An SDK for the delegated recovery specfication
Перейти к файлу
Neil Matatall 859878e822
no rubocop (yet)
2020-02-20 13:48:16 -10:00
.github/workflows no rubocop (yet) 2020-02-20 13:48:16 -10:00
config don't pass self to pub key methods 2017-08-18 10:02:29 -10:00
controllers add ability to set options byte when countersigning 2017-10-05 11:31:37 -10:00
db update migrations to be more friendly with modern rails 2019-05-13 10:56:32 -10:00
fixtures/vcr_cassettes/delegated_account_recovery initial commit 2017-04-14 06:58:44 -10:00
lib make the faraday callback a global config 2019-05-15 08:51:27 -10:00
logos save as png not tiff 2017-06-29 10:33:49 -10:00
models initial commit 2017-04-14 06:58:44 -10:00
script initial commit 2017-04-14 06:58:44 -10:00
spec green? 2020-02-20 13:45:10 -10:00
views initial commit 2017-04-14 06:58:44 -10:00
.codeclimate.yml better code climate config 2017-04-18 18:28:11 -10:00
.gitignore ignore 2017-08-02 13:13:11 -10:00
.rspec initial commit 2017-04-14 06:58:44 -10:00
.rubocop.yml add codeclimate/rubocop config 2017-04-18 18:23:32 -10:00
.ruby-version more modern ruby 2019-05-13 10:57:11 -10:00
CODE_OF_CONDUCT.md initial commit 2017-04-14 06:58:44 -10:00
CONTRIBUTING.md un-namespace things 2017-04-29 14:57:00 -07:00
Gemfile get this to pass on a jruby hopefully 2017-04-18 07:47:54 -10:00
Guardfile make encryptor config/use per provider 2017-08-16 12:15:13 -10:00
LICENSE initial commit 2017-04-14 06:58:44 -10:00
Procfile initial commit 2017-04-14 06:58:44 -10:00
README.md make encryptor config/use per provider 2017-08-16 12:15:13 -10:00
Rakefile initial commit 2017-04-14 06:58:44 -10:00
app.rb initial commit 2017-04-14 06:58:44 -10:00
config.ru initial commit 2017-04-14 06:58:44 -10:00
darrrr.gemspec bump to include https://github.com/github/darrrr/pull/16 2019-05-15 10:00:05 -10:00

README.md

Build Status Code Climate

The Delegated Account Recovery Rigid Reusable Ruby (aka D.a.r.r.r.r. or "Darrrr") library is meant to be used as the fully-complete plumbing in your Rack application when implementing the Delegated Account Recovery specification. This library is currently used for the implementation at GitHub.

Along with a fully featured library, a proof of concept application is provided in this repo.

Configuration

An account provider (e.g. GitHub) is someone who stores a token with someone else (a recovery provider e.g. Facebook) in order to grant access to an account.

In config/initializers or any location that is run during application setup, add a file. NOTE: procs are valid values for countersign_pubkeys_secp256r1 and tokensign_pubkeys_secp256r1

Darrrr.authority = "http://localhost:9292"
Darrrr.privacy_policy = "#{Darrrr.authority}/articles/github-privacy-statement/"
Darrrr.icon_152px = "#{Darrrr.authority}/icon.png"

# See script/setup for instructions on how to generate keys
Darrrr::AccountProvider.configure do |config|
  config.signing_private_key = ENV["ACCOUNT_PROVIDER_PRIVATE_KEY"]
  config.symmetric_key = ENV["TOKEN_DATA_AES_KEY"]
  config.tokensign_pubkeys_secp256r1 = [ENV["ACCOUNT_PROVIDER_PUBLIC_KEY"]] || lambda { |provider, context| "you wouldn't do this in real life but procs are supported for this value" }
  config.save_token_return = "#{Darrrr.authority}/account-provider/save-token-return"
  config.recover_account_return = "#{Darrrr.authority}/account-provider/recover-account-return"
end

Darrrr::RecoveryProvider.configure do |config|
  config.signing_private_key = ENV["RECOVERY_PROVIDER_PRIVATE_KEY"]
  config.countersign_pubkeys_secp256r1 = [ENV["RECOVERY_PROVIDER_PUBLIC_KEY"]] || lambda { |provider, context| "you wouldn't do this in real life but procs are supported for this value" }
  config.token_max_size = 8192
  config.save_token = "#{Darrrr.authority}/recovery-provider/save-token"
  config.recover_account = "#{Darrrr.authority}/recovery-provider/recover-account"
end

The delegated recovery spec depends on publicly available endpoints serving standard configs. These responses can be cached but are not by default. To configure your cache store, provide the reference:

Darrrr.cache = Dalli::Client.new('localhost:11211', options)

The spec disallows http URIs for basic security, but sometimes we don't have this setup locally.

