api-auth 1.5.0 → 2.6.0

data/lib/api_auth/request_drivers/faraday_env.rb

@@ -0,0 +1,102 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    # Internally, Faraday uses the class Faraday::Env to represent requests. The class is not meant
+    # to be directly exposed to users, but this is what Faraday middlewares work with. See
+    # <https://lostisland.github.io/faraday/middleware/>.
+    class FaradayEnv
+      include ApiAuth::Helpers
+
+      def initialize(env)
+        @env = env
+      end
+
+      def set_auth_header(header)
+        @env.request_headers['Authorization'] = header
+        @env
+      end
+
+      def calculated_hash
+        sha256_base64digest(body)
+      end
+
+      def populate_content_hash
+        return unless %w[POST PUT PATCH].include?(http_method)
+
+        @env.request_headers['X-Authorization-Content-SHA256'] = calculated_hash
+      end
+
+      def content_hash_mismatch?
+        if %w[POST PUT PATCH].include?(http_method)
+          calculated_hash != content_hash
+        else
+          false
+        end
+      end
+
+      def http_method
+        @env.method.to_s.upcase
+      end
+
+      def content_type
+        type = find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+
+        # When sending a body-less POST request, the Content-Type is set at the last minute by the
+        # Net::HTTP adapter, which states in the documentation for Net::HTTP#post:
+        #
+        # > You should set Content-Type: header field for POST. If no Content-Type: field given,
+        # > this method uses “application/x-www-form-urlencoded” by default.
+        #
+        # The same applies to PATCH and PUT. Hopefully the other HTTP adapters behave similarly.
+        #
+        type ||= 'application/x-www-form-urlencoded' if %w[POST PATCH PUT].include?(http_method)
+
+        type
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
+      end
+
+      def request_uri
+        @env.url.request_uri
+      end
+
+      def set_date
+        @env.request_headers['Date'] = Time.now.utc.httpdate
+      end
+
+      def timestamp
+        find_header(%w[DATE HTTP_DATE])
+      end
+
+      def authorization_header
+        find_header(%w[Authorization AUTHORIZATION HTTP_AUTHORIZATION])
+      end
+
+      def body
+        body_source = @env.request_body
+        if body_source.respond_to?(:read)
+          result = body_source.read
+          body_source.rewind
+          result
+        else
+          body_source.to_s
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @env.request_headers
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @env.request_headers[key] }.compact.first
+      end
+    end
+  end
+end

data/lib/api_auth/request_drivers/grape_request.rb

@@ -0,0 +1,87 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    class GrapeRequest # :nodoc:
+      include ApiAuth::Helpers
+
+      def initialize(request)
+        @request = request
+        save_headers
+        true
+      end
+
+      def set_auth_header(header)
+        @request.env['HTTP_AUTHORIZATION'] = header
+        save_headers # enforce update of processed_headers based on last updated headers
+        @request
+      end
+
+      def calculated_hash
+        body = @request.body.read
+        @request.body.rewind
+        sha256_base64digest(body)
+      end
+
+      def populate_content_hash
+        return if !@request.put? && !@request.post?
+
+        @request.env['HTTP_X_AUTHORIZATION_CONTENT_SHA256'] = calculated_hash
+        save_headers
+      end
+
+      def content_hash_mismatch?
+        if @request.put? || @request.post?
+          calculated_hash != content_hash
+        else
+          false
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @request.env
+      end
+
+      def http_method
+        @request.request_method.upcase
+      end
+
+      def content_type
+        find_header %w[HTTP_X_HMAC_CONTENT_TYPE HTTP_X_CONTENT_TYPE CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE]
+      end
+
+      def content_hash
+        find_header %w[HTTP_X_AUTHORIZATION_CONTENT_SHA256]
+      end
+
+      def original_uri
+        find_header %w[HTTP_X_HMAC_ORIGINAL_URI HTTP_X_ORIGINAL_URI X-ORIGINAL-URI X_ORIGINAL_URI]
+      end
+
+      def request_uri
+        @request.url
+      end
+
+      def set_date
+        @request.env['HTTP_DATE'] = Time.now.utc.httpdate
+        save_headers
+      end
+
+      def timestamp
+        find_header %w[HTTP_X_HMAC_DATE HTTP_X_DATE DATE HTTP_DATE]
+      end
+
+      def authorization_header
+        find_header %w[HTTP_X_HMAC_AUTHORIZATION HTTP_X_AUTHORIZATION Authorization AUTHORIZATION HTTP_AUTHORIZATION]
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @headers[key] }.compact.first
+      end
+
+      def save_headers
+        @headers = fetch_headers
+      end
+    end
+  end
+end

