aliquot 1.0.0 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0cdd20926e96b21c0fb8c494b13fe34995c59646285d71416c33045e907b830a
-  data.tar.gz: 32d7e64f5ef20f37404bcc5293672dbaa43f6d299bd0701e49b859ad2e9c1a25
+  metadata.gz: de89d0021775b3047c345d9d41bdb90855fe9fac9e1a663b83e5f865fc407edf
+  data.tar.gz: ac219aa43dc4924729d1f29013e25d1cedd616c3f086734607bc35006182be8e
 SHA512:
-  metadata.gz: 1b555a97041aaaf6e4cd3e3aaf82c17a94112627f36cc3e0835a4708c28eef8e8f6a4f20e51b978876cc77a1ced87b6a4b6066a7effd52e2a027c5d152a78995
-  data.tar.gz: ee081263c8ad3869eaa53127ec7ed300f9bba4c67619c548ed83099932cf0978cf3e0ec48dbca47e054a01f79f747c261a0e96eb84d26e9665846dbfed5a2025
+  metadata.gz: 05102ee3be01374cd0b58d3dab85ddc6428d16df25a7dc7262989a3108691ab5c3c7e94b128f544c7d66be8f70cb428f8babc22d2fe805a31c1efb84912fcacc
+  data.tar.gz: 98a9aa9ae43295d177ed42c1d77f4e785f5eff0751c87fbf500fb52f48c98f684a9e9f331ad14e89dfd393b464585a61dc6b8c2377b2ebea7fa075b1f859fb59

data/lib/aliquot/error.rb

@@ -29,5 +29,6 @@ module Aliquot
   # When shared_secret is invalid
   class InvalidSharedSecretError < Error; end
 
-  class InvalidMerchantIDError < Error; end
+  # When recipient_id is invalid
+  class InvalidRecipientIDError < Error; end
 end

data/lib/aliquot/payment.rb

@@ -10,16 +10,16 @@ module Aliquot
   ##
   # A Payment represents a single payment using Google Pay.
   # It is used to verify/decrypt the supplied token by using the shared secret,
-  # thus avoiding having knowledge of merchant primary keys.
+  # thus avoiding having knowledge of any private keys involved.
   class Payment
     SUPPORTED_PROTOCOL_VERSIONS = %w[ECv1 ECv2].freeze
     ##
     # Parameters:
     # token_string::  Google Pay token (JSON string)
     # shared_secret:: Base64 encoded shared secret
-    # merchant_id::   Google Pay merchant ID
+    # recipient_id::   Google Pay recipient ID
     # signing_keys::  Signing keys fetched from Google
-    def initialize(token_string, shared_secret, merchant_id,
+    def initialize(token_string, shared_secret, recipient_id,
                    signing_keys: ENV['GOOGLE_SIGNING_KEYS'])
 
       begin
@@ -32,7 +32,7 @@ module Aliquot
       @token = validation.output
 
       @shared_secret = shared_secret
-      @merchant_id   = merchant_id
+      @recipient_id   = recipient_id
       @signing_keys  = signing_keys
     end
 
@@ -43,7 +43,7 @@ module Aliquot
         raise Error, "supported protocol versions are #{SUPPORTED_PROTOCOL_VERSIONS.join(', ')}"
       end
 
-      @recipient_id = validate_merchant_id
+      @recipient_id = validate_recipient_id
 
       check_shared_secret
 
@@ -102,9 +102,10 @@ module Aliquot
       @intermediate_key[:keyExpiration].to_i < cur_millis
     end
 
