api-auth 1.5.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 79cbdc86c27b9748d521ca8e0efe2038efa0641b
-  data.tar.gz: 2cc39d41382118e60496a8c9ca9693fb6a4baf02
+  metadata.gz: a0fd8e9563fd57370a49c2c3b909432df2047bca
+  data.tar.gz: 4e3ca050145a2e8271e904f852ac43ad608dd5e9
 SHA512:
-  metadata.gz: f6f7a9271d443ffc86bb0cbb3f674febbe860832429e677a54c7e03cea418597768b746b8ce90f51789be20f21f97011be1e6ff50f1ba4ec3e665cc4351c6da7
-  data.tar.gz: 28873d74e56b7e7cb9b8aee01811841971a79a2d3fa459ca399ac28088495e9e29f26d35216369db5fd626e9f8917877dbcc53d40cb08a23c66bb48f5a6f4975
+  metadata.gz: 717a5e94e609715659eb3355c062436962ba93fb0352d05041fe85604fb4cd7bbd3d4c460595c944c7a14fba2705960637026b2d66d8b5d63a328c845c96e9b8
+  data.tar.gz: 8edeaa5acf7c890900531441ea137bbf59264ec99862896bd2f168232899b9451d34930813a21bfbe50d761ad1e41f84eb431ead00d5620fc56e1aaffa042632

data/.gitignore

@@ -1,44 +1,10 @@
-.rvmrc
-
-# rcov generated
-coverage
-
-# rdoc generated
-rdoc
-
-# yard generated
-doc
-.yardoc
-
-# bundler
-.bundle
-
-# jeweler generated
-pkg
-
-# Have editor/IDE/OS specific files you need to ignore? Consider using a global gitignore: 
-#
-# * Create a file at ~/.gitignore
-# * Include files you want ignored
-# * Run: git config --global core.excludesfile ~/.gitignore
-#
-# After doing this, these files will be ignored in all your git projects,
-# saving you from having to 'pollute' every project you touch with them
-#
-# Not sure what to needs to be ignored for particular editors/OSes? Here's some ideas to get you started. (Remember, remove the leading # of the line)
-#
-# For MacOS:
-#
-#.DS_Store
-#
-# For TextMate
-#*.tmproj
-#tmtags
-#
-# For emacs:
-#*~
-#\#*
-#.\#*
-#
-# For vim:
-#*.swp
+/.bundle
+/.ruby-version
+/.rvmrc
+/Gemfile.lock
+/rdoc
+/pkg
+/coverage
+/doc
+/.yardoc
+gemfiles/*.lock

data/.rubocop.yml

@@ -0,0 +1,102 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2016-02-10 17:06:30 +0100 using RuboCop version 0.37.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: AllowSafeAssignment.
+Lint/AssignmentInCondition:
+  Exclude:
+    - 'lib/api_auth/base.rb'
+
+# Offense count: 1
+Lint/UselessAssignment:
+  Exclude:
+    - 'spec/request_drivers/rest_client_spec.rb'
+
+# Offense count: 2
+Metrics/AbcSize:
+  Max: 25
+
+# Offense count: 2
+Metrics/CyclomaticComplexity:
+  Max: 13
+
+# Offense count: 74
+# Configuration parameters: AllowHeredoc, AllowURI, URISchemes.
+# URISchemes: http, https
+Metrics/LineLength:
+  Max: 137
+
+# Offense count: 4
+# Configuration parameters: CountComments.
+Metrics/MethodLength:
+  Max: 30
+
+# Offense count: 1
+Metrics/PerceivedComplexity:
+  Max: 8
+
+# Offense count: 8
+Style/AccessorMethodName:
+  Exclude:
+    - 'lib/api_auth/railtie.rb'
+    - 'lib/api_auth/request_drivers/action_controller.rb'
+    - 'lib/api_auth/request_drivers/curb.rb'
+    - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/httpi.rb'
+    - 'lib/api_auth/request_drivers/net_http.rb'
+    - 'lib/api_auth/request_drivers/rack.rb'
+    - 'lib/api_auth/request_drivers/rest_client.rb'
+
+# Offense count: 4
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/api_auth/railtie.rb'
+    - 'lib/api_auth/request_drivers/rest_client.rb'
+
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: AllowForAlignment, ForceEqualSignAlignment.
+Style/ExtraSpacing:
+  Exclude:
+    - 'lib/api_auth/railtie.rb'
+
+# Offense count: 1
+# Configuration parameters: ExpectMatchingDefinition, Regex, IgnoreExecutableScripts.
+Style/FileName:
+  Exclude:
+    - 'lib/api-auth.rb'
+
+# Offense count: 110
+# Cop supports --auto-correct.
+# Configuration parameters: SupportedStyles, UseHashRocketsWithSymbolValues.
+# SupportedStyles: ruby19, ruby19_no_mixed_keys, hash_rockets
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
+
+# Offense count: 4
+# Cop supports --auto-correct.
+# Configuration parameters: PreferredDelimiters.
+Style/PercentLiteralDelimiters:
+  Exclude:
+    - 'api_auth.gemspec'
+
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+# SupportedStyles: use_perl_names, use_english_names
+Style/SpecialGlobalVars:
+  Enabled: false
+
+# Offense count: 4
+# Cop supports --auto-correct.
+Style/UnneededPercentQ:
+  Exclude:
+    - 'api_auth.gemspec'
+

