api-auth 2.0.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a0fd8e9563fd57370a49c2c3b909432df2047bca
-  data.tar.gz: 4e3ca050145a2e8271e904f852ac43ad608dd5e9
+  metadata.gz: 92c46c40ca59ec931c02893f62155ea3efdfba48
+  data.tar.gz: ac4c5514140b61f5df1b81408898413aef553cf7
 SHA512:
-  metadata.gz: 717a5e94e609715659eb3355c062436962ba93fb0352d05041fe85604fb4cd7bbd3d4c460595c944c7a14fba2705960637026b2d66d8b5d63a328c845c96e9b8
-  data.tar.gz: 8edeaa5acf7c890900531441ea137bbf59264ec99862896bd2f168232899b9451d34930813a21bfbe50d761ad1e41f84eb431ead00d5620fc56e1aaffa042632
+  metadata.gz: 38370d16d830ae325f862f972b20d267da8135750e923520df5902662cae46b4244a79d1520ec15b9ca4722f76018f88bfbb874bc4b64fd44f70b36f8402d018
+  data.tar.gz: c3a16015aa11cd3da2b296d5729b3c7f0fccdea1e5a8005a98a4b7465e95944a951afdb9a474f182e1ff3df996d5d36e369f37f2cc60ed9e9eaf6c9e82c04985

data/.travis.yml

@@ -4,8 +4,9 @@ cache: bundler
 rvm:
   - 1.8.7-p374
   - 1.9.3
-  - 2.1.5
-  - 2.2.1
+  - 2.1.9
+  - 2.2.5
+  - 2.3.1
 gemfile:
   - gemfiles/rails_23.gemfile
   - gemfiles/rails_30.gemfile
@@ -14,6 +15,13 @@ gemfile:
   - gemfiles/rails_4.gemfile
   - gemfiles/rails_41.gemfile
   - gemfiles/rails_42.gemfile
+  - gemfiles/rails_5.gemfile
+env:
+  - TEST_SUITE=rake
+
+script:
+  - bundle exec $TEST_SUITE
+
 matrix:
   exclude:
     - rvm: 1.8.7-p374
@@ -22,20 +30,38 @@ matrix:
       gemfile: gemfiles/rails_41.gemfile
     - rvm: 1.8.7-p374
       gemfile: gemfiles/rails_42.gemfile
-    - rvm: 2.1.5
+    - rvm: 1.8.7-p374
+      gemfile: gemfiles/rails_5.gemfile
+    - rvm: 1.9.3
+      gemfile: gemfiles/rails_5.gemfile
+    - rvm: 2.1.9
       gemfile: gemfiles/rails_23.gemfile
-    - rvm: 2.1.5
+    - rvm: 2.1.9
       gemfile: gemfiles/rails_30.gemfile
-    - rvm: 2.1.5
+    - rvm: 2.1.9
       gemfile: gemfiles/rails_31.gemfile
-    - rvm: 2.2.1
+    - rvm: 2.1.9
+      gemfile: gemfiles/rails_5.gemfile
+    - rvm: 2.2.5
+      gemfile: gemfiles/rails_23.gemfile
+    - rvm: 2.2.5
+      gemfile: gemfiles/rails_30.gemfile
+    - rvm: 2.2.5
+      gemfile: gemfiles/rails_31.gemfile
+    - rvm: 2.2.5
+      gemfile: gemfiles/rails_32.gemfile
+    - rvm: 2.3.1
       gemfile: gemfiles/rails_23.gemfile
-    - rvm: 2.2.1
+    - rvm: 2.3.1
       gemfile: gemfiles/rails_30.gemfile
-    - rvm: 2.2.1
+    - rvm: 2.3.1
       gemfile: gemfiles/rails_31.gemfile
-    - rvm: 2.2.1
+    - rvm: 2.3.1
       gemfile: gemfiles/rails_32.gemfile
+  include:
+    - rvm: 2.3.1
+      gemfile: gemfiles/rails_5.gemfile
+      env: TEST_SUITE="rubocop lib/ spec/"
 
 notifications:
   email: false

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+# 2.0.1 (2016-07-25)
+- Support of `api_auth_options` in ActiveResource integration (#102 fwininger)
+- Replace use of `#blank?` with `#nil?` to not depend on ActiveSupport (#114 packrat386)
+- Fix Auth header matching to not match invalid SHA algorithms (#115 packrat386)
+- Replace `alias_method_chain` with `alias_method` in the railtie since
+  alias_method_chain is deprecated in Rails 5 (#118 mlarraz)
+
 # 2.0.0 (2016-05-11)
 - IMPORTANT: 2.0.0 is backwards incompatible with the default settings of v1.x
   v2.0.0 always includes the http method in the canonical string.