-    def validate_merchant_id
-      raise InvalidMerchantIDError unless /\A[[:graph:]]+\z/ =~ @merchant_id
-      "merchant:#{@merchant_id}"
+    def validate_recipient_id
+      raise InvalidRecipientIDError, 'recipient_id must be alphanumeric and punctuation' unless /\A[[:graph:]]+\z/ =~ @recipient_id
+
+      @recipient_id
     end
 
     def check_shared_secret
@@ -209,8 +210,8 @@ module Aliquot
 
     def decrypt(key, encrypted)
       c = new_cipher
-      c.key = key
       c.decrypt
+      c.key = key
 
       c.update(Base64.strict_decode64(encrypted)) + c.final
     end

data/lib/aliquot/validator.rb

@@ -9,143 +9,221 @@ module Aliquot
   module Validator
     # Verified according to:
     # https://developers.google.com/pay/api/web/guides/resources/payment-data-cryptography#payment-method-token-structure
-    module Predicates
-      include Dry::Logic::Predicates
-
-      CUSTOM_PREDICATE_ERRORS = {
-        base64?:          'must be Base64',
-        pan?:             'must be a pan',
-        ec_public_key?:   'must be an EC public key',
-        eci?:             'must be an ECI',
-        json_string?:     'must be valid JSON',
-        integer_string?:  'must be string encoded integer',
-        month?:           'must be a month (1..12)',
-        year?:            'must be a year (2000..3000)',
-        base64_asn1?:     'must be base64 encoded asn1 value',
-        json_object?:     'must be a JSON object',
-
-        authMethodCryptogram3DS: 'authMethod CRYPTOGRAM_3DS requires eciIndicator',
-        authMethodCard:          'eciIndicator/cryptogram must be omitted when PAN_ONLY',
-      }.freeze
-
-      # Support Ruby 2.3, but use the faster #match? when available.
-      match_b = ''.respond_to?(:match?) ? ->(s, re) { s.match?(re) } : ->(s, re) { !!(s =~ re) }
-
-      def self.to_bool(lbd)
-        lbd.call
-        true
-      rescue
-        false
-      end
 
-      predicate(:base64?) do |x|
-        str?(x) &&
-          match_b.call(x, /\A[=A-Za-z0-9+\/]*\z/) && # allowable chars
-          x.length.remainder(4).zero? && # multiple of 4
-          !match_b.call(x, /=[^$=]/) && # may only end with ='s
-          !match_b.call(x, /===/) # at most 2 ='s
-      end
+    CUSTOM_ERRORS = {
+      base64?:         'must be Base64',
+      pan?:            'must be a PAN',
+      ec_public_key?:  'must be an EC public key',
+      eci?:            'must be an ECI',
+      integer_string?: 'must be string encoded integer',
+      month?:          'must be a month (1..12)',
+      year?:           'must be a year (2000..3000)',
+      base64_asn1?:    'must be base64-encoded ANS.1 value',
+      json?:           'must be valid JSON',
+
+      is_authMethodCryptogram3DS: 'authMethod CRYPTOGRAM_3DS requires eciIndicator',
+      is_authMethodCard:          'eciIndicator/cryptogram must be omitted when PAN_ONLY',
+    }.freeze
+
+    def self.base64_check(value)
+      /\A[=A-Za-z0-9+\/]*\z/.match?(value) && # allowable chars
+        value.length.remainder(4).zero? && # multiple of 4
+        !/=[^$=]/.match?(value) && # may only end with ='s
+        !/===/.match?(value) # at most 2 ='s
+    end
 
-      # We should figure out how strict we should be. Hopefully we can discard
-      # the above Base64? predicate and use the following simpler one:
-      #predicate(:strict_base64?) { |x| !!Base64.strict_decode64(x) rescue false }
+    Dry::Validation.register_macro(:base64?) do
+      if key?
+        unless Aliquot::Validator.base64_check(value)
+          key.failure(CUSTOM_ERRORS[:base64?])
+        end
+      end
+    end
 
-      predicate(:pan?) { |x| match_b.call(x, /\A[1-9][0-9]{11,18}\z/) }
+    def self.ans1_check(value)
+      OpenSSL::ASN1.decode(Base64.strict_decode64(value)) rescue false
+    end
 
