api-auth 2.3.1 → 2.5.1

data/lib/api_auth/headers.rb

@@ -61,7 +61,7 @@ module ApiAuth
 
       canonical_array = [request_method.upcase,
                          @request.content_type,
-                         @request.content_md5,
+                         @request.content_hash,
                          parse_uri(@request.original_uri || @request.request_uri),
                          @request.timestamp]
 
@@ -81,15 +81,15 @@ module ApiAuth
       @request.set_date if @request.timestamp.nil?
     end
 
-    def calculate_md5
-      @request.populate_content_md5 if @request.content_md5.nil?
+    def calculate_hash
+      @request.populate_content_hash if @request.content_hash.nil?
     end
 
-    def md5_mismatch?
-      if @request.content_md5.nil?
+    def content_hash_mismatch?
+      if @request.content_hash.nil?
         false
       else
-        @request.md5_mismatch?
+        @request.content_hash_mismatch?
       end
     end
 

data/lib/api_auth/helpers.rb

@@ -4,8 +4,8 @@ module ApiAuth
       Base64.strict_encode64(string)
     end
 
-    def md5_base64digest(string)
-      Digest::MD5.base64digest(string)
+    def sha256_base64digest(string)
+      Digest::SHA256.base64digest(string)
     end
 
     # Capitalizes the keys of a hash

data/lib/api_auth/railtie.rb

@@ -13,7 +13,11 @@ module ApiAuth
         end
       end
 
-      ActionController::Base.send(:include, ControllerMethods::InstanceMethods) if defined?(ActionController::Base)
+      if defined?(ActiveSupport)
+        ActiveSupport.on_load(:action_controller) do
+          ActionController::Base.include(ControllerMethods::InstanceMethods)
+        end
+      end
     end # ControllerMethods
 
     module ActiveResourceExtension # :nodoc:
@@ -69,7 +73,9 @@ module ApiAuth
             tmp = "Net::HTTP::#{method.to_s.capitalize}".constantize.new(path, h)
             tmp.body = arguments[0] if arguments.length > 1
             ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key, api_auth_options)
-            arguments.last['Content-MD5'] = tmp['Content-MD5'] if tmp['Content-MD5']
+            if tmp['X-Authorization-Content-SHA256']
+              arguments.last['X-Authorization-Content-SHA256'] = tmp['X-Authorization-Content-SHA256']
+            end
             arguments.last['DATE'] = tmp['DATE']
             arguments.last['Authorization'] = tmp['Authorization']
           end
@@ -78,9 +84,11 @@ module ApiAuth
         end
       end # Connection
 
-      if defined?(ActiveResource)
-        ActiveResource::Base.send(:include, ActiveResourceApiAuth)
-        ActiveResource::Connection.send(:include, Connection)
+      if defined?(ActiveSupport)
+        ActiveSupport.on_load(:active_resource) do
+          ActiveResource::Base.include(ActiveResourceApiAuth)
+          ActiveResource::Connection.include(Connection)
+        end
       end
     end # ActiveResourceExtension
   end # Rails

data/lib/api_auth/request_drivers/action_controller.rb

@@ -15,21 +15,21 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         body = @request.raw_post
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless @request.put? || @request.post?
 
-        @request.env['Content-MD5'] = calculated_md5
+        @request.env['X-AUTHORIZATION-CONTENT-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.put? || @request.post?
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -47,8 +47,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256 X_AUTHORIZATION_CONTENT_SHA256 HTTP_X_AUTHORIZATION_CONTENT_SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/curb.rb

@@ -15,11 +15,11 @@ module ApiAuth
         @request
       end
 
-      def populate_content_md5
+      def populate_content_hash
         nil # doesn't appear to be possible
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         false
       end
 
@@ -35,8 +35,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/faraday.rb

@@ -15,21 +15,21 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         body = @request.body || ''
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
-        return unless %w[POST PUT].include?(@request.method.to_s.upcase)
+      def populate_content_hash
+        return unless %w[POST PUT].include?(@request.http_method.to_s.upcase)
 
-        @request.headers['Content-MD5'] = calculated_md5
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
-        if %w[POST PUT].include?(@request.method.to_s.upcase)
-          calculated_md5 != content_md5
+      def content_hash_mismatch?
+        if %w[POST PUT].include?(@request.http_method.to_s.upcase)
+          calculated_hash != content_hash
         else
           false
         end
@@ -40,15 +40,15 @@ module ApiAuth
       end
 
       def http_method
-        @request.method.to_s.upcase
+        @request.http_method.to_s.upcase
       end
 
       def content_type
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5 HTTP-CONTENT-MD5 HTTP_CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/grape_request.rb

@@ -15,22 +15,22 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         body = @request.body.read
         @request.body.rewind
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return if !@request.put? && !@request.post?
 
