api-auth 2.4.1 → 2.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60f6b22c31a0167767c8aa90d9e831bde874fd6831798d1c1a5104849005a4f4
-  data.tar.gz: 9be6acbac2c38e6fc0d0af33d6ba9fd6f9bc4ca0dc5dc6050fee1a8e139d94b5
+  metadata.gz: 232d1199b2fd74328e77ba9dd3362789798585b3d88df7c6d4688cf843475190
+  data.tar.gz: 879689b7f0b691212e0c14a80e087a041769241221b7a88f094c1003b29cfa9c
 SHA512:
-  metadata.gz: 30f33a8543297ceb7e99bb028cca8377e5af639957d9edc06e36f1968d252a0012357030e726d9ff7024ebc99da30e9a1bb324eba686ffb6c784931ac2063620
-  data.tar.gz: 00b796d683a878643d152f8bad511f38d92fcf6182e941eff490609b5f122b301b08c8820af7229b9a5b744414ded4069054523244bba571a1bc408da6b4ba06
+  metadata.gz: 2cb0fbdf6f5984f7334bdfa8a16309837c35b146eab39cd723203cd6861c9ce1e51d66fa2f73a3bb6a9490eaec2af0e3c73b34a03726d26360fc664aa7095f32
+  data.tar.gz: 9a1e90785610686db8c1a84943d138f9528dd5ce28965774cfe3112ea74850d898694a7a2bd458ef513f0fd48db56015b8662c53ec78ec38d714080b6f59ed68

data/.github/workflows/main.yml

@@ -0,0 +1,67 @@
+name: main
+on:
+  - push
+  - pull_request
+jobs:
+  rspec:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby-version:
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+        gemfile:
+          - rails_52.gemfile
+          - rails_60.gemfile
+          - rails_61.gemfile
+        exclude:
+          - ruby-version: [ 2.6, 2.7, 3.0 ]
+            gemfile: rails_52.gemfile
+          - ruby-version: 3.0
+            gemfile: rails_60.gemfile
+    steps:
+      - name: Install packages required for `curb` gem
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libcurl4 libcurl3-gnutls libcurl4-openssl-dev
+
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true
+
+      - name: Install required gems
+        run: BUNDLE_GEMFILE=gemfiles/${{ matrix.gemfile }} bundle install
+
+      - name: Run rspec tests
+        run: BUNDLE_GEMFILE=gemfiles/${{ matrix.gemfile }} bundle exec rspec
+
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install packages required for `curb` gem
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libcurl4 libcurl3-gnutls libcurl4-openssl-dev
+
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Install Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0
+          bundler-cache: true
+
+      - name: Install required gems
+        run: bundle install
+
+      - name: Run rubocop
+        run: bundle exec rubocop

data/.gitignore

@@ -8,4 +8,6 @@
 /doc
 /.yardoc
 gemfiles/*.lock
+gemfiles/.bundle/
 /.idea
+*.gem

data/.rubocop.yml

@@ -1,10 +1,11 @@
 inherit_from: .rubocop_todo.yml
 
 AllCops:
-  TargetRubyVersion: 2.4
+  NewCops: enable
+  TargetRubyVersion: 2.5
 
 Metrics/AbcSize:
-  Max: 25
+  Max: 28
 
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
 # URISchemes: http, https
@@ -14,9 +15,21 @@ Layout/LineLength:
 Metrics/MethodLength:
   Max: 40
 
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*.rb'
+    - 'api_auth.gemspec'
+
 Naming/FileName:
   Exclude:
     - 'lib/api-auth.rb'
 
 Style/FrozenStringLiteralComment:
   Enabled: false
+
+Style/StringLiterals:
+  Exclude:
+    - 'gemfiles/*.gemfile'
+
+Lint/DuplicateBranch:
+  Enabled: false

data/.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2018-10-22 20:30:52 +0700 using RuboCop version 0.59.2.
+# on 2021-03-26 22:04:17 UTC using RuboCop version 1.12.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -8,7 +8,7 @@
 
 # Offense count: 1
 # Cop supports --auto-correct.
-# Configuration parameters: Include, TreatCommentsAsGroupSeparators.
+# Configuration parameters: TreatCommentsAsGroupSeparators, ConsiderPunctuation, Include.
 # Include: **/*.gemspec
 Gemspec/OrderedDependencies:
   Exclude:
@@ -20,6 +20,13 @@ Lint/AssignmentInCondition:
   Exclude:
     - 'lib/api_auth/base.rb'
 
