RubyGems - aliquot - Versions diffs - 0.12.0 → 2.0.0 - Mend

aliquot 0.12.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a327bbbe5f475b924454c120979cb3bc965c5363c2740366a9f1abea19a59707
-  data.tar.gz: 044dd4f0c2daa2d72685133fbd27408247281449276c0e36cba1141778d98176
+  metadata.gz: b4b575c575e5104e23692cbf9ddf45fd40555862d306a88995d33c7c2fa2085b
+  data.tar.gz: b2be001378fea01010ae490230d8cd14c0767b6fec3155a7a4d6c24c95262c7d
 SHA512:
-  metadata.gz: f25a55664501aa93322675512975d3471c4586112855d2d30f32b0f61fcad6240fdd3750d36e418feaa415f3a49ee752271f2d7c1dc5fe28cd6615fc5d16811b
-  data.tar.gz: e48a4d748adc053caa2e8a7770d5ef580fee0867497fa2d98dfac8cfc202a8183e3e8c900b56bac1cd121a95fadc4d8699511442263e93076d10e95ce53407af
+  metadata.gz: 41e6616072916a6bf54baa76e62e8e9ccd07afc5056f7bcbf3886292d941f66c451f434924837e667592543184c91089f7032b25a1bb9daf646d9a69ef647529
+  data.tar.gz: adfe0fe58146dd4824c1677a482e948b4405973d6c18b7bcd31f516d446921f3b6266b8600148ec05b7c03ba78650c7f33de39f100e93eed8587abcee28999c2

data/lib/aliquot/error.rb CHANGED

@@ -28,4 +28,7 @@ module Aliquot
   # When shared_secret is invalid
   class InvalidSharedSecretError < Error; end
+  # When recipient_id is invalid
+  class InvalidRecipientIDError < Error; end
 end

