api_signature 0.1.5 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: ec6eb5396b10ed59fb91d79b2163a7baab9f74c7
-  data.tar.gz: 1faac38e423e0c420a6d5f4c46a1096341e270af
+SHA256:
+  metadata.gz: f97c890250e1a784f8e590ec6fc803e23c15a77ad9d2cb374f2418d629aacb1f
+  data.tar.gz: a7ed8c86f5d82b7b5e8577df62a150cdbfd9ec9c63c831f70e9315c2e4cf2dc2
 SHA512:
-  metadata.gz: ac924e7bebbfb969e93b2e1ac8f0616200b89bb1910faac04c3d820095ac5965eb56a01d2e525b071eaa74d9226dad31c03c0daeae532e19cd08a2c12de45e37
-  data.tar.gz: c8f83d915efef5e558789aefb76aa5b27bf6da531a6e4ba6ad18e59c84c5a93ea93982cd586cdb44258f7fc241409b5943a6ff2bc49c02968c898a209679ba8e
+  metadata.gz: c1a20884bdb0b2c91bc6a6ecfc40354e0fa89ea11badcea7445b3b95bd309a13c35d2e301bee619cffbe431b32e77447d44b2f46ff3c3f5e645473b890999177
+  data.tar.gz: 021a30a6039154f1509235aa5d01cd666d101b1ee617a1e828ceb2de11b25bb5422ecfe44bec314062aaa947b73c32839487e776f75e2c48004a5726732d109a

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  TargetRubyVersion: 2.4.4
+  TargetRubyVersion: 2.5.5
   Exclude:
     - "bin/*"
     - "Guardfile"
@@ -32,14 +32,3 @@ Metrics/BlockLength:
 
 Metrics/MethodLength:
   Max: 15
-
-##################### Rails ##################################
-
-Rails:
-  Enabled: true
-
-Rails/SkipsModelValidations:
-  Enabled: false
-
-Rails/InverseOf:
-  Enabled: false

data/.ruby-version

@@ -0,0 +1 @@
+2.5.5

data/README.md

@@ -4,7 +4,7 @@
 
 # ApiSignature
 
-Simple HMAC-SHA1 authentication via headers
+Simple HMAC-SHA1 authentication via headers. Impressed by [AWS Requests with Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html)
 
 This gem will generate signature for the client requests and verify that signature on the server side
 
@@ -16,101 +16,92 @@ Add this line to your application's Gemfile:
 gem 'api_signature'
 ```
 
-And then execute:
-
-    $ bundle
-
 ## Usage
 
-### Server side
-
-Implement warden strategy:
-```ruby
-module MyApplication
-  module API
-    class ClientAuthenticatable < Warden::Strategies::Base
-      delegate :valid?, to: :api_request
+The usage is pretty simple. To sign a request use ApiSignature::Signer and for validation use ApiSignature::Validator.
 
-      def authenticate!
-        # Find client in database by public api_key
-        resource = Client.find_for_token_authentication(api_request.access_key)
-        return fail!(:not_found_in_database) unless resource
+### Create signature
 
-        # Check request signature
-        return unless api_request.correct?(resource.api_key, resource.api_secret)
+Sign a request with 'authorization' header. You can change header name, see Configuration section.
 
-        # Perform some after_authentication callbacks
-        resource.after_authentication
+```ruby
+api_access_key = 'access_key'
+api_secret_key = 'secret_key'
+
+request = {
+  http_method: 'POST',
+  url: 'https://example.com/posts',
+  headers: {
+    'User-Agent' => 'Test agent'
+  },
+  body: 'body'
+}
 
-        # Tell warden that authentication was successful
-        success!(resource)
-      end
+# Sign your request
+signature = ApiSignature::Signer.new(api_access_key, api_secret_key).sign_request(request)
 
-      private
+# Now apply signed headers to your real request
+signature.headers
 
-      def api_request
-        @api_request ||= ::ApiSignature::Request.new(env)
-      end
-    end
-  end
-end
+# signature.headers looks like:
+{
+  "host"=>"example.com",
+  "x-datetime"=>"2020-01-02T10:24:59.837+0000",
+  "authorization"=>"API-HMAC-SHA256 Credential=access_key/20200102/web/api_request, SignedHeaders=host;user-agent;x-datetime, Signature=032fc0b7defd66d86ef43ced8e6c3ee351ede21deca6bf1f89b9145f7a9105c1"
+}
 ```
 
