'MD5'. For # maximum compatibility you should leave this setting alone. # def initialize(h, options={}) @h = h @h.merge! options end # Encodes directives and returns a string that can be used as the WWW-Authenticate header def to_header @h[:nonce] ||= Utils.create_nonce @h[:salt] @h[:opaque] ||= Utils.create_opaque @h[:algorithm] ||= HTTPAuth::PREFERRED_ALGORITHM @h[:qop] ||= [HTTPAuth::PREFERRED_QOP] Utils.encode_directives Utils.filter_h_on(@h, [:realm, :domain, :nonce, :opaque, :stale, :algorithm, :qop]), :challenge end end # The AuthenticationInfo class handles the Authentication-Info header. Sending Authentication-Info headers will # allow the client to check the integrity of the response, but it isn't compulsory and will get in the way of # pipelined retrieval of resources. # # See the Digest module for examples class AuthenticationInfo < AbstractHeader # Parses the information from a Authentication-Info header and creates a new AuthenticationInfo instance with # this data. # # * auth_info: The contents of the Authentication-Info header # See initialize for valid options. def self.from_header(auth_info, options={}) new Utils.decode_directives(auth_info, :auth), options end # Creates a new AuthenticationInfo instance based on the information from Credentials instance. # # * credentials: A Credentials instance # See initialize for valid options. def self.from_credentials(credentials, options={}) auth_info = new credentials.h auth_info.update_from_credentials! options auth_info end # Create a new instance. # # * h: A Hash with directives, normally this is filled with the directives coming from a # Credentials instance. # * options: Used to set or override data from the Authentication-Info header # * :digest: The digest for the specified username and realm. # * :response_body The body of the response that's going to be sent to the client. This is a # compulsory option if the qop directive is 'auth-int'. def initialize(h, options={}) @h = h @h.merge! options end # Encodes directives and returns a string that can be used as the AuthorizationInfo header def to_header Utils.encode_directives Utils.filter_h_on(@h, [:nextnonce, :qop, :rspauth, :cnonce, :nc]), :auth end # Updates @h from options, generally called after an instance was created with from_credentials. def update_from_credentials!(options) # TODO: update @h after nonce invalidation [:digest, :username, :realm, :password].each do |k| @h[k] = options[k] if options.include? k end @h[:response_body] = options[:response_body] @h[:nextnonce] = Utils.create_nonce @h[:salt] @h[:rspauth] = Utils.calculate_digest(@h, nil, :response) end # Validates rspauth. Returns true or false # # * options: The extra options needed to validate rspauth. # * :digest: The H(a1) digest # * :uri: request uri # * :nonce:nonce def validate(options) ho = @h.merge(options) return @h[:rspauth] == Utils.calculate_digest(ho, @s, :response) end end # Conversion for a number of internal data structures to and from directives in the headers. Implementations # shouldn't have to call any methods on Conversions. class Conversions class << self # Adds quotes around the string def quote_string(str) "\"#{str.gsub(/\"/, '')}\"" end # Removes quotes from around a string def unquote_string(str) str =~ /^\"([^\"]*)\"$/ ? $1 : str end # Creates an int value from hex values def hex_to_int(str) "0x#{str}".hex end # Creates a hex value in a string from an integer def int_to_hex(i) i.to_s(16).rjust 8, '0' end # Creates a boolean value from a string => true or false def str_to_bool(str) str == 'true' end # Creates a string value from a boolean => 'true' or 'false' def bool_to_str(bool) bool ? 'true' : 'false' end # Creates a quoted string with space separated items from a list def list_to_space_quoted_string(list) quote_string list.join(' ') end # Creates a list from a quoted space separated string of items def space_quoted_string_to_list(string) unquote_string(string).split ' ' end # Creates a quoted string with comma separated items from a list def list_to_comma_quoted_string(list) quote_string list.join(',') end # Create a list from a quoted comma separated string of items def comma_quoted_string_to_list(string) unquote_string(string).split ',' end end end # Session is a file-based session implementation for storing details about the Digest authentication session # between requests. class Session attr_accessor :opaque attr_accessor :options # Initializes the new Session object. # # * opaque - A string to identify the session. This would normally be the opaque sent by the # client, but it could also be an identifier sent through a different mechanism. # * options - Additional options # * :tmpdir A tempory directory for storing the session data. Dir::tmpdir is the default. def initialize(opaque, options={}) self.opaque = opaque self.options = options end # Associates the new data to the session and removes the old def save(data) File.open(filename, 'w') do |f| f.write Marshal.dump(data) end end # Returns the data from this session def load begin File.open(filename, 'r') do |f| Marshal.load f.read end rescue Errno::ENOENT {} end end protected # The filename from which the session will be saved and read from def filename "#{options[:tmpdir] || Dir::tmpdir}/ruby_digest_cache.#{self.opaque}" end end end end ruby-httpauth-0.2.0/lib/httpauth/exceptions.rb000066400000000000000000000007131204420057300214440ustar00rootroot00000000000000module HTTPAuth # Raised when the library finds data that doesn't conform to the standard class UnwellformedHeader < ArgumentError; end # Raised when the library finds data that is not strictly forbidden but doesn't know how to handle. class UnsupportedError < ArgumentError; end # Raise when validation on the request failed, most of the times this means that someone is trying to do replay attacks. class ValidationError < ArgumentError; end endruby-httpauth-0.2.0/metadata.yml000066400000000000000000000026121204420057300166320ustar00rootroot00000000000000--- !ruby/object:Gem::Specification name: httpauth version: !ruby/object:Gem::Version hash: 23 prerelease: segments: - 0 - 2 - 0 version: 0.2.0 platform: ruby authors: - Manfred Stienstra autorequire: bindir: bin cert_chain: [] date: 2012-09-25 00:00:00 Z dependencies: [] description: Library for the HTTP Authentication protocol (RFC 2617) email: manfred@fngtpspec.com executables: [] extensions: [] extra_rdoc_files: - README.md - LICENSE files: - README.md - LICENSE - lib/httpauth/basic.rb - lib/httpauth/constants.rb - lib/httpauth/digest.rb - lib/httpauth/exceptions.rb - lib/httpauth.rb homepage: https://github.com/Manfred/HTTPauth licenses: [] post_install_message: rdoc_options: - --charset=utf-8 require_paths: - lib required_ruby_version: !ruby/object:Gem::Requirement none: false requirements: - - ">=" - !ruby/object:Gem::Version hash: 3 segments: - 0 version: "0" required_rubygems_version: !ruby/object:Gem::Requirement none: false requirements: - - ">=" - !ruby/object:Gem::Version hash: 3 segments: - 0 version: "0" requirements: [] rubyforge_project: rubygems_version: 1.8.18 signing_key: specification_version: 3 summary: HTTPauth is a library supporting the full HTTP Authentication protocol as specified in RFC 2617; both Digest Authentication and Basic Authentication. test_files: []