data/lib/aliquot/payment.rb CHANGED

@@ -10,29 +10,29 @@ module Aliquot
   ##
   # A Payment represents a single payment using Google Pay.
   # It is used to verify/decrypt the supplied token by using the shared secret,
-  # thus avoiding having knowledge of merchant primary keys.
+  # thus avoiding having knowledge of any private keys involved.
   class Payment
     SUPPORTED_PROTOCOL_VERSIONS = %w[ECv1 ECv2].freeze
     ##
     # Parameters:
     # token_string::  Google Pay token (JSON string)
     # shared_secret:: Base64 encoded shared secret
-    # merchant_id::   Google Pay merchant ID ("merchant:<SOMETHING>")
+    # recipient_id::   Google Pay recipient ID
     # signing_keys::  Signing keys fetched from Google
-    def initialize(token_string, shared_secret, merchant_id,
+    def initialize(token_string, shared_secret, recipient_id,
                    signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
       begin
         validation = Aliquot::Validator::Token.new(JSON.parse(token_string))
         validation.validate
       rescue JSON::JSONError => e
-        raise InputError, "token JSON invalid, #{e.message}"
+        raise InputError, "token JSON is invalid, #{e.message}"
       end
       @token = validation.output
       @shared_secret = shared_secret
-      @merchant_id   = merchant_id
+      @recipient_id   = recipient_id
       @signing_keys  = signing_keys
     end
@@ -43,13 +43,15 @@ module Aliquot
         raise Error, "supported protocol versions are #{SUPPORTED_PROTOCOL_VERSIONS.join(', ')}"
       end
+      @recipient_id = validate_recipient_id
+      check_shared_secret
       if protocol_version == 'ECv2'
         @intermediate_key = validate_intermediate_key
-        raise InvalidSignatureError, 'intermediate certificate expired' if intermediate_key_expired?
+        raise InvalidSignatureError, 'intermediate certificate is expired' if intermediate_key_expired?
       end
-      check_shared_secret
       check_signature
       @signed_message = validate_signed_message
@@ -57,22 +59,22 @@ module Aliquot
       begin
         aes_key, mac_key = derive_keys(@signed_message[:ephemeralPublicKey], @shared_secret, 'Google')
       rescue => e
-        raise KeyDerivationError, "unable to derive keys, #{e.message}"
+        raise KeyDerivationError, "cannot derive keys, #{e.message}"
       end
-      raise InvalidMacError unless valid_mac?(mac_key)
+      raise InvalidMacError, 'MAC does not match' unless valid_mac?(mac_key)
       begin
         @message = JSON.parse(decrypt(aes_key, @signed_message[:encryptedMessage]))
       rescue JSON::JSONError => e
-        raise InputError, "encryptedMessage JSON invalid, #{e.message}"
+        raise InputError, "encryptedMessage JSON is invalid, #{e.message}"
       rescue => e
         raise DecryptionError, "decryption failed, #{e.message}"
       end
       @message = validate_message
-      raise TokenExpiredError if expired?
+      raise TokenExpiredError, 'token is expired' if expired?
       @message
     end
@@ -100,6 +102,12 @@ module Aliquot
       @intermediate_key[:keyExpiration].to_i < cur_millis
     end
+    def validate_recipient_id
+      raise InvalidRecipientIDError, 'recipient_id must be alphanumeric and punctuation' unless /\A[[:graph:]]+\z/ =~ @recipient_id
+      @recipient_id
+    end
     def check_shared_secret
       begin
         decoded = Base64.strict_decode64(@shared_secret)
@@ -111,7 +119,7 @@ module Aliquot
     end
     def check_signature
-      signed_string_message = ['Google', @merchant_id, protocol_version, @token[:signedMessage]].map do |str|
+      signed_string_message = ['Google', @recipient_id, protocol_version, @token[:signedMessage]].map do |str|
         [str.length].pack('V') + str
       end.join
       message_signature = Base64.strict_decode64(@token[:signature])
@@ -126,7 +134,7 @@ module Aliquot
             key.verify(new_digest, message_signature, signed_string_message)
           end.any?
-        raise InvalidSignatureError unless success
+        raise InvalidSignatureError, 'signature of signedMessage does not match' unless success
       when 'ECv2'
         signed_key_signature = ['Google', 'ECv2', @token[:intermediateSigningKey][:signedKey]].map do |str|
           [str.length].pack('V') + str
@@ -134,7 +142,7 @@ module Aliquot
         # Check that the intermediate key signed the message
         pkey = OpenSSL::PKey::EC.new(Base64.strict_decode64(@intermediate_key[:keyValue]))
-        raise InvalidSignatureError, 'intermediate did not sign message' unless pkey.verify(new_digest, message_signature, signed_string_message)
+        raise InvalidSignatureError, 'signature of signedMessage does not match' unless pkey.verify(new_digest, message_signature, signed_string_message)
         intermediate_signatures = @token[:intermediateSigningKey][:signatures]
@@ -145,12 +153,12 @@ module Aliquot
           signed_key_signature
         )
-        raise InvalidSignatureError, 'intermediate not signed' unless success
+        raise InvalidSignatureError, 'no valid signature of intermediate key' unless success
       end
     rescue OpenSSL::PKey::PKeyError => e
       # Catches problems with verifying signature. Can be caused by signature
       # being valid ASN1 but having invalid structure.
-      raise InvalidSignatureError, e.message
+      raise InvalidSignatureError, "error verifying signature, #{e.message}"
     end
     def root_keys

