api-auth 2.2.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 74847c2470f870ce0206badfda86189773a6bb96b109d0fca6ab276f5bb70523
-  data.tar.gz: 5b24a84ec9a7617b3dfe33e9c97cccf5edc7caa627b51b76b3044f2952e32e80
+  metadata.gz: 92c94ba421b1f15829f9b16eb5bcbeb55c773298023134786011282639cba630
+  data.tar.gz: e14ce2ddf081464504b55a8aecd44afbc9526945a89c27e5a96d8bf500c1fa52
 SHA512:
-  metadata.gz: 507f3c7f5e1570c9014e953179a42c13c5502ea50483172fd7650a6b9853297e9220cb096599c4498a95f1873bf06d37852355cb2bc566481c2b93c61a4a9cb6
-  data.tar.gz: 05515f1bd95793f5c0497e2d3e0ea9cd65d9d14015f8f2abe151aa40ea0dfb849250505f0a132ba6b161d31d0839ebaec6adb7e8cef91dc286d123f7b04a1f37
+  metadata.gz: d392d56ebd5dd7592a363d623c51fe00750d97fc212114d37d6c79a650bc3c0c7bfa020bf6e4c2f207f6c2dd71ac67cabf6affbbe28d4c7b6c1d757c67abc90a
+  data.tar.gz: f88c2d4d14dc61b5f9e867aecf4c3680e117ef6194617447963ddea1b6f93e5d3de7e414bc2da12e4c251d5803a4a2d28e91f5d817f29809aa7cc260d299af16

data/.rubocop.yml

@@ -1,5 +1,8 @@
 inherit_from: .rubocop_todo.yml
 
+AllCops:
+  TargetRubyVersion: 2.3
+
 Metrics/AbcSize:
   Max: 25
 
@@ -14,3 +17,6 @@ Metrics/MethodLength:
 Naming/FileName:
   Exclude:
     - 'lib/api-auth.rb'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false

data/.rubocop_todo.yml

@@ -1,50 +1,82 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2018-02-12 13:27:16 +0300 using RuboCop version 0.52.1.
+# on 2018-10-22 20:30:52 +0700 using RuboCop version 0.59.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: Include, TreatCommentsAsGroupSeparators.
+# Include: **/*.gemspec
+Gemspec/OrderedDependencies:
+  Exclude:
+    - 'api_auth.gemspec'
+
 # Offense count: 1
 # Configuration parameters: AllowSafeAssignment.
 Lint/AssignmentInCondition:
   Exclude:
     - 'lib/api_auth/base.rb'
 
-# Offense count: 8
+# Offense count: 9
+# Configuration parameters: CheckForMethodsWithNoSideEffects.
 Lint/Void:
   Exclude:
     - 'lib/api_auth/headers.rb'
     - 'lib/api_auth/request_drivers/action_controller.rb'
     - 'lib/api_auth/request_drivers/curb.rb'
     - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/grape_request.rb'
     - 'lib/api_auth/request_drivers/httpi.rb'
     - 'lib/api_auth/request_drivers/net_http.rb'
     - 'lib/api_auth/request_drivers/rack.rb'
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
+# Offense count: 1
+# Configuration parameters: CountComments, ExcludedMethods.
+# ExcludedMethods: refine
+Metrics/BlockLength:
+  Max: 27
+
 # Offense count: 1
 Metrics/CyclomaticComplexity:
-  Max: 14
+  Max: 15
 
