api-auth 1.1.0 → 1.2.0

data/gemfiles/rails_32.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "actionpack", "~> 3.2.17"
+gem "activeresource", "~> 3.2.17"
+gem "activesupport", "~> 3.2.17"
+
+gemspec :path=>"../"

data/gemfiles/rails_32.gemfile.lock

@@ -0,0 +1,84 @@
+PATH
+  remote: ../
+  specs:
+    api-auth (1.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (3.2.17)
+      activemodel (= 3.2.17)
+      activesupport (= 3.2.17)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.4)
+      rack (~> 1.4.5)
+      rack-cache (~> 1.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.17)
+      activesupport (= 3.2.17)
+      builder (~> 3.0.0)
+    activeresource (3.2.17)
+      activemodel (= 3.2.17)
+      activesupport (= 3.2.17)
+    activesupport (3.2.17)
+      i18n (~> 0.6, >= 0.6.4)
+      multi_json (~> 1.0)
+    amatch (0.2.11)
+      tins (~> 0.3)
+    appraisal (0.5.2)
+      bundler
+      rake
+    builder (3.0.4)
+    curb (0.8.5)
+    diff-lcs (1.1.3)
+    erubis (2.7.0)
+    hike (1.2.3)
+    httpi (2.1.0)
+      rack
+      rubyntlm (~> 0.3.2)
+    i18n (0.6.9)
+    journey (1.0.4)
+    mime-types (1.25.1)
+    multi_json (1.9.2)
+    rack (1.4.5)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rake (10.1.1)
+    rest-client (1.6.7)
+      mime-types (>= 1.16)
+    rspec (2.4.0)
+      rspec-core (~> 2.4.0)
+      rspec-expectations (~> 2.4.0)
+      rspec-mocks (~> 2.4.0)
+    rspec-core (2.4.0)
+    rspec-expectations (2.4.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.4.0)
+    rubyntlm (0.3.4)
+    sprockets (2.2.2)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    tilt (1.4.1)
+    tins (0.13.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 3.2.17)
+  activeresource (~> 3.2.17)
+  activesupport (~> 3.2.17)
+  amatch
+  api-auth!
+  appraisal
+  curb (~> 0.8.1)
+  httpi
+  rake
+  rest-client (~> 1.6.0)
+  rspec (~> 2.4.0)

data/gemfiles/rails_4.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "actionpack", "~> 4.0.4"
+gem "activeresource", "~> 4.0.0"
+gem "activesupport", "~> 4.0.4"
+
+gemspec :path=>"../"

data/gemfiles/rails_4.gemfile.lock

@@ -0,0 +1,81 @@
+PATH
+  remote: ../
+  specs:
+    api-auth (1.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (4.0.4)
+      activesupport (= 4.0.4)
+      builder (~> 3.1.0)
+      erubis (~> 2.7.0)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    activemodel (4.0.4)
+      activesupport (= 4.0.4)
+      builder (~> 3.1.0)
+    activeresource (4.0.0)
+      activemodel (~> 4.0)
+      activesupport (~> 4.0)
+      rails-observers (~> 0.1.1)
+    activesupport (4.0.4)
+      i18n (~> 0.6, >= 0.6.9)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
+    amatch (0.2.11)
+      tins (~> 0.3)
+    appraisal (0.5.2)
+      bundler
+      rake
+    atomic (1.1.16)
+    builder (3.1.4)
+    curb (0.8.5)
+    diff-lcs (1.1.3)
+    erubis (2.7.0)
+    httpi (2.1.0)
+      rack
+      rubyntlm (~> 0.3.2)
+    i18n (0.6.9)
+    mime-types (2.2)
+    minitest (4.7.5)
+    multi_json (1.9.2)
+    rack (1.5.2)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rails-observers (0.1.2)
+      activemodel (~> 4.0)
+    rake (10.1.1)
+    rest-client (1.6.7)
+      mime-types (>= 1.16)
+    rspec (2.4.0)
+      rspec-core (~> 2.4.0)
+      rspec-expectations (~> 2.4.0)
+      rspec-mocks (~> 2.4.0)
+    rspec-core (2.4.0)
+    rspec-expectations (2.4.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.4.0)
+    rubyntlm (0.3.4)
+    thread_safe (0.2.0)
+      atomic (>= 1.1.7, < 2)
+    tins (0.13.2)
+    tzinfo (0.3.39)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 4.0.4)
+  activeresource (~> 4.0.0)
+  activesupport (~> 4.0.4)
+  amatch
+  api-auth!
+  appraisal
+  curb (~> 0.8.1)
+  httpi
+  rake
+  rest-client (~> 1.6.0)
+  rspec (~> 2.4.0)

