api-auth 1.5.0 → 2.6.0

data/lib/api_auth/request_drivers/rest_client.rb

@@ -1,12 +1,9 @@
 # give access to RestClient @processed_headers
-module RestClient;class Request;attr_accessor :processed_headers;end;end
+module RestClient; class Request; attr_accessor :processed_headers; end; end
 
 module ApiAuth
-
   module RequestDrivers # :nodoc:
-
     class RestClientRequest # :nodoc:
-
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -16,31 +13,31 @@ module ApiAuth
       end
 
       def set_auth_header(header)
-        @request.headers.merge!({ "Authorization" => header })
+        @request.headers['Authorization'] = header
         save_headers # enforce update of processed_headers based on last updated headers
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.payload
           body = @request.payload.read
           @request.payload.instance_variable_get(:@stream).seek(0)
         else
           body = ''
         end
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
-        if [:post, :put].include?(@request.method)
-          @request.headers["Content-MD5"] = calculated_md5
-          save_headers
-        end
+      def populate_content_hash
+        return unless %w[post put].include?(@request.method.to_s)
+
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
+        save_headers
       end
 
-      def md5_mismatch?
-        if [:post, :put].include?(@request.method)
-          calculated_md5 != content_md5
+      def content_hash_mismatch?
+        if %w[post put].include?(@request.method.to_s)
+          calculated_hash != content_hash
         else
           false
         end
@@ -55,13 +52,15 @@ module ApiAuth
       end
 
       def content_type
-        value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
-        value.nil? ? "": value
+        find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
-        value.nil? ? "" : value
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
       end
 
       def request_uri
@@ -69,32 +68,28 @@ module ApiAuth
       end
 
       def set_date
-        @request.headers.merge!({ "DATE" => Time.now.utc.httpdate })
+        @request.headers['DATE'] = Time.now.utc.httpdate
         save_headers
       end
 
       def timestamp
-        value = find_header(%w(DATE HTTP_DATE))
-        value.nil? ? "" : value
+        find_header(%w[DATE HTTP_DATE])
       end
 
       def authorization_header
-        find_header %w(Authorization AUTHORIZATION HTTP_AUTHORIZATION)
+        find_header %w[Authorization AUTHORIZATION HTTP_AUTHORIZATION]
       end
 
-    private
+      private
 
       def find_header(keys)
-        keys.map {|key| @headers[key] }.compact.first
+        keys.map { |key| @headers[key] }.compact.first
       end
 
       def save_headers
         @request.processed_headers = @request.make_headers(@request.headers)
         @headers = fetch_headers
       end
-
     end
-
   end
-
 end

data/lib/api_auth.rb

@@ -1,5 +1,6 @@
 require 'openssl'
 require 'base64'
+require 'time'
 
 require 'api_auth/errors'
 require 'api_auth/helpers'
@@ -8,10 +9,13 @@ require 'api_auth/request_drivers/net_http'
 require 'api_auth/request_drivers/curb'
 require 'api_auth/request_drivers/rest_client'
 require 'api_auth/request_drivers/action_controller'
+require 'api_auth/request_drivers/grape_request'
 require 'api_auth/request_drivers/action_dispatch'
 require 'api_auth/request_drivers/rack'
 require 'api_auth/request_drivers/httpi'
 require 'api_auth/request_drivers/faraday'
+require 'api_auth/request_drivers/faraday_env'
+require 'api_auth/request_drivers/http'
 
 require 'api_auth/headers'
 require 'api_auth/base'

data/lib/faraday/api_auth/middleware.rb

@@ -0,0 +1,35 @@
+require 'api_auth'
+
+module Faraday
+  module ApiAuth
+    # Request middleware for Faraday. It takes the same arguments as ApiAuth.sign!.
+    #
+    # You will usually need to include it after the other middlewares since ApiAuth needs to hash
+    # the final request.
+    #
+    # Usage:
+    #
+    # ```ruby
+    # require 'faraday/api_auth'
+    #
+    # conn = Faraday.new do |f|
+    #   f.request :api_auth, access_id, secret_key
+    #   # Alternatively:
+    #   # f.use Faraday::ApiAuth::Middleware, access_id, secret_key
+    # end
+    # ```
+    #
+    class Middleware < Faraday::Middleware
+      def initialize(app, access_id, secret_key, options = {})
+        super(app)
+        @access_id = access_id
+        @secret_key = secret_key
+        @options = options
+      end
+
+      def on_request(env)
+        ::ApiAuth.sign!(env, @access_id, @secret_key, @options)
+      end
+    end
+  end
+end