data/Gemfile

@@ -1,5 +1,7 @@
 source 'https://rubygems.org'
 gemspec
 
-gem "rake", "< 11.0", :platforms => :ruby_18
-gem "tins", "< 1.7",  :platforms => :ruby_19 # amatch dependency
+gem 'rake', '< 11.0', :platforms => :ruby_18
+gem 'tins', '< 1.7',  :platforms => :ruby_19 # amatch dependency
+
+gem 'rubocop', :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23]

data/VERSION

@@ -1 +1 @@
-2.0.0
+2.0.1

data/gemfiles/rails_5.gemfile

@@ -0,0 +1,11 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "actionpack", "~> 5.0.0"
+gem "activeresource", "~> 5.0.0", git: 'https://github.com/rails/activeresource.git'
+gem "activesupport", "~> 5.0.0"
+
+gem "rubocop"
+
+gemspec :path => "../"

data/lib/api_auth/base.rb

@@ -69,7 +69,7 @@ module ApiAuth
 
     private
 
-    AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD[245]|SHA(?:1|224|256|384|512)*))? ([^:]+):(.+)$/
+    AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD[245]|SHA(?:1|224|256|384|512)?))? ([^:]+):(.+)$/
 
     def request_too_old?(headers)
       # 900 seconds is 15 minutes
@@ -83,7 +83,7 @@ module ApiAuth
       match_data = parse_auth_header(headers.authorization_header)
       return false unless match_data
 
-      digest = match_data[1].blank? ? 'SHA1' : match_data[1].upcase
+      digest = match_data[1].nil? ? 'SHA1' : match_data[1].upcase
       raise InvalidRequestDigest if !options[:digest].nil? && !options[:digest].casecmp(digest).zero?
 
       options = { :digest => digest }.merge(options)

data/lib/api_auth/headers.rb

@@ -58,8 +58,7 @@ module ApiAuth
        @request.content_type,
        @request.content_md5,
        parse_uri(@request.request_uri),
-       @request.timestamp
-      ].join(',')
+       @request.timestamp].join(',')
     end
 
     # Returns the authorization header from the request's headers

data/lib/api_auth/railtie.rb

@@ -27,10 +27,12 @@ module ApiAuth
             base.class_attribute :hmac_access_id
             base.class_attribute :hmac_secret_key
             base.class_attribute :use_hmac
+            base.class_attribute :api_auth_options
           else
             base.class_inheritable_accessor :hmac_access_id
             base.class_inheritable_accessor :hmac_secret_key
             base.class_inheritable_accessor :use_hmac
+            base.class_inheritable_accessor :api_auth_options
           end
         end
 
@@ -39,9 +41,11 @@ module ApiAuth
             self.hmac_access_id = access_id
             self.hmac_secret_key = secret_key
             self.use_hmac = true
+            self.api_auth_options = options
 
             class << self
-              alias_method_chain :connection, :auth
+              alias_method :connection_without_auth, :connection
+              alias_method :connection,              :connection_with_auth
             end
           end
 
@@ -50,6 +54,7 @@ module ApiAuth
             c.hmac_access_id = hmac_access_id
             c.hmac_secret_key = hmac_secret_key
             c.use_hmac = use_hmac
+            c.api_auth_options = api_auth_options
             c
           end
         end # class methods
@@ -60,9 +65,11 @@ module ApiAuth
 
       module Connection
         def self.included(base)
-          base.send :alias_method_chain, :request, :auth
+          base.send :alias_method, :request_without_auth, :request
+          base.send :alias_method, :request,              :request_with_auth
+
           base.class_eval do
-            attr_accessor :hmac_secret_key, :hmac_access_id, :use_hmac
+            attr_accessor :hmac_secret_key, :hmac_access_id, :use_hmac, :api_auth_options
           end
         end
 