-      predicate(:eci?) { |x| str?(x) && match_b.call(x, /\A\d{1,2}\z/) }
+    Dry::Validation.register_macro(:base64_asn1?) do
+      if key?
+        unless Aliquot::Validator.ans1_check(value)
+          key.failure(CUSTOM_ERRORS[:base64_asn1?])
+        end
+      end
+    end
 
-      predicate(:ec_public_key?) { |x| base64?(x) && OpenSSL::PKey::EC.new(Base64.decode64(x)).check_key rescue false }
+    Dry::Validation.register_macro(:pan?) do
+      if key?
+        unless /\A[1-9][0-9]{11,18}\z/.match?(value)
+          key.failure(CUSTOM_ERRORS[:pan?])
+        end
+      end
+    end
 
-      predicate(:json_string?) { |x| !!JSON.parse(x) rescue false }
+    Dry::Validation.register_macro(:ec_public_key?) do
+      if key?
+        begin
+          OpenSSL::PKey::EC.new(Base64.decode64(value)).check_key
+        rescue
+          key.failure(CUSTOM_ERRORS[:ec_public_key?])
+        end
+      end
+    end
 
-      predicate(:integer_string?) { |x| str?(x) && match_b.call(x, /\A\d+\z/) }
+    Dry::Validation.register_macro(:eci?) do
+      if key?
+        unless /\A\d{1,2}\z/.match?(value)
+          key.failure(CUSTOM_ERRORS[:eci?])
+        end
+      end
+    end
 
-      predicate(:month?) { |x| x.between?(1, 12) }
+    Dry::Validation.register_macro(:integer_string?) do
+      if key?
+        unless /\A\d+\z/.match?(value)
+          key.failure(CUSTOM_ERRORS[:integer_string?])
+        end
+      end
+    end
 
-      predicate(:year?) { |x| x.between?(2000, 3000) }
+    Dry::Validation.register_macro(:json?) do
+      if key?
+        json = JSON.parse(value) rescue false
+        key.failure(CUSTOM_ERRORS[:json?]) unless json
+      end
+    end
 
-      predicate(:base64_asn1?) { |x| OpenSSL::ASN1.decode(Base64.strict_decode64(x)) rescue false }
+    Dry::Validation.register_macro(:month?) do
+      if key?
+        unless value.between?(1, 12)
+          key.failure(CUSTOM_ERRORS[:month?])
+        end
+      end
+    end
 
-      predicate(:json_object?) { |x| hash?(x) }
+    Dry::Validation.register_macro(:year?) do
+      if key?
+        unless value.between?(2000, 3000)
+          key.failure(CUSTOM_ERRORS[:year?])
+        end
+      end
     end
 
-    # Base for DRY-Validation schemas used in Aliquot.
-    class BaseSchema < Dry::Validation::Schema::JSON
-      predicates(Predicates)
-      def self.messages
-        super.merge(en: { errors: Predicates::CUSTOM_PREDICATE_ERRORS })
+    class SignedKeyContract < Dry::Validation::Contract
+      json do
+        required(:keyExpiration).filled(:str?)
+        required(:keyValue).filled(:str?)
       end
+      rule(:keyExpiration).validate(:integer_string?)
+      rule(:keyValue).validate(:ec_public_key?)
     end
 
-    # Schema used for the 'intermediateSigningKey' hash included in ECv2.
-    IntermediateSigningKeySchema = Dry::Validation.Schema(BaseSchema) do
-      required(:signedKey).filled(:str?, :json_string?)
+    SignedKeySchema = SignedKeyContract.new
 
-      required(:signatures).filled(:array?) { each { base64? & base64_asn1? } }
+    # Schema used for the 'intermediateSigningKey' hash included in ECv2.
+    class IntermediateSigningKeyContract < Dry::Validation::Contract
+      json do
+        required(:signedKey).filled(:str?)
+        required(:signatures).array(:str?)
+      end
+      rule(:signedKey).validate(:json?)
+      rule(:signatures).each do
+        key.failure('must be Base64') unless Aliquot::Validator.base64_check(value) &&
+          Aliquot::Validator.ans1_check(value)
+      end
     end
 
