api_signature 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e907dd2adc3e3558f0f5fc7a00131ccac6d71aac
+  data.tar.gz: 7db50a3800bc9c2e77eea7d7a543a1054d40073c
+SHA512:
+  metadata.gz: 527fd053ef63b32c5ce09cfa0e020c7dbc9a125e52b8332703e4bc2b20380e44557e6e51f30fbc64565238236daef9db38716f738c49c23fb2e05bcadece8fb1
+  data.tar.gz: fb6449eb2de6530c14175f8faa775ba0a62466ac8581714255b9f62134d007525a3cc9f3aef62ad2d65402aea39f9f569e13dc748c7c4277fc4a2872e455356b

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,45 @@
+AllCops:
+  TargetRubyVersion: 2.4.4
+  Exclude:
+    - "bin/*"
+    - "Guardfile"
+
+##################### Styles ##################################
+
+Style/Documentation:
+  Enabled: false
+
+Style/SymbolArray:
+  Enabled: false
+
+##################### Metrics ##################################
+
+Metrics/LineLength:
+  Max: 110
+
+Metrics/ClassLength:
+  Max: 200
+
+Metrics/ModuleLength:
+  Max: 200
+  Exclude:
+    - "**/*_spec.rb"
+
+Metrics/BlockLength:
+  Max: 50
+  Exclude:
+    - "**/*_spec.rb"
+
+Metrics/MethodLength:
+  Max: 15
+
+##################### Rails ##################################
+
+Rails:
+  Enabled: true
+
+Rails/SkipsModelValidations:
+  Enabled: false
+
+Rails/InverseOf:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.4
+before_install: gem install bundler -v 1.15.4

