api-auth 1.5.0 → 2.6.0

data/lib/api_auth/headers.rb

@@ -1,17 +1,15 @@
 module ApiAuth
-
   # Builds the canonical string given a request object.
   class Headers
-
     include RequestDrivers
 
-    def initialize(request)
+    def initialize(request, authorize_md5: false)
       @original_request = request
-      @request = initialize_request_driver(request)
+      @request = initialize_request_driver(request, authorize_md5: authorize_md5)
       true
     end
 
-    def initialize_request_driver(request)
+    def initialize_request_driver(request, authorize_md5: false)
       new_request =
         case request.class.to_s
         when /Net::HTTP/
@@ -28,54 +26,52 @@ module ApiAuth
           else
             ActionControllerRequest.new(request)
           end
+        when /Grape::Request/
+          GrapeRequest.new(request)
         when /ActionDispatch::Request/
-          ActionDispatchRequest.new(request)
+          ActionDispatchRequest.new(request, authorize_md5: authorize_md5)
         when /ActionController::CgiRequest/
           ActionControllerRequest.new(request)
         when /HTTPI::Request/
           HttpiRequest.new(request)
         when /Faraday::Request/
           FaradayRequest.new(request)
-        else
-          nil
+        when /Faraday::Env/
+          FaradayEnv.new(request)
+        when /HTTP::Request/
+          HttpRequest.new(request)
         end
 
       return new_request if new_request
-      return RackRequest.new(request) if request.kind_of?(Rack::Request)
-      raise UnknownHTTPRequest, "#{request.class.to_s} is not yet supported."
+      return RackRequest.new(request) if request.is_a?(Rack::Request)
+
+      raise UnknownHTTPRequest, "#{request.class} is not yet supported."
     end
     private :initialize_request_driver
 
     # Returns the request timestamp
     def timestamp
-       @request.timestamp
+      @request.timestamp
     end
 
-    # Returns the canonical string computed from the request's headers
-    def canonical_string_without_http_method
-      [ @request.content_type,
-        @request.content_md5,
-        parse_uri(@request.request_uri),
-        @request.timestamp
-      ].join(",")
-    end
+    def canonical_string(override_method = nil, headers_to_sign = [])
+      request_method = override_method || @request.http_method
 
-    # temp backwards compatibility
-    alias_method :canonical_string, :canonical_string_without_http_method
+      raise ArgumentError, 'unable to determine the http method from the request, please supply an override' if request_method.nil?
 
-    def canonical_string_with_http_method(override_method = nil)
-      request_method = override_method || @request.http_method
+      headers = @request.fetch_headers
+
+      canonical_array = [request_method.upcase,
+                         @request.content_type,
+                         @request.content_hash,
+                         parse_uri(@request.original_uri || @request.request_uri),
+                         @request.timestamp]
 
-      if request_method.nil?
-        raise ArgumentError, "unable to determine the http method from the request, please supply an override"
+      if headers_to_sign.is_a?(Array) && headers_to_sign.any?
+        headers_to_sign.each { |h| canonical_array << headers[h] if headers[h].present? }
       end
 
-      [ request_method.upcase,
-        @request.content_type,
-        @request.content_md5,
-        parse_uri(@request.request_uri),
-        @request.timestamp
-      ].join(",")
+      canonical_array.join(',')
     end
 
     # Returns the authorization header from the request's headers
@@ -84,18 +80,18 @@ module ApiAuth
     end
 
     def set_date
-      @request.set_date if @request.timestamp.empty?
+      @request.set_date if @request.timestamp.nil?
     end
 
-    def calculate_md5
-      @request.populate_content_md5 if @request.content_md5.empty?
+    def calculate_hash
+      @request.populate_content_hash if @request.content_hash.nil?
     end
 
-    def md5_mismatch?
-      if @request.content_md5.empty?
+    def content_hash_mismatch?
+      if @request.content_hash.nil?
         false
       else
-        @request.md5_mismatch?
+        @request.content_hash_mismatch?
       end
     end
 