-```ruby
-module MyApplication
-  module API
-    module Authentication
-      extend ActiveSupport::Concern
-
-      protected
-
-      def warden
-        @warden ||= request.env['warden']
-      end
-
-      def current_client
-        @current_client ||= warden.user(:client)
-      end
+### Validate signature
 
-      def authenticate_client!
-        warden.authenticate!(:client_authenticatable, scope: :client)
-      end
-    end
-  end
-end
-```
+Validate the request on the client-side. Note, that access_key can be extracted from the request.
 
 ```ruby
-class Api::BaseController < ActionController::API do
-  abstract!
+# the request to validate
+request = {
+  :http_method=>"POST",
+  :url=>"https://example.com/posts",
+  :headers=>{
+    "User-Agent"=>"Test agent",
+    "host"=>"example.com",
+    "x-datetime"=>"2020-01-02T10:24:59.837+0000",
+    "authorization"=>"API-HMAC-SHA256 Credential=access_key/20200102/web/api_request, SignedHeaders=host;user-agent;x-datetime, Signature=032fc0b7defd66d86ef43ced8e6c3ee351ede21deca6bf1f89b9145f7a9105c1"
+  },
+  :body=>"body"
+}
 
-  include MyApplication::API::Authentication
+# initialize validator with a request to validate
+validator = ApiSignature::Validator.new(request)
 
-  before_action :authenticate_client!
-end
-```
+# get access key from request headers (String)
+validator.access_key
 
-### On client side:
+# validate the request (Boolean)
+validator.valid?('your secret key here')
 
-```ruby
-options = {
-  request_method: 'GET',
-  path: '/api/v1/some_path'
-  access_key: 'client public api_key',
-  timestamp: Time.now.utc.to_i
-}
-
-signature = ApiSignature::Generator.new(options).generate_signature('api_secret')
+# get only signed headers (Hash)
+validator.signed_headers
 ```
 
-By default, the generated signature will be valid for 2 hours
+## Configuration
+
+By default, the generated signature will be valid for 5 minutes
 This could be changed via initializer:
 
 ```ruby
 # config/initializers/api_signature.rb
 
 ApiSignature.setup do |config|
-  config.signature_ttl = 1.minute
+  # Time to live, by default 5 minutes
+  config.signature_ttl = 5 * 60
+
+  # Datetime format, by default iso8601
+  config.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+
+  # Header name, by default authorization
+  config.signature_header = 'authorization'
+
+  # Service name, by default web
+  config.service = 'web'
 end
 ```
 

data/api_signature.gemspec

@@ -21,12 +21,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.15'
   spec.add_development_dependency 'guard-rspec', '~> 4.7', '>= 4.7.3'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rb-fsevent', '0.9.8'
   spec.add_development_dependency 'rspec', '~> 3.0'
-
-  spec.add_dependency 'activesupport', '>= 4.0'
-  spec.add_dependency 'rack', '>= 1.6'
 end

data/lib/api_signature.rb

@@ -1,19 +1,27 @@
 # frozen_string_literal: true
 
 require 'api_signature/version'
-require 'active_support/time'
-require 'active_support/core_ext/class'
-require 'active_support/core_ext/object/try'
+require 'api_signature/configuration'
 
 module ApiSignature
   autoload :Builder, 'api_signature/builder'
   autoload :Validator, 'api_signature/validator'
-  autoload :Generator, 'api_signature/generator'
-  autoload :Request, 'api_signature/request'
+  autoload :Signer, 'api_signature/signer'
+  autoload :Signature, 'api_signature/signature'
+  autoload :AuthHeader, 'api_signature/auth_header'
+  autoload :Utils, 'api_signature/utils'
 
-  # Time to live for generated signature
-  mattr_accessor :signature_ttl
-  self.signature_ttl = 2.hours
+  class << self
+    attr_writer :configuration
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.reset
+    @configuration = Configuration.new
+  end
 
   # @example
   #   ApiSignature.setup do |config|
@@ -21,6