 # Offense count: 1
 Metrics/PerceivedComplexity:
   Max: 8
 
-# Offense count: 9
+# Offense count: 10
 Naming/AccessorMethodName:
   Exclude:
     - 'lib/api_auth/railtie.rb'
     - 'lib/api_auth/request_drivers/action_controller.rb'
     - 'lib/api_auth/request_drivers/curb.rb'
     - 'lib/api_auth/request_drivers/faraday.rb'
+    - 'lib/api_auth/request_drivers/grape_request.rb'
     - 'lib/api_auth/request_drivers/http.rb'
     - 'lib/api_auth/request_drivers/httpi.rb'
     - 'lib/api_auth/request_drivers/net_http.rb'
     - 'lib/api_auth/request_drivers/rack.rb'
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
+# Offense count: 3
+# Configuration parameters: MinNameLength, AllowNamesEndingInNumbers, AllowedNames, ForbiddenNames.
+# AllowedNames: io, id, to, by, on, in, at, ip, db
+Naming/UncommunicativeMethodParamName:
+  Exclude:
+    - 'lib/api_auth/base.rb'
+    - 'spec/railtie_spec.rb'
+
+# Offense count: 1
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: inline, group
+Style/AccessModifierDeclarations:
+  Exclude:
+    - 'lib/api_auth/headers.rb'
+
 # Offense count: 9
 Style/CommentedKeyword:
   Exclude:

data/.travis.yml

@@ -2,17 +2,16 @@ language: ruby
 sudo: false
 cache: bundler
 rvm:
-  - 2.1.10
-  - 2.2.9
   - 2.3.6
   - 2.4.3
-  - 2.5.0
+  - 2.5.3
 gemfile:
   - gemfiles/rails_4.gemfile
   - gemfiles/rails_41.gemfile
   - gemfiles/rails_42.gemfile
   - gemfiles/rails_5.gemfile
   - gemfiles/rails_51.gemfile
+  - gemfiles/rails_52.gemfile
   - gemfiles/http2.gemfile
   - gemfiles/http3.gemfile
   - gemfiles/http4.gemfile
@@ -26,19 +25,8 @@ script:
   - bundle exec $TEST_SUITE
 
 matrix:
-  exclude:
-    - rvm: 2.1.10
-      gemfile: gemfiles/rails_5.gemfile
-    - rvm: 2.1.10
-      gemfile: gemfiles/rails_51.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/http2.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/http3.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/http4.gemfile
   include:
-    - rvm: 2.5.0
+    - rvm: 2.5.3
       gemfile: gemfiles/rails_5.gemfile
       env: TEST_SUITE="rubocop lib/ spec/"
 

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+# 2.3.0 (2018-10-23)
+- Added support for Grape API (#169 phuongnd08 & dunghuynh)
+- Added option for specifying customer headers to sign via new `headers_to_sign`
+  argument (#170 fakenine)
+- Fix tests and drop support for Ruby < 2.3 (#171 fwininger)
+
+# 2.2.0 (2018-03-12)
+- Drop support ruby 1.x, rails 2.x, rails 3.x (#141 fwininger)
+- Add http.rb request driver (#164 tycooon)
+- Fix POST and PUT requests in RestClient (#151 fwininger)
+- Allow clock skew to be user-defined (#136 mlarraz)
+- Adds #original_uri method to all request drivers (#137 iMacTia)
+- Rubocop and test fixes (fwininger & nicolasleger)
+- Changed return type for request #content_md5 #timestamp #content_type (fwininger)
+- Fix URI edge case where a URI contains another URI (zfletch)
+- Updates to the README (zfletch)
+
 # 2.1.0 (2016-12-22)
 - Fixed a NoMethodError that might occur when using the NetHttp Driver (#130 grahamkenville)
 - More securely compare signatures in a way that prevents timing attacks (#56 leishman, #133 will0)

data/README.md

@@ -51,9 +51,9 @@ minutes in order to avoid replay attacks.
 
 ## Requirement
 
-v3.X require Ruby >= 2.1 and Rails >= 4.0 if you use rails.
+This gem require Ruby >= 2.3 and Rails >= 4.0 if you use rails.
 
-For older version of Ruby or Rails, please use ApiAuth v2.X.
+For older version of Ruby or Rails, please use ApiAuth v2.1 and older.
 