data/.travis.yml

@@ -1,5 +1,6 @@
 language: ruby
 sudo: false
+cache: bundler
 rvm:
   - 1.8.7-p374
   - 1.9.3

data/Appraisals

@@ -20,22 +20,30 @@ appraise "rails-32" do
   gem "actionpack", "~> 3.2.17"
   gem "activeresource", "~> 3.2.17"
   gem "activesupport", "~> 3.2.17"
+  gem "httpi", "< 2.3"
+  gem "i18n", "< 0.7.0"
+  gem "rack-cache", "< 1.3"
 end
 
 appraise "rails-31" do
   gem "actionpack", "~> 3.1.0"
   gem "activeresource", "~> 3.1.0"
   gem "activesupport", "~> 3.1.0"
+  gem "httpi", "< 2.3"
+  gem "i18n", "< 0.7.0"
+  gem "rack-cache", "< 1.3"
 end
 
 appraise "rails-30" do
   gem "actionpack", "~> 3.0.20"
   gem "activeresource", "~> 3.0.20"
   gem "activesupport", "~> 3.0.20"
+  gem "httpi", "< 2.3"
 end
 
 appraise "rails-23" do
   gem "actionpack", "~> 2.3.2"
   gem "activeresource", "~> 2.3.2"
   gem "activesupport", "~> 2.3.2"
+  gem "httpi", "< 2.3"
 end

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+# 2.0.0 (2016-05-11)
+- IMPORTANT: 2.0.0 is backwards incompatible with the default settings of v1.x
+  v2.0.0 always includes the http method in the canonical string.
+  You can use the upgrade strategy in v1.4.x and above to migrate to v2.0.0
+  without any down time. Please see the 1.4.0 release nodes for more info
+- Added support for other digest algorithms like SHA-256 (#98 fwininger)
+
 # 1.5.0 (2016-01-21)
 - Added a sign_with_http_method configuration option to the ActiveResource
   rails tie to correspond to passing the `:with_http_method => true` into
@@ -7,7 +14,7 @@
 - Fixed an issue where getters wouldn't immediately have the correct value after
   setting a date or content md5 in some of the request drivers (#91)
 
-# 1.4 (2015-12-16)
+# 1.4.0 (2015-12-16)
 
 ## IMPORTANT SECURITY FIX (with backwards compatible fallback)
 

data/Gemfile

@@ -1,2 +1,5 @@
 source 'https://rubygems.org'
 gemspec
+
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7",  :platforms => :ruby_19 # amatch dependency

data/README.md

@@ -2,7 +2,7 @@
 
 [![Build Status](https://travis-ci.org/mgomes/api_auth.png?branch=master)](https://travis-ci.org/mgomes/api_auth)
 
-## IMPORTANT: See [CHANGELOG.md](/CHANGELOG.md) for security update information
+## IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.
 
 Logins and passwords are for humans. Communication between applications need to
 be protected through different means.
@@ -115,6 +115,21 @@ into the sign! method like so:
     @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
 ```
 
+If you want to use another digest existing in `OpenSSL::Digest`,
+you can pass the http method as an option into the sign! method like so:
+
+``` ruby
+    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :digest => 'sha256')
+```
+
+With the `digest` option, the `Authorization` header will be change from:
+
+    Authorization = APIAuth 'client access id':'signature'
+
+to:
+
+    Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
+
 ### ActiveResource Clients
 
 ApiAuth can transparently protect your ActiveResource communications with a
@@ -128,13 +143,13 @@ single configuration line:
 
 This will automatically sign all outgoing ActiveResource requests from your app.
 
-### Active Rest Client
+### Flexirest
 
-ApiAuth also works with [ActiveRestClient](https://github.com/whichdigital/active-rest-client) in a very similar way.
-Simply add this configuration to your ActiveRestClient initializer in your app and it will automatically sign all outgoing requests.
+ApiAuth also works with [Flexirest](https://github.com/andyjeffries/flexirest) (used to be ActiveRestClient, but that is now unsupported) in a very similar way.
+Simply add this configuration to your Flexirest initializer in your app and it will automatically sign all outgoing requests.
 