@@ -71,7 +78,7 @@ module ApiAuth
             h = arguments.last
             tmp = "Net::HTTP::#{method.to_s.capitalize}".constantize.new(path, h)
             tmp.body = arguments[0] if arguments.length > 1
-            ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key)
+            ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key, api_auth_options)
             arguments.last['Content-MD5'] = tmp['Content-MD5'] if tmp['Content-MD5']
             arguments.last['DATE'] = tmp['DATE']
             arguments.last['Authorization'] = tmp['Authorization']

data/lib/api_auth/request_drivers/action_controller.rb

@@ -21,10 +21,9 @@ module ApiAuth
       end
 
       def populate_content_md5
-        if @request.put? || @request.post?
-          @request.env['Content-MD5'] = calculated_md5
-          fetch_headers
-        end
+        return unless @request.put? || @request.post?
+        @request.env['Content-MD5'] = calculated_md5
+        fetch_headers
       end
 
       def md5_mismatch?

data/lib/api_auth/request_drivers/faraday.rb

@@ -21,10 +21,9 @@ module ApiAuth
       end
 
       def populate_content_md5
-        if %w(POST PUT).include?(@request.method.to_s.upcase)
-          @request.headers['Content-MD5'] = calculated_md5
-          fetch_headers
-        end
+        return unless %w(POST PUT).include?(@request.method.to_s.upcase)
+        @request.headers['Content-MD5'] = calculated_md5
+        fetch_headers
       end
 
       def md5_mismatch?

data/lib/api_auth/request_drivers/httpi.rb

@@ -20,10 +20,9 @@ module ApiAuth
       end
 
       def populate_content_md5
-        if @request.body
-          @request.headers['Content-MD5'] = calculated_md5
-          fetch_headers
-        end
+        return unless @request.body
+        @request.headers['Content-MD5'] = calculated_md5
+        fetch_headers
       end
 
       def md5_mismatch?

data/lib/api_auth/request_drivers/net_http.rb

@@ -27,9 +27,8 @@ module ApiAuth
       end
 
       def populate_content_md5
-        if @request.class::REQUEST_HAS_BODY
-          @request['Content-MD5'] = calculated_md5
-        end
+        return unless @request.class::REQUEST_HAS_BODY
+        @request['Content-MD5'] = calculated_md5
       end
 
       def md5_mismatch?

data/lib/api_auth/request_drivers/rack.rb

@@ -26,10 +26,9 @@ module ApiAuth
       end
 
       def populate_content_md5
-        if %w(POST PUT).include?(@request.request_method)
-          @request.env['Content-MD5'] = calculated_md5
-          fetch_headers
-        end
+        return unless %w(POST PUT).include?(@request.request_method)
+        @request.env['Content-MD5'] = calculated_md5
+        fetch_headers
       end
 
       def md5_mismatch?

data/lib/api_auth/request_drivers/rest_client.rb

@@ -29,10 +29,9 @@ module ApiAuth
       end
 
       def populate_content_md5
-        if [:post, :put].include?(@request.method)
-          @request.headers['Content-MD5'] = calculated_md5
-          save_headers
-        end
+        return unless [:post, :put].include?(@request.method)
+        @request.headers['Content-MD5'] = calculated_md5
+        save_headers
       end
 
       def md5_mismatch?

data/spec/api_auth_spec.rb

@@ -60,8 +60,7 @@ describe 'ApiAuth' do
         Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                            'content-type' => 'text/plain',
                            'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-                           'date' => Time.now.utc.httpdate
-                          )
+                           'date' => Time.now.utc.httpdate)
       end
 
       let(:canonical_string) { ApiAuth::Headers.new(request).canonical_string }
@@ -79,8 +78,7 @@ describe 'ApiAuth' do
       new_request = Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                                        'content-type' => 'text/plain',
                                        'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-                                       'date' => Time.now.utc.httpdate
-                                      )
+                                       'date' => Time.now.utc.httpdate)
 
       signature = hmac('123', new_request)
       new_request['Authorization'] = "APIAuth 1044:#{signature}"
@@ -106,11 +104,10 @@ describe 'ApiAuth' do
     end
 
     it 'fails to validate if the date is invalid' do
-      request['date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
+      request['date'] = '٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠'
       expect(ApiAuth.authentic?(request, '123')).to eq false
     end
 
-
     it 'fails to validate if the request method differs' do
       canonical_string = ApiAuth::Headers.new(request).canonical_string('POST')
       signature = hmac('123', request, canonical_string)
@@ -123,20 +120,35 @@ describe 'ApiAuth' do
         new_request = Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                                          'content-type' => 'text/plain',
                                          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-                                         'date' => Time.now.utc.httpdate
-                                        )
+                                         'date' => Time.now.utc.httpdate)
         canonical_string = ApiAuth::Headers.new(new_request).canonical_string
         signature = hmac('123', new_request, canonical_string, 'sha256')
-        new_request['Authorization'] = "APIAuth-HMAC-SHA256 1044:#{signature}"
+        new_request['Authorization'] = "APIAuth-HMAC-#{digest} 1044:#{signature}"
         new_request
       end
 