data/lib/faraday/api_auth.rb

@@ -0,0 +1,8 @@
+require_relative 'api_auth/middleware'
+
+module Faraday
+  # Integrate ApiAuth into Faraday.
+  module ApiAuth
+    Faraday::Request.register_middleware(api_auth: Middleware)
+  end
+end

data/spec/api_auth_spec.rb

@@ -1,170 +1,209 @@
-# encoding: UTF-8
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
-describe "ApiAuth" do
-
-  describe "generating secret keys" do
-
-    it "should generate secret keys" do
+describe 'ApiAuth' do
+  describe 'generating secret keys' do
+    it 'should generate secret keys' do
       ApiAuth.generate_secret_key
     end
 
-    it "should generate secret keys that are 88 characters" do
+    it 'should generate secret keys that are 88 characters' do
       expect(ApiAuth.generate_secret_key.size).to be(88)
     end
 
-    it "should generate keys that have a Hamming Distance of at least 65" do
+    it 'should generate keys that have a Hamming Distance of at least 65' do
       key1 = ApiAuth.generate_secret_key
       key2 = ApiAuth.generate_secret_key
       expect(Amatch::Hamming.new(key1).match(key2)).to be > 65
     end
-
   end
 
-  def hmac(secret_key, request, canonical_string = nil)
+  def hmac(secret_key, request, canonical_string = nil, digest = 'sha1')
     canonical_string ||= ApiAuth::Headers.new(request).canonical_string
-    digest = OpenSSL::Digest.new('sha1')
+    digest = OpenSSL::Digest.new(digest)
     ApiAuth.b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
   end
 
-  describe ".sign!" do
-    let(:request){ RestClient::Request.new(:url => "http://google.com", :method => :get) }
-    let(:headers){ ApiAuth::Headers.new(request) }
+  describe '.sign!' do
+    let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
+    let(:headers) { ApiAuth::Headers.new(request) }
 
-    it "generates date header before signing" do
+    it 'generates date header before signing' do
       expect(ApiAuth::Headers).to receive(:new).and_return(headers)
 
       expect(headers).to receive(:set_date).ordered
       expect(headers).to receive(:sign_header).ordered
 
-      ApiAuth.sign!(request, "abc", "123")
+      ApiAuth.sign!(request, 'abc', '123')
     end
 
-    it "generates content-md5 header before signing" do
+    it 'generates X-Authorization-Content-SHA256 header before signing' do
       expect(ApiAuth::Headers).to receive(:new).and_return(headers)
-      expect(headers).to receive(:calculate_md5).ordered
+      expect(headers).to receive(:calculate_hash).ordered
       expect(headers).to receive(:sign_header).ordered
 
-      ApiAuth.sign!(request, "abc", "123")
+      ApiAuth.sign!(request, 'abc', '123')
     end
 
-    it "returns the same request object back" do
-      expect(ApiAuth.sign!(request, "abc", "123")).to be request
+    it 'returns the same request object back' do
+      expect(ApiAuth.sign!(request, 'abc', '123')).to be request
     end
 
-    it "calculates the hmac_signature as expected" do
-      ApiAuth.sign!(request, "1044", "123")
-      signature = hmac("123", request)
+    it 'calculates the hmac_signature as expected' do
+      ApiAuth.sign!(request, '1044', '123')
+      signature = hmac('123', request)
       expect(request.headers['Authorization']).to eq("APIAuth 1044:#{signature}")
     end
 
-    context "when passed the with_http_method option" do
-      let(:request){
-        Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-          'content-type' => 'text/plain',
-          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-          'date' => Time.now.utc.httpdate
-        )
-      }
+    context 'when passed the hmac digest option' do
+      let(:request) do
+        Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
+                           'content-type' => 'text/plain',
+                           'content-hash' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+                           'date' => Time.now.utc.httpdate)
+      end
 
-      let(:canonical_string){ ApiAuth::Headers.new(request).canonical_string_with_http_method }
+      let(:canonical_string) { ApiAuth::Headers.new(request).canonical_string }
 