+# Offense count: 4
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: enums
+Lint/ConstantDefinitionInBlock:
+  Exclude:
+    - 'spec/railtie_spec.rb'
+
 # Offense count: 9
 # Configuration parameters: CheckForMethodsWithNoSideEffects.
 Lint/Void:
@@ -35,19 +42,21 @@ Lint/Void:
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
 # Offense count: 1
-# Configuration parameters: CountComments, ExcludedMethods.
-# ExcludedMethods: refine
+# Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
+Metrics/AbcSize:
+  Max: 28
+
+# Offense count: 1
+# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
+# IgnoredMethods: refine
 Metrics/BlockLength:
   Max: 27
 
-# Offense count: 1
+# Offense count: 2
+# Configuration parameters: IgnoredMethods.
 Metrics/CyclomaticComplexity:
   Max: 15
 
-# Offense count: 1
-Metrics/PerceivedComplexity:
-  Max: 8
-
 # Offense count: 10
 Naming/AccessorMethodName:
   Exclude:
@@ -64,29 +73,30 @@ Naming/AccessorMethodName:
 
 # Offense count: 3
 # Configuration parameters: MinNameLength, AllowNamesEndingInNumbers, AllowedNames, ForbiddenNames.
-# AllowedNames: io, id, to, by, on, in, at, ip, db
+# AllowedNames: at, by, db, id, in, io, ip, of, on, os, pp, to
 Naming/MethodParameterName:
   Exclude:
     - 'lib/api_auth/base.rb'
     - 'spec/railtie_spec.rb'
 
-# Offense count: 1
-# Configuration parameters: EnforcedStyle.
-# SupportedStyles: inline, group
-Style/AccessModifierDeclarations:
-  Exclude:
-    - 'lib/api_auth/headers.rb'
-
 # Offense count: 9
+# Cop supports --auto-correct.
 Style/CommentedKeyword:
   Exclude:
     - 'lib/api_auth/base.rb'
     - 'lib/api_auth/railtie.rb'
 
-# Offense count: 4
+# Offense count: 3
+# Configuration parameters: AllowedConstants.
 Style/Documentation:
   Exclude:
     - 'spec/**/*'
     - 'test/**/*'
     - 'lib/api_auth/railtie.rb'
-    - 'lib/api_auth/request_drivers/rest_client.rb'
+
+# Offense count: 1
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: respond_to_missing?
+Style/OptionalBooleanParameter:
+  Exclude:
+    - 'lib/api_auth/railtie.rb'

data/Appraisals

@@ -1,23 +1,17 @@
-appraise 'rails-5' do
-  gem 'actionpack', '~> 5.0.2'
-  gem 'activeresource', '~> 5.0.2'
-  gem 'activesupport', '~> 5.0.2'
+appraise 'rails-52' do
+  gem 'actionpack', '~> 5.2'
+  gem 'activeresource', '~> 5.1'
+  gem 'activesupport', '~> 5.2'
 end
 
-appraise 'rails-42' do
-  gem 'actionpack', '~> 4.2.0'
-  gem 'activeresource', '~> 4.0.0'
-  gem 'activesupport', '~> 4.2.0'
+appraise 'rails-60' do
+  gem 'actionpack', '~> 6.0'
+  gem 'activeresource', '~> 5.1'
+  gem 'activesupport', '~> 6.0'
 end
 
-appraise 'rails-41' do
-  gem 'actionpack', '~> 4.1.0'
-  gem 'activeresource', '~> 4.0.0'
-  gem 'activesupport', '~> 4.1.0'
-end
-
-appraise 'rails-4' do
-  gem 'actionpack', '~> 4.0.4'
-  gem 'activeresource', '~> 4.0.0'
-  gem 'activesupport', '~> 4.0.4'
+appraise 'rails-61' do
+  gem 'actionpack', '~> 6.1'
+  gem 'activeresource', '~> 5.1'
+  gem 'activesupport', '~> 6.1'
 end