-      it 'validates for sha256 digest' do
-        expect(ApiAuth.authentic?(request, '123', :digest => 'sha256')).to eq true
+      context 'valid request digest' do
+        let(:digest) { 'SHA256' }
+
+        context 'matching client digest' do
+          it 'validates matching digest' do
+            expect(ApiAuth.authentic?(request, '123', :digest => 'sha256')).to eq true
+          end
+        end
+
+        context 'different client digest' do
+          it 'raises an exception' do
+            expect { ApiAuth.authentic?(request, '123', :digest => 'sha512') }.to raise_error(ApiAuth::InvalidRequestDigest)
+          end
+        end
       end
 
-      it 'validates exception with wrong client digest' do
-        expect { ApiAuth.authentic?(request, '123', :digest => 'sha512') }.to raise_error(ApiAuth::InvalidRequestDigest)
+      context 'invalid request digest' do
+        let(:digest) { 'SHA111' }
+
+        it 'fails validation' do
+          expect(ApiAuth.authentic?(request, '123', :digest => 'sha111')).to eq false
+        end
       end
     end
   end

data/spec/railtie_spec.rb

@@ -62,7 +62,11 @@ describe 'Rails integration' do
     end
 
     it 'should permit a request with properly signed headers' do
-      request = ActionController::TestRequest.new
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  ActionController::TestRequest.create
+                else
+                  ActionController::TestRequest.new
+                end
       request.env['DATE'] = Time.now.utc.httpdate
       ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
       response = generated_response(request, :index)
@@ -70,7 +74,11 @@ describe 'Rails integration' do
     end
 
     it 'should forbid a request with properly signed headers but timestamp > 15 minutes' do
-      request = ActionController::TestRequest.new
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  ActionController::TestRequest.create
+                else
+                  ActionController::TestRequest.new
+                end
       request.env['DATE'] = 'Mon, 23 Jan 1984 03:29:56 GMT'
       ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
       response = generated_response(request, :index)
@@ -78,26 +86,42 @@ describe 'Rails integration' do
     end
 
     it "should insert a DATE header in the request when one hasn't been specified" do
-      request = ActionController::TestRequest.new
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  ActionController::TestRequest.create
+                else
+                  ActionController::TestRequest.new
+                end
       ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
       expect(request.headers['DATE']).not_to be_nil
     end
 
     it 'should forbid an unsigned request to a protected controller action' do
-      request = ActionController::TestRequest.new
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  ActionController::TestRequest.create
+                else
+                  ActionController::TestRequest.new
+                end
       response = generated_response(request, :index)
       expect(response.code).to eq('401')
     end
 
     it 'should forbid a request with a bogus signature' do
-      request = ActionController::TestRequest.new
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  ActionController::TestRequest.create
+                else
+                  ActionController::TestRequest.new
+                end
       request.env['Authorization'] = 'APIAuth bogus:bogus'
       response = generated_response(request, :index)
       expect(response.code).to eq('401')
     end
 
     it 'should allow non-protected controller actions to function as before' do
-      request = ActionController::TestRequest.new
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  ActionController::TestRequest.create
+                else
+                  ActionController::TestRequest.new
+                end
       response = generated_response(request, :public)
       expect(response.code).to eq('200')
     end
@@ -122,7 +146,7 @@ describe 'Rails integration' do
                  },
                  { :id => '1' }.to_xml(:root => 'test_resource')
       end
-      expect(ApiAuth).to receive(:sign!).with(anything, '1044', API_KEY_STORE['1044']).and_call_original
+      expect(ApiAuth).to receive(:sign!).with(anything, '1044', API_KEY_STORE['1044'], {}).and_call_original
       TestResource.find(1)
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: api-auth
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Mauricio Gomes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-05-11 00:00:00.000000000 Z
+date: 2016-07-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -216,6 +216,7 @@ files:
 - gemfiles/rails_4.gemfile
 - gemfiles/rails_41.gemfile
 - gemfiles/rails_42.gemfile
+- gemfiles/rails_5.gemfile
 - lib/api-auth.rb
 - lib/api_auth.rb
 - lib/api_auth/base.rb