self rebase #01

Taken from the rebase concept of git which is also used by GitHub to show they newsworthy and notable projects, I’m using the post to do the same with bunch of Open Source, shared, hacking projects I’ll be doing lately.

Since 2010 started, I didn’t blogged that often, but there were a couple of projects that I’ve been working lately. Throughout this post, I’ll describe each one and the futures.

Every piece of feedback will be welcome, as every other contribution too.

Enjoy the ride,
~johnny

Rack::Auth::WRAP, the OAuth WRAP Middleware

Yesterday, with Juan Pablo, we published our first version of Rack::Auth::WRAP the first version of the Rack. If you are familiar with the protocol, you can skip the next section if not, take a look at it. Extracted from the read me at github.com.

What the heck is WRAP?

Web Resource Authorization Protocol (WRAP) is a profile of OAuth, also called OAuth WRAP. While similar in pattern to OAuth 1.0A, the WRAP profile(s) have a number of important capabilities that were not available previously in OAuth. This specification is being contributed to the IETF OAuth WG.

Also this same group owns the specification for the SWT (Simple-Web-Token), for more information read wiki.oauth.net/OAuth-WRAP or visit the groups.google.com/group/oauth-wrap-wg.

The latest specification for the complete protocol can be found at Google Group as HTML (RFC properly formatted) on groups.google.com/group/oauth-wrap-wg/attach/981df73f2839b8ef/draft-hardt-oauth-wrap-01.html?part=5

Creating your first protected resource

As you might be thinking, our first resource will be a Sinatra application.

First of all we need to install the gem, as

[sudo] gem install rack-oauth-wrap

To make the sample easier let’s create our own shared key, we can all share this for demo purpose NjkzNTczOTAtMDA2MC0wMTJkLTQ1M2YtMDAyMzMyYjFmYWY4n

So let’s start by creating the protected resource

require 'rubygems'
require 'sinatra'
require 'rack/auth/wrap'

use Rack::Auth::WRAP, :shared_secret =>t; "NjkzNTczOTAtMDA2MC0wMTJkLTQ1M2YtMDAyMzMyYjFmYWY4",
                      :audiences =>; "http://localhost:4567",
                      :trusted_issuers =>; "urn:demo-issuer"

get "/" do
    if @env["REMOTE_USER"]
        return "You are authenticated as #{@env["REMOTE_USER"]['Email']}"
    else
        return "You are an unauthenticated user"
    end
end

Now we can start this on a Terminal (cmd, or whatever) and let’s jump to the consumer, but first if you try it without sending a token, and using the client we are going to build, you will get:

?> curl http://localhost:45678
You are unauthenticated

Now lets create a client trying to access a protected resource with a token on the header (requires restclient)

require 'rubygems'
require 'cgi'
require 'base64'
require 'restclient'
require 'hmac/sha2'

SHARED_SECRET = "NjkzNTczOTAtMDA2MC0wMTJkLTQ1M2YtMDAyMzMyYjFmYWY4n"

simple_web_token = {'Audience' =>; "http://localhost:4567",
                    'Issuer' =>; "urn:demo-issuer",
                    'ExpiresOn' =>; (Time.now.to_i + 60).to_s,
                    'Email' =>; 'johnny.halife@sample.com'}.map{|k, v| "#{k}=#{CGI.escape(v)}"}.join("&")

signature = Base64.encode64(HMAC::SHA256.new(Base64.decode64(SHARED_SECRET)).update(simple_web_token.toutf8).digest).strip
simple_web_token += "&HMACSHA256=#{CGI.escape(signature)}"

puts RestClient.get("http://localhost:4567/", "Authorization" =>; "WRAP access_token=#{CGI.escape(simple_web_token)}")

Now let’s try our client, and see if there’s any difference with the curl request:

?> ruby client.rb
You are authenticated as johnny.halife@sample.com

As you can see, we have our first end to end, Rack::Auth::WRAP Sample.

DISCLAIMER: On a real world application you won’t generate your own token as we are doing on the client code. We are doing it for demo purposed, but probably on you app you will get a token from an authorization server.

Both snippets are available as gits on github: Protected Resource / Client. We are assuming that this is running on localhost:4567

TODO’s and futures

On the upcoming days/weeks/months we are going to get on the middleware support for the other ways of getting the token, like Query String and/or method body. Also we would like to implement the Web Profile of WRAP, so stay tuned.

You can read the freshly published documentation at http://rack-oauth-wrap.heroku.com

Source Code available at: http://github.com/johnnyhalife/rack-oauth-wrap

OAuth WRAP 0.9 for Tcl

First of all, if you aren’t familiar with Tcl it’s “originally from “Tool Command Language”, but conventionally
rendered as Tcl is a scripting language created by John Ousterhout”. I encourage you to test it and also if you are interested read Where’s Tcl hiding?.

This project was born after half an hour spiking on how hard it will be to parse a token on a bare linux distro that only has Tcl. After we noticed that Tcl is really straightforward language for design, prototype and is fun to write, we packed this lib and make it available for anyone interested.

Here’s an snippet of the intended usage of the lib

package require ::oauth::wrap

set rawToken "access_token=something&other_parameters_to_ignore" #=> the token from the IP

# => creates a configuration dictionary for the values
dict set configuration signingKey {valid_key} # => signing key used by the Identity Provider
dict set configuration issuer {valid_issuer} # => the identity provider URI
dict set configuration audience {valid_audience}  # => my application audience URI

# this will return the token when it's valid else it will return false
set token [oauth::wrap::authenticate $configuration $rawToken]

# at this point if the token valid you can mess around with its claims
# that are returned on a dictionary form
set name [dict get $token name]

It’s fun to give it a shot, check out the source code at http://github.com/johnnyhalife/tcl-oauth-wrap

Windows Azure Storage for Ruby v1.0

On the 4th February, 2010 I’ve published the version 1.0 of ruby gem I wrote for Windows Azure Storage. This time it has the great contribution of my friend Juan Pablo Garcia Dalolla who has implemented the Windows Azure Tables support.

This version of the gem also includes support for the version 2009-09-19.

Here’re are some code snippets from the Windows Azure Tables support

require 'waz-storage'
require 'waz-tables'

# The same connection of Windows Azure Storage Core (Queues, Blobs) can be reused
WAZ::Storage::Base.establish_connection!(:account_name =>; account_name,
                                         :access_key =>; access_key)

# Grab the service instance
service = WAZ::Tables::Table.service_instance

# Query the customer table
service.query('customer_table', {:expression =>; "(PartitionKey eq 'customer') and (Age eq 23)", :top =>; 15} )

# Insert something into the customer table
serivce.query('customer_table', {:row_key =>; 'my_custom_id', :name =>; 'johnny'})

There’s also a DataMapper adapter effort going on for Windows Azure Storage Tables, I recommend you to check out Juan Pablo’s post about Windows Azure Tables Adapter for Datamapper

Source Code available at: http://github.com/johnnyhalife/waz-storage

RDoc available at: http://github.com/johnnyhalife/waz-storage



Leave a Reply