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+# 2.5.0 (2021-05-11)
+- Add support for Ruby 3.0 (#194 fwininger)
+- Add support for Rails 6.1 (#194 fwininger)
+- Drop support for Ruby 2.4 (#193 fwininger)
+- Drop support for Rails 5.0 (#194 fwininger)
+- Drop support for Rails 5.1 (#194 fwininger)
+- Fix Faraday warning: `WARNING: Faraday::Request#method is deprecated` (#191 fwininger)
+
 # 2.4.1 (2020-06-23)
 - Fix inadvertant ActiveSupport dependecy (#189 taylorthurlow)
 

data/Gemfile

@@ -1,4 +1,2 @@
 source 'https://rubygems.org'
 gemspec
-
-gem 'rubocop'

data/README.md

@@ -1,6 +1,6 @@
 # ApiAuth
 
-[![Build Status](https://travis-ci.org/mgomes/api_auth.svg?branch=master)](https://travis-ci.org/mgomes/api_auth)
+[![Build Status](https://github.com/mgomes/api_auth/actions/workflows/main.yml/badge.svg?branch=master)](https://github.com/mgomes/api_auth/actions)
 [![Gem Version](https://badge.fury.io/rb/api-auth.svg)](https://badge.fury.io/rb/api-auth)
 
 Logins and passwords are for humans. Communication between applications need to
@@ -21,16 +21,18 @@ have to be written in the same language as the clients.
 ## How it works
 
 1. A canonical string is first created using your HTTP headers containing the
-content-type, content-MD5, request path and the date/time stamp. If content-type or
-content-MD5 are not present, then a blank string is used in their place. If the
-timestamp isn't present, a valid HTTP date is automatically added to the
-request. The canonical string is computed as follows:
+`content-type`, `X-Authorization-Content-SHA256`, request path and the date/time stamp.
+If `content-type` or `X-Authorization-Content-SHA256` are not present, then a blank
+string is used in their place. If the timestamp isn't present, a valid HTTP date is
+automatically added to the request. The canonical string is computed as follows:
 
+```ruby
+canonical_string = "#{http method},#{content-type},#{X-Authorization-Content-SHA256},#{request URI},#{timestamp}"
 ```
-canonical_string = "#{http method},#{content-type},#{content-MD5},#{request URI},#{timestamp}"
 
 e.g.,
 
+```ruby
 canonical_string = 'POST,application/json,,request_path,Tue, 30 May 2017 03:51:43 GMT'
 ```
 
@@ -39,13 +41,13 @@ SHA1 HMAC, using the client's private secret key.
 
 3. This signature is then added as the `Authorization` HTTP header in the form:
 
-```
+```ruby
 Authorization = APIAuth "#{client access id}:#{signature from step 2}"
 ```
 
 A cURL request would look like:
 
-```
+```sh
 curl -X POST --header 'Content-Type: application/json' --header "Date: Tue, 30 May 2017 03:51:43 GMT" --header "Authorization: ${AUTHORIZATION}"  http://my-app.com/request_path`
 ```
 
@@ -56,7 +58,6 @@ access id that was attached in the header. The access id can be any integer or
 string that uniquely identifies the client. The signed request expires after 15
 minutes in order to avoid replay attacks.
 
-
 ## References
 
 * [Hash functions](http://en.wikipedia.org/wiki/Cryptographic_hash_function)
@@ -66,7 +67,7 @@ minutes in order to avoid replay attacks.
 
 ## Requirement
 
-This gem require Ruby >= 2.3 and Rails >= 4.0 if you use rails.
+This gem require Ruby >= 2.5 and Rails >= 5.1 if you use rails.
 
 For older version of Ruby or Rails, please use ApiAuth v2.1 and older.
 
@@ -77,7 +78,7 @@ For older version of Ruby or Rails, please use ApiAuth v2.1 and older.
 The gem doesn't have any dependencies outside of having a working OpenSSL
 configuration for your Ruby VM. To install:
 
-```bash
+```sh
 [sudo] gem install api-auth
 ```
 
@@ -104,15 +105,15 @@ Here's a sample implementation of signing a request created with RestClient.
 
 Assuming you have a client access id and secret as follows:
 
-``` ruby
+```ruby
 @access_id = "1044"
 @secret_key = ApiAuth.generate_secret_key
 ```
 
 A typical RestClient PUT request may look like:
 
-``` ruby
-headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+```ruby
+headers = { 'X-Authorization-Content-SHA256' => "dWiCWEMZWMxeKM8W8Yuh/TbI29Hw5xUSXZWXEJv63+Y=",
   'Content-Type' => "text/plain",
   'Date' => "Mon, 23 Jan 1984 03:29:56 GMT"
 }
@@ -126,7 +127,7 @@ headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
 
