api-auth 1.0.0 → 1.0.1

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    api-auth (1.0.0)
+    api-auth (1.0.1)
 
 GEM
   remote: http://rubygems.org/
@@ -12,10 +12,13 @@ GEM
     activeresource (2.3.14)
       activesupport (= 2.3.14)
     activesupport (2.3.14)
+    amatch (0.2.10)
+      tins (~> 0.3)
     curb (0.8.1)
     diff-lcs (1.1.3)
     mime-types (1.17.2)
     rack (1.1.3)
+    rake (0.9.2.2)
     rest-client (1.6.7)
       mime-types (>= 1.16)
     rspec (2.4.0)
@@ -26,6 +29,7 @@ GEM
     rspec-expectations (2.4.0)
       diff-lcs (~> 1.1.2)
     rspec-mocks (2.4.0)
+    tins (0.5.5)
 
 PLATFORMS
   ruby
@@ -34,7 +38,9 @@ DEPENDENCIES
   actionpack (~> 2.3.2)
   activeresource (~> 2.3.2)
   activesupport (~> 2.3.2)
+  amatch
   api-auth!
   curb (~> 0.8.1)
+  rake
   rest-client (~> 1.6.0)
   rspec (~> 2.4.0)

data/README.md

@@ -36,7 +36,8 @@ SHA1 HMAC, using the client's private secret key.
 request headers and the client's secret key, which is known to only
 the client and the server but can be looked up on the server using the client's
 access id that was attached in the header. The access id can be any integer or
-string that uniquely identifies the client.
+string that uniquely identifies the client. The signed request expires after 15
+minutes in order to avoid replay attacks.
 
 
 ## References ##

data/VERSION

@@ -1 +1 @@
-1.0.0
+1.0.1

data/api_auth.gemspec

@@ -5,11 +5,13 @@ Gem::Specification.new do |s|
   s.name = %q{api-auth}
   s.summary = %q{Simple HMAC authentication for your APIs}
   s.description = %q{Full HMAC auth implementation for use in your gems and Rails apps.}
-  s.homepage = %q{http://github.com/geminisbs/api-auth}
+  s.homepage = %q{https://github.com/mgomes/api_auth}
   s.version = File.read(File.join(File.dirname(__FILE__), 'VERSION'))
   s.authors = ["Mauricio Gomes"]
   s.email = "mauricio@edge14.com"
 
+  s.add_development_dependency "rake"
+  s.add_development_dependency "amatch"
   s.add_development_dependency "rspec", "~> 2.4.0"
   s.add_development_dependency "actionpack", "~> 2.3.2"
   s.add_development_dependency "activesupport", "~> 2.3.2"

data/lib/api_auth/base.rb

@@ -1,81 +1,97 @@
 # api-auth is Ruby gem designed to be used both in your client and server
-# HTTP-based applications. It implements the same authentication methods (HMAC) 
+# HTTP-based applications. It implements the same authentication methods (HMAC)
 # used by Amazon Web Services.
 
