api-auth 2.2.1 → 2.5.0

data/VERSION

@@ -1 +1 @@
-2.2.1
+2.5.0

data/api_auth.gemspec

@@ -1,4 +1,4 @@
-$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+$LOAD_PATH.push File.expand_path('lib', __dir__)
 
 Gem::Specification.new do |s|
   s.name = 'api-auth'
@@ -9,22 +9,24 @@ Gem::Specification.new do |s|
   s.authors = ['Mauricio Gomes']
   s.email = 'mauricio@edge14.com'
 
-  s.required_ruby_version = '>= 2.1.0'
+  s.required_ruby_version = '>= 2.5.0'
 
-  s.add_development_dependency 'actionpack', '< 6.0', '> 4.0'
+  s.add_development_dependency 'actionpack', '< 6.2', '> 5.0'
   s.add_development_dependency 'activeresource', '>= 4.0'
-  s.add_development_dependency 'activesupport', '< 6.0', '> 4.0'
+  s.add_development_dependency 'activesupport', '< 6.2', '> 5.0'
   s.add_development_dependency 'amatch'
   s.add_development_dependency 'appraisal'
   s.add_development_dependency 'curb', '~> 0.8'
-  s.add_development_dependency 'faraday', '>= 0.10'
+  s.add_development_dependency 'faraday', '>= 1.1.0'
   s.add_development_dependency 'http'
   s.add_development_dependency 'httpi'
   s.add_development_dependency 'multipart-post', '~> 2.0'
   s.add_development_dependency 'pry'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rest-client', '~> 2.0'
+  s.add_development_dependency 'grape', '~> 1.1.0'
   s.add_development_dependency 'rspec', '~> 3.4'
+  s.add_development_dependency 'rexml'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/gemfiles/http4.gemfile

@@ -1,7 +1,7 @@
 # This file was generated by Appraisal
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "http", github: "httprb/http"
+gem 'http', '~> 4.0'
 
-gemspec :path => "../"
+gemspec path: '../'

data/gemfiles/rails_52.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source 'https://rubygems.org'
+
+gem 'actionpack', '~> 5.2.1'
+gem 'activeresource', '~> 5.1.0'
+gem 'activesupport', '~> 5.2.1'
+
+gemspec path: '../'

data/gemfiles/rails_60.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source 'https://rubygems.org'
+
+gem 'actionpack', '~> 6.0.0'
+gem 'activeresource', '~> 5.1.0'
+gem 'activesupport', '~> 6.0.0'
+
+gemspec path: '../'

data/gemfiles/rails_61.gemfile

@@ -0,0 +1,11 @@
+# This file was generated by Appraisal
+
+source 'https://rubygems.org'
+
+gem 'actionpack', '~> 6.1.0'
+gem 'activeresource', '~> 5.1.0'
+gem 'activesupport', '~> 6.1.0'
+
+gem 'rubocop'
+
+gemspec path: '../'

data/lib/api_auth.rb

@@ -9,6 +9,7 @@ require 'api_auth/request_drivers/net_http'
 require 'api_auth/request_drivers/curb'
 require 'api_auth/request_drivers/rest_client'
 require 'api_auth/request_drivers/action_controller'
+require 'api_auth/request_drivers/grape_request'
 require 'api_auth/request_drivers/action_dispatch'
 require 'api_auth/request_drivers/rack'
 require 'api_auth/request_drivers/httpi'

data/lib/api_auth/base.rb

@@ -22,7 +22,7 @@ module ApiAuth
     def sign!(request, access_id, secret_key, options = {})
       options = { override_http_method: nil, digest: 'sha1' }.merge(options)
       headers = Headers.new(request)
-      headers.calculate_md5
+      headers.calculate_hash
       headers.set_date
       headers.sign_header auth_header(headers, access_id, secret_key, options)
     end
@@ -39,7 +39,7 @@ module ApiAuth
       # 900 seconds is 15 minutes
       clock_skew = options.fetch(:clock_skew, 900)
 
