api-auth 2.2.1 → 2.5.0

data/lib/api_auth/request_drivers/http.rb

@@ -12,18 +12,19 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
-        md5_base64digest(body)
+      def calculated_hash
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless %w[POST PUT].include?(http_method)
-        @request['Content-MD5'] = calculated_md5
+
+        @request['X-Authorization-Content-SHA256'] = calculated_hash
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if %w[POST PUT].include?(http_method)
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -37,8 +38,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri
@@ -71,6 +72,10 @@ module ApiAuth
         end
       end
 
+      def fetch_headers
+        capitalize_keys @request.headers.to_h
+      end
+
       private
 
       def find_header(keys)

data/lib/api_auth/request_drivers/httpi.rb

@@ -15,19 +15,20 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
-        md5_base64digest(@request.body || '')
+      def calculated_hash
+        sha256_base64digest(@request.body || '')
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless @request.body
-        @request.headers['Content-MD5'] = calculated_md5
+
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.body
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -45,8 +46,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/net_http.rb

@@ -15,7 +15,7 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.respond_to?(:body_stream) && @request.body_stream
           body = @request.body_stream.read
           @request.body_stream.rewind
@@ -23,17 +23,18 @@ module ApiAuth
           body = @request.body
         end
 
-        md5_base64digest(body || '')
+        sha256_base64digest(body || '')
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless @request.class::REQUEST_HAS_BODY
-        @request['Content-MD5'] = calculated_md5
+
+        @request['X-Authorization-Content-SHA256'] = calculated_hash
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.class::REQUEST_HAS_BODY
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -51,8 +52,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-Authorization-Content-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/rack.rb

@@ -15,25 +15,26 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.body
           body = @request.body.read
           @request.body.rewind
         else
           body = ''
         end
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless %w[POST PUT].include?(@request.request_method)
-        @request.env['Content-MD5'] = calculated_md5
+
+        @request.env['X-Authorization-Content-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if %w[POST PUT].include?(@request.request_method)
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -51,8 +52,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5 HTTP-CONTENT-MD5 HTTP_CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/rest_client.rb

@@ -18,25 +18,26 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.payload
           body = @request.payload.read
           @request.payload.instance_variable_get(:@stream).seek(0)
         else
           body = ''
         end
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless %w[post put].include?(@request.method.to_s)
-        @request.headers['Content-MD5'] = calculated_md5
+
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
         save_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if %w[post put].include?(@request.method.to_s)
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -54,8 +55,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/spec/api_auth_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe 'ApiAuth' do
   describe 'generating secret keys' do
@@ -36,9 +36,9 @@ describe 'ApiAuth' do
       ApiAuth.sign!(request, 'abc', '123')
     end
 
-    it 'generates content-md5 header before signing' do
+    it 'generates X-Authorization-Content-SHA256 header before signing' do
       expect(ApiAuth::Headers).to receive(:new).and_return(headers)
-      expect(headers).to receive(:calculate_md5).ordered
+      expect(headers).to receive(:calculate_hash).ordered
       expect(headers).to receive(:sign_header).ordered
 
       ApiAuth.sign!(request, 'abc', '123')
@@ -58,7 +58,7 @@ describe 'ApiAuth' do
       let(:request) do
         Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                            'content-type' => 'text/plain',
-                           'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                           'content-hash' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                            'date' => Time.now.utc.httpdate)
       end
 
@@ -76,7 +76,7 @@ describe 'ApiAuth' do
     let(:request) do
       Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                          'content-type' => 'text/plain',
-                         'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                         'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                          'date' => Time.now.utc.httpdate)
     end
 
@@ -94,8 +94,8 @@ describe 'ApiAuth' do
       expect(ApiAuth.authentic?(signed_request, '456')).to eq false
     end
 
-    it 'fails to validate non matching md5' do
-      request['content-md5'] = '12345'
+    it 'fails to validate non matching hash' do
+      request['X-Authorization-Content-SHA256'] = '12345'
       expect(ApiAuth.authentic?(signed_request, '123')).to eq false
     end
 
@@ -125,7 +125,7 @@ describe 'ApiAuth' do
       let(:request) do
         new_request = Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                                          'content-type' => 'text/plain',
-                                         'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                                         'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                                          'date' => Time.now.utc.httpdate)
         canonical_string = ApiAuth::Headers.new(new_request).canonical_string
         signature = hmac('123', new_request, canonical_string, 'sha256')
@@ -169,6 +169,13 @@ describe 'ApiAuth' do
         expect(ApiAuth.authentic?(signed_request, '123', clock_skew: 60.seconds)).to eq false
       end
     end
+
+    context 'when passed the headers_to_sign option' do
+      it 'validates the request' do
+        request['X-Forwarded-For'] = '192.168.1.1'
+        expect(ApiAuth.authentic?(signed_request, '123', headers_to_sign: %w[HTTP_X_FORWARDED_FOR])).to eq true
+      end
+    end
   end
 