-        @request.env['HTTP_CONTENT_MD5'] = calculated_md5
+        @request.env['HTTP_X_AUTHORIZATION_CONTENT_SHA256'] = calculated_hash
         save_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.put? || @request.post?
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -48,8 +48,8 @@ module ApiAuth
         find_header %w[HTTP_X_HMAC_CONTENT_TYPE HTTP_X_CONTENT_TYPE CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE]
       end
 
-      def content_md5
-        find_header %w[HTTP_X_HMAC_CONTENT_MD5 HTTP_X_CONTENT_MD5 CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5]
+      def content_hash
+        find_header %w[HTTP_X_AUTHORIZATION_CONTENT_SHA256]
       end
 
       def original_uri

data/lib/api_auth/request_drivers/http.rb

@@ -12,19 +12,19 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
-        md5_base64digest(body)
+      def calculated_hash
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless %w[POST PUT].include?(http_method)
 
-        @request['Content-MD5'] = calculated_md5
+        @request['X-Authorization-Content-SHA256'] = calculated_hash
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if %w[POST PUT].include?(http_method)
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -38,8 +38,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/httpi.rb

@@ -15,20 +15,20 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
-        md5_base64digest(@request.body || '')
+      def calculated_hash
+        sha256_base64digest(@request.body || '')
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless @request.body
 
-        @request.headers['Content-MD5'] = calculated_md5
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.body
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -46,8 +46,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/net_http.rb

@@ -15,7 +15,7 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.respond_to?(:body_stream) && @request.body_stream
           body = @request.body_stream.read
           @request.body_stream.rewind
@@ -23,18 +23,18 @@ module ApiAuth
           body = @request.body
         end
 
-        md5_base64digest(body || '')
+        sha256_base64digest(body || '')
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless @request.class::REQUEST_HAS_BODY
 
-        @request['Content-MD5'] = calculated_md5
+        @request['X-Authorization-Content-SHA256'] = calculated_hash
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if @request.class::REQUEST_HAS_BODY
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -52,8 +52,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-Authorization-Content-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/rack.rb

@@ -15,26 +15,26 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.body
           body = @request.body.read
           @request.body.rewind
         else
           body = ''
         end
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless %w[POST PUT].include?(@request.request_method)
 
-        @request.env['Content-MD5'] = calculated_md5
+        @request.env['X-Authorization-Content-SHA256'] = calculated_hash
         fetch_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if %w[POST PUT].include?(@request.request_method)
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -52,8 +52,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5 HTTP-CONTENT-MD5 HTTP_CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/lib/api_auth/request_drivers/rest_client.rb

@@ -18,26 +18,26 @@ module ApiAuth
         @request
       end
 
-      def calculated_md5
+      def calculated_hash
         if @request.payload
           body = @request.payload.read
           @request.payload.instance_variable_get(:@stream).seek(0)
         else
           body = ''
         end
-        md5_base64digest(body)
+        sha256_base64digest(body)
       end
 
-      def populate_content_md5
+      def populate_content_hash
         return unless %w[post put].include?(@request.method.to_s)
 
-        @request.headers['Content-MD5'] = calculated_md5
+        @request.headers['X-Authorization-Content-SHA256'] = calculated_hash
         save_headers
       end
 
-      def md5_mismatch?
+      def content_hash_mismatch?
         if %w[post put].include?(@request.method.to_s)
-          calculated_md5 != content_md5
+          calculated_hash != content_hash
         else
           false
         end
@@ -55,8 +55,8 @@ module ApiAuth
         find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
       end
 
-      def content_md5
-        find_header(%w[CONTENT-MD5 CONTENT_MD5])
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
       end
 
       def original_uri

data/spec/api_auth_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe 'ApiAuth' do
   describe 'generating secret keys' do
@@ -36,9 +36,9 @@ describe 'ApiAuth' do
       ApiAuth.sign!(request, 'abc', '123')
     end
 
-    it 'generates content-md5 header before signing' do
+    it 'generates X-Authorization-Content-SHA256 header before signing' do
       expect(ApiAuth::Headers).to receive(:new).and_return(headers)
-      expect(headers).to receive(:calculate_md5).ordered
+      expect(headers).to receive(:calculate_hash).ordered
       expect(headers).to receive(:sign_header).ordered
 
       ApiAuth.sign!(request, 'abc', '123')
@@ -58,7 +58,7 @@ describe 'ApiAuth' do
       let(:request) do
         Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                            'content-type' => 'text/plain',
-                           'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                           'content-hash' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                            'date' => Time.now.utc.httpdate)
       end
 
@@ -76,7 +76,7 @@ describe 'ApiAuth' do
     let(:request) do
       Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                          'content-type' => 'text/plain',
-                         'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                         'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                          'date' => Time.now.utc.httpdate)
     end
 
@@ -94,8 +94,8 @@ describe 'ApiAuth' do
       expect(ApiAuth.authentic?(signed_request, '456')).to eq false
     end
 
-    it 'fails to validate non matching md5' do
-      request['content-md5'] = '12345'
+    it 'fails to validate non matching hash' do
+      request['X-Authorization-Content-SHA256'] = '12345'
       expect(ApiAuth.authentic?(signed_request, '123')).to eq false
     end
 