 **IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.**
 
@@ -138,6 +138,14 @@ to:
 
     Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
 
+If you want to sign custom headers, you can pass them as an array of strings in the options like so:
+
+``` ruby
+    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, headers_to_sign: %w[HTTP_HEADER_NAME])
+```
+
+With the specified headers values being at the end of the canonical string in the same order.
+
 ### ActiveResource Clients
 
 ApiAuth can transparently protect your ActiveResource communications with a

data/VERSION

@@ -1 +1 @@
-2.2.1
+2.3.0

data/api_auth.gemspec

@@ -1,4 +1,4 @@
-$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+$LOAD_PATH.push File.expand_path('lib', __dir__)
 
 Gem::Specification.new do |s|
   s.name = 'api-auth'
@@ -9,7 +9,7 @@ Gem::Specification.new do |s|
   s.authors = ['Mauricio Gomes']
   s.email = 'mauricio@edge14.com'
 
-  s.required_ruby_version = '>= 2.1.0'
+  s.required_ruby_version = '>= 2.3.0'
 
   s.add_development_dependency 'actionpack', '< 6.0', '> 4.0'
   s.add_development_dependency 'activeresource', '>= 4.0'
@@ -24,6 +24,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'pry'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rest-client', '~> 2.0'
+  s.add_development_dependency 'grape', '~> 1.1.0'
   s.add_development_dependency 'rspec', '~> 3.4'
 
   s.files         = `git ls-files`.split("\n")

data/gemfiles/http2.gemfile

@@ -1,7 +1,7 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "http", "~> 2.0"
+gem 'http', '~> 2.0'
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/http3.gemfile

@@ -1,7 +1,7 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "http", "~> 3.0"
+gem 'http', '~> 3.0'
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/http4.gemfile

@@ -1,7 +1,7 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "http", github: "httprb/http"
+gem 'http', github: 'httprb/http'
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_4.gemfile

@@ -1,11 +1,11 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "rake", "< 11.0", :platforms => :ruby_18
-gem "tins", "< 1.7", :platforms => :ruby_19
-gem "actionpack", "~> 4.0.4"
-gem "activeresource", "~> 4.0.0"
-gem "activesupport", "~> 4.0.4"
+gem 'actionpack', '~> 4.0.4'
+gem 'activeresource', '~> 4.0.0'
+gem 'activesupport', '~> 4.0.4'
+gem 'rake', '< 11.0', platforms: :ruby_18
+gem 'tins', '< 1.7', platforms: :ruby_19
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_41.gemfile

@@ -1,11 +1,11 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "rake", "< 11.0", :platforms => :ruby_18
-gem "tins", "< 1.7", :platforms => :ruby_19
-gem "actionpack", "~> 4.1.0"
-gem "activeresource", "~> 4.0.0"
-gem "activesupport", "~> 4.1.0"
+gem 'actionpack', '~> 4.1.0'
+gem 'activeresource', '~> 4.0.0'
+gem 'activesupport', '~> 4.1.0'
+gem 'rake', '< 11.0', platforms: :ruby_18
+gem 'tins', '< 1.7', platforms: :ruby_19
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_42.gemfile

@@ -1,11 +1,11 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "rake", "< 11.0", :platforms => :ruby_18
-gem "tins", "< 1.7", :platforms => :ruby_19
-gem "actionpack", "~> 4.2.0"
-gem "activeresource", "~> 4.0.0"
-gem "activesupport", "~> 4.2.0"
+gem 'actionpack', '~> 4.2.0'
+gem 'activeresource', '~> 4.0.0'
+gem 'activesupport', '~> 4.2.0'
+gem 'rake', '< 11.0', platforms: :ruby_18
+gem 'tins', '< 1.7', platforms: :ruby_19
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_5.gemfile