-      if headers.md5_mismatch?
+      if headers.content_hash_mismatch?
         false
       elsif !signatures_match?(headers, secret_key, options)
         false
@@ -71,7 +71,7 @@ module ApiAuth
 
     private
 
-    AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD5|SHA(?:1|224|256|384|512)?))? ([^:]+):(.+)$/
+    AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD5|SHA(?:1|224|256|384|512)?))? ([^:]+):(.+)$/.freeze
 
     def request_within_time_window?(headers, clock_skew)
       Time.httpdate(headers.timestamp).utc > (Time.now.utc - clock_skew) &&
@@ -105,7 +105,7 @@ module ApiAuth
     end
 
     def hmac_signature(headers, secret_key, options)
-      canonical_string = headers.canonical_string(options[:override_http_method])
+      canonical_string = headers.canonical_string(options[:override_http_method], options[:headers_to_sign])
       digest = OpenSSL::Digest.new(options[:digest])
       b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
     end

data/lib/api_auth/headers.rb

@@ -26,6 +26,8 @@ module ApiAuth
           else
             ActionControllerRequest.new(request)
           end
+        when /Grape::Request/
+          GrapeRequest.new(request)
         when /ActionDispatch::Request/
           ActionDispatchRequest.new(request)
         when /ActionController::CgiRequest/
@@ -40,6 +42,7 @@ module ApiAuth
 
       return new_request if new_request
       return RackRequest.new(request) if request.is_a?(Rack::Request)
+
       raise UnknownHTTPRequest, "#{request.class} is not yet supported."
     end
     private :initialize_request_driver
@@ -49,16 +52,24 @@ module ApiAuth
       @request.timestamp
     end
 
-    def canonical_string(override_method = nil)
+    def canonical_string(override_method = nil, headers_to_sign = [])
       request_method = override_method || @request.http_method
 
       raise ArgumentError, 'unable to determine the http method from the request, please supply an override' if request_method.nil?
 
-      [request_method.upcase,
-       @request.content_type,
-       @request.content_md5,
-       parse_uri(@request.original_uri || @request.request_uri),
-       @request.timestamp].join(',')
+      headers = @request.fetch_headers
+
+      canonical_array = [request_method.upcase,
+                         @request.content_type,
+                         @request.content_hash,
+                         parse_uri(@request.original_uri || @request.request_uri),
+                         @request.timestamp]
+
+      if headers_to_sign.is_a?(Array) && headers_to_sign.any?
+        headers_to_sign.each { |h| canonical_array << headers[h] if headers[h].present? }
+      end
+
+      canonical_array.join(',')
     end
 
     # Returns the authorization header from the request's headers
@@ -70,15 +81,15 @@ module ApiAuth
       @request.set_date if @request.timestamp.nil?
     end
 
-    def calculate_md5
-      @request.populate_content_md5 if @request.content_md5.nil?
+    def calculate_hash
+      @request.populate_content_hash if @request.content_hash.nil?
     end
 
-    def md5_mismatch?
-      if @request.content_md5.nil?
+    def content_hash_mismatch?
+      if @request.content_hash.nil?
         false
       else
-        @request.md5_mismatch?
+        @request.content_hash_mismatch?
       end
     end
 

data/lib/api_auth/helpers.rb

@@ -4,8 +4,8 @@ module ApiAuth
       Base64.strict_encode64(string)
     end
 
-    def md5_base64digest(string)
-      Digest::MD5.base64digest(string)
+    def sha256_base64digest(string)
+      Digest::SHA256.base64digest(string)
     end
 
     # Capitalizes the keys of a hash

data/lib/api_auth/railtie.rb

@@ -13,7 +13,11 @@ module ApiAuth
         end
       end
 
-      ActionController::Base.send(:include, ControllerMethods::InstanceMethods) if defined?(ActionController::Base)
+      if defined?(ActiveSupport)
+        ActiveSupport.on_load(:action_controller) do
+          ActionController::Base.include(ControllerMethods::InstanceMethods)
+        end
+      end
     end # ControllerMethods
 
     module ActiveResourceExtension # :nodoc:
@@ -69,7 +73,9 @@ module ApiAuth
             tmp = "Net::HTTP::#{method.to_s.capitalize}".constantize.new(path, h)
             tmp.body = arguments[0] if arguments.length > 1
             ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key, api_auth_options)
-            arguments.last['Content-MD5'] = tmp['Content-MD5'] if tmp['Content-MD5']
+            if tmp['X-Authorization-Content-SHA256']
+              arguments.last['X-Authorization-Content-SHA256'] = tmp['X-Authorization-Content-SHA256']
+            end
             arguments.last['DATE'] = tmp['DATE']
             arguments.last['Authorization'] = tmp['Authorization']
           end
@@ -78,9 +84,11 @@ module ApiAuth
         end
       end # Connection
 