@@ -125,7 +125,7 @@ describe 'ApiAuth' do
       let(:request) do
         new_request = Net::HTTP::Put.new('/resource.xml?foo=bar&bar=foo',
                                          'content-type' => 'text/plain',
-                                         'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+                                         'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                                          'date' => Time.now.utc.httpdate)
         canonical_string = ApiAuth::Headers.new(new_request).canonical_string
         signature = hmac('123', new_request, canonical_string, 'sha256')

data/spec/headers_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe ApiAuth::Headers do
   describe '#canonical_string' do
@@ -53,7 +53,7 @@ describe ApiAuth::Headers do
         before do
           allow(driver).to receive(:http_method).and_return 'GET'
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:request_uri).and_return '/foo'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
@@ -83,7 +83,7 @@ describe ApiAuth::Headers do
         before do
           allow(driver).to receive(:http_method).and_return nil
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:request_uri).and_return '/foo'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
@@ -115,7 +115,7 @@ describe ApiAuth::Headers do
 
         before do
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
 
@@ -140,7 +140,7 @@ describe ApiAuth::Headers do
 
         before do
           allow(driver).to receive(:content_type).and_return 'text/html'
-          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:content_hash).and_return '12345'
           allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
         end
 
@@ -154,11 +154,11 @@ describe ApiAuth::Headers do
     end
   end
 
-  describe '#calculate_md5' do
+  describe '#calculate_hash' do
     subject(:headers) { described_class.new(request) }
     let(:driver) { headers.instance_variable_get('@request') }
 
-    context 'no md5 already calculated' do
+    context 'no content hash already calculated' do
       let(:request) do
         RestClient::Request.new(
           url: 'http://google.com',
@@ -167,55 +167,55 @@ describe ApiAuth::Headers do
         )
       end
 
-      it 'populates the md5 header' do
-        expect(driver).to receive(:populate_content_md5)
-        headers.calculate_md5
+      it 'populates the content hash header' do
+        expect(driver).to receive(:populate_content_hash)
+        headers.calculate_hash
       end
     end
 
-    context 'md5 already calculated' do
+    context 'hash already calculated' do
       let(:request) do
         RestClient::Request.new(
           url: 'http://google.com',
           method: :post,
           payload: "hello\nworld",
-          headers: { content_md5: 'abcd' }
+          headers: { 'X-Authorization-Content-SHA256' => 'abcd' }
         )
       end
 
-      it "doesn't populate the md5 header" do
-        expect(driver).not_to receive(:populate_content_md5)
-        headers.calculate_md5
+      it "doesn't populate the X-Authorization-Content-SHA256 header" do
+        expect(driver).not_to receive(:populate_content_hash)
+        headers.calculate_hash
       end
     end
   end
 
-  describe '#md5_mismatch?' do
+  describe '#content_hash_mismatch?' do
     let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
     subject(:headers) { described_class.new(request) }
     let(:driver) { headers.instance_variable_get('@request') }
 
-    context 'when request has md5 header' do
+    context 'when request has X-Authorization-Content-SHA256 header' do
       it 'asks the driver' do
-        allow(driver).to receive(:content_md5).and_return '1234'
+        allow(driver).to receive(:content_hash).and_return '1234'
 
-        expect(driver).to receive(:md5_mismatch?).and_call_original
-        headers.md5_mismatch?
+        expect(driver).to receive(:content_hash_mismatch?).and_call_original
+        headers.content_hash_mismatch?
       end
     end
 
-    context 'when request has no md5' do
+    context 'when request has no content hash' do
       it "doesn't ask the driver" do
-        allow(driver).to receive(:content_md5).and_return nil
+        allow(driver).to receive(:content_hash).and_return nil
 
-        expect(driver).not_to receive(:md5_mismatch?).and_call_original
-        headers.md5_mismatch?
+        expect(driver).not_to receive(:content_hash_mismatch?).and_call_original
+        headers.content_hash_mismatch?
       end
 
       it 'returns false' do
-        allow(driver).to receive(:content_md5).and_return nil
+        allow(driver).to receive(:content_hash).and_return nil
 
-        expect(headers.md5_mismatch?).to be false
+        expect(headers.content_hash_mismatch?).to be false
       end
     end
   end

data/spec/helpers_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe 'ApiAuth::Helpers' do
   it 'should strip the new line character on a Base64 encoding' do

data/spec/railtie_spec.rb

@@ -1,4 +1,4 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe 'Rails integration' do
   API_KEY_STORE = { '1044' => 'l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==' }.freeze
@@ -8,8 +8,8 @@ describe 'Rails integration' do
       private
 
       def require_api_auth
-        if (access_id = get_api_access_id_from_request)
-          return true if api_authenticated?(API_KEY_STORE[access_id])
+        if (access_id = get_api_access_id_from_request) && api_authenticated?(API_KEY_STORE[access_id])
+          return true
         end
 
         respond_to do |format|