 To sign that request, simply call the `sign!` method as follows:
 
-``` ruby
+```ruby
 @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
 ```
 
@@ -140,26 +141,26 @@ If you are signing a request for a driver that doesn't support automatic http
 method detection (like Curb or httpi), you can pass the http method as an option
 into the sign! method like so:
 
-``` ruby
+```ruby
 @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
 ```
 
 If you want to use another digest existing in `OpenSSL::Digest`,
 you can pass the http method as an option into the sign! method like so:
 
-``` ruby
+```ruby
 @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :digest => 'sha256')
 ```
 
 With the `digest` option, the `Authorization` header will be change from:
 
-```
+```sh
 Authorization = APIAuth 'client access id':'signature'
 ```
 
 to:
 
-```
+```sh
 Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
 ```
 
@@ -168,7 +169,7 @@ Authorization = APIAuth-HMAC-DIGEST_NAME 'client access id':'signature'
 ApiAuth can transparently protect your ActiveResource communications with a
 single configuration line:
 
-``` ruby
+```ruby
 class MyResource < ActiveResource::Base
   with_api_auth(access_id, secret_key)
 end
@@ -181,7 +182,7 @@ This will automatically sign all outgoing ActiveResource requests from your app.
 ApiAuth also works with [Flexirest](https://github.com/andyjeffries/flexirest) (used to be ActiveRestClient, but that is now unsupported) in a very similar way.
 Simply add this configuration to your Flexirest initializer in your app and it will automatically sign all outgoing requests.
 
-``` ruby
+```ruby
 Flexirest::Base.api_auth_credentials(@access_id, @secret_key)
 ```
 
@@ -192,20 +193,20 @@ clients as well as verifying incoming API requests.
 
 To generate a Base64 encoded API key for a client:
 
-``` ruby
+```ruby
 ApiAuth.generate_secret_key
 ```
 
 To validate whether or not a request is authentic:
 
-``` ruby
+```ruby
 ApiAuth.authentic?(signed_request, secret_key)
 ```
 
 The `authentic?` method uses the digest specified in the `Authorization` header.
 For example SHA256 for:
 
-```
+```sh
 Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
 ```
 
@@ -213,7 +214,7 @@ And by default SHA1 if the HMAC-DIGEST is not specified.
 
 If you want to force the usage of another digest method, you should pass it as an option parameter:
 
-``` ruby
+```ruby
 ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
 ```
 
@@ -272,13 +273,13 @@ To run the tests:
 
 Install the dependencies for a particular Rails version by specifying a gemfile in `gemfiles` directory:
 
-```
+```sh
 BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle install
 ```
 
 Run the tests with those dependencies:
 
-```
+```sh
 BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle exec rake
 ```
 
@@ -290,6 +291,7 @@ the public methods for each driver are required to be implemented by your driver
 
 * [Mauricio Gomes](http://github.com/mgomes)
 * [Kevin Glowacz](http://github.com/kjg)
+* [Florian Wininger](http://github.com/fwininger)
 
 ## Copyright
 

data/VERSION

@@ -1 +1 @@
-2.4.1
+2.5.1

data/api_auth.gemspec

@@ -8,16 +8,21 @@ Gem::Specification.new do |s|
   s.version = File.read(File.join(File.dirname(__FILE__), 'VERSION'))
   s.authors = ['Mauricio Gomes']
   s.email = 'mauricio@edge14.com'
+  s.license = 'MIT'
 
-  s.required_ruby_version = '>= 2.4.0'
+  s.metadata = {
+    'rubygems_mfa_required' => 'true'
+  }
 
-  s.add_development_dependency 'actionpack', '< 6.1', '> 4.0'
+  s.required_ruby_version = '>= 2.5.0'
+
+  s.add_development_dependency 'actionpack', '< 6.2', '> 5.0'
   s.add_development_dependency 'activeresource', '>= 4.0'
-  s.add_development_dependency 'activesupport', '< 6.1', '> 4.0'
+  s.add_development_dependency 'activesupport', '< 6.2', '> 5.0'
   s.add_development_dependency 'amatch'
   s.add_development_dependency 'appraisal'
   s.add_development_dependency 'curb', '~> 0.8'
-  s.add_development_dependency 'faraday', '>= 0.10'
+  s.add_development_dependency 'faraday', '>= 1.1.0'
   s.add_development_dependency 'http'
   s.add_development_dependency 'httpi'
   s.add_development_dependency 'multipart-post', '~> 2.0'
@@ -26,6 +31,8 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rest-client', '~> 2.0'
   s.add_development_dependency 'grape', '~> 1.1.0'
   s.add_development_dependency 'rspec', '~> 3.4'
+  s.add_development_dependency 'rexml'
+  s.add_development_dependency 'rubocop'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/gemfiles/rails_52.gemfile