-# The gem will sign your requests on the client side and authenticate that 
-# signature on the server side. If your server resources are implemented as a 
-# Rails ActiveResource, it will integrate with that. It will even generate the 
+# The gem will sign your requests on the client side and authenticate that
+# signature on the server side. If your server resources are implemented as a
+# Rails ActiveResource, it will integrate with that. It will even generate the
 # secret keys necessary for your clients to sign their requests.
 module ApiAuth
-  
+
   class << self
-    
+
     include Helpers
-    
+
     # Signs an HTTP request using the client's access id and secret key.
     # Returns the HTTP request object with the modified headers.
     #
-    # request: The request can be a Net::HTTP, ActionController::Request, 
+    # request: The request can be a Net::HTTP, ActionController::Request,
     # Curb (Curl::Easy) or a RestClient object.
     #
     # access_id: The public unique identifier for the client
     #
-    # secret_key: assigned secret key that is known to both parties 
+    # secret_key: assigned secret key that is known to both parties
     def sign!(request, access_id, secret_key)
       headers = Headers.new(request)
+      headers.calculate_md5
+      headers.set_date
       headers.sign_header auth_header(request, access_id, secret_key)
     end
-    
+
     # Determines if the request is authentic given the request and the client's
     # secret key. Returns true if the request is authentic and false otherwise.
     def authentic?(request, secret_key)
       return false if secret_key.nil?
-      
-      headers = Headers.new(request)
-      if match_data = parse_auth_header(headers.authorization_header)
-        hmac = match_data[2]
-        return hmac == hmac_signature(request, secret_key)
-      end
-      
-      false
+
+      return !md5_mismatch?(request) && signatures_match?(request, secret_key) && !request_too_old?(request)
     end
-    
+
     # Returns the access id from the request's authorization header
     def access_id(request)
       headers = Headers.new(request)
       if match_data = parse_auth_header(headers.authorization_header)
         return match_data[1]
       end
-      
+
       nil
     end
-    
+
     # Generates a Base64 encoded, randomized secret key
     #
-    # Store this key along with the access key that will be used for 
+    # Store this key along with the access key that will be used for
     # authenticating the client
     def generate_secret_key
       random_bytes = OpenSSL::Random.random_bytes(512)
       b64_encode(Digest::SHA2.new(512).digest(random_bytes))
     end
-    
+
   private
-  
+
+    def request_too_old?(request)
+      headers = Headers.new(request)
+      # 900 seconds is 15 minutes
+      Time.parse(headers.timestamp).utc < (Time.current.utc - 900)
+    end
+
+    def md5_mismatch?(request)
+      headers = Headers.new(request)
+      headers.md5_mismatch?
+    end
+
+    def signatures_match?(request, secret_key)
+      headers = Headers.new(request)
+      if match_data = parse_auth_header(headers.authorization_header)
+        hmac = match_data[2]
+        return hmac == hmac_signature(request, secret_key)
+      end
+      false
+    end
+
     def hmac_signature(request, secret_key)
       headers = Headers.new(request)
       canonical_string = headers.canonical_string
       digest = OpenSSL::Digest::Digest.new('sha1')
       b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
     end
-    
+
     def auth_header(request, access_id, secret_key)
-      "APIAuth #{access_id}:#{hmac_signature(request, secret_key)}"      
+      "APIAuth #{access_id}:#{hmac_signature(request, secret_key)}"
     end
-    
+
     def parse_auth_header(auth_header)
       Regexp.new("APIAuth ([^:]+):(.+)$").match(auth_header)
     end
-    
+
   end # class methods
-  
+
 end # ApiAuth

data/lib/api_auth/headers.rb

@@ -1,13 +1,13 @@
 module ApiAuth
-  
+
   # Builds the canonical string given a request object.
   class Headers
-    
+
     include RequestDrivers
-    
+
     def initialize(request)
       @original_request = request
-      
+
       case request.class.to_s
       when /Net::HTTP/
         @request = NetHttpRequest.new(request)
@@ -31,6 +31,11 @@ module ApiAuth
       true
     end
     
+    # Returns the request timestamp
+    def timestamp
+       @request.timestamp 
+    end
+
     # Returns the canonical string computed from the request's headers
     def canonical_string
       [ @request.content_type,
@@ -39,12 +44,28 @@ module ApiAuth
         @request.timestamp
       ].join(",")
     end
-    
+
     # Returns the authorization header from the request's headers
     def authorization_header
       @request.authorization_header
     end
-    
+
+    def set_date
+      @request.set_date if @request.timestamp.blank?
+    end
+
+    def calculate_md5
+      @request.populate_content_md5 if @request.content_md5.blank?
+    end
+
+    def md5_mismatch?
+      if @request.content_md5.blank?
+        false
+      else
+        @request.md5_mismatch?
+      end
+    end
+
     # Sets the request's authorization header with the passed in value.
     # The header should be the ApiAuth HMAC signature.
     #
@@ -53,7 +74,7 @@ module ApiAuth
     def sign_header(header)
       @request.set_auth_header header
     end
-    
+
   end
-  
+
 end