@@ -1,11 +1,11 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "actionpack", "~> 5.0.2"
-gem "activeresource", "~> 5.0.0", git: 'https://github.com/rails/activeresource.git'
-gem "activesupport", "~> 5.0.2"
+gem 'actionpack', '~> 5.0.2'
+gem 'activeresource', '~> 5.0.0', git: 'https://github.com/rails/activeresource.git'
+gem 'activesupport', '~> 5.0.2'
 
-gem "rubocop"
+gem 'rubocop'
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_51.gemfile

@@ -1,9 +1,9 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "actionpack", "~> 5.1.1"
-gem "activeresource", "~> 5.0.0", git: 'https://github.com/rails/activeresource.git'
-gem "activesupport", "~> 5.1.1"
+gem 'actionpack', '~> 5.1.1'
+gem 'activeresource', '~> 5.0.0', git: 'https://github.com/rails/activeresource.git'
+gem 'activesupport', '~> 5.1.1'
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_52.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source 'https://rubygems.org'
+
+gem 'actionpack', '~> 5.2.1'
+gem 'activeresource', '~> 5.0.0', git: 'https://github.com/rails/activeresource.git'
+gem 'activesupport', '~> 5.2.1'
+
+gemspec path: '../'

data/lib/api_auth.rb

@@ -9,6 +9,7 @@ require 'api_auth/request_drivers/net_http'
 require 'api_auth/request_drivers/curb'
 require 'api_auth/request_drivers/rest_client'
 require 'api_auth/request_drivers/action_controller'
+require 'api_auth/request_drivers/grape_request'
 require 'api_auth/request_drivers/action_dispatch'
 require 'api_auth/request_drivers/rack'
 require 'api_auth/request_drivers/httpi'

data/lib/api_auth/base.rb

@@ -105,7 +105,7 @@ module ApiAuth
     end
 
     def hmac_signature(headers, secret_key, options)
-      canonical_string = headers.canonical_string(options[:override_http_method])
+      canonical_string = headers.canonical_string(options[:override_http_method], options[:headers_to_sign])
       digest = OpenSSL::Digest.new(options[:digest])
       b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
     end

data/lib/api_auth/headers.rb

@@ -26,6 +26,8 @@ module ApiAuth
           else
             ActionControllerRequest.new(request)
           end
+        when /Grape::Request/
+          GrapeRequest.new(request)
         when /ActionDispatch::Request/
           ActionDispatchRequest.new(request)
         when /ActionController::CgiRequest/
@@ -40,6 +42,7 @@ module ApiAuth
 
       return new_request if new_request
       return RackRequest.new(request) if request.is_a?(Rack::Request)
+
       raise UnknownHTTPRequest, "#{request.class} is not yet supported."
     end
     private :initialize_request_driver
@@ -49,16 +52,24 @@ module ApiAuth
       @request.timestamp
     end
 
-    def canonical_string(override_method = nil)
+    def canonical_string(override_method = nil, headers_to_sign = [])
       request_method = override_method || @request.http_method
 
       raise ArgumentError, 'unable to determine the http method from the request, please supply an override' if request_method.nil?
 
-      [request_method.upcase,
-       @request.content_type,
-       @request.content_md5,
-       parse_uri(@request.original_uri || @request.request_uri),
-       @request.timestamp].join(',')
+      headers = @request.fetch_headers
+
+      canonical_array = [request_method.upcase,
+                         @request.content_type,
+                         @request.content_md5,
+                         parse_uri(@request.original_uri || @request.request_uri),
+                         @request.timestamp]
+
+      if headers_to_sign.is_a?(Array) && headers_to_sign.any?
+        headers_to_sign.each { |h| canonical_array << headers[h] if headers[h].present? }
+      end
+
+      canonical_array.join(',')
     end
 