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in api_signature.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,70 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+## Uncomment and set this to only include directories you want to watch
+# directories %w(app lib config test spec features) \
+#  .select{|d| Dir.exists?(d) ? d : UI.warning("Directory #{d} does not exist")}
+
+## Note: if you are using the `directories` clause above and you are not
+## watching the project directory ('.'), then you will want to move
+## the Guardfile to a watched dir and symlink it back, e.g.
+#
+#  $ mkdir config
+#  $ mv Guardfile config/
+#  $ ln -s config/Guardfile .
+#
+# and, you'll have to watch "config/Guardfile" instead of "Guardfile"
+
+# Note: The cmd option is now required due to the increasing number of ways
+#       rspec may be run, below are examples of the most common uses.
+#  * bundler: 'bundle exec rspec'
+#  * bundler binstubs: 'bin/rspec'
+#  * spring: 'bin/rspec' (This will use spring if running and you have
+#                          installed the spring binstubs per the docs)
+#  * zeus: 'zeus rspec' (requires the server to be started separately)
+#  * 'just' rspec: 'rspec'
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # Feel free to open issues for suggestions and improvements
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+
+  # Rails files
+  rails = dsl.rails(view_extensions: %w(erb haml slim))
+  dsl.watch_spec_files_for(rails.app_files)
+  dsl.watch_spec_files_for(rails.views)
+
+  watch(rails.controllers) do |m|
+    [
+      rspec.spec.call("routing/#{m[1]}_routing"),
+      rspec.spec.call("controllers/#{m[1]}_controller"),
+      rspec.spec.call("acceptance/#{m[1]}")
+    ]
+  end
+
+  # Rails config changes
+  watch(rails.spec_helper)     { rspec.spec_dir }
+  watch(rails.routes)          { "#{rspec.spec_dir}/routing" }
+  watch(rails.app_controller)  { "#{rspec.spec_dir}/controllers" }
+
+  # Capybara features specs
+  watch(rails.view_dirs)     { |m| rspec.spec.call("features/#{m[1]}") }
+  watch(rails.layouts)       { |m| rspec.spec.call("features/#{m[1]}") }
+
+  # Turnip features and steps
+  watch(%r{^spec/acceptance/(.+)\.feature$})
+  watch(%r{^spec/acceptance/steps/(.+)_steps\.rb$}) do |m|
+    Dir[File.join("**/#{m[1]}.feature")][0] || "spec/acceptance"
+  end
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Igor Malinovskiy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,129 @@
+[![Build Status](https://semaphoreci.com/api/v1/igormalinovskiy/api_signature/branches/master/shields_badge.svg)](https://semaphoreci.com/igormalinovskiy/api_signature)
+[![Code Climate](https://codeclimate.com/github/psyipm/api_signature/badges/gpa.svg)](https://codeclimate.com/github/psyipm/api_signature)
+[![Gem Version](https://badge.fury.io/rb/api_signature.svg)](https://badge.fury.io/rb/api_signature)
+
+# ApiSignature
+
+Simple HMAC-SHA1 authentication via headers
+
+This gem will generate signature for the client requests and verify that signature on the server side
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'api_signature'
+```
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+### Server side
+
+Implement warden strategy:
+```ruby
+module MyApplication
+  module API
+    class ClientAuthenticatable < Warden::Strategies::Base
+      delegate :valid?, to: :api_request
+
+      def authenticate!
+        # Find client in database by public api_key
+        resource = Client.find_for_token_authentication(api_request.access_key)
+        return fail!(:not_found_in_database) unless resource
+
+        # Check request signature
+        return unless api_request.correct?(resource.api_key, resource.api_secret)
+
+        # Perform some after_authentication callbacks
+        resource.after_authentication
+
+        # Tell warden that authentication was successful
+        success!(resource)
+      end
+
+      private
+
+      def api_request
+        @api_request ||= ::ApiSignature::Request.new(env)
+      end
+    end
+  end
+end
+```
+
+```ruby
+module MyApplication
+  module API
+    module Authentication
+      extend ActiveSupport::Concern
+
+      protected
+
+      def warden
+        @warden ||= request.env['warden']
+      end
+
+      def current_client
+        @current_client ||= warden.user(:client)
+      end
+
+      def authenticate_client!
+        warden.authenticate!(:client_authenticatable, scope: :client)
+      end
+    end
+  end
+end
+```
+
+```ruby
+class Api::BaseController < ActionController::API do
+  abstract!
+
+  include MyApplication::API::Authentication
+
+  before_action :authenticate_client!
+end
+```
+
+### On client side:
+
+```ruby
+options = {
+  request_method: 'GET',
+  path: '/api/v1/some_path'
+  access_key: 'client public api_key',
+  timestamp: Time.zone.now.to_i
+}
+
+signature = ApiSignature::Generator.new(options).generate_signatute('api_secret')
+```
+
+By default, the generated signature will be valid for 2 hours
+This could be changed via initializer:
+
+```ruby
+# config/initializers/api_signature.rb
+
+ApiSignature.setup do |config|
+  config.signature_ttl = 1.minute
+end
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/api_signature.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/api_signature.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'api_signature/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'api_signature'
+  spec.version       = ApiSignature::VERSION
+  spec.authors       = ['Igor Galeta', 'Igor Malinovskiy']
+  spec.email         = ['igor.malinovskiy@netfix.xyz']
+
+  spec.summary       = 'Sign API requests with HMAC signature'
+  spec.homepage      = 'https://github.com/psyipm/api_signature'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.15'
+  spec.add_development_dependency 'guard-rspec', '~> 4.7', '>= 4.7.3'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rb-fsevent', '0.9.8'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+
+  spec.add_dependency 'activesupport', '>= 4.0'
+  spec.add_dependency 'rack', '~> 2.0', '>= 2.0.5'
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "api_signature"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/api_signature/builder.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'active_support/hash_with_indifferent_access'
+require 'ostruct'
+
+module ApiSignature
+  class Builder
+    OPTIONS_KEYS = [
+      :access_key, :secret, :request_method, :scheme, :host, :port, :path, :params, :timestamp
+    ].freeze
+
+    delegate(*OPTIONS_KEYS, to: :@settings)
+    delegate :expired?, to: :signature_generator
+
+    def initialize(settings = {})
+      settings = HashWithIndifferentAccess.new(settings)
+
+      settings['timestamp'] ||= Time.now.utc.to_i.to_s
+      settings['request_method'] = (settings['request_method'] || settings['method']).upcase
+
+      @settings = OpenStruct.new(settings.select { |k, _v| OPTIONS_KEYS.include?(k.to_sym) })
+    end
+
+    def headers
+      {
+        'X-Access-Key' => options[:access_key],
+        'X-Timestamp' => options[:timestamp],
+        'X-Signature' => signature
+      }
+    end
+
+    def string_headers
+      headers.map { |key, value| "#{key}:#{value}" }.join(' ')
+    end
+
+    def options
+      {
+        timestamp: timestamp,
+        request_method: request_method,
+        path: path,
+        access_key: access_key
+      }
+    end
+
+    def signature
+      @signature ||= signature_generator.generate_signature(secret)
+    end
+
+    def url
+      klass = scheme.try(:downcase) == 'https' ? URI::HTTPS : URI::HTTP
+      klass.build(host: host, port: port, path: options[:path])
+    end
+
+    private
+
+    def signature_generator
+      @signature_generator ||= Generator.new(options)
+    end
+  end
+end