data/lib/api_auth/request_drivers/action_controller.rb

@@ -1,9 +1,9 @@
 module ApiAuth
-  
+
   module RequestDrivers # :nodoc:
-  
+
     class ActionControllerRequest # :nodoc:
-      
+
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -11,13 +11,36 @@ module ApiAuth
         @headers = fetch_headers
         true
       end
-      
+
       def set_auth_header(header)
         @request.env["Authorization"] = header
         @headers = fetch_headers
         @request
       end
-      
+
+      def calculated_md5
+        if @request.body
+          body = @request.body.read
+        else
+          body = ''
+        end
+        Digest::MD5.base64digest(body)
+      end
+
+      def populate_content_md5
+        if @request.put? || @request.post?
+          @request.env["Content-MD5"] = calculated_md5
+        end
+      end
+
+      def md5_mismatch?
+        if @request.put? || @request.post?
+          calculated_md5 != content_md5
+        else
+          false
+        end
+      end
+
       def fetch_headers
         capitalize_keys @request.env
       end
@@ -28,7 +51,7 @@ module ApiAuth
       end
 
       def content_md5
-        value = find_header(%w(CONTENT-MD5 CONTENT_MD5))
+        value = find_header(%w(CONTENT-MD5 CONTENT_MD5 HTTP_CONTENT_MD5))
         value.nil? ? "" : value
       end
 
@@ -36,13 +59,13 @@ module ApiAuth
         @request.request_uri
       end
 
+      def set_date
+        @request.env['DATE'] = Time.now.utc.httpdate
+      end
+
       def timestamp
         value = find_header(%w(DATE HTTP_DATE))
-        if value.nil?
-          value = Time.now.utc.httpdate
-          @request.env['DATE'] = value
-        end
-        value
+        value.nil? ? "" : value
       end
 
       def authorization_header
@@ -56,7 +79,7 @@ module ApiAuth
       end
 
     end
-    
+
   end
-  
-end
+
+end

data/lib/api_auth/request_drivers/curb.rb

@@ -1,9 +1,9 @@
 module ApiAuth
-  
+
   module RequestDrivers # :nodoc:
-  
+
     class CurbRequest # :nodoc:
-      
+
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -11,13 +11,21 @@ module ApiAuth
         @headers = fetch_headers
         true
       end
-      
+
       def set_auth_header(header)
         @request.headers.merge!({ "Authorization" => header })
         @headers = fetch_headers
         @request
       end
-      
+
+      def populate_content_md5
+        nil #doesn't appear to be possible
+      end
+
+      def md5_mismatch?
+        false
+      end
+
       def fetch_headers
         capitalize_keys @request.headers
       end
@@ -36,13 +44,13 @@ module ApiAuth
         @request.url
       end
 
+      def set_date
+        @request.headers.merge!({ "DATE" => Time.now.utc.httpdate })
+      end
+
       def timestamp
         value = find_header(%w(DATE HTTP_DATE))
-        if value.nil?
-          value = Time.now.utc.httpdate
-          @request.headers.merge!({ "DATE" => value })
-        end
-        value
+        value.nil? ? "" : value
       end
 
       def authorization_header
@@ -56,7 +64,7 @@ module ApiAuth
       end
 
     end
-    
+
   end
-  
-end
+
+end

data/lib/api_auth/request_drivers/net_http.rb

@@ -1,7 +1,7 @@
 module ApiAuth
-  
+
   module RequestDrivers # :nodoc:
-  
+
     class NetHttpRequest # :nodoc:
 
       def initialize(request)
@@ -9,13 +9,31 @@ module ApiAuth
         @headers = fetch_headers
         true
       end
-      
+
       def set_auth_header(header)
         @request["Authorization"] = header
         @headers = fetch_headers
         @request
       end
-      
+
+      def calculated_md5
+        Digest::MD5.base64digest(@request.body || '')
+      end
+
+      def populate_content_md5
+        if @request.class::REQUEST_HAS_BODY
+          @request["Content-MD5"] = calculated_md5
+        end
+      end
+
+      def md5_mismatch?
+        if @request.class::REQUEST_HAS_BODY
+          calculated_md5 != content_md5
+        else
+          false
+        end
+      end
+
       def fetch_headers
         @request
       end
@@ -34,13 +52,13 @@ module ApiAuth
         @request.path
       end
 