data/lib/api_auth/request_drivers/http.rb

@@ -0,0 +1,96 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    class HttpRequest # :nodoc:
+      include ApiAuth::Helpers
+
+      def initialize(request)
+        @request = request
+      end
+
+      def set_auth_header(header)
+        @request['Authorization'] = header
+        @request
+      end
+
+      def calculated_hash
+        sha256_base64digest(body)
+      end
+
+      def populate_content_hash
+        return unless %w[POST PUT].include?(http_method)
+
+        @request['X-Authorization-Content-SHA256'] = calculated_hash
+      end
+
+      def content_hash_mismatch?
+        if %w[POST PUT].include?(http_method)
+          calculated_hash != content_hash
+        else
+          false
+        end
+      end
+
+      def http_method
+        @request.verb.to_s.upcase
+      end
+
+      def content_type
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
+      end
+
+      def request_uri
+        @request.uri.request_uri
+      end
+
+      def set_date
+        @request['Date'] = Time.now.utc.httpdate
+      end
+
+      def timestamp
+        find_header(%w[DATE HTTP_DATE])
+      end
+
+      def authorization_header
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
+      end
+
+      def body
+        if body_source.respond_to?(:read)
+          result = body_source.read
+          body_source.rewind
+          result
+        else
+          body_source.to_s
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @request.headers.to_h
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @request[key] }.compact.first
+      end
+
+      def body_source
+        body = @request.body
+
+        if defined?(::HTTP::Request::Body)
+          body.respond_to?(:source) ? body.source : body.instance_variable_get(:@body)
+        else
+          body
+        end
+      end
+    end
+  end
+end

data/lib/api_auth/request_drivers/httpi.rb

@@ -1,9 +1,6 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class HttpiRequest # :nodoc:
-
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -13,25 +10,25 @@ module ApiAuth
       end
 
       def set_auth_header(header)
-        @request.headers["Authorization"] = header
+        @request.headers['Authorization'] = header
         fetch_headers
         @request
       end
 
-      def calculated_md5
-        md5_base64digest(@request.body || '')
+      def calculated_hash
+        sha256_base64digest(@request.body || '')
       end
 
-      def populate_content_md5
-        if @request.body
-          @request.headers["Content-MD5"] = calculated_md5
-          fetch_headers
-        end
+      def populate_content_hash
+        return unless @request.body
+
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
+        fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.body
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -46,13 +43,15 @@ module ApiAuth
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "" : value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
-        value.nil? ? "" : value
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -60,27 +59,23 @@ module ApiAuth
       end
 
       def set_date
-        @request.headers["DATE"] = Time.now.utc.httpdate
+        @request.headers['DATE'] = Time.now.utc.httpdate
         fetch_headers
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
-
     end
-
   end
-
 end

data/lib/api_auth/request_drivers/net_http.rb

@@ -1,9 +1,6 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class NetHttpRequest # :nodoc:
-
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -13,12 +10,12 @@ module ApiAuth
       end
 
       def set_auth_header(header)
-        @request["Authorization"] = header
+        @request['Authorization'] = header
         @headers = fetch_headers
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.respond_to?(:body_stream) && @request.body_stream
           body = @request.body_stream.read
           @request.body_stream.rewind
@@ -26,18 +23,18 @@ module ApiAuth
           body = @request.body
         end
 
-        md5_base64digest(body || '')
+        sha256_base64digest(body || '')
       end
 
-      def populate_content_md5
-        if @request.class::REQUEST_HAS_BODY
-          @request["Content-MD5"] = calculated_md5
-        end
+      def populate_content_hash
+        return unless @request.class::REQUEST_HAS_BODY
+
+        @request['X-Authorization-Content-SHA256'] = calculated_hash
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.class::REQUEST_HAS_BODY
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -52,13 +49,15 @@ module ApiAuth
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "" : value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
-        value.nil? ? "" : value
+      def content_hash
+        find_header(%w[X-Authorization-Content-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -66,26 +65,22 @@ module ApiAuth
       end
 
       def set_date
-        @request["DATE"] = Time.now.utc.httpdate
+        @request['DATE'] = Time.now.utc.httpdate
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
-
     end
-
   end
-
 end

data/lib/api_auth/request_drivers/rack.rb

@@ -1,9 +1,6 @@
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class RackRequest # :nodoc:
-
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -13,31 +10,31 @@ module ApiAuth
       end
 
       def set_auth_header(header)
-        @request.env.merge!({ "Authorization" => header })
+        @request.env['Authorization'] = header
         fetch_headers
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.body
           body = @request.body.read
           @request.body.rewind
         else
           body = ''
         end
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
-        if ['POST', 'PUT'].include?(@request.request_method)
-          @request.env["Content-MD5"] = calculated_md5
-          fetch_headers
-        end
+      def populate_content_hash
+        return unless %w[POST PUT].include?(@request.request_method)
+
+        @request.env['X-Authorization-Content-SHA256'] = calculated_hash
+        fetch_headers
       end
 
-      def md5_mismatch?
-        if ['POST', 'PUT'].include?(@request.request_method)
-          calculated_md5 != content_md5
+      def content_hash_mismatch?
+        if %w[POST PUT].include?(@request.request_method)
+          calculated_hash != content_hash
         else
           false
         end
@@ -52,13 +49,15 @@ module ApiAuth
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "" : value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5 HTTP-CONTENT-MD5 HTTP_CONTENT_MD5))
-        value.nil? ? "" : value
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -66,27 +65,23 @@ module ApiAuth
       end
 
       def set_date
-        @request.env.merge!({ "DATE" => Time.now.utc.httpdate })
+        @request.env['DATE'] = Time.now.utc.httpdate
         fetch_headers
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
-
     end
-
   end
-
 end