-      if defined?(ActiveResource)
-        ActiveResource::Base.send(:include, ActiveResourceApiAuth)
-        ActiveResource::Connection.send(:include, Connection)
+      if defined?(ActiveSupport)
+        ActiveSupport.on_load(:active_resource) do
+          ActiveResource::Base.include(ActiveResourceApiAuth)
+          ActiveResource::Connection.include(Connection)
+        end
       end
     end # ActiveResourceExtension
   end # Rails

data/lib/api_auth/request_drivers/action_controller.rb

@@ -15,20 +15,21 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         body = @request.raw_post
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless @request.put? || @request.post?
-        @request.env['Content-MD5'] = calculated_md5
+
+        @request.env['X-AUTHORIZATION-CONTENT-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.put? || @request.post?
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -46,8 +47,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/curb.rb

@@ -15,11 +15,11 @@ module ApiAuth
         @request
       end
 
-      def populate_content_md5
+      def populate_content_hash
         nil # doesn't appear to be possible
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         false
       end
 
@@ -35,8 +35,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/faraday.rb

@@ -15,20 +15,21 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
-        body = @request.body ? @request.body : ''
-        md5_base64digest(body)
+      def calculated_hash
+        body = @request.body || ''
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
-        return unless %w[POST PUT].include?(@request.method.to_s.upcase)
-        @request.headers['Content-MD5'] = calculated_md5
+      def populate_content_hash
+        return unless %w[POST PUT].include?(@request.http_method.to_s.upcase)
+
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
-        if %w[POST PUT].include?(@request.method.to_s.upcase)
-          calculated_md5 != content_md5
+      def content_hash_mismatch?
+        if %w[POST PUT].include?(@request.http_method.to_s.upcase)
+          calculated_hash != content_hash
         else
           false
         end
@@ -39,15 +40,15 @@ module ApiAuth
       end
 
       def http_method
-        @request.method.to_s.upcase
+        @request.http_method.to_s.upcase
       end
 
       def content_type
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5 HTTP-CONTENT-MD5 HTTP_CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/grape_request.rb

@@ -0,0 +1,87 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    class GrapeRequest # :nodoc:
+      include ApiAuth::Helpers
+
+      def initialize(request)
+        @request = request
+        save_headers
+        true
+      end
+
+      def set_auth_header(header)
+        @request.env['HTTP_AUTHORIZATION'] = header
+        save_headers # enforce update of processed_headers based on last updated headers
+        @request
+      end
+
+      def calculated_hash
+        body = @request.body.read
+        @request.body.rewind
+        sha256_base64digest(body)
+      end
+
+      def populate_content_hash
+        return if !@request.put? && !@request.post?
+
+        @request.env['HTTP_X_AUTHORIZATION_CONTENT_SHA256'] = calculated_hash
+        save_headers
+      end
+
+      def content_hash_mismatch?
+        if @request.put? || @request.post?
+          calculated_hash != content_hash
+        else
+          false
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @request.env
+      end
+
+      def http_method
+        @request.request_method.upcase
+      end
+
+      def content_type
+        find_header %w[HTTP_X_HMAC_CONTENT_TYPE HTTP_X_CONTENT_TYPE CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE]
+      end
+
+      def content_hash
+        find_header %w[HTTP_X_AUTHORIZATION_CONTENT_SHA256]
+      end
+
+      def original_uri
+        find_header %w[HTTP_X_HMAC_ORIGINAL_URI HTTP_X_ORIGINAL_URI X-ORIGINAL-URI X_ORIGINAL_URI]
+      end
+
+      def request_uri
+        @request.url
+      end
+
+      def set_date
+        @request.env['HTTP_DATE'] = Time.now.utc.httpdate
+        save_headers
+      end
+
+      def timestamp
+        find_header %w[HTTP_X_HMAC_DATE HTTP_X_DATE DATE HTTP_DATE]
+      end
+
+      def authorization_header
+        find_header %w[HTTP_X_HMAC_AUTHORIZATION HTTP_X_AUTHORIZATION Authorization AUTHORIZATION HTTP_AUTHORIZATION]
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @headers[key] }.compact.first
+      end
+
+      def save_headers
+        @headers = fetch_headers
+      end
+    end
+  end
+end