+      def set_date
+        @request["DATE"] = Time.now.utc.httpdate
+      end
+
       def timestamp
         value = find_header(%w(DATE HTTP_DATE))
-        if value.nil?
-          value = Time.now.utc.httpdate
-          @request["DATE"] = value
-        end  
-        value
+        value.nil? ? "" : value
       end
 
       def authorization_header
@@ -54,7 +72,7 @@ module ApiAuth
       end
 
     end
-    
+
   end
-  
-end
+
+end

data/lib/api_auth/request_drivers/rest_client.rb

@@ -1,9 +1,9 @@
 module ApiAuth
-  
+
   module RequestDrivers # :nodoc:
-  
+
     class RestClientRequest # :nodoc:
-      
+
       include ApiAuth::Helpers
 
       def initialize(request)
@@ -11,13 +11,36 @@ module ApiAuth
         @headers = fetch_headers
         true
       end
-      
+
       def set_auth_header(header)
         @request.headers.merge!({ "Authorization" => header })
         @headers = fetch_headers
         @request
       end
-      
+
+      def calculated_md5
+        if @request.payload
+          body = @request.payload.read
+        else
+          body = ''
+        end
+        Digest::MD5.base64digest(body)
+      end
+
+      def populate_content_md5
+        if [:post, :put].include?(@request.method)
+          @request.headers["Content-MD5"] = calculated_md5
+        end
+      end
+
+      def md5_mismatch?
+        if [:post, :put].include?(@request.method)
+          calculated_md5 != content_md5
+        else
+          false
+        end
+      end
+
       def fetch_headers
         capitalize_keys @request.headers
       end
@@ -36,13 +59,13 @@ module ApiAuth
         @request.url
       end
 
+      def set_date
+        @request.headers.merge!({ "DATE" => Time.now.utc.httpdate })
+      end
+
       def timestamp
         value = find_header(%w(DATE HTTP_DATE))
-        if value.nil?
-          value = Time.now.utc.httpdate
-          @request.headers.merge!({ "DATE" => value })
-        end  
-        value
+        value.nil? ? "" : value
       end
 
       def authorization_header
@@ -56,7 +79,7 @@ module ApiAuth
       end
 
     end
-    
+
   end
-  
-end
+
+end

data/spec/api_auth_spec.rb

@@ -1,52 +1,77 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe "ApiAuth" do
-  
+
   describe "generating secret keys" do
-  
+
     it "should generate secret keys" do
       ApiAuth.generate_secret_key
     end
-  
+
     it "should generate secret keys that are 89 characters" do
       ApiAuth.generate_secret_key.size.should be(89)
     end
-  
+
     it "should generate keys that have a Hamming Distance of at least 65" do
       key1 = ApiAuth.generate_secret_key
       key2 = ApiAuth.generate_secret_key
       Amatch::Hamming.new(key1).match(key2).should be > 65
     end
-    
+
   end
-  
+
   describe "signing requests" do
-    
+
     def hmac(secret_key, request)
       canonical_string = ApiAuth::Headers.new(request).canonical_string
       digest = OpenSSL::Digest::Digest.new('sha1')
       ApiAuth.b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
     end
-    
+
     before(:all) do
       @access_id = "1044"
       @secret_key = ApiAuth.generate_secret_key
     end
-    
+
     describe "with Net::HTTP" do
-      
+
       before(:each) do
         @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo", 
           'content-type' => 'text/plain', 
-          'content-md5' => 'e59ff97941044f85df5297e1c302d260', 
-          'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+          'date' => Time.now.utc.httpdate)
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
       end
-      
+
       it "should return a Net::HTTP object after signing it" do
         ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Net::HTTP")
       end
-      
+
+      describe "md5 header" do
+        context "not already provided" do
+          it "should calculate for empty string" do
+            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+              'content-type' => 'text/plain',
+              'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request['Content-MD5'].should == Digest::MD5.base64digest('')
+          end
+
+          it "should calculate for real content" do
+            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+              'content-type' => 'text/plain',
+              'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+            request.body = "hello\nworld"
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request['Content-MD5'].should == Digest::MD5.base64digest("hello\nworld")
+          end
+        end
+
+        it "should leave the content-md5 alone if provided" do
+          @signed_request['Content-MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
+        end
+      end
+
       it "should sign the request" do
         @signed_request['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
       end
@@ -54,33 +79,78 @@ describe "ApiAuth" do
       it "should authenticate a valid request" do
         ApiAuth.authentic?(@signed_request, @secret_key).should be_true
       end
-      
+
       it "should NOT authenticate a non-valid request" do
         ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
       end
+
+      it "should NOT authenticate a mismatched content-md5 when body has changed" do
+        request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+          'content-type' => 'text/plain',
+          'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
+        request.body = "hello\nworld"
+        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+        signed_request.body = "goodbye"
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
+      it "should NOT authenticate an expired request" do
+        @request['Date'] = 16.minutes.ago.utc.httpdate
+        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
       
