Merge pull request #3250 from betagouv/kill-libsodium

Refactor SignatureService to remove RbNaCl
Pierre de La Morinerie 2019-01-03 17:56:34 +01:00 committed by GitHub
commit 24e3b92897
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 24 deletions


@ -57,7 +57,6 @@ gem 'activestorage-openstack', git: 'https://github.com/fredZen/activestorage-op
gem 'pg'
gem 'rbnacl-libsodium'
gem 'bcrypt'
gem 'rgeo-geojson'


@ -463,10 +463,6 @@ GEM
rb-fsevent (0.10.3)
rb-inotify (0.9.10)
ffi (>= 0.5.0, < 2)
rbnacl (5.0.0)
ffi
rbnacl-libsodium (1.0.16)
rbnacl (>= 3.0.1)
regexp_parser (1.3.0)
request_store (1.4.1)
rack (>= 1.4)
@ -720,7 +716,6 @@ DEPENDENCIES
rails-controller-testing
rails-i18n
rake-progressbar
rbnacl-libsodium
rest-client
rgeo-geojson
rspec-rails


@ -1,28 +1,22 @@
class SignatureService
class << self
def generate
RbNaCl::Util.bin2hex(RbNaCl::SigningKey.generate)
end
def verify(signature, message)
message = Base64.urlsafe_encode64(message)
begin
signing_key.verify_key
.verify(RbNaCl::Util.hex2bin(signature), message)
rescue RbNaCl::BadSignatureError, RbNaCl::LengthError
decoded_message = verifier.verify(signature)
return message == decoded_message
rescue ActiveSupport::MessageVerifier::InvalidSignature
return false
end
end
def sign(message)
message = Base64.urlsafe_encode64(message)
RbNaCl::Util.bin2hex(signing_key.sign(message))
verifier.generate(message)
end
private
def signing_key
@@signing_key ||= RbNaCl::SigningKey.new(RbNaCl::Util.hex2bin(Rails.application.secrets.signing_key))
def verifier
@@verifier ||= ActiveSupport::MessageVerifier.new(Rails.application.secrets.signing_key)
end
end
end
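Review bot: `ActiveSupport::MessageVerifier.new(Rails.application.secrets.signing_key)` in `verifier` relies on the library defaults, which on Rails versions of this period are, as far as I know, HMAC-SHA1 and the Marshal serializer; pinning them makes the scheme explicit and keeps Marshal off the verification path: `ActiveSupport::MessageVerifier.new(Rails.application.secrets.signing_key, digest: 'SHA256', serializer: JSON)`. The change also replaces an Ed25519 signature with a symmetric MAC keyed from the same secret, so signatures issued before this commit will presumably stop verifying, and the value returned by `sign` now carries the encoded message itself rather than a detached signature; a short comment on `sign`/`verify` stating this, and a note on whether any stored signatures must be re-issued, would help the next reader. As a style point, `@@verifier` is a class variable; a class-level instance variable (`@verifier ||= ...`) inside `class << self` avoids sharing it across the inheritance tree.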


@ -3,14 +3,22 @@ require 'spec_helper'
describe SignatureService do
let(:service) { SignatureService }
let(:message) { { hello: 'World!' }.to_json }
let(:message2) { { hello: 'World' }.to_json }
let(:tampered_message) { { hello: 'Tampered' }.to_json }
it "sign and verify" do
it 'sign and verify' do
signature = service.sign(message)
signature2 = service.sign(message2)
expect(service.verify(signature, message)).to eq(true)
expect(service.verify(signature2, message)).to eq(false)
expect(service.verify(signature, message2)).to eq(false)
end
it 'fails the verification if the message changed' do
signature = service.sign(message)
expect(service.verify(signature, tampered_message)).to eq(false)
end
it 'fails the verification if the signature changed' do
other_signature = service.sign(tampered_message)
expect(service.verify(nil, message)).to eq(false)
expect(service.verify('', message)).to eq(false)
expect(service.verify(other_signature, message)).to eq(false)
end
end
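Review bot: The 'fails the verification if the signature changed' example covers `nil`, `''` and a valid signature for a different message, but not a non-empty malformed token or a token whose digest part was altered. Adding `expect(service.verify('not-a-signature', message)).to eq(false)` and `expect(service.verify(service.sign(message) + 'x', message)).to eq(false)` would pin that `verify` returns false rather than raising on such input. If `verify` can be reached with non-String values from request parameters (not visible on this page), a case for that is worth adding as well.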