-      it "calculates the hmac_signature with http method" do
-        ApiAuth.sign!(request, "1044", "123", { :with_http_method => true })
-        signature = hmac("123", request, canonical_string)
-        expect(request['Authorization']).to eq("APIAuth 1044:#{signature}")
+      it 'calculates the hmac_signature with http method' do
+        ApiAuth.sign!(request, '1044', '123', digest: 'sha256')
+        signature = hmac('123', request, canonical_string, 'sha256')
+        expect(request['Authorization']).to eq("APIAuth-HMAC-SHA256 1044:#{signature}")
       end
     end
   end
 
-  describe ".authentic?" do
-    let(:request){
-      new_request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-        'content-type' => 'text/plain',
-        'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-        'date' => Time.now.utc.httpdate
-      )
+  describe '.authentic?' do
+    let(:request) do
+      Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
+                         'content-type' => 'text/plain',
+                         'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+                         'date' => Time.now.utc.httpdate)
+    end
 
-      signature = hmac("123", new_request)
-      new_request["Authorization"] = "APIAuth 1044:#{signature}"
-      new_request
-    }
+    let(:signed_request) do
+      signature = hmac('123', request)
+      request['Authorization'] = "APIAuth 1044:#{signature}"
+      request
+    end
 
-    it "validates that the signature in the request header matches the way we sign it" do
-      expect(ApiAuth.authentic?(request, "123")).to eq true
+    it 'validates that the signature in the request header matches the way we sign it' do
+      expect(ApiAuth.authentic?(signed_request, '123')).to eq true
     end
 
-    it "fails to validate a non matching signature" do
-      expect(ApiAuth.authentic?(request, "456")).to eq false
+    it 'fails to validate a non matching signature' do
+      expect(ApiAuth.authentic?(signed_request, '456')).to eq false
     end
 
-    it "fails to validate non matching md5" do
-      request['content-md5'] = '12345'
-      expect(ApiAuth.authentic?(request, "123")).to eq false
+    it 'fails to validate non matching hash' do
+      request['X-Authorization-Content-SHA256'] = '12345'
+      expect(ApiAuth.authentic?(signed_request, '123')).to eq false
     end
 
-    it "fails to validate expired requests" do
+    it 'fails to validate expired requests' do
       request['date'] = 16.minutes.ago.utc.httpdate
-      expect(ApiAuth.authentic?(request, "123")).to eq false
+      expect(ApiAuth.authentic?(signed_request, '123')).to eq false
     end
 
-    it "fails to validate if the date is invalid" do
-      request['date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-      expect(ApiAuth.authentic?(request, "123")).to eq false
+    it 'fails to validate far future requests' do
+      request['date'] = 16.minutes.from_now.utc.httpdate
+      expect(ApiAuth.authentic?(signed_request, '123')).to eq false
     end
 
-    context "canonical string contains the http_method" do
-      let(:request){
-        new_request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-          'content-type' => 'text/plain',
-          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-          'date' => Time.now.utc.httpdate
-        )
-        canonical_string = ApiAuth::Headers.new(new_request).canonical_string_with_http_method
-        signature = hmac("123", new_request, canonical_string)
-        new_request["Authorization"] = "APIAuth 1044:#{signature}"
+    it 'fails to validate if the date is invalid' do
+      request['date'] = '٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠'
+      expect(ApiAuth.authentic?(signed_request, '123')).to eq false
+    end
+
+    it 'fails to validate if the request method differs' do
+      canonical_string = ApiAuth::Headers.new(request).canonical_string('POST')
+      signature = hmac('123', request, canonical_string)
+      request['Authorization'] = "APIAuth 1044:#{signature}"
+      expect(ApiAuth.authentic?(request, '123')).to eq false
+    end
+
+    context 'when passed the hmac digest option' do
+      let(:request) do
+        new_request = Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
+                                         'content-type' => 'text/plain',
+                                         'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+                                         'date' => Time.now.utc.httpdate)
+        canonical_string = ApiAuth::Headers.new(new_request).canonical_string
+        signature = hmac('123', new_request, canonical_string, 'sha256')
+        new_request['Authorization'] = "APIAuth-HMAC-#{digest} 1044:#{signature}"
         new_request
-      }
+      end
 