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
-      
+
     end
-    
+
     describe "with RestClient" do
-      
+
       before(:each) do
-        headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+        headers = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
                     'Content-Type' => "text/plain",
-                    'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+                    'Date' => Time.now.utc.httpdate }
         @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo", 
           :headers => headers,
           :method => :put)
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
       end
-      
+
       it "should return a RestClient object after signing it" do
         ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("RestClient")
       end
-      
+
+      describe "md5 header" do
+        context "not already provided" do
+          it "should calculate for empty string" do
+            headers = { 'Content-Type' => "text/plain",
+                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+            request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+              :headers => headers,
+              :method => :put)
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request.headers['Content-MD5'].should == Digest::MD5.base64digest('')
+          end
+
+          it "should calculate for real content" do
+            headers = { 'Content-Type' => "text/plain",
+                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+            request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+              :headers => headers,
+              :method => :put,
+              :payload => "hellow\nworld")
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request.headers['Content-MD5'].should == Digest::MD5.base64digest("hellow\nworld")
+          end
+        end
+
+        it "should leave the content-md5 alone if provided" do
+          @signed_request.headers['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
+        end
+      end
+
       it "should sign the request" do
         @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
       end
@@ -88,33 +158,67 @@ describe "ApiAuth" do
       it "should authenticate a valid request" do
         ApiAuth.authentic?(@signed_request, @secret_key).should be_true
       end
-      
+
       it "should NOT authenticate a non-valid request" do
         ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
       end
+
+      it "should NOT authenticate a mismatched content-md5 when body has changed" do
+        headers = { 'Content-Type' => "text/plain",
+                    'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+        request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+          :headers => headers,
+          :method => :put,
+          :payload => "hello\nworld")
+        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+        signed_request.instance_variable_set("@payload", RestClient::Payload.generate('goodbye'))
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
+      it "should NOT authenticate an expired request" do
+        @request.headers['Date'] = 16.minutes.ago.utc.httpdate
+        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
       
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
-      
+
     end
-    
+
     describe "with Curb" do
-      
+
       before(:each) do
         headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
                     'Content-Type' => "text/plain",
-                    'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+                    'Date' => Time.now.utc.httpdate }
         @request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
           curl.headers = headers
         end
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
       end
-      
+
       it "should return a Curl::Easy object after signing it" do
         ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Curl::Easy")
       end
-      
+
+      describe "md5 header" do
+        it "should not calculate and add the content-md5 header if not provided" do
+          headers = { 'Content-Type' => "text/plain",
+                      'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+          request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
+            curl.headers = headers
+          end
+          signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+          signed_request.headers['Content-MD5'].should == nil
+        end
+
+        it "should leave the content-md5 alone if provided" do
+          @signed_request.headers['Content-MD5'].should == "e59ff97941044f85df5297e1c302d260"
+        end
+      end
+
       it "should sign the request" do
         @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
       end
@@ -122,17 +226,23 @@ describe "ApiAuth" do
       it "should authenticate a valid request" do
         ApiAuth.authentic?(@signed_request, @secret_key).should be_true
       end
-      
+
       it "should NOT authenticate a non-valid request" do
         ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
       end
+
+      it "should NOT authenticate an expired request" do
+        @request.headers['Date'] = 16.minutes.ago.utc.httpdate
+        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
       