-    SignedKeySchema = Dry::Validation.Schema(BaseSchema) do
-      required(:keyExpiration).filled(:integer_string?)
-      required(:keyValue).filled(:ec_public_key?)
-    end
+    IntermediateSigningKeySchema = IntermediateSigningKeyContract.new
 
     # DRY-Validation schema for Google Pay token
-    TokenSchema = Dry::Validation.Schema(BaseSchema) do
-      required(:signature).filled(:str?, :base64?, :base64_asn1?)
-
-      required(:protocolVersion).filled(:str?).when(eql?: 'ECv2') do
-        required(:intermediateSigningKey)
+    class TokenContract < Dry::Validation::Contract
+      json do
+        required(:signature).filled(:str?)
+        required(:signedMessage).filled(:str?)
+        required(:protocolVersion).filled(:str?)
+        optional(:intermediateSigningKey).hash(IntermediateSigningKeyContract.new.schema)
       end
+      rule(:signature).validate(:base64?, :base64_asn1?)
+      rule(:signedMessage).validate(:json?)
 
-      required(:signedMessage).filled(:str?, :json_string?)
-
-      optional(:intermediateSigningKey).value(:json_object?) { schema(IntermediateSigningKeySchema) }
+      rule(:intermediateSigningKey) do
+        key.failure('is missing') if 'ECv2'.eql?(values[:protocolVersion]) &&
+          values[:intermediateSigningKey].nil?
+      end
     end
 
+    TokenSchema = TokenContract.new
+
     # DRY-Validation schema for signedMessage component Google Pay token
-    SignedMessageSchema = Dry::Validation.Schema(BaseSchema) do
-      required(:encryptedMessage).filled(:str?, :base64?)
-      required(:ephemeralPublicKey).filled(:str?, :base64?)
-      required(:tag).filled(:str?, :base64?)
+    class SignedMessageContract < Dry::Validation::Contract
+      json do
+        required(:encryptedMessage).filled(:str?)
+        required(:ephemeralPublicKey).filled(:str?)
+        required(:tag).filled(:str?)
+      end
+      rule(:encryptedMessage).validate(:base64?)
+      rule(:ephemeralPublicKey).validate(:base64?)
+      rule(:tag).validate(:base64?)
     end
 
-    # DRY-Validation schema for paymentMethodDetails component Google Pay token
-    PaymentMethodDetailsSchema = Dry::Validation.Schema(BaseSchema) do
-      required(:pan).filled(:integer_string?, :pan?)
-      required(:expirationMonth).filled(:int?, :month?)
-      required(:expirationYear).filled(:int?, :year?)
-      required(:authMethod).filled(:str?, included_in?: %w[PAN_ONLY CRYPTOGRAM_3DS])
-
-      optional(:cryptogram).filled(:str?)
-      optional(:eciIndicator).filled(:str?, :eci?)
+    SignedMessageSchema = SignedMessageContract.new
 
-      rule(cryptogram: %i[authMethod cryptogram]) do |method, cryptogram|
-        method.eql?('CRYPTOGRAM_3DS') > required(:cryptogram)
+    # DRY-Validation schema for paymentMethodDetails component Google Pay token
+    class PaymentMethodDetailsContract < Dry::Validation::Contract
+      json do
+        required(:pan).filled(:str?)
+        required(:expirationMonth).filled(:int?)
+        required(:expirationYear).filled(:int?)
+        required(:authMethod).filled(:str?, included_in?: %w[PAN_ONLY CRYPTOGRAM_3DS])
+
+        optional(:cryptogram).filled(:str?)
+        optional(:eciIndicator).filled(:str?)
+      end
+      rule(:pan).validate(:integer_string?, :pan?)
+      rule(:expirationMonth).validate(:month?)
+      rule(:expirationYear).validate(:year?)
+      rule(:eciIndicator).validate(:eci?)
+
+      rule(:cryptogram) do
+        key.failure('is missing') if 'CRYPTOGRAM_3DS'.eql?(values[:authMethod]) &&
+          values[:cryptogram].nil?
       end
 