@@ -110,12 +106,12 @@ module ApiAuth
 
     private
 
-    URI_WITHOUT_HOST_REGEXP = %r{https?://[^,?/]*}
-
     def parse_uri(uri)
-      uri_without_host = uri.gsub(URI_WITHOUT_HOST_REGEXP, '')
-      return '/' if uri_without_host.empty?
-      uri_without_host
+      parsed_uri = URI.parse(uri)
+
+      return parsed_uri.request_uri if parsed_uri.respond_to?(:request_uri)
+
+      uri.empty? ? '/' : uri
     end
   end
 end

data/lib/api_auth/helpers.rb

@@ -1,31 +1,22 @@
 module ApiAuth
-
   module Helpers # :nodoc:
-
     def b64_encode(string)
-      if Base64.respond_to?(:strict_encode64)
-        Base64.strict_encode64(string)
-      else
-        # Fall back to stripping out newlines on Ruby 1.8.
-        Base64.encode64(string).gsub(/\n/, '')
-      end
+      Base64.strict_encode64(string)
+    end
+
+    def sha256_base64digest(string)
+      Digest::SHA256.base64digest(string)
     end
 
     def md5_base64digest(string)
-      if Digest::MD5.respond_to?(:base64digest)
-        Digest::MD5.base64digest(string)
-      else
-        b64_encode(Digest::MD5.digest(string))
-      end
+      Digest::MD5.base64digest(string)
     end
 
     # Capitalizes the keys of a hash
     def capitalize_keys(hsh)
       capitalized_hash = {}
-      hsh.each_pair {|k,v| capitalized_hash[k.to_s.upcase] = v }
+      hsh.each_pair { |k, v| capitalized_hash[k.to_s.upcase] = v }
       capitalized_hash
     end
-
   end
-
 end

data/lib/api_auth/railtie.rb

@@ -1,13 +1,9 @@
 module ApiAuth
-
   # Integration with Rails
   #
   class Rails # :nodoc:
-
     module ControllerMethods # :nodoc:
-
       module InstanceMethods # :nodoc:
-
         def get_api_access_id_from_request
           ApiAuth.access_id(request)
         end
@@ -15,85 +11,59 @@ module ApiAuth
         def api_authenticated?(secret_key)
           ApiAuth.authentic?(request, secret_key)
         end
-
       end
 
-      unless defined?(ActionController)
-        begin
-          require 'rubygems'
-          gem 'actionpack'
-          gem 'activesupport'
-          require 'action_controller'
-          require 'active_support'
-        rescue LoadError
-          nil
+      if defined?(ActiveSupport)
+        ActiveSupport.on_load(:action_controller) do
+          ActionController::Base.include(ControllerMethods::InstanceMethods)
         end
       end
+    end
 
-      if defined?(ActionController::Base)
-        ActionController::Base.send(:include, ControllerMethods::InstanceMethods)
-      end
-
-    end # ControllerMethods
-
-    module ActiveResourceExtension  # :nodoc:
-
+    module ActiveResourceExtension # :nodoc:
       module ActiveResourceApiAuth # :nodoc:
-
         def self.included(base)
           base.extend(ClassMethods)
-
-          if base.respond_to?('class_attribute')
-            base.class_attribute :hmac_access_id
-            base.class_attribute :hmac_secret_key
-            base.class_attribute :use_hmac
-            base.class_attribute :sign_with_http_method
-          else
-            base.class_inheritable_accessor :hmac_access_id
-            base.class_inheritable_accessor :hmac_secret_key
-            base.class_inheritable_accessor :use_hmac
-            base.class_inheritable_accessor :sign_with_http_method
-          end
-
+          base.class_attribute :hmac_access_id
+          base.class_attribute :hmac_secret_key
+          base.class_attribute :use_hmac
+          base.class_attribute :api_auth_options
         end
 
