api-auth 1.3.2 → 1.4.0

data/gemfiles/rails_31.gemfile

@@ -6,4 +6,4 @@ gem "actionpack", "~> 3.1.0"
 gem "activeresource", "~> 3.1.0"
 gem "activesupport", "~> 3.1.0"
 
-gemspec :path=>"../"
+gemspec :path => "../"

data/gemfiles/rails_31.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -33,7 +33,7 @@ GEM
       rake
     builder (3.0.4)
     curb (0.8.6)
-    diff-lcs (1.1.3)
+    diff-lcs (1.2.5)
     erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
@@ -55,14 +55,19 @@ GEM
     rake (10.1.1)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
     sprockets (2.0.4)
       hike (~> 1.2)
@@ -87,4 +92,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails_32.gemfile

@@ -6,4 +6,4 @@ gem "actionpack", "~> 3.2.17"
 gem "activeresource", "~> 3.2.17"
 gem "activesupport", "~> 3.2.17"
 
-gemspec :path=>"../"
+gemspec :path => "../"

data/gemfiles/rails_32.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -32,7 +32,7 @@ GEM
       rake
     builder (3.0.4)
     curb (0.8.6)
-    diff-lcs (1.1.3)
+    diff-lcs (1.2.5)
     erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
@@ -53,14 +53,19 @@ GEM
     rake (10.1.1)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
     sprockets (2.2.2)
       hike (~> 1.2)
@@ -86,4 +91,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails_4.gemfile

@@ -6,4 +6,4 @@ gem "actionpack", "~> 4.0.4"
 gem "activeresource", "~> 4.0.0"
 gem "activesupport", "~> 4.0.4"
 
-gemspec :path=>"../"
+gemspec :path => "../"

data/gemfiles/rails_4.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -33,7 +33,7 @@ GEM
     atomic (1.1.16)
     builder (3.1.4)
     curb (0.8.6)
-    diff-lcs (1.1.3)
+    diff-lcs (1.2.5)
     erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
@@ -53,14 +53,19 @@ GEM
     rake (10.1.1)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
     thread_safe (0.2.0)
       atomic (>= 1.1.7, < 2)
@@ -83,4 +88,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails_41.gemfile

@@ -6,4 +6,4 @@ gem "actionpack", "~> 4.1.0"
 gem "activeresource", "~> 4.0.0"
 gem "activesupport", "~> 4.1.0"
 
-gemspec :path=>"../"
+gemspec :path => "../"

data/gemfiles/rails_41.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -36,7 +36,7 @@ GEM
       thor (>= 0.14.0)
     builder (3.2.2)
     curb (0.8.6)
-    diff-lcs (1.1.3)
+    diff-lcs (1.2.5)
     erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
@@ -56,14 +56,19 @@ GEM
     rake (10.3.2)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
     thor (0.19.1)
     thread_safe (0.3.3)
@@ -87,4 +92,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails_42.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "actionpack", "~> 4.2.0"
+gem "activeresource", "~> 4.0.0"
+gem "activesupport", "~> 4.2.0"
+
+gemspec :path => "../"

data/gemfiles/rails_42.gemfile.lock

@@ -0,0 +1,115 @@
+PATH
+  remote: ../
+  specs:
+    api-auth (1.4.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (4.2.5)
+      actionview (= 4.2.5)
+      activesupport (= 4.2.5)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.5)
+      activesupport (= 4.2.5)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activemodel (4.2.5)
+      activesupport (= 4.2.5)
+      builder (~> 3.1)
+    activeresource (4.0.0)
+      activemodel (~> 4.0)
+      activesupport (~> 4.0)
+      rails-observers (~> 0.1.1)
+    activesupport (4.2.5)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    amatch (0.3.0)
+      tins (~> 1.0)
+    appraisal (1.0.0)
+      bundler
+      rake
+      thor (>= 0.14.0)
+    builder (3.2.2)
+    curb (0.8.6)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    faraday (0.9.1)
+      multipart-post (>= 1.2, < 3)
+    httpi (2.1.0)
+      rack
+      rubyntlm (~> 0.3.2)
+    i18n (0.7.0)
+    json (1.8.3)
+    loofah (2.0.3)
+      nokogiri (>= 1.5.9)
+    mime-types (2.6.2)
+    mini_portile (0.6.2)
+    minitest (5.8.2)
+    multipart-post (2.0.0)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    rack (1.6.4)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.7)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    rails-observers (0.1.2)
+      activemodel (~> 4.0)
+    rake (10.4.2)
+    rest-client (1.6.7)
+      mime-types (>= 1.16)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
+    rubyntlm (0.3.4)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tins (1.6.0)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 4.2.0)
+  activeresource (~> 4.0.0)
+  activesupport (~> 4.2.0)
+  amatch
+  api-auth!
+  appraisal
+  curb (~> 0.8.1)
+  faraday
+  httpi
+  multipart-post (~> 2.0)
+  rake
+  rest-client (~> 1.6.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/lib/api_auth/base.rb

