• self rebase #01

    Published by on February 20th, 2010 12:53 pm under Emerging Technology

    No Comments

    Taken from the rebase concept of git which is also used by GitHub to show they newsworthy and notable projects, I’m using the post to do the same with bunch of Open Source, shared, hacking projects I’ll be doing lately.

    Since 2010 started, I didn’t blogged that often, but there were a couple of projects that I’ve been working lately. Throughout this post, I’ll describe each one and the futures.

    Every piece of feedback will be welcome, as every other contribution too.

    Enjoy the ride,
    ~johnny

    Rack::Auth::WRAP, the OAuth WRAP Middleware

    Yesterday, with Juan Pablo, we published our first version of Rack::Auth::WRAP the first version of the Rack. If you are familiar with the protocol, you can skip the next section if not, take a look at it. Extracted from the read me at github.com.

    What the heck is WRAP?

    Web Resource Authorization Protocol (WRAP) is a profile of OAuth, also called OAuth WRAP. While similar in pattern to OAuth 1.0A, the WRAP profile(s) have a number of important capabilities that were not available previously in OAuth. This specification is being contributed to the IETF OAuth WG.

    Also this same group owns the specification for the SWT (Simple-Web-Token), for more information read wiki.oauth.net/OAuth-WRAP or visit the groups.google.com/group/oauth-wrap-wg.

    The latest specification for the complete protocol can be found at Google Group as HTML (RFC properly formatted) on groups.google.com/group/oauth-wrap-wg/attach/981df73f2839b8ef/draft-hardt-oauth-wrap-01.html?part=5

    Creating your first protected resource

    As you might be thinking, our first resource will be a Sinatra application.

    First of all we need to install the gem, as

    [sudo] gem install rack-oauth-wrap

    To make the sample easier let’s create our own shared key, we can all share this for demo purpose NjkzNTczOTAtMDA2MC0wMTJkLTQ1M2YtMDAyMzMyYjFmYWY4\n

    So let’s start by creating the protected resource

    require 'rubygems'
    require 'sinatra'
    require 'rack/auth/wrap'
    
    use Rack::Auth::WRAP, :shared_secret =>t; "NjkzNTczOTAtMDA2MC0wMTJkLTQ1M2YtMDAyMzMyYjFmYWY4",
                          :audiences =>; "http://localhost:4567",
                          :trusted_issuers =>; "urn:demo-issuer"
    
    get "/" do
        if @env["REMOTE_USER"]
            return "You are authenticated as #{@env["REMOTE_USER"]['Email']}"
        else
            return "You are an unauthenticated user"
        end
    end

    Now we can start this on a Terminal (cmd, or whatever) and let’s jump to the consumer, but first if you try it without sending a token, and using the client we are going to build, you will get:

    ?> curl http://localhost:45678
    You are unauthenticated

    Now lets create a client trying to access a protected resource with a token on the header (requires restclient)

    require 'rubygems'
    require 'cgi'
    require 'base64'
    require 'restclient'
    require 'hmac/sha2'
    
    SHARED_SECRET = "NjkzNTczOTAtMDA2MC0wMTJkLTQ1M2YtMDAyMzMyYjFmYWY4\n"
    
    simple_web_token = {'Audience' =>; "http://localhost:4567",
                        'Issuer' =>; "urn:demo-issuer",
                        'ExpiresOn' =>; (Time.now.to_i + 60).to_s,
                        'Email' =>; 'johnny.halife@sample.com'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")
    
    signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(SHARED_SECRET)).update(simple_web_token.toutf8).digest).strip
    simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"
    
    puts RestClient.get("http://localhost:4567/", "Authorization" =>; "WRAP access_token=#{CGI.escape(simple_web_token)}")

    Now let’s try our client, and see if there’s any difference with the curl request:

    ?> ruby client.rb
    You are authenticated as johnny.halife@sample.com

    As you can see, we have our first end to end, Rack::Auth::WRAP Sample.

    DISCLAIMER: On a real world application you won’t generate your own token as we are doing on the client code. We are doing it for demo purposed, but probably on you app you will get a token from an authorization server.

    Both snippets are available as gits on github: Protected Resource / Client. We are assuming that this is running on localhost:4567

    TODO’s and futures

    On the upcoming days/weeks/months we are going to get on the middleware support for the other ways of getting the token, like Query String and/or method body. Also we would like to implement the Web Profile of WRAP, so stay tuned.

    You can read the freshly published documentation at http://rack-oauth-wrap.heroku.com

    Source Code available at: http://github.com/johnnyhalife/rack-oauth-wrap

    OAuth WRAP 0.9 for Tcl

    First of all, if you aren’t familiar with Tcl it’s “originally from “Tool Command Language”, but conventionally
    rendered as Tcl is a scripting language created by John Ousterhout”. I encourage you to test it and also if you are interested read Where’s Tcl hiding?.

    This project was born after half an hour spiking on how hard it will be to parse a token on a bare linux distro that only has Tcl. After we noticed that Tcl is really straightforward language for design, prototype and is fun to write, we packed this lib and make it available for anyone interested.

    Here’s an snippet of the intended usage of the lib

    package require ::oauth::wrap
    
    set rawToken "access_token=something&other_parameters_to_ignore" #=> the token from the IP
    
    # => creates a configuration dictionary for the values
    dict set configuration signingKey {valid_key} # => signing key used by the Identity Provider
    dict set configuration issuer {valid_issuer} # => the identity provider URI
    dict set configuration audience {valid_audience}  # => my application audience URI
    
    # this will return the token when it's valid else it will return false
    set token [oauth::wrap::authenticate $configuration $rawToken]
    
    # at this point if the token valid you can mess around with its claims
    # that are returned on a dictionary form
    set name [dict get $token name]

    It’s fun to give it a shot, check out the source code at http://github.com/johnnyhalife/tcl-oauth-wrap

    Windows Azure Storage for Ruby v1.0

    On the 4th February, 2010 I’ve published the version 1.0 of ruby gem I wrote for Windows Azure Storage. This time it has the great contribution of my friend Juan Pablo Garcia Dalolla who has implemented the Windows Azure Tables support.

    This version of the gem also includes support for the version 2009-09-19.

    Here’re are some code snippets from the Windows Azure Tables support

    require 'waz-storage'
    require 'waz-tables'
    
    # The same connection of Windows Azure Storage Core (Queues, Blobs) can be reused
    WAZ::Storage::Base.establish_connection!(:account_name =>; account_name,
                                             :access_key =>; access_key)
    
    # Grab the service instance
    service = WAZ::Tables::Table.service_instance
    
    # Query the customer table
    service.query('customer_table', {:expression =>; "(PartitionKey eq 'customer') and (Age eq 23)", :top =>; 15} )
    
    # Insert something into the customer table
    serivce.query('customer_table', {:row_key =>; 'my_custom_id', :name =>; 'johnny'})

    There’s also a DataMapper adapter effort going on for Windows Azure Storage Tables, I recommend you to check out Juan Pablo’s post about Windows Azure Tables Adapter for Datamapper

    Source Code available at: http://github.com/johnnyhalife/waz-storage

    RDoc available at: http://github.com/johnnyhalife/waz-storage