Darrrr.allow_unsafe_urls = true

Provider registration

In order to allow a site to act as a provider, it must be "registered" on boot to prevent unauthorized providers from managing tokens.

# Only configure this if you are acting as a recovery provider
Darrrr.register_account_provider("https://github.com")

# Only configure this if you are acting as an account provider
Darrrr.register_recovery_provider("https://www.facebook.com")

Custom crypto

Create a module that responds to Module.sign, Module.verify, Module.decrypt, and Module.encrypt. You can use the template below. I recommend leaving the #verify method as is unless you have a compelling reason to override it.

Global config

Set Darrrr.this_account_provider.custom_encryptor = MyCustomEncryptor Set Darrrr.this_recovery_provider.custom_encryptor = MyCustomEncryptor

On-demand

Darrrr.with_encryptor(MyCustomEncryptor) do
  # perform DAR actions using MyCustomEncryptor as the crypto provider
  recovery_token, sealed_token = Darrrr.this_account_provider.generate_recovery_token(data: "foo", audience: recovery_provider, context: { user: current_user })
end
module MyCustomEncryptor
  class << self
    # Encrypts the data in an opaque way
    #
    # data: the secret to be encrypted
    #
    # returns a byte array representation of the data
    def encrypt(data)

    end

    # Decrypts the data
    #
    # ciphertext: the byte array to be decrypted
    #
    # returns a string
    def decrypt(ciphertext)

    end

    # payload: binary serialized recovery token (to_binary_s).
    #
    # key: the private EC key used to sign the token
    #
    # returns signature in ASN.1 DER r + s sequence
    def sign(payload, key)

    end

    # payload: token in binary form
    # signature: signature of the binary token
    # key: the EC public key used to verify the signature
    #
    # returns true if signature validates the payload
    def verify(payload, signature, key)
      # typically, the default verify function should be used to ensure compatibility
      Darrrr::DefaultEncryptor.verify(payload, signature, key)
    end
  end
end

Example implementation

I strongly suggest you read the specification, specifically section 3.1 (save-token) and 3.5 (recover account) as they contain the most dangerous operations.

NOTE: this is NOT meant to be a complete implementation, it is just the starting point. Crucial aspects such as authentication, audit logging, out of band notifications, and account provider persistence are not implemented.

Specifically, the gem exposes the following APIs for manipulating tokens.

Development

Local development assumes a Mac OS environment with homebrew available. Postgres and phantom JS will be installed.

Run ./script/bootstrap then run ./script/server

  • Visit http://localhost:9292/account-provider
  • You'll see some debug information on the page.
    • Click "setup recovery".
  • If recovery setup was successful, click "Recovery Setup Successful"
  • Click the "recover now?" link
  • You'll see an intermediate page, where more debug information is presented. Click "recover token"
  • You should be sent back to your host
    • And see something like Recovered data: <the secret from step 1>

Tests

Run ./script/test to run all tests.

Deploying to heroku

Use heroku config:set to set the environment variables listed in script/setup. Additionally, run:

heroku config:set HOST_URL=$(heroku info -s | grep web_url | cut -d= -f2)

Push your app to heroku:

git push heroku <branch-name>:master

Migrate the database:

heroku run rake db:migrate

Use the app!

heroku restart
heroku open

Roadmap

  • Add support for token-status endpoints as defined by the spec
  • Add async API as defined by the spec
  • Implement token binding as part of the async API

Don't want to run ./script entries?

See script/setup for the environment variables that need to be set.

Contributions

See CONTRIBUTING.md

License

darrrr is licensed under the MIT license.

The MIT license grant is not for GitHub's trademarks, which include the logo designs. GitHub reserves all trademark and copyright rights in and to all GitHub trademarks. GitHub's logos include, for instance, the stylized designs that include "logo" in the file title in the following folder: logos.

GitHub® and its stylized versions and the Invertocat mark are GitHub's Trademarks or registered Trademarks. When using GitHub's logos, be sure to follow the GitHub logo guidelines.