data/lib/api_auth.rb

@@ -10,6 +10,7 @@ require 'api_auth/request_drivers/rest_client'
 require 'api_auth/request_drivers/action_controller'
 require 'api_auth/request_drivers/action_dispatch'
 require 'api_auth/request_drivers/rack'
+require 'api_auth/request_drivers/httpi'
 
 require 'api_auth/headers'
 require 'api_auth/base'

data/lib/api_auth/base.rb

@@ -15,7 +15,7 @@ module ApiAuth
     # Signs an HTTP request using the client's access id and secret key.
     # Returns the HTTP request object with the modified headers.
     #
-    # request: The request can be a Net::HTTP, ActionController::Request,
+    # request: The request can be a Net::HTTP, ActionDispatch::Request,
     # Curb (Curl::Easy) or a RestClient object.
     #
     # access_id: The public unique identifier for the client

data/lib/api_auth/headers.rb

@@ -29,6 +29,10 @@ module ApiAuth
         @request = RackRequest.new(request)
       when /ActionController::CgiRequest/
         @request = ActionControllerRequest.new(request)
+      when /HTTPI::Request/
+        @request = HttpiRequest.new(request)
+      when /Sinatra::Request/
+          @request = RackRequest.new(request)
       else
         raise UnknownHTTPRequest, "#{request.class.to_s} is not yet supported."
       end

data/lib/api_auth/helpers.rb

@@ -1,18 +1,31 @@
 module ApiAuth
 
   module Helpers # :nodoc:
-    
+
     def b64_encode(string)
-      Base64.strict_encode64(string)
+      if Base64.respond_to?(:strict_encode64)
+        Base64.strict_encode64(string)
+      else
+        # Fall back to stripping out newlines on Ruby 1.8.
+        Base64.encode64(string).gsub(/\n/, '')
+      end
+    end
+
+    def md5_base64digest(string)
+      if Digest::MD5.respond_to?(:base64digest)
+        Digest::MD5.base64digest(string)
+      else
+        b64_encode(Digest::MD5.digest(string))
+      end
     end
-    
+
     # Capitalizes the keys of a hash
     def capitalize_keys(hsh)
       capitalized_hash = {}
       hsh.each_pair {|k,v| capitalized_hash[k.to_s.upcase] = v }
       capitalized_hash
     end
-    
+
   end
-  
+
 end

data/lib/api_auth/request_drivers/action_controller.rb

@@ -24,7 +24,7 @@ module ApiAuth
         else
           body = ''
         end
-        Digest::MD5.base64digest(body)
+        md5_base64digest(body)
       end
 
       def populate_content_md5
@@ -60,7 +60,7 @@ module ApiAuth
       end
 
       def set_date
-        @request.env['DATE'] = Time.now.utc.httpdate
+        @request.env['HTTP_DATE'] = Time.now.utc.httpdate
       end
 
       def timestamp

data/lib/api_auth/request_drivers/httpi.rb

@@ -0,0 +1,80 @@
+module ApiAuth
+
+  module RequestDrivers # :nodoc:
+
+    class HttpiRequest # :nodoc:
+
+      include ApiAuth::Helpers
+
+      def initialize(request)
+        @request = request
+        @headers = fetch_headers
+        true
+      end
+
+      def set_auth_header(header)
+        @request.headers["Authorization"] = header
+        @headers = fetch_headers
+        @request
+      end
+
+      def calculated_md5
+        md5_base64digest(@request.body || '')
+      end
+
+      def populate_content_md5
+        if @request.body
+          @request.headers["Content-MD5"] = calculated_md5
+        end
+      end
+
+      def md5_mismatch?
+        if @request.body
+          calculated_md5 != content_md5
+        else
+          false
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @request.headers
+      end
+
+      def content_type
+        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
+        value.nil? ? "" : value
+      end
+
+      def content_md5
+        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
+        value.nil? ? "" : value
+      end
+
+      def request_uri
+        @request.url.request_uri
+      end
+
+      def set_date
+        @request.headers["DATE"] = Time.now.utc.httpdate
+      end
+
+      def timestamp
+        value = find_header(%w(DATE HTTP_DATE))
+        value.nil? ? "" : value
+      end
+
+      def authorization_header
+        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+      end
+
+    private
+
+      def find_header(keys)
+        keys.map {|key| @headers[key] }.compact.first
+      end
+
+    end
+
+  end
+
+end

data/lib/api_auth/request_drivers/net_http.rb

@@ -4,6 +4,8 @@ module ApiAuth
 
     class NetHttpRequest # :nodoc:
 
