packages feed

dsc (empty) → 0.1.0

raw patch · 6 files changed

+170/−0 lines, 6 filesdep +QuickCheckdep +SimpleAESdep +basesetup-changed

Dependencies added: QuickCheck, SimpleAES, base, base64-bytestring, bytestring, hspec, string-conversions

Files

+ LICENSE view
@@ -0,0 +1,30 @@+Copyright Author name here (c) 2017++All rights reserved.++Redistribution and use in source and binary forms, with or without+modification, are permitted provided that the following conditions are met:++    * Redistributions of source code must retain the above copyright+      notice, this list of conditions and the following disclaimer.++    * Redistributions in binary form must reproduce the above+      copyright notice, this list of conditions and the following+      disclaimer in the documentation and/or other materials provided+      with the distribution.++    * Neither the name of Author name here nor the names of other+      contributors may be used to endorse or promote products derived+      from this software without specific prior written permission.++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ Setup.hs view
@@ -0,0 +1,2 @@+import Distribution.Simple+main = defaultMain
+ dsc.cabal view
@@ -0,0 +1,57 @@+-- This file has been generated from package.yaml by hpack version 0.17.0.+--+-- see: https://github.com/sol/hpack++name:                dsc+version:             0.1.0+synopsis:            Helper functions for setting up Double Submit Cookie defense for forms+description:         See README at <https://github.com/qoelet/dsc#readme>+homepage:            https://github.com/qoelet/storeviva-login#readme+bug-reports:         https://github.com/qoelet/storeviva-login/issues+license:             MIT+license-file:        LICENSE+maintainer:          Kenny Shen <kenny@machinesung.com>+category:            Web+build-type:          Simple+cabal-version:       >= 1.10++source-repository head+  type: git+  location: https://github.com/qoelet/storeviva-login++library+  hs-source-dirs:+      src+  ghc-options: -Wall+  exposed-modules:+      Web.Csrf+  other-modules:+      Paths_dsc+  build-depends:+      base >= 4.7 && < 5+    , base64-bytestring+    , bytestring+    , SimpleAES+    , string-conversions+  default-language: Haskell2010++test-suite spec+  type: exitcode-stdio-1.0+  main-is: Spec.hs+  hs-source-dirs:+      test+      src+  ghc-options: -Wall+  cpp-options: -DTEST+  build-depends:+      base >= 4.7 && < 5+    , base64-bytestring+    , bytestring+    , SimpleAES+    , string-conversions+    , hspec == 2.*+    , QuickCheck+  other-modules:+      CsrfSpec+      Web.Csrf+  default-language: Haskell2010
+ src/Web/Csrf.hs view
@@ -0,0 +1,44 @@+module Web.Csrf (+  Csrf (..)+, CsrfCheckResult (..)+, mkCsrf+, getCsrf+, runCheck+) where++import           Codec.Crypto.SimpleAES+import           Data.ByteString+import           Data.ByteString.Base64+import           Data.String.Conversions++newtype Token = MkToken ByteString+  deriving (Eq, Show)++data CsrfCheckResult = Invalid | Valid+  deriving (Eq, Show)++data Csrf = Csrf {+  cookie :: Token+, formToken :: Token+, validationResult :: Maybe CsrfCheckResult+} deriving (Eq, Show)++runCheck :: Key -> Csrf -> Csrf+runCheck key csrf@(Csrf (MkToken c) (MkToken t) _) = csrf { validationResult = Just result }+  where+    result = case (decode c, decode t) of+      (Right c', Right t') ->+        if decryptMsg ECB key (cs c') == decryptMsg ECB key (cs t')+          then Valid+          else Invalid+      _ -> Invalid++getCsrf :: Key -> IO Csrf+getCsrf key = do+  secret <- randomKey+  c <- encryptMsg ECB key (cs secret)+  t <- encryptMsg ECB key (cs secret)+  return $ Csrf (MkToken (encode . cs $ c)) (MkToken (encode . cs $ t)) Nothing++mkCsrf :: Key -> ByteString -> ByteString -> Csrf+mkCsrf key c t = runCheck key (Csrf (MkToken c) (MkToken t) Nothing)
+ test/CsrfSpec.hs view
@@ -0,0 +1,36 @@+{-# LANGUAGE OverloadedStrings #-}++module CsrfSpec where++import           Codec.Crypto.SimpleAES+import           Data.ByteString.Base64+import           Data.String.Conversions+import           Test.Hspec+import           Test.QuickCheck+import           Test.QuickCheck.Monadic as Q++import           Web.Csrf++spec :: Spec+spec = do+  describe "getCsrf" $+    it "should generating matching tokens" $+      property propGetCsrfShouldAlwaysBeValid+  describe "runCheck" $+    it "should invalidate if csrf tokens do not match" $+      property propTokenMisMatchShouldBeInvalid++propGetCsrfShouldAlwaysBeValid :: Property+propGetCsrfShouldAlwaysBeValid = Q.monadicIO $ do+  testKey <- Q.run randomKey+  myCsrf <- Q.run (getCsrf testKey)+  Q.assert $ validationResult (runCheck testKey myCsrf) == Just Valid++propTokenMisMatchShouldBeInvalid :: Property+propTokenMisMatchShouldBeInvalid = Q.monadicIO $ do+  testKey <- Q.run randomKey+  secret <- Q.run randomKey+  cookieToken <- Q.run $ encryptMsg ECB testKey (cs secret)+  let badToken = "Foo"+      myCsrf = mkCsrf testKey (encode . cs $ cookieToken) badToken+  Q.assert $ validationResult (runCheck testKey myCsrf) == Just Invalid
+ test/Spec.hs view
@@ -0,0 +1,1 @@+{-# OPTIONS_GHC -F -pgmF hspec-discover #-}