-      rule(eciIndicator: %i[authMethod eciIndicator]) do |method, eci|
-        method.eql?('PAN_ONLY').then(eci.none?)
+      rule(:cryptogram) do
+        key.failure('cannot be defined') if 'PAN_ONLY'.eql?(values[:authMethod]) &&
+          !values[:cryptogram].nil?
       end
 
-      rule(cryptogram: %i[authMethod cryptogram]) do |method, cryptogram|
-        method.eql?('PAN_ONLY').then(cryptogram.none?)
+      rule(:eciIndicator) do
+        key.failure('cannot be defined') if 'PAN_ONLY'.eql?(values[:authMethod]) &&
+          !values[:eciIndicator].nil?
       end
     end
 
+    PaymentMethodDetailsSchema = PaymentMethodDetailsContract.new
+
     # DRY-Validation schema for encryptedMessage component Google Pay token
-    EncryptedMessageSchema = Dry::Validation.Schema(BaseSchema) do
-      required(:messageExpiration).filled(:str?, :integer_string?)
-      required(:messageId).filled(:str?)
-      required(:paymentMethod).filled(:str?, eql?: 'CARD')
-      required(:paymentMethodDetails).value(:json_object?) { schema PaymentMethodDetailsSchema }
+    class EncryptedMessageContract < Dry::Validation::Contract
+      json do
+        required(:messageExpiration).filled(:str?)
+        required(:messageId).filled(:str?)
+        required(:paymentMethod).filled(:str?)
+        required(:paymentMethodDetails).filled(:hash).schema(PaymentMethodDetailsContract.schema)
+      end
+      rule(:messageExpiration).validate(:integer_string?)
+      rule(:paymentMethod) do
+        key.failure('must be equal to CARD') unless 'CARD'.eql?(value)
+      end
     end
 
+    EncryptedMessageSchema = EncryptedMessageContract.new
+
     module InstanceMethods
       attr_reader :output
 
       def validate
         @validation ||= @schema.call(@input)
-        @output = @validation.output
+        @output = @validation.to_h
         return true if @validation.success?
         raise Aliquot::ValidationError, "validation error(s), #{errors_formatted}"
       end
@@ -176,7 +254,9 @@ module Aliquot
     # Class for validating a Google Pay token
     class Token
       include InstanceMethods
+
       class Error < ::Aliquot::Error; end
+
       def initialize(input)
         @input = input
         @schema = TokenSchema
@@ -186,7 +266,9 @@ module Aliquot
     # Class for validating the SignedMessage component of a Google Pay token
     class SignedMessage
       include InstanceMethods
+
       class Error < ::Aliquot::Error; end
+
       def initialize(input)
         @input = input
         @schema = SignedMessageSchema
@@ -196,7 +278,9 @@ module Aliquot
     # Class for validating the encryptedMessage component of a Google Pay token
     class EncryptedMessageValidator
       include InstanceMethods
+
       class Error < ::Aliquot::Error; end
+
       def initialize(input)
         @input = input
         @schema = EncryptedMessageSchema
@@ -205,7 +289,9 @@ module Aliquot
 
     class SignedKeyValidator
       include InstanceMethods
+
       class Error < ::Aliquot::Error; end
+
       def initialize(input)
         @input = input
         @schema = SignedKeySchema

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aliquot
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.1.2
 platform: ruby
 authors:
 - Clearhaus
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-18 00:00:00.000000000 Z
+date: 2022-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-validation
@@ -16,56 +16,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.8'
 - !ruby/object:Gem::Dependency
   name: excon
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.71.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.71.0
 - !ruby/object:Gem::Dependency
   name: hkdf
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.3'
 - !ruby/object:Gem::Dependency
   name: aliquot-pay
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 2.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 2.1.1
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.14.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.14.1
 description: 
 email: hello@clearhaus.com
 executables: []
@@ -100,16 +114,16 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Validates Google Pay tokens