     # Returns the authorization header from the request's headers

data/lib/api_auth/request_drivers/action_controller.rb

@@ -22,6 +22,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless @request.put? || @request.post?
+
         @request.env['Content-MD5'] = calculated_md5
         fetch_headers
       end

data/lib/api_auth/request_drivers/faraday.rb

@@ -16,12 +16,13 @@ module ApiAuth
       end
 
       def calculated_md5
-        body = @request.body ? @request.body : ''
+        body = @request.body || ''
         md5_base64digest(body)
       end
 
       def populate_content_md5
         return unless %w[POST PUT].include?(@request.method.to_s.upcase)
+
         @request.headers['Content-MD5'] = calculated_md5
         fetch_headers
       end

data/lib/api_auth/request_drivers/grape_request.rb

@@ -0,0 +1,87 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    class GrapeRequest # :nodoc:
+      include ApiAuth::Helpers
+
+      def initialize(request)
+        @request = request
+        save_headers
+        true
+      end
+
+      def set_auth_header(header)
+        @request.env['HTTP_AUTHORIZATION'] = header
+        save_headers # enforce update of processed_headers based on last updated headers
+        @request
+      end
+
+      def calculated_md5
+        body = @request.body.read
+        @request.body.rewind
+        md5_base64digest(body)
+      end
+
+      def populate_content_md5
+        return if !@request.put? && !@request.post?
+
+        @request.env['HTTP_CONTENT_MD5'] = calculated_md5
+        save_headers
+      end
+
+      def md5_mismatch?
+        if @request.put? || @request.post?
+          calculated_md5 != content_md5
+        else
+          false
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @request.env
+      end
+
+      def http_method
+        @request.request_method.upcase
+      end
+
+      def content_type
+        find_header %w[HTTP_X_HMAC_CONTENT_TYPE HTTP_X_CONTENT_TYPE CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE]
+      end
+
+      def content_md5
+        find_header %w[HTTP_X_HMAC_CONTENT_MD5 HTTP_X_CONTENT_MD5 CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5]
+      end
+
+      def original_uri
+        find_header %w[HTTP_X_HMAC_ORIGINAL_URI HTTP_X_ORIGINAL_URI X-ORIGINAL-URI X_ORIGINAL_URI]
+      end
+
+      def request_uri
+        @request.url
+      end
+
+      def set_date
+        @request.env['HTTP_DATE'] = Time.now.utc.httpdate
+        save_headers
+      end
+
+      def timestamp
+        find_header %w[HTTP_X_HMAC_DATE HTTP_X_DATE DATE HTTP_DATE]
+      end
+
+      def authorization_header
+        find_header %w[HTTP_X_HMAC_AUTHORIZATION HTTP_X_AUTHORIZATION Authorization AUTHORIZATION HTTP_AUTHORIZATION]
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @headers[key] }.compact.first
+      end
+
+      def save_headers
+        @headers = fetch_headers
+      end
+    end
+  end
+end

data/lib/api_auth/request_drivers/http.rb

@@ -18,6 +18,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless %w[POST PUT].include?(http_method)
+
         @request['Content-MD5'] = calculated_md5
       end
 

data/lib/api_auth/request_drivers/httpi.rb

@@ -21,6 +21,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless @request.body
+
         @request.headers['Content-MD5'] = calculated_md5
         fetch_headers
       end

data/lib/api_auth/request_drivers/net_http.rb

@@ -28,6 +28,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless @request.class::REQUEST_HAS_BODY
+
         @request['Content-MD5'] = calculated_md5
       end
 

data/lib/api_auth/request_drivers/rack.rb

@@ -27,6 +27,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless %w[POST PUT].include?(@request.request_method)
+
         @request.env['Content-MD5'] = calculated_md5
         fetch_headers
       end

data/lib/api_auth/request_drivers/rest_client.rb

@@ -30,6 +30,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless %w[post put].include?(@request.method.to_s)
+
         @request.headers['Content-MD5'] = calculated_md5
         save_headers
       end