@@ -1,9 +1,9 @@
 # This file was generated by Appraisal
 
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
-gem 'actionpack', '~> 5.2.1'
-gem 'activeresource', '~> 5.1.0'
-gem 'activesupport', '~> 5.2.1'
+gem "actionpack", "~> 5.2"
+gem "activeresource", "~> 5.1"
+gem "activesupport", "~> 5.2"
 
-gemspec path: '../'
+gemspec path: "../"

data/gemfiles/rails_60.gemfile

@@ -1,11 +1,9 @@
 # This file was generated by Appraisal
 
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
-gem 'actionpack', '~> 6.0.0'
-gem 'activeresource', '~> 5.1.0'
-gem 'activesupport', '~> 6.0.0'
+gem "actionpack", "~> 6.0"
+gem "activeresource", "~> 5.1"
+gem "activesupport", "~> 6.0"
 
-gem 'rubocop'
-
-gemspec path: '../'
+gemspec path: "../"

data/gemfiles/rails_61.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "actionpack", "~> 6.1"
+gem "activeresource", "~> 5.1"
+gem "activesupport", "~> 6.1"
+
+gemspec path: "../"

data/lib/api_auth/base.rb

@@ -22,7 +22,7 @@ module ApiAuth
     def sign!(request, access_id, secret_key, options = {})
       options = { override_http_method: nil, digest: 'sha1' }.merge(options)
       headers = Headers.new(request)
-      headers.calculate_md5
+      headers.calculate_hash
       headers.set_date
       headers.sign_header auth_header(headers, access_id, secret_key, options)
     end
@@ -39,7 +39,7 @@ module ApiAuth
       # 900 seconds is 15 minutes
       clock_skew = options.fetch(:clock_skew, 900)
 
-      if headers.md5_mismatch?
+      if headers.content_hash_mismatch?
         false
       elsif !signatures_match?(headers, secret_key, options)
         false

data/lib/api_auth/headers.rb

@@ -61,7 +61,7 @@ module ApiAuth
 
       canonical_array = [request_method.upcase,
                          @request.content_type,
-                         @request.content_md5,
+                         @request.content_hash,
                          parse_uri(@request.original_uri || @request.request_uri),
                          @request.timestamp]
 
@@ -81,15 +81,15 @@ module ApiAuth
       @request.set_date if @request.timestamp.nil?
     end
 
-    def calculate_md5
-      @request.populate_content_md5 if @request.content_md5.nil?
+    def calculate_hash
+      @request.populate_content_hash if @request.content_hash.nil?
     end
 
-    def md5_mismatch?
-      if @request.content_md5.nil?
+    def content_hash_mismatch?
+      if @request.content_hash.nil?
         false
       else
-        @request.md5_mismatch?
+        @request.content_hash_mismatch?
       end
     end
 

data/lib/api_auth/helpers.rb

@@ -4,8 +4,8 @@ module ApiAuth
       Base64.strict_encode64(string)
     end
 
-    def md5_base64digest(string)
-      Digest::MD5.base64digest(string)
+    def sha256_base64digest(string)
+      Digest::SHA256.base64digest(string)
     end
 
     # Capitalizes the keys of a hash

data/lib/api_auth/railtie.rb

@@ -73,7 +73,9 @@ module ApiAuth
             tmp = "Net::HTTP::#{method.to_s.capitalize}".constantize.new(path, h)
             tmp.body = arguments[0] if arguments.length > 1
             ApiAuth.sign!(tmp, hmac_access_id, hmac_secret_key, api_auth_options)
-            arguments.last['Content-MD5'] = tmp['Content-MD5'] if tmp['Content-MD5']
+            if tmp['X-Authorization-Content-SHA256']
+              arguments.last['X-Authorization-Content-SHA256'] = tmp['X-Authorization-Content-SHA256']
+            end
             arguments.last['DATE'] = tmp['DATE']
             arguments.last['Authorization'] = tmp['Authorization']
           end