-      it "validates for canonical_strings containing the http_method" do
-        expect(ApiAuth.authentic?(request, "123")).to eq true
+      context 'valid request digest' do
+        let(:digest) { 'SHA256' }
+
+        context 'matching client digest' do
+          it 'validates matching digest' do
+            expect(ApiAuth.authentic?(request, '123', digest: 'sha256')).to eq true
+          end
+        end
+
+        context 'different client digest' do
+          it 'raises an exception' do
+            expect { ApiAuth.authentic?(request, '123', digest: 'sha512') }.to raise_error(ApiAuth::InvalidRequestDigest)
+          end
+        end
       end
 
-      it "fails to validate if the request method differs" do
-        canonical_string = ApiAuth::Headers.new(request).canonical_string_with_http_method('POST')
-        signature = hmac("123", request, canonical_string)
-        request["Authorization"] = "APIAuth 1044:#{signature}"
-        expect(ApiAuth.authentic?(request, "123")).to eq false
+      context 'invalid request digest' do
+        let(:digest) { 'SHA111' }
+
+        it 'fails validation' do
+          expect(ApiAuth.authentic?(request, '123', digest: 'sha111')).to eq false
+        end
+      end
+    end
+
+    context 'when passed the clock_skew option' do
+      it 'fails to validate expired requests' do
+        request['date'] = 90.seconds.ago.utc.httpdate
+        expect(ApiAuth.authentic?(signed_request, '123', clock_skew: 60.seconds)).to eq false
+      end
+
+      it 'fails to validate far future requests' do
+        request['date'] = 90.seconds.from_now.utc.httpdate
+        expect(ApiAuth.authentic?(signed_request, '123', clock_skew: 60.seconds)).to eq false
+      end
+    end
+
+    context 'when passed the headers_to_sign option' do
+      it 'validates the request' do
+        request['X-Forwarded-For'] = '192.168.1.1'
+        expect(ApiAuth.authentic?(signed_request, '123', headers_to_sign: %w[HTTP_X_FORWARDED_FOR])).to eq true
       end
     end
   end
 
-  describe ".access_id" do
-    context "normal APIAuth Auth header" do
-      let(:request){
+  describe '.access_id' do
+    context 'normal APIAuth Auth header' do
+      let(:request) do
         RestClient::Request.new(
-          :url => "http://google.com",
-          :method => :get,
-          :headers => {:authorization => "APIAuth 1044:aGVsbG8gd29ybGQ="}
+          url: 'https://google.com',
+          method: :get,
+          headers: { authorization: 'APIAuth 1044:aGVsbG8gd29ybGQ=' }
         )
-      }
+      end
 
-      it "parses it from the Auth Header" do
-        expect(ApiAuth.access_id(request)).to eq("1044")
+      it 'parses it from the Auth Header' do
+        expect(ApiAuth.access_id(request)).to eq('1044')
       end
     end
 
-    context "Corporate prefixed APIAuth header" do
-      let(:request){
+    context 'Corporate prefixed APIAuth header' do
+      let(:request) do
         RestClient::Request.new(
-          :url => "http://google.com",
-          :method => :get,
-          :headers => {:authorization => "Corporate APIAuth 1044:aGVsbG8gd29ybGQ="}
+          url: 'https://google.com',
+          method: :get,
+          headers: { authorization: 'Corporate APIAuth 1044:aGVsbG8gd29ybGQ=' }
         )
-      }
+      end
 
-      it "parses it from the Auth Header" do
-        expect(ApiAuth.access_id(request)).to eq("1044")
+      it 'parses it from the Auth Header' do
+        expect(ApiAuth.access_id(request)).to eq('1044')
       end
     end
   end

data/spec/faraday_middleware_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'faraday/api_auth'
+
+describe Faraday::ApiAuth::Middleware do
+  it 'adds the Authorization headers' do
+    conn = Faraday.new('http://localhost/') do |f|
+      f.request :api_auth, 'foo', 'secret', digest: 'sha256'
+      f.adapter :test do |stub|
+        stub.get('http://localhost/test') do |env|
+          [200, {}, env.request_headers['Authorization']]
+        end
+      end
+    end
+    response = conn.get('test', nil, { 'Date' => 'Tue, 02 Aug 2022 09:29:24 GMT' })
+    expect(response.body).to eq 'APIAuth-HMAC-SHA256 foo:Tn/lIZ9kphcO32DwG4wFHenqBt37miDEIkA5ykLgGiQ='
+  end
+end