data/spec/api_auth_spec.rb

@@ -169,6 +169,13 @@ describe 'ApiAuth' do
         expect(ApiAuth.authentic?(signed_request, '123', clock_skew: 60.seconds)).to eq false
       end
     end
+
+    context 'when passed the headers_to_sign option' do
+      it 'validates the request' do
+        request['X-Forwarded-For'] = '192.168.1.1'
+        expect(ApiAuth.authentic?(signed_request, '123', headers_to_sign: %w[HTTP_X_FORWARDED_FOR])).to eq true
+      end
+    end
   end
 
   describe '.access_id' do

data/spec/headers_spec.rb

@@ -125,6 +125,32 @@ describe ApiAuth::Headers do
           end
         end
       end
+
+      context 'when headers to sign are provided' do
+        let(:request) do
+          Faraday::Request.create('GET') do |req|
+            req.options = Faraday::RequestOptions.new(Faraday::FlatParamsEncoder)
+            req.params = Faraday::Utils::ParamsHash.new
+            req.url('/resource.xml?foo=bar&bar=foo')
+            req.headers = { 'X-Forwarded-For' => '192.168.1.1' }
+          end
+        end
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
+
+        context 'the driver uses the original_uri' do
+          it 'constructs the canonical_string with the original_uri' do
+            expect(headers.canonical_string(nil, %w[X-FORWARDED-FOR]))
+              .to eq 'GET,text/html,12345,/resource.xml?bar=foo&foo=bar,Mon, 23 Jan 1984 03:29:56 GMT,192.168.1.1'
+          end
+        end
+      end
     end
   end
 

data/spec/request_drivers/grape_request_spec.rb

@@ -0,0 +1,271 @@
+require 'spec_helper'
+
+describe ApiAuth::RequestDrivers::GrapeRequest do
+  let(:default_method) { 'PUT' }
+  let(:default_params) do
+    { 'message' => "hello\nworld" }
+  end
+  let(:default_options) do
+    {
+      method: method,
+      params: params
+    }
+  end
+  let(:default_env) do
+    Rack::MockRequest.env_for('/', options)
+  end
+  let(:method) { default_method }
+  let(:params) { default_params }
+  let(:options) { default_options.merge(request_headers) }
+  let(:env) { default_env }
+
+  let(:request) do
+    Grape::Request.new(env)
+  end
+
+  let(:timestamp) { Time.now.utc.httpdate }
+  let(:request_headers) do
+    {
+      'HTTP_X_HMAC_AUTHORIZATION' => 'APIAuth 1044:12345',
+      'HTTP_X_HMAC_CONTENT_MD5' => 'WEqCyXEuRBYZbohpZmUyAw==',
+      'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain',
+      'HTTP_X_HMAC_DATE' => timestamp
+    }
+  end
+
+  subject(:driven_request) { ApiAuth::RequestDrivers::GrapeRequest.new(request) }
+
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+
+    it 'gets the content_md5' do
+      expect(driven_request.content_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+    end
+
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('http://example.org/')
+    end
+
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+
+    describe '#calculated_md5' do
+      it 'calculates md5 from the body' do
+        expect(driven_request.calculated_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+      end
+
+      context 'no body' do
+        let(:params) { {} }
+
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+        end
+      end
+    end
+
+    describe 'http_method' do
+      context 'when put request' do
+        let(:method) { 'put' }
+
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+
+      context 'when get request' do
+        let(:method) { 'get' }
+
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+
+  describe 'setting headers correctly' do
+    let(:request_headers) do
+      {
+        'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain'
+      }
+    end
+
+    describe '#populate_content_md5' do
+      context 'when getting' do
+        let(:method) { 'get' }
+
+        it "doesn't populate content-md5" do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to be_nil
+        end
+      end
+
+      context 'when posting' do
+        let(:method) { 'post' }
+
+        it 'populates content-md5' do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_md5
+          expect(driven_request.content_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+      end
+
+      context 'when putting' do
+        let(:method) { 'put' }
+
+        it 'populates content-md5' do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_md5
+          expect(driven_request.content_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+      end
+
+      context 'when deleting' do
+        let(:method) { 'delete' }
+
+        it "doesn't populate content-md5" do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to be_nil
+        end
+      end
+    end
+
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+
+      it 'sets the date header of the request' do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+        driven_request.set_date
+        expect(request.headers['Date']).to eq(timestamp)
+      end
+
+      it 'refreshes the cached headers' do
+        driven_request.set_date
+        expect(driven_request.timestamp).to eq(timestamp)
+      end
+    end
+
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request.headers['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+
+  describe 'md5_mismatch?' do
+    context 'when getting' do
+      let(:method) { 'get' }
+
+      it 'is false' do
+        expect(driven_request.md5_mismatch?).to be false
+      end
+    end
+
+    context 'when posting' do
+      let(:method) { 'post' }
+
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.md5_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+
+        it 'is true' do
+          expect(driven_request.md5_mismatch?).to be true
+        end
+      end
+    end
+
+    context 'when putting' do
+      let(:method) { 'put' }
+
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.md5_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.md5_mismatch?).to be true
+        end
+      end
+    end
+
+    context 'when deleting' do
+      let(:method) { 'delete' }
+
+      it 'is false' do
+        expect(driven_request.md5_mismatch?).to be false
+      end
+    end
+  end
+
+  describe 'authentics?' do
+    let(:request_headers) { {} }
+    let(:signed_request) do
+      ApiAuth.sign!(request, '1044', '123')
+    end
+
+    context 'when getting' do
+      let(:method) { 'get' }
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when posting' do
+      let(:method) { 'post' }
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when putting' do
+      let(:method) { 'put' }
+
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when deleting' do
+      let(:method) { 'delete' }
+
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -16,6 +16,7 @@ require 'curb'
 require 'http'
 require 'httpi'
 require 'faraday'
+require 'grape'
 require 'net/http/post/multipart'
 