 ``` ruby
-ActiveRestClient::Base.api_auth_credentials(@access_id, @secret_key)
+Flexirest::Base.api_auth_credentials(@access_id, @secret_key)
 ```
 
 ## Server
@@ -154,6 +169,19 @@ To validate whether or not a request is authentic:
     ApiAuth.authentic?(signed_request, secret_key)
 ```
 
+The `authentic?` method uses the digest specified in the `Authorization` header.
+For exemple SHA256 for:
+
+    Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
+
+And by default SHA1 if the HMAC-DIGEST is not specified.
+
+If you want to force the usage of another digest method, you should pass it as an option parameter:
+
+``` ruby
+    ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
+```
+
 If your server is a Rails app, the signed request will be the `request` object.
 
 In order to obtain the secret key for the client, you first need to look up the

data/VERSION

@@ -1 +1 @@
-1.5.0
+2.0.0

data/api_auth.gemspec

@@ -1,5 +1,5 @@
 # -*- encoding: utf-8 -*-
-$:.push File.expand_path("../lib", __FILE__)
+$:.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
   s.name = %q{api-auth}
@@ -7,24 +7,24 @@ Gem::Specification.new do |s|
   s.description = %q{Full HMAC auth implementation for use in your gems and Rails apps.}
   s.homepage = %q{https://github.com/mgomes/api_auth}
   s.version = File.read(File.join(File.dirname(__FILE__), 'VERSION'))
-  s.authors = ["Mauricio Gomes"]
-  s.email = "mauricio@edge14.com"
+  s.authors = ['Mauricio Gomes']
+  s.email = 'mauricio@edge14.com'
 
-  s.add_development_dependency "appraisal"
-  s.add_development_dependency "rake"
-  s.add_development_dependency "amatch"
-  s.add_development_dependency "rspec", "~> 3.4"
-  s.add_development_dependency "actionpack", "< 5.0", "> 2.3.2"
-  s.add_development_dependency "activesupport", "< 5.0", "> 2.3.2"
-  s.add_development_dependency "activeresource", "~> 4.0"
-  s.add_development_dependency "rest-client", "~> 1.6.0"
-  s.add_development_dependency "curb", "~> 0.8.1"
-  s.add_development_dependency "httpi"
-  s.add_development_dependency "faraday"
-  s.add_development_dependency "multipart-post", "~> 2.0"
+  s.add_development_dependency 'appraisal'
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'amatch'
+  s.add_development_dependency 'rspec', '~> 3.4'
+  s.add_development_dependency 'actionpack', '< 5.0', '> 2.3.2'
+  s.add_development_dependency 'activesupport', '< 5.0', '> 2.3.2'
+  s.add_development_dependency 'activeresource', '~> 4.0'
+  s.add_development_dependency 'rest-client', '~> 1.6.0'
+  s.add_development_dependency 'curb', '~> 0.8.1'
+  s.add_development_dependency 'httpi'
+  s.add_development_dependency 'faraday'
+  s.add_development_dependency 'multipart-post', '~> 2.0'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ["lib"]
+  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = ['lib']
 end

data/gemfiles/rails_23.gemfile

@@ -2,8 +2,11 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 2.3.2"
 gem "activeresource", "~> 2.3.2"
 gem "activesupport", "~> 2.3.2"
+gem "httpi", "< 2.3"
 
 gemspec :path => "../"

data/gemfiles/rails_30.gemfile

@@ -2,8 +2,11 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 3.0.20"
 gem "activeresource", "~> 3.0.20"
 gem "activesupport", "~> 3.0.20"
+gem "httpi", "< 2.3"
 
 gemspec :path => "../"

data/gemfiles/rails_31.gemfile

@@ -2,8 +2,13 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 3.1.0"
 gem "activeresource", "~> 3.1.0"
 gem "activesupport", "~> 3.1.0"
+gem "httpi", "< 2.3"
+gem "i18n", "< 0.7.0"
+gem "rack-cache", "< 1.3"
 
 gemspec :path => "../"

data/gemfiles/rails_32.gemfile

@@ -2,8 +2,13 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 3.2.17"
 gem "activeresource", "~> 3.2.17"
 gem "activesupport", "~> 3.2.17"
+gem "httpi", "< 2.3"
+gem "i18n", "< 0.7.0"
+gem "rack-cache", "< 1.3"
 
 gemspec :path => "../"

data/gemfiles/rails_4.gemfile

@@ -2,6 +2,8 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 4.0.4"
 gem "activeresource", "~> 4.0.0"
 gem "activesupport", "~> 4.0.4"

data/gemfiles/rails_41.gemfile

@@ -2,6 +2,8 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 4.1.0"
 gem "activeresource", "~> 4.0.0"
 gem "activesupport", "~> 4.1.0"

data/gemfiles/rails_42.gemfile

@@ -2,6 +2,8 @@
 
 source "https://rubygems.org"
 