         module ClassMethods
-
           def with_api_auth(access_id, secret_key, options = {})
-            sign_with_http_method = options[:sign_with_http_method] || false
-
             self.hmac_access_id = access_id
             self.hmac_secret_key = secret_key
-            self.sign_with_http_method = sign_with_http_method
             self.use_hmac = true
+            self.api_auth_options = options
 
             class << self
-              alias_method_chain :connection, :auth
+              alias_method :connection_without_auth, :connection
+              alias_method :connection,              :connection_with_auth
             end
           end
 
           def connection_with_auth(refresh = false)
             c = connection_without_auth(refresh)
-            c.hmac_access_id = self.hmac_access_id
-            c.hmac_secret_key = self.hmac_secret_key
-            c.use_hmac = self.use_hmac
-            c.sign_with_http_method = self.sign_with_http_method
+            c.hmac_access_id = hmac_access_id
+            c.hmac_secret_key = hmac_secret_key
+            c.use_hmac = use_hmac
+            c.api_auth_options = api_auth_options
             c
           end
-
-        end # class methods
+        end
 
         module InstanceMethods
         end
-
-      end # BaseApiAuth
+      end
 
       module Connection
-
         def self.included(base)
-          base.send :alias_method_chain, :request, :auth
+          base.send :alias_method, :request_without_auth, :request
+          base.send :alias_method, :request,              :request_with_auth
+
           base.class_eval do
-            attr_accessor :hmac_secret_key, :hmac_access_id, :use_hmac, :sign_with_http_method
+            attr_accessor :hmac_secret_key, :hmac_access_id, :use_hmac, :api_auth_options
           end
         end
 
@@ -102,34 +72,24 @@ module ApiAuth
             h = arguments.last
             tmp = "Net::HTTP::#{method.to_s.capitalize}".constantize.new(path, h)
             tmp.body = arguments[0] if arguments.length > 1
-            ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key, {:with_http_method => (sign_with_http_method || false)})
-            arguments.last['Content-MD5'] = tmp['Content-MD5'] if tmp['Content-MD5']
+            ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key, api_auth_options)
+            if tmp['X-Authorization-Content-SHA256']
+              arguments.last['X-Authorization-Content-SHA256'] = tmp['X-Authorization-Content-SHA256']
+            end
             arguments.last['DATE'] = tmp['DATE']
             arguments.last['Authorization'] = tmp['Authorization']
           end
 
           request_without_auth(method, path, *arguments)
         end
-
-      end # Connection
-
-      unless defined?(ActiveResource)
-        begin
-          require 'rubygems'
-          gem 'activeresource'
-          require 'active_resource'
-        rescue LoadError
-          nil
-        end
       end
 
-      if defined?(ActiveResource)
-        ActiveResource::Base.send(:include, ActiveResourceApiAuth)
-        ActiveResource::Connection.send(:include, Connection)
+      if defined?(ActiveSupport)
+        ActiveSupport.on_load(:active_resource) do
+          ActiveResource::Base.include(ActiveResourceApiAuth)
+          ActiveResource::Connection.include(Connection)
+        end
       end
-
-    end # ActiveResourceExtension
-
-  end # Rails
-
-end # ApiAuth
+    end
+  end
+end

data/lib/api_auth/request_drivers/action_controller.rb

@@ -1,38 +1,38 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class ActionControllerRequest # :nodoc:
-
       include ApiAuth::Helpers
 
-      def initialize(request)
+      def initialize(request, authorize_md5: false)
         @request = request
+        @authorize_md5 = authorize_md5
         fetch_headers
         true
       end
 
       def set_auth_header(header)
-        @request.env["Authorization"] = header
+        @request.env['Authorization'] = header
         fetch_headers
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         body = @request.raw_post
-        md5_base64digest(body)
+        hashes = [sha256_base64digest(body)]
+        hashes << md5_base64digest(body) if @authorize_md5
+        hashes
       end
 