@@ -22,19 +22,30 @@ module ApiAuth
     # access_id: The public unique identifier for the client
     #
     # secret_key: assigned secret key that is known to both parties
-    def sign!(request, access_id, secret_key)
+    def sign!(request, access_id, secret_key, options = {})
+      options = { :override_http_method => nil, :with_http_method => false }.merge(options)
       headers = Headers.new(request)
       headers.calculate_md5
       headers.set_date
-      headers.sign_header auth_header(request, access_id, secret_key)
+      headers.sign_header auth_header(headers, access_id, secret_key, options)
     end
 
     # Determines if the request is authentic given the request and the client's
     # secret key. Returns true if the request is authentic and false otherwise.
-    def authentic?(request, secret_key)
+    def authentic?(request, secret_key, options = {})
       return false if secret_key.nil?
+      options = { :override_http_method => nil }.merge(options)
 
-      return !md5_mismatch?(request) && signatures_match?(request, secret_key) && !request_too_old?(request)
+      headers = Headers.new(request)
+      if headers.md5_mismatch?
+        false
+      elsif !signatures_match?(headers, secret_key, options)
+        false
+      elsif request_too_old?(headers)
+        false
+      else
+        true
+      end
     end
 
     # Returns the access id from the request's authorization header
@@ -58,8 +69,9 @@ module ApiAuth
 
   private
 
-    def request_too_old?(request)
-      headers = Headers.new(request)
+    AUTH_HEADER_PATTERN = /APIAuth ([^:]+):(.+)$/
+
+    def request_too_old?(headers)
       # 900 seconds is 15 minutes
       begin
         Time.httpdate(headers.timestamp).utc < (Time.now.utc - 900)
@@ -68,33 +80,35 @@ module ApiAuth
       end
     end
 
-    def md5_mismatch?(request)
-      headers = Headers.new(request)
-      headers.md5_mismatch?
-    end
+    def signatures_match?(headers, secret_key, options)
+      match_data = parse_auth_header(headers.authorization_header)
+      return false unless match_data
 
-    def signatures_match?(request, secret_key)
-      headers = Headers.new(request)
-      if match_data = parse_auth_header(headers.authorization_header)
-        hmac = match_data[2]
-        return hmac == hmac_signature(request, secret_key)
-      end
-      false
+      options = options.merge(:with_http_method => true)
+
+      header_sig = match_data[2]
+      calculated_sig_no_http = hmac_signature(headers, secret_key, {})
+      calculated_sig_with_http = hmac_signature(headers, secret_key, options)
+
+      header_sig == calculated_sig_with_http || header_sig == calculated_sig_no_http
     end
 
-    def hmac_signature(request, secret_key)
-      headers = Headers.new(request)
-      canonical_string = headers.canonical_string
+    def hmac_signature(headers, secret_key, options)
+      if options[:with_http_method]
+        canonical_string = headers.canonical_string_with_http_method(options[:override_http_method])
+      else
+        canonical_string = headers.canonical_string
+      end
       digest = OpenSSL::Digest.new('sha1')
       b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
     end
 
-    def auth_header(request, access_id, secret_key)
-      "APIAuth #{access_id}:#{hmac_signature(request, secret_key)}"
+    def auth_header(headers, access_id, secret_key, options)
+      "APIAuth #{access_id}:#{hmac_signature(headers, secret_key, options)}"
     end
 
     def parse_auth_header(auth_header)
-      Regexp.new("APIAuth ([^:]+):(.+)$").match(auth_header)
+      AUTH_HEADER_PATTERN.match(auth_header)
     end
 
   end # class methods