+gem "rake", "< 11.0", :platforms => :ruby_18
+gem "tins", "< 1.7", :platforms => :ruby_19
 gem "actionpack", "~> 4.2.0"
 gem "activeresource", "~> 4.0.0"
 gem "activesupport", "~> 4.2.0"

data/lib/api-auth.rb

@@ -1,2 +1,2 @@
 # So you can require "api-auth" instead of "api_auth"
-require "api_auth"
+require 'api_auth'

data/lib/api_auth/base.rb

@@ -8,9 +8,7 @@
 # Rails ActiveResource, it will integrate with that. It will even generate the
 # secret keys necessary for your clients to sign their requests.
 module ApiAuth
-
   class << self
-
     include Helpers
 
     # Signs an HTTP request using the client's access id and secret key.
@@ -23,7 +21,7 @@ module ApiAuth
     #
     # secret_key: assigned secret key that is known to both parties
     def sign!(request, access_id, secret_key, options = {})
-      options = { :override_http_method => nil, :with_http_method => false }.merge(options)
+      options = { :override_http_method => nil, :digest => 'sha1' }.merge(options)
       headers = Headers.new(request)
       headers.calculate_md5
       headers.set_date
@@ -34,9 +32,11 @@ module ApiAuth
     # secret key. Returns true if the request is authentic and false otherwise.
     def authentic?(request, secret_key, options = {})
       return false if secret_key.nil?
+
       options = { :override_http_method => nil }.merge(options)
 
       headers = Headers.new(request)
+
       if headers.md5_mismatch?
         false
       elsif !signatures_match?(headers, secret_key, options)
@@ -52,7 +52,7 @@ module ApiAuth
     def access_id(request)
       headers = Headers.new(request)
       if match_data = parse_auth_header(headers.authorization_header)
-        return match_data[1]
+        return match_data[2]
       end
 
       nil
@@ -67,50 +67,46 @@ module ApiAuth
       b64_encode(Digest::SHA2.new(512).digest(random_bytes))
     end
 
-  private
+    private
 
-    AUTH_HEADER_PATTERN = /APIAuth ([^:]+):(.+)$/
+    AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD[245]|SHA(?:1|224|256|384|512)*))? ([^:]+):(.+)$/
 
     def request_too_old?(headers)
       # 900 seconds is 15 minutes
-      begin
-        Time.httpdate(headers.timestamp).utc < (Time.now.utc - 900)
-      rescue ArgumentError
-        true
-      end
+
+      Time.httpdate(headers.timestamp).utc < (Time.now.utc - 900)
+    rescue ArgumentError
+      true
     end
 
     def signatures_match?(headers, secret_key, options)
       match_data = parse_auth_header(headers.authorization_header)
       return false unless match_data
 
-      options = options.merge(:with_http_method => true)
+      digest = match_data[1].blank? ? 'SHA1' : match_data[1].upcase
+      raise InvalidRequestDigest if !options[:digest].nil? && !options[:digest].casecmp(digest).zero?
+
+      options = { :digest => digest }.merge(options)
 
-      header_sig = match_data[2]
-      calculated_sig_no_http = hmac_signature(headers, secret_key, {})
-      calculated_sig_with_http = hmac_signature(headers, secret_key, options)
+      header_sig = match_data[3]
+      calculated_sig = hmac_signature(headers, secret_key, options)
 
-      header_sig == calculated_sig_with_http || header_sig == calculated_sig_no_http
+      header_sig == calculated_sig
     end
 
     def hmac_signature(headers, secret_key, options)
-      if options[:with_http_method]
-        canonical_string = headers.canonical_string_with_http_method(options[:override_http_method])
-      else
-        canonical_string = headers.canonical_string
-      end
-      digest = OpenSSL::Digest.new('sha1')
+      canonical_string = headers.canonical_string(options[:override_http_method])
+      digest = OpenSSL::Digest.new(options[:digest])
       b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
     end
 
     def auth_header(headers, access_id, secret_key, options)
-      "APIAuth #{access_id}:#{hmac_signature(headers, secret_key, options)}"
+      hmac_string = "-HMAC-#{options[:digest].upcase}" unless options[:digest] == 'sha1'
+      "APIAuth#{hmac_string} #{access_id}:#{hmac_signature(headers, secret_key, options)}"
     end
 
     def parse_auth_header(auth_header)
       AUTH_HEADER_PATTERN.match(auth_header)
     end
-
   end # class methods
-
 end # ApiAuth