-      def populate_content_md5
-        if @request.put? || @request.post?
-          @request.env["Content-MD5"] = calculated_md5
-          fetch_headers
-        end
+      def populate_content_hash
+        return unless @request.put? || @request.post?
+
+        @request.env['X-AUTHORIZATION-CONTENT-SHA256'] = calculated_hash
+        fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.put? || @request.post?
-          calculated_md5 != content_md5
+          !calculated_hash.include?(content_hash)
         else
           false
         end
@@ -47,13 +47,17 @@ module ApiAuth
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "" : value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+      end
+
+      def content_hash
+        headers = %w[X-AUTHORIZATION-CONTENT-SHA256 X_AUTHORIZATION_CONTENT_SHA256 HTTP_X_AUTHORIZATION_CONTENT_SHA256]
+        headers += %w[CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5] if @authorize_md5
+        find_header(headers)
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5))
-        value.nil? ? "" : value
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -66,22 +70,18 @@ module ApiAuth
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
-
     end
-
   end
-
 end

data/lib/api_auth/request_drivers/action_dispatch.rb

@@ -1,15 +1,9 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class ActionDispatchRequest < ActionControllerRequest # :nodoc:
-
       def request_uri
         @request.fullpath
       end
-
     end
-
   end
-
 end

data/lib/api_auth/request_drivers/curb.rb

@@ -1,9 +1,6 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class CurbRequest # :nodoc:
-
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -13,16 +10,16 @@ module ApiAuth
       end
 
       def set_auth_header(header)
-        @request.headers.merge!({ "Authorization" => header })
+        @request.headers['Authorization'] = header
         fetch_headers
         @request
       end
 
-      def populate_content_md5
-        nil #doesn't appear to be possible
+      def populate_content_hash
+        nil # doesn't appear to be possible
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         false
       end
 
@@ -35,13 +32,15 @@ module ApiAuth
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "" : value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
-        value.nil? ? "" : value
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -49,27 +48,23 @@ module ApiAuth
       end
 
       def set_date
-        @request.headers.merge!({ "DATE" => Time.now.utc.httpdate })
+        @request.headers['DATE'] = Time.now.utc.httpdate
         fetch_headers
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
-
     end
-
   end
-
 end

data/lib/api_auth/request_drivers/faraday.rb

@@ -1,9 +1,6 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class FaradayRequest # :nodoc:
-
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -13,30 +10,26 @@ module ApiAuth
       end
 
       def set_auth_header(header)
-        @request.headers.merge!({ "Authorization" => header })
+        @request.headers['Authorization'] = header
         fetch_headers
         @request
       end
 
-      def calculated_md5
-        if @request.body
-          body = @request.body
-        else
-          body = ''
-        end
-        md5_base64digest(body)
+      def calculated_hash
+        body = @request.body || ''
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
-        if ['POST', 'PUT'].include?(@request.method.to_s.upcase)
-          @request.headers["Content-MD5"] = calculated_md5
-          fetch_headers
-        end
+      def populate_content_hash
+        return unless %w[POST PUT].include?(@request.http_method.to_s.upcase)
+
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
+        fetch_headers
       end
 
-      def md5_mismatch?
-        if ['POST', 'PUT'].include?(@request.method.to_s.upcase)
-          calculated_md5 != content_md5
+      def content_hash_mismatch?
+        if %w[POST PUT].include?(@request.http_method.to_s.upcase)
+          calculated_hash != content_hash
         else
           false
         end
@@ -47,17 +40,19 @@ module ApiAuth
       end
 
       def http_method
-        @request.method.to_s.upcase
+        @request.http_method.to_s.upcase
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "" : value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5 HTTP-CONTENT-MD5 HTTP_CONTENT_MD5))
-        value.nil? ? "" : value
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -68,27 +63,23 @@ module ApiAuth
       end
 
       def set_date
-        @request.headers.merge!({ "DATE" => Time.now.utc.httpdate })
+        @request.headers['DATE'] = Time.now.utc.httpdate
         fetch_headers
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
-
     end
-
   end
-
 end