data/lib/aliquot/validator.rb CHANGED

@@ -22,6 +22,7 @@ module Aliquot
         month?:           'must be a month (1..12)',
         year?:            'must be a year (2000..3000)',
         base64_asn1?:     'must be base64 encoded asn1 value',
+        json_object?:     'must be a JSON object',
         authMethodCryptogram3DS: 'authMethod CRYPTOGRAM_3DS requires eciIndicator',
         authMethodCard:          'eciIndicator/cryptogram must be omitted when PAN_ONLY',
@@ -64,6 +65,8 @@ module Aliquot
       predicate(:year?) { |x| x.between?(2000, 3000) }
       predicate(:base64_asn1?) { |x| OpenSSL::ASN1.decode(Base64.strict_decode64(x)) rescue false }
+      predicate(:json_object?) { |x| hash?(x) }
     end
     # Base for DRY-Validation schemas used in Aliquot.
@@ -78,7 +81,6 @@ module Aliquot
     IntermediateSigningKeySchema = Dry::Validation.Schema(BaseSchema) do
       required(:signedKey).filled(:str?, :json_string?)
-      # TODO: Check if elements of array are valid signatures
       required(:signatures).filled(:array?) { each { base64? & base64_asn1? } }
     end
@@ -91,21 +93,19 @@ module Aliquot
     TokenSchema = Dry::Validation.Schema(BaseSchema) do
       required(:signature).filled(:str?, :base64?, :base64_asn1?)
-      # Currently supposed to be ECv1, but may evolve.
-      required(:protocolVersion).filled(:str?)
-      required(:signedMessage).filled(:str?, :json_string?)
+      required(:protocolVersion).filled(:str?).when(eql?: 'ECv2') do
+        required(:intermediateSigningKey)
+      end
-      optional(:intermediateSigningKey).schema(IntermediateSigningKeySchema)
+      required(:signedMessage).filled(:str?, :json_string?)
-      rule('ECv2 implies intermediateSigningKey': %i[protocolVersion intermediateSigningKey]) do |version, intermediatekey|
-        version.eql?('ECv2') > intermediatekey.filled?
-      end
+      optional(:intermediateSigningKey).value(:json_object?) { schema(IntermediateSigningKeySchema) }
     end
     # DRY-Validation schema for signedMessage component Google Pay token
     SignedMessageSchema = Dry::Validation.Schema(BaseSchema) do
       required(:encryptedMessage).filled(:str?, :base64?)
-      required(:ephemeralPublicKey).filled(:str?, :base64?).value(size?: 44)
+      required(:ephemeralPublicKey).filled(:str?, :base64?)
       required(:tag).filled(:str?, :base64?)
     end
@@ -119,15 +119,15 @@ module Aliquot
       optional(:cryptogram).filled(:str?)
       optional(:eciIndicator).filled(:str?, :eci?)
-      rule('when authMethod is CRYPTOGRAM_3DS, cryptogram': %i[authMethod cryptogram]) do |method, cryptogram|
-        method.eql?('CRYPTOGRAM_3DS') > cryptogram.filled?
+      rule(cryptogram: %i[authMethod cryptogram]) do |method, cryptogram|
+        method.eql?('CRYPTOGRAM_3DS') > required(:cryptogram)
       end
-      rule('when authMethod is PAN_ONLY, eciIndicator': %i[authMethod eciIndicator]) do |method, eci|
+      rule(eciIndicator: %i[authMethod eciIndicator]) do |method, eci|
         method.eql?('PAN_ONLY').then(eci.none?)
       end
-      rule('when authMethod is PAN_ONLY, cryptogram': %i[authMethod cryptogram]) do |method, cryptogram|
+      rule(cryptogram: %i[authMethod cryptogram]) do |method, cryptogram|
         method.eql?('PAN_ONLY').then(cryptogram.none?)
       end
     end
@@ -137,7 +137,7 @@ module Aliquot
       required(:messageExpiration).filled(:str?, :integer_string?)
       required(:messageId).filled(:str?)
       required(:paymentMethod).filled(:str?, eql?: 'CARD')
-      required(:paymentMethodDetails).schema(PaymentMethodDetailsSchema)
+      required(:paymentMethodDetails).value(:json_object?) { schema PaymentMethodDetailsSchema }
     end
     module InstanceMethods

metadata CHANGED

@@ -1,71 +1,77 @@
 --- !ruby/object:Gem::Specification
 name: aliquot
 version: !ruby/object:Gem::Version
-  version: 0.12.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Clearhaus
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-11 00:00:00.000000000 Z
+date: 2020-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.13'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.13'
 - !ruby/object:Gem::Dependency
   name: excon
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.71.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.71.0
 - !ruby/object:Gem::Dependency
   name: hkdf
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.3'
 - !ruby/object:Gem::Dependency
   name: aliquot-pay
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 2.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -80,21 +86,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0'
-description:
+description:
 email: hello@clearhaus.com
 executables: []
 extensions: []
@@ -108,7 +100,7 @@ homepage: https://github.com/clearhaus/aliquot
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -123,9 +115,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.7
-signing_key:
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Validates Google Pay tokens
 test_files: []