   describe '.access_id' do

data/spec/headers_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe ApiAuth::Headers do
   describe '#canonical_string' do
@@ -53,7 +53,7 @@ describe ApiAuth::Headers do
         before do
           allow(driver).to receive(:http_method).and_return 'GET'
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:request_uri).and_return '/foo'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
@@ -83,7 +83,7 @@ describe ApiAuth::Headers do
         before do
           allow(driver).to receive(:http_method).and_return nil
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:request_uri).and_return '/foo'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
@@ -115,7 +115,7 @@ describe ApiAuth::Headers do
 
         before do
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
 
@@ -125,14 +125,40 @@ describe ApiAuth::Headers do
           end
         end
       end
+
+      context 'when headers to sign are provided' do
+        let(:request) do
+          Faraday::Request.create('GET') do |req|
+            req.options = Faraday::RequestOptions.new(Faraday::FlatParamsEncoder)
+            req.params = Faraday::Utils::ParamsHash.new
+            req.url('/resource.xml?foo=bar&bar=foo')
+            req.headers = { 'X-Forwarded-For' => '192.168.1.1' }
+          end
+        end
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_hash).and_return '12345'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
+
+        context 'the driver uses the original_uri' do
+          it 'constructs the canonical_string with the original_uri' do
+            expect(headers.canonical_string(nil, %w[X-FORWARDED-FOR]))
+              .to eq 'GET,text/html,12345,/resource.xml?bar=foo&foo=bar,Mon, 23 Jan 1984 03:29:56 GMT,192.168.1.1'
+          end
+        end
+      end
     end
   end
 
-  describe '#calculate_md5' do
+  describe '#calculate_hash' do
     subject(:headers) { described_class.new(request) }
     let(:driver) { headers.instance_variable_get('@request') }
 
-    context 'no md5 already calculated' do
+    context 'no content hash already calculated' do
       let(:request) do
         RestClient::Request.new(
           url: 'http://google.com',
@@ -141,55 +167,55 @@ describe ApiAuth::Headers do
         )
       end
 
-      it 'populates the md5 header' do
-        expect(driver).to receive(:populate_content_md5)
-        headers.calculate_md5
+      it 'populates the content hash header' do
+        expect(driver).to receive(:populate_content_hash)
+        headers.calculate_hash
       end
     end
 
-    context 'md5 already calculated' do
+    context 'hash already calculated' do
       let(:request) do
         RestClient::Request.new(
           url: 'http://google.com',
           method: :post,
           payload: "hello\nworld",
-          headers: { content_md5: 'abcd' }
+          headers: { 'X-Authorization-Content-SHA256' => 'abcd' }
         )
       end
 
-      it "doesn't populate the md5 header" do
-        expect(driver).not_to receive(:populate_content_md5)
-        headers.calculate_md5
+      it "doesn't populate the X-Authorization-Content-SHA256 header" do
+        expect(driver).not_to receive(:populate_content_hash)
+        headers.calculate_hash
       end
     end
   end
 
-  describe '#md5_mismatch?' do
+  describe '#content_hash_mismatch?' do
     let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
     subject(:headers) { described_class.new(request) }
     let(:driver) { headers.instance_variable_get('@request') }
 
-    context 'when request has md5 header' do
+    context 'when request has X-Authorization-Content-SHA256 header' do
       it 'asks the driver' do
-        allow(driver).to receive(:content_md5).and_return '1234'
+        allow(driver).to receive(:content_hash).and_return '1234'
 
-        expect(driver).to receive(:md5_mismatch?).and_call_original
-        headers.md5_mismatch?
+        expect(driver).to receive(:content_hash_mismatch?).and_call_original
+        headers.content_hash_mismatch?
       end
     end
 
-    context 'when request has no md5' do
+    context 'when request has no content hash' do
       it "doesn't ask the driver" do
-        allow(driver).to receive(:content_md5).and_return nil
+        allow(driver).to receive(:content_hash).and_return nil
 
-        expect(driver).not_to receive(:md5_mismatch?).and_call_original
-        headers.md5_mismatch?
+        expect(driver).not_to receive(:content_hash_mismatch?).and_call_original
+        headers.content_hash_mismatch?
       end
 
       it 'returns false' do
-        allow(driver).to receive(:content_md5).and_return nil
+        allow(driver).to receive(:content_hash).and_return nil
 
-        expect(headers.md5_mismatch?).to be false
+        expect(headers.content_hash_mismatch?).to be false
       end
     end
   end

data/spec/helpers_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe 'ApiAuth::Helpers' do
   it 'should strip the new line character on a Base64 encoding' do

data/spec/railtie_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe 'Rails integration' do
   API_KEY_STORE = { '1044' => 'l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==' }.freeze
@@ -8,8 +8,8 @@ describe 'Rails integration' do
       private
 
       def require_api_auth
-        if (access_id = get_api_access_id_from_request)
-          return true if api_authenticated?(API_KEY_STORE[access_id])
+        if (access_id = get_api_access_id_from_request) && api_authenticated?(API_KEY_STORE[access_id])
+          return true
         end
 
         respond_to do |format|