+      include ApiAuth::Helpers
+
       def initialize(request)
         @request = request
         @headers = fetch_headers
@@ -17,7 +19,7 @@ module ApiAuth
       end
 
       def calculated_md5
-        Digest::MD5.base64digest(@request.body || '')
+        md5_base64digest(@request.body || '')
       end
 
       def populate_content_md5

data/lib/api_auth/request_drivers/rack.rb

@@ -25,7 +25,7 @@ module ApiAuth
         else
           body = ''
         end
-        Digest::MD5.base64digest(body)
+        md5_base64digest(body)
       end
 
       def populate_content_md5

data/lib/api_auth/request_drivers/rest_client.rb

@@ -17,7 +17,6 @@ module ApiAuth
 
       def set_auth_header(header)
         @request.headers.merge!({ "Authorization" => header })
-        @headers = fetch_headers
         save_headers # enforce update of processed_headers based on last updated headers
         @request
       end
@@ -29,7 +28,7 @@ module ApiAuth
         else
           body = ''
         end
-        Digest::MD5.base64digest(body)
+        md5_base64digest(body)
       end
 
       def populate_content_md5
@@ -47,7 +46,7 @@ module ApiAuth
       end
 
       def fetch_headers
-        capitalize_keys @request.headers
+        capitalize_keys @request.processed_headers
       end
 
       def content_type
@@ -84,7 +83,8 @@ module ApiAuth
       end
 
       def save_headers
-        @request.processed_headers = @request.make_headers(@headers)
+        @request.processed_headers = @request.make_headers(@request.headers)
+        @headers = fetch_headers
       end
 
     end

data/spec/api_auth_spec.rb

@@ -36,8 +36,8 @@ describe "ApiAuth" do
     describe "with Net::HTTP" do
 
       before(:each) do
-        @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo", 
-          'content-type' => 'text/plain', 
+        @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+          'content-type' => 'text/plain',
           'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
           'date' => Time.now.utc.httpdate)
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
@@ -54,7 +54,7 @@ describe "ApiAuth" do
               'content-type' => 'text/plain',
               'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == Digest::MD5.base64digest('')
+            signed_request['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
           end
 
           it "should calculate for real content" do
@@ -63,7 +63,7 @@ describe "ApiAuth" do
               'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
             request.body = "hello\nworld"
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == Digest::MD5.base64digest("hello\nworld")
+            signed_request['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
           end
         end
 
@@ -99,7 +99,7 @@ describe "ApiAuth" do
         signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
         ApiAuth.authentic?(signed_request, @secret_key).should be_false
       end
-      
+
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
@@ -112,7 +112,7 @@ describe "ApiAuth" do
         headers = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
                     'Content-Type' => "text/plain",
                     'Date' => Time.now.utc.httpdate }
-        @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo", 
+        @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
           :headers => headers,
           :method => :put)
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
@@ -131,7 +131,7 @@ describe "ApiAuth" do
               :headers => headers,
               :method => :put)
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.headers['Content-MD5'].should == Digest::MD5.base64digest('')
+            signed_request.headers['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
           end
 
           it "should calculate for real content" do
@@ -142,7 +142,7 @@ describe "ApiAuth" do
               :method => :put,
               :payload => "hellow\nworld")
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.headers['Content-MD5'].should == Digest::MD5.base64digest("hellow\nworld")
+            signed_request.headers['Content-MD5'].should == "G0grublI06013h58g9j8Vw=="
           end
         end
 