 # Requires supporting files with custom matchers and macros, etc,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: api-auth
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.3.0
 platform: ruby
 authors:
 - Mauricio Gomes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-12 00:00:00.000000000 Z
+date: 2018-10-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -204,6 +204,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: grape
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -246,6 +260,7 @@ files:
 - gemfiles/rails_42.gemfile
 - gemfiles/rails_5.gemfile
 - gemfiles/rails_51.gemfile
+- gemfiles/rails_52.gemfile
 - lib/api-auth.rb
 - lib/api_auth.rb
 - lib/api_auth/base.rb
@@ -257,6 +272,7 @@ files:
 - lib/api_auth/request_drivers/action_dispatch.rb
 - lib/api_auth/request_drivers/curb.rb
 - lib/api_auth/request_drivers/faraday.rb
+- lib/api_auth/request_drivers/grape_request.rb
 - lib/api_auth/request_drivers/http.rb
 - lib/api_auth/request_drivers/httpi.rb
 - lib/api_auth/request_drivers/net_http.rb
@@ -272,6 +288,7 @@ files:
 - spec/request_drivers/action_dispatch_spec.rb
 - spec/request_drivers/curb_spec.rb
 - spec/request_drivers/faraday_spec.rb
+- spec/request_drivers/grape_request_spec.rb
 - spec/request_drivers/http_spec.rb
 - spec/request_drivers/httpi_spec.rb
 - spec/request_drivers/net_http_spec.rb
@@ -289,7 +306,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.1.0
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -297,7 +314,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Simple HMAC authentication for your APIs
@@ -311,6 +328,7 @@ test_files:
 - spec/request_drivers/action_dispatch_spec.rb
 - spec/request_drivers/curb_spec.rb
 - spec/request_drivers/faraday_spec.rb
+- spec/request_drivers/grape_request_spec.rb
 - spec/request_drivers/http_spec.rb
 - spec/request_drivers/httpi_spec.rb
 - spec/request_drivers/net_http_spec.rb