api-auth 1.0.1 → 1.0.2

data/.gitignore

@@ -1,3 +1,5 @@
+.rvmrc
+
 # rcov generated
 coverage
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    api-auth (1.0.1)
+    api-auth (1.0.2)
 
 GEM
   remote: http://rubygems.org/

data/VERSION

@@ -1 +1 @@
-1.0.1
+1.0.2

data/lib/api_auth.rb

@@ -9,6 +9,7 @@ require 'api_auth/request_drivers/curb'
 require 'api_auth/request_drivers/rest_client'
 require 'api_auth/request_drivers/action_controller'
 require 'api_auth/request_drivers/action_dispatch'
+require 'api_auth/request_drivers/rack'
 
 require 'api_auth/headers'
 require 'api_auth/base'

data/lib/api_auth/base.rb

@@ -60,7 +60,7 @@ module ApiAuth
     def request_too_old?(request)
       headers = Headers.new(request)
       # 900 seconds is 15 minutes
-      Time.parse(headers.timestamp).utc < (Time.current.utc - 900)
+      Time.parse(headers.timestamp).utc < (Time.now.utc - 900)
     end
 
     def md5_mismatch?(request)

data/lib/api_auth/headers.rb

@@ -25,6 +25,8 @@ module ApiAuth
         end
       when /ActionDispatch::Request/
         @request = ActionDispatchRequest.new(request)
+      when /Rack::Request/
+        @request = RackRequest.new(request)
       else
         raise UnknownHTTPRequest, "#{request.class.to_s} is not yet supported."
       end

data/lib/api_auth/request_drivers/rack.rb

@@ -0,0 +1,85 @@
+module ApiAuth
+
+  module RequestDrivers # :nodoc:
+
+    class RackRequest # :nodoc:
+
+      include ApiAuth::Helpers
+
+      def initialize(request)
+        @request = request
+        @headers = fetch_headers
+        true
+      end
+
+      def set_auth_header(header)
+        @request.env.merge!({ "Authorization" => header })
+        @headers = fetch_headers
+        @request
+      end
+
+      def calculated_md5
+        if @request.body
+          body = @request.body.read
+        else
+          body = ''
+        end
+        Digest::MD5.base64digest(body)
+      end
+
+      def populate_content_md5
+        if ['POST', 'PUT'].include?(@request.request_method)
+          @request.env["Content-MD5"] = calculated_md5
+        end
+      end
+
+      def md5_mismatch?
+        if ['POST', 'PUT'].include?(@request.request_method)
+          calculated_md5 != content_md5
+        else
+          false
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @request.env
+      end
+
+      def content_type
+        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
+        value.nil? ? "" : value
+      end
+
+      def content_md5
+        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
+        value.nil? ? "" : value
+      end
+
+      def request_uri
+        @request.url
+      end
+
+      def set_date
+        @request.env.merge!({ "DATE" => Time.now.utc.httpdate })
+      end
+
+      def timestamp
+        value = find_header(%w(DATE HTTP_DATE))
+        value.nil? ? "" : value
+      end
+
+      def authorization_header
+        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+      end
+
+    private
+
+      def find_header(keys)
+        keys.map {|key| @headers[key] }.compact.first
+      end
+
+    end
+
+  end
+
+end

data/spec/api_auth_spec.rb

@@ -329,6 +329,79 @@ describe "ApiAuth" do
 
     end
 
+    describe "with Rack::Request" do
+
+      before(:each) do
+        headers = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
+                    'Content-Type' => "text/plain",
+                    'Date' => Time.now.utc.httpdate }
+        @request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+      end
+
+      it "should return a Rack::Request object after signing it" do
+        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Rack::Request")
+      end
+
+      describe "md5 header" do
+        context "not already provided" do
+          it "should calculate for empty string" do
+            headers = { 'Content-Type' => "text/plain",
+                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+            request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest('')
+          end
+
+          it "should calculate for real content" do
+            headers = { 'Content-Type' => "text/plain",
+                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+            request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "hellow\nworld").merge!(headers))
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest("hellow\nworld")
+          end
+        end
+
+        it "should leave the content-md5 alone if provided" do
+          @signed_request.env['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
+        end
+      end
+
+      it "should sign the request" do
+        @signed_request.env['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
+      end
+
+      it "should authenticate a valid request" do
+        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
+      end
+
+      it "should NOT authenticate a non-valid request" do
+        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
+      end
+
+      it "should NOT authenticate a mismatched content-md5 when body has changed" do
+        headers = { 'Content-Type' => "text/plain",
+                    'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+        request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "hellow\nworld").merge!(headers))
+        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+        changed_request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "goodbye").merge!(headers))
+        signed_request.env['rack.input'] = changed_request.env['rack.input']
+        signed_request.env['CONTENT_LENGTH'] = changed_request.env['CONTENT_LENGTH']
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
+      it "should NOT authenticate an expired request" do
+        @request.env['Date'] = 16.minutes.ago.utc.httpdate
+        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+      
+      it "should retrieve the access_id" do
+        ApiAuth.access_id(@signed_request).should == "1044"
+      end
+
+    end
+
   end
 
 end

data/spec/headers_spec.rb

@@ -182,4 +182,42 @@ describe "ApiAuth::Headers" do
     end
   end
 
+  describe "with Rack::Request" do
+
+    before(:each) do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain",
+                  'Date' => "Mon, 23 Jan 1984 03:29:56 GMT"
+                  }
+      @request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+      @headers = ApiAuth::Headers.new(@request)
+    end
+
+    it "should generate the proper canonical string" do
+      @headers.canonical_string.should == "text/plain,e59ff97941044f85df5297e1c302d260,http://example.org/resource.xml?foo=bar&bar=foo,Mon, 23 Jan 1984 03:29:56 GMT"
+    end
+
+    it "should set the authorization header" do
+      @headers.sign_header("alpha")
+      @headers.authorization_header.should == "alpha"
+    end
+
+    it "should set the DATE header if one is not already present" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      @request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+      ApiAuth.sign!(@request, "some access id", "some secret key")
+      @request.env['DATE'].should_not be_nil
+    end
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.env['DATE'].should be_nil
+    end
+  end
+
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: api-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-11-30 00:00:00.000000000 Z
+date: 2013-02-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -166,6 +166,7 @@ files:
 - lib/api_auth/request_drivers/action_dispatch.rb
 - lib/api_auth/request_drivers/curb.rb
 - lib/api_auth/request_drivers/net_http.rb
+- lib/api_auth/request_drivers/rack.rb
 - lib/api_auth/request_drivers/rest_client.rb
 - spec/api_auth_spec.rb
 - spec/application_helper.rb
@@ -188,7 +189,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -1454681296772684747
+      hash: 3429846398106267766
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -197,7 +198,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -1454681296772684747
+      hash: 3429846398106267766
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.24