@@ -180,7 +180,7 @@ describe "ApiAuth" do
         signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
         ApiAuth.authentic?(signed_request, @secret_key).should be_false
       end
-      
+
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
@@ -236,17 +236,19 @@ describe "ApiAuth" do
         signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
         ApiAuth.authentic?(signed_request, @secret_key).should be_false
       end
-      
+
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
 
     end
 
-    describe "with ActionController" do
+    describe "with ActionController/ActionDispatch" do
+
+      let(:request_klass){ ActionDispatch::Request rescue ActionController::Request }
 
       before(:each) do
-        @request = ActionController::Request.new(
+        @request = request_klass.new(
           'PATH_INFO' => '/resource.xml',
           'QUERY_STRING' => 'foo=bar&bar=foo',
           'REQUEST_METHOD' => 'PUT',
@@ -256,25 +258,25 @@ describe "ApiAuth" do
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
       end
 
-      it "should return a ActionController::Request object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("ActionController::Request")
+      it "should return a ActionDispatch::Request object after signing it" do
+        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match(request_klass.to_s)
       end
 
       describe "md5 header" do
         context "not already provided" do
           it "should calculate for empty string" do
-            request = ActionController::Request.new(
+            request = request_klass.new(
               'PATH_INFO' => '/resource.xml',
               'QUERY_STRING' => 'foo=bar&bar=foo',
               'REQUEST_METHOD' => 'PUT',
               'CONTENT_TYPE' => 'text/plain',
               'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT')
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest('')
+            signed_request.env['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
           end
 
           it "should calculate for real content" do
-            request = ActionController::Request.new(
+            request = request_klass.new(
               'PATH_INFO' => '/resource.xml',
               'QUERY_STRING' => 'foo=bar&bar=foo',
               'REQUEST_METHOD' => 'PUT',
@@ -282,7 +284,7 @@ describe "ApiAuth" do
               'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT',
               'RAW_POST_DATA' => "hello\nworld")
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest("hello\nworld")
+            signed_request.env['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
           end
 
         end
@@ -305,7 +307,7 @@ describe "ApiAuth" do
       end
 
       it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        request = ActionController::Request.new(
+        request = request_klass.new(
           'PATH_INFO' => '/resource.xml',
           'QUERY_STRING' => 'foo=bar&bar=foo',
           'REQUEST_METHOD' => 'PUT',
@@ -350,7 +352,7 @@ describe "ApiAuth" do
                         'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
             request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest('')
+            signed_request.env['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
           end
 
           it "should calculate for real content" do
@@ -358,7 +360,7 @@ describe "ApiAuth" do
                         'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
             request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "hellow\nworld").merge!(headers))
             signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest("hellow\nworld")
+            signed_request.env['Content-MD5'].should == "G0grublI06013h58g9j8Vw=="
           end
         end
 
@@ -395,13 +397,86 @@ describe "ApiAuth" do
         signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
         ApiAuth.authentic?(signed_request, @secret_key).should be_false
       end
-      
+
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
 
     end
 
+    describe "with HTTPI" do
+      before(:each) do
+        @request = HTTPI::Request.new("http://localhost/resource.xml?foo=bar&bar=foo")
+        @request.headers.merge!({
+                                    'content-type' => 'text/plain',
+                                    'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                                    'date' => Time.now.utc.httpdate
+                                })
+        @headers = ApiAuth::Headers.new(@request)
+        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+      end
+
+      it "should return a HTTPI object after signing it" do
+        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("HTTPI::Request")
+      end
+
+      describe "md5 header" do
+        context "not already provided" do
+          it "should calculate for empty string" do
+            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+                                         'content-type' => 'text/plain',
+                                         'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
+          end
+
+          it "should calculate for real content" do
+            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+                                         'content-type' => 'text/plain',
+                                         'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+            request.body = "hello\nworld"
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
+          end
+        end
+
+        it "should leave the content-md5 alone if provided" do
+          @signed_request.headers['Content-MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
+        end
+      end
+
+      it "should sign the request" do
+        @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
+      end
+
+      it "should authenticate a valid request" do
+        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
+      end
+
+      it "should NOT authenticate a non-valid request" do
+        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
+      end
+
+      it "should NOT authenticate a mismatched content-md5 when body has changed" do
+        request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+                                     'content-type' => 'text/plain',
+                                     'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+        request.body = "hello\nworld"
+        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+        signed_request.body = "goodbye"
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
+      it "should NOT authenticate an expired request" do
+        @request.headers['Date'] = 16.minutes.ago.utc.httpdate
+        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
+      it "should retrieve the access_id" do
+        ApiAuth.access_id(@signed_request).should == "1044"
+      end
+    end
   end
 
 end