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
-      
+
     end
-    
+
     describe "with ActionController" do
 
       before(:each) do
@@ -140,9 +250,9 @@ describe "ApiAuth" do
           'PATH_INFO' => '/resource.xml',
           'QUERY_STRING' => 'foo=bar&bar=foo',
           'REQUEST_METHOD' => 'PUT',
-          'CONTENT_MD5' => 'e59ff97941044f85df5297e1c302d260',
+          'CONTENT_MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
           'CONTENT_TYPE' => 'text/plain',
-          'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT')
+          'HTTP_DATE' => Time.now.utc.httpdate)
         @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
       end
 
@@ -150,6 +260,38 @@ describe "ApiAuth" do
         ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("ActionController::Request")
       end
 
+      describe "md5 header" do
+        context "not already provided" do
+          it "should calculate for empty string" do
+            request = ActionController::Request.new(
+              'PATH_INFO' => '/resource.xml',
+              'QUERY_STRING' => 'foo=bar&bar=foo',
+              'REQUEST_METHOD' => 'PUT',
+              'CONTENT_TYPE' => 'text/plain',
+              'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT')
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest('')
+          end
+
+          it "should calculate for real content" do
+            request = ActionController::Request.new(
+              'PATH_INFO' => '/resource.xml',
+              'QUERY_STRING' => 'foo=bar&bar=foo',
+              'REQUEST_METHOD' => 'PUT',
+              'CONTENT_TYPE' => 'text/plain',
+              'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT',
+              'rack.input' => StringIO.new("hello\nworld"))
+            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+            signed_request.env['Content-MD5'].should == Digest::MD5.base64digest("hello\nworld")
+          end
+
+        end
+
+        it "should leave the content-md5 alone if provided" do
+          @signed_request.env['CONTENT_MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
+        end
+      end
+
       it "should sign the request" do
         @signed_request.env['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
       end
@@ -162,6 +304,25 @@ describe "ApiAuth" do
         ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
       end
 
+      it "should NOT authenticate a mismatched content-md5 when body has changed" do
+        request = ActionController::Request.new(
+          'PATH_INFO' => '/resource.xml',
+          'QUERY_STRING' => 'foo=bar&bar=foo',
+          'REQUEST_METHOD' => 'PUT',
+          'CONTENT_TYPE' => 'text/plain',
+          'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT',
+          'rack.input' => StringIO.new("hello\nworld"))
+        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
+        signed_request.instance_variable_get("@env")["rack.input"] = StringIO.new("goodbye")
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
+      it "should NOT authenticate an expired request" do
+        @request.env['HTTP_DATE'] = 16.minutes.ago.utc.httpdate
+        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      end
+
       it "should retrieve the access_id" do
         ApiAuth.access_id(@signed_request).should == "1044"
       end
@@ -169,5 +330,5 @@ describe "ApiAuth" do
     end
 
   end
-  
+
 end

data/spec/headers_spec.rb

@@ -1,73 +1,100 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe "ApiAuth::Headers" do
-  
+
   CANONICAL_STRING = "text/plain,e59ff97941044f85df5297e1c302d260,/resource.xml?foo=bar&bar=foo,Mon, 23 Jan 1984 03:29:56 GMT"
 
   describe "with Net::HTTP" do
-  
+
     before(:each) do
-      @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo", 
-        'content-type' => 'text/plain', 
+      @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
         'content-md5' => 'e59ff97941044f85df5297e1c302d260',
         'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
       @headers = ApiAuth::Headers.new(@request)
     end
-    
+
     it "should generate the proper canonical string" do
       @headers.canonical_string.should == CANONICAL_STRING
     end
-    
+
     it "should set the authorization header" do
       @headers.sign_header("alpha")
       @headers.authorization_header.should == "alpha"
     end
-    
+
     it "should set the DATE header if one is not already present" do
-      @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo", 
-        'content-type' => 'text/plain', 
+      @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
         'content-md5' => 'e59ff97941044f85df5297e1c302d260')
       ApiAuth.sign!(@request, "some access id", "some secret key")
       @request['DATE'].should_not be_nil
     end
-  
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
+        'content-md5' => 'e59ff97941044f85df5297e1c302d260')
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request['DATE'].should be_nil
+    end
+
+    context "md5_mismatch?" do
+      it "is false if no md5 header is present" do
+        request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain')
+        headers = ApiAuth::Headers.new(request)
+        headers.md5_mismatch?.should be_false
+      end
+    end
   end
-  
+
   describe "with RestClient" do
-  
+
     before(:each) do
       headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
                   'Content-Type' => "text/plain",
                   'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo", 
+      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
         :headers => headers,
         :method => :put)
       @headers = ApiAuth::Headers.new(@request)
     end
-    
+
     it "should generate the proper canonical string" do
       @headers.canonical_string.should == CANONICAL_STRING
     end
-    
+
     it "should set the authorization header" do
       @headers.sign_header("alpha")
       @headers.authorization_header.should == "alpha"
     end
-    
+
     it "should set the DATE header if one is not already present" do
       headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
                   'Content-Type' => "text/plain" }
-      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo", 
+      @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
         :headers => headers,
         :method => :put)
       ApiAuth.sign!(@request, "some access id", "some secret key")
       @request.headers['DATE'].should_not be_nil
     end
-  
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+        :headers => headers,
+        :method => :put)
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['DATE'].should be_nil
+    end
   end
-  
+
   describe "with Curb" do
-  
+
     before(:each) do
       headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
                   'Content-Type' => "text/plain",
@@ -77,16 +104,16 @@ describe "ApiAuth::Headers" do
       end
       @headers = ApiAuth::Headers.new(@request)
     end
-    
+
     it "should generate the proper canonical string" do
       @headers.canonical_string.should == CANONICAL_STRING
     end
-    
+
     it "should set the authorization header" do
       @headers.sign_header("alpha")
       @headers.authorization_header.should == "alpha"
     end
-    
+
     it "should set the DATE header if one is not already present" do
       headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
                   'Content-Type' => "text/plain" }
@@ -96,9 +123,19 @@ describe "ApiAuth::Headers" do
       ApiAuth.sign!(@request, "some access id", "some secret key")
       @request.headers['DATE'].should_not be_nil
     end
-  
+
+    it "should not set the DATE header just by asking for the canonical_string" do
+      headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+                  'Content-Type' => "text/plain" }
+      request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
+        curl.headers = headers
+      end
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['DATE'].should be_nil
+    end
   end
-  
+
   describe "with ActionController" do
 
     before(:each) do
@@ -132,6 +169,17 @@ describe "ApiAuth::Headers" do
       @request.headers['DATE'].should_not be_nil
     end
 
+    it "should not set the DATE header just by asking for the canonical_string" do
+      request = ActionController::Request.new(
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'CONTENT_MD5' => 'e59ff97941044f85df5297e1c302d260',
+        'CONTENT_TYPE' => 'text/plain')
+      headers = ApiAuth::Headers.new(request)
+      headers.canonical_string
+      request.headers['DATE'].should be_nil
+    end
   end
 
 end

data/spec/railtie_spec.rb

@@ -41,13 +41,22 @@ describe "Rails integration" do
     
     it "should permit a request with properly signed headers" do
       request = ActionController::TestRequest.new
-      request.env['DATE'] = "Mon, 23 Jan 1984 03:29:56 GMT"
+      request.env['DATE'] = Time.now.utc.httpdate
       request.action = 'index'
       request.path = "/index"
       ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
       TestController.new.process(request, ActionController::TestResponse.new).code.should == "200"
     end
     
+    it "should forbid a request with properly signed headers but timestamp > 15 minutes" do
+      request = ActionController::TestRequest.new
+      request.env['DATE'] = "Mon, 23 Jan 1984 03:29:56 GMT"
+      request.action = 'index'
+      request.path = "/index"
+      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+      TestController.new.process(request, ActionController::TestResponse.new).code.should == "401"
+    end
+    
     it "should insert a DATE header in the request when one hasn't been specified" do
       request = ActionController::TestRequest.new
       request.action = 'index'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: api-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,8 +9,40 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-09-24 00:00:00.000000000 Z
+date: 2012-11-30 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: amatch
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -142,7 +174,7 @@ files:
 - spec/railtie_spec.rb
 - spec/spec_helper.rb
 - spec/test_helper.rb
-homepage: http://github.com/geminisbs/api-auth
+homepage: https://github.com/mgomes/api_auth
 licenses: []
 post_install_message: 
 rdoc_options: []
@@ -154,12 +186,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -1454681296772684747
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -1454681296772684747
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.24