data/lib/api_signature/generator.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'digest/sha1'
+
+module ApiSignature
+  class Generator
+    SPLITTER = '|'
+    TTL = 2.hours
+
+    delegate :valid?, :expired?, :timestamp, to: :validator
+
+    def initialize(options = {})
+      @options = options
+    end
+
+    def generate_signature(secret)
+      hmac = OpenSSL::HMAC.digest(digest, secret, string_to_sign)
+      Base64.encode64(hmac).chomp
+    end
+
+    private
+
+    def validator
+      Validator.new(@options)
+    end
+
+    def digest
+      OpenSSL::Digest::SHA256.new
+    end
+
+    def string_to_sign
+      [
+        @options[:request_method],
+        @options[:path],
+        @options[:access_key],
+        timestamp.to_i
+      ].map(&:to_s).join(SPLITTER)
+    end
+  end
+end

data/lib/api_signature/request.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'rack/request'
+
+module ApiSignature
+  class Request < ::Rack::Request
+    HEADER_KEYS = {
+      access_key: 'HTTP_X_ACCESS_KEY',
+      signature:  'HTTP_X_SIGNATURE',
+      timestamp:  'HTTP_X_TIMESTAMP'
+    }.freeze
+
+    def correct?(token, secret)
+      access_key == token && validator.valid?(signature, secret)
+    end
+
+    def valid?
+      timestamp.present? && signature.present? && access_key.present?
+    end
+
+    def timestamp
+      @timestamp ||= @env[HEADER_KEYS[:timestamp]]
+    end
+
+    def signature
+      @signature ||= @env[HEADER_KEYS[:signature]]
+    end
+
+    def access_key
+      @access_key ||= @env[HEADER_KEYS[:access_key]]
+    end
+
+    private
+
+    def validator
+      @validator ||= Validator.new(validator_params)
+    end
+
+    def validator_params
+      {
+        request_method: request_method,
+        path: path,
+        access_key: access_key,
+        timestamp: timestamp
+      }
+    end
+  end
+end

data/lib/api_signature/validator.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ApiSignature
+  class Validator
+    attr_reader :timestamp
+
+    def initialize(options)
+      @options = options
+      @timestamp = Time.zone.at(@options[:timestamp].to_i)
+    end
+
+    def valid?(signature, secret)
+      return false if signature.blank? || secret.blank? || expired?
+      generator.generate_signature(secret) == signature
+    end
+
+    def expired?
+      !alive?
+    end
+
+    private
+
+    def generator
+      @generator ||= Generator.new(@options)
+    end
+
+    def alive?
+      alive_timerange.cover?(timestamp)
+    end
+
+    def alive_timerange
+      @alive_timerange ||= (ttl.ago..ttl.from_now)
+    end
+
+    def ttl
+      ApiSignature.signature_ttl || TTL
+    end
+  end
+end

data/lib/api_signature/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ApiSignature
+  VERSION = '0.1.0'
+end

data/lib/api_signature.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'api_signature/version'
+require 'active_support/time'
+require 'active_support/time_with_zone'
+require 'active_support/core_ext/class'
+require 'active_support/core_ext/object/try'
+
+module ApiSignature
+  autoload :Builder, 'api_signature/builder'
+  autoload :Validator, 'api_signature/validator'
+  autoload :Generator, 'api_signature/generator'
+  autoload :Request, 'api_signature/request'
+
+  # Time to live for generated signature
+  mattr_accessor :signature_ttl
+  self.signature_ttl = 2.hours
+
+  # @example
+  #   ApiSignature.setup do |config|
+  #     config.signature_ttl = 2.minutes
+  #   end
+  #
+  def self.setup
+    yield self
+  end
+end

metadata

@@ -0,0 +1,173 @@
+--- !ruby/object:Gem::Specification
+name: api_signature
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Igor Galeta
+- Igor Malinovskiy
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-06-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.15'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.7.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.7.3
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rb-fsevent
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.8
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.8
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.5
+description: 
+email:
+- igor.malinovskiy@netfix.xyz
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- api_signature.gemspec
+- bin/console
+- bin/setup
+- lib/api_signature.rb
+- lib/api_signature/builder.rb
+- lib/api_signature/generator.rb
+- lib/api_signature/request.rb
+- lib/api_signature/validator.rb
+- lib/api_signature/version.rb
+homepage: https://github.com/psyipm/api_signature
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Sign API requests with HMAC signature
+test_files: []