aliquot 0.10.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80203d2d0e3ce4ee09bc59e1e784ea432c1716573187c1fd8ff9822a59a48e48
-  data.tar.gz: 7b07ed3fcaad21506b32e3f9cd78f5424ac3ab9f71d920f2f36e32dd1fb21b31
+  metadata.gz: 4ba838f9284bf05a6b396005bf21c4bbecefe36432457b4b5dfb48c76997353e
+  data.tar.gz: 96a202458e4bb76634375857f4af9c3a1f0f3529d0e2089e64b295345590778e
 SHA512:
-  metadata.gz: b4c7699b95ea4af8ce4b30cebebdd530acd3139835c7cd3833953498181ee737bf3db4737f36b759eb58c085770e5d6b104000f7bcaa7e2f74a2a8074f07ffec
-  data.tar.gz: 3b3ade2e3c20127c49e33f5957cd502ba6f6e2b0f4388c2f0f924b0ed5dc1830bd04618949b103683ff74b105fd897499330409a9f5e97c1f43cd704d0ddaaf1
+  metadata.gz: 6607632c5489062965cc3a95eb66b2a572af1821f0b4506d2e5e20ea23ba974741beb6091dfc16de78b3ba53ccab62a87c16a183dbf1d4f8b6ae9b01d6bde94c
+  data.tar.gz: d39edb966edf213869963edfaf753893a11dbe13b8f72af130be3ffb0c12da3a1dbf65b21448492500be9d63abfb8fffbfb7fdd5087dd9fbce292cd1dbe66bd0

data/lib/aliquot/error.rb

@@ -2,8 +2,17 @@ module Aliquot
   # Base class for all errors thrown in Aliquot
   class Error < StandardError; end
 
+  # Error in the input
+  class InputError < Error; end
+
+  # Errors in decryption. Might not be possible to provoke
+  class DecryptionError < Error; end
+
+  # When key derivation fails. Might not be possible to provoke
+  class KeyDerivationError < Error; end
+
   # Thrown if the token is expired
-  class ExpiredException < Error; end
+  class TokenExpiredError < Error; end
 
   # Thrown if the signature is invalid
   class InvalidSignatureError < Error; end
@@ -13,4 +22,10 @@ module Aliquot
 
   # Thrown if there was an error validating the input data
   class ValidationError < Error; end
+
+  # Thrown if JSON is invalid.
+  class FormatError < Error; end
+
+  # When shared_secret is invalid
+  class InvalidSharedSecretError < Error; end
 end

data/lib/aliquot/payment.rb

@@ -21,8 +21,12 @@ module Aliquot
     def initialize(token_string, shared_secret, merchant_id,
                    signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
 
-      validation = Aliquot::Validator::Token.new(JSON.parse(token_string))
-      validation.validate
+      begin
+        validation = Aliquot::Validator::Token.new(JSON.parse(token_string))
+        validation.validate
+      rescue JSON::JSONError => e
+        raise InputError, "token JSON invalid, #{e.message}"
+      end
 
       @token = validation.output
 
@@ -38,19 +42,31 @@ module Aliquot
         raise Error, 'only ECv1 protocolVersion is supported'
       end
 
+      check_shared_secret
+
       raise InvalidSignatureError unless valid_signature?
 
       validator = Aliquot::Validator::SignedMessage.new(JSON.parse(@token[:signedMessage]))
       validator.validate
       signed_message = validator.output
 
-      aes_key, mac_key = derive_keys(signed_message[:ephemeralPublicKey], @shared_secret, 'Google')
+      begin
+        aes_key, mac_key = derive_keys(signed_message[:ephemeralPublicKey], @shared_secret, 'Google')
+      rescue => e
+        raise KeyDerivationError, "unable to derive keys, #{e.message}"
+      end
 
       unless self.class.valid_mac?(mac_key, signed_message[:encryptedMessage], signed_message[:tag])
         raise InvalidMacError
       end
 
-      @message = JSON.parse(self.class.decrypt(aes_key, signed_message[:encryptedMessage]))
+      begin
+        @message = JSON.parse(self.class.decrypt(aes_key, signed_message[:encryptedMessage]))
+      rescue JSON::JSONError => e
+        raise InputError, "encryptedMessage JSON invalid, #{e.message}"
+      rescue => e
+        raise DecryptionError, "decryption failed, #{e.message}"
+      end
 
       message_validator = Aliquot::Validator::EncryptedMessageValidator.new(@message)
       message_validator.validate
@@ -58,7 +74,7 @@ module Aliquot
       # Output is hashed with symbolized keys.
       @message = message_validator.output
 
-      raise ExpiredException if expired?
+      raise TokenExpiredError if expired?
 
       @message
     end
@@ -137,5 +153,15 @@ module Aliquot
 
       [key_bytes[0..15], key_bytes[16..32]]
     end
+
+    def check_shared_secret
+      begin
+        decoded = Base64.strict_decode64(@shared_secret)
+      rescue
+        raise InvalidSharedSecretError, 'shared_secret must be base64'
+      end
+
+      raise InvalidSharedSecretError, 'shared_secret must be 32 bytes when base64 decoded' unless decoded.length == 32
+    end
   end
 end

data/lib/aliquot/validator.rb

@@ -125,7 +125,7 @@ module Aliquot
         @validation ||= @schema.call(@input)
         @output = @validation.output
         return true if @validation.success?
-        raise Aliquot::ValidationError, "validation error: #{errors_formatted}"
+        raise Aliquot::ValidationError, "validation error(s), #{errors_formatted}"
       end
 
       def valid?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aliquot
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Clearhaus
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-07 00:00:00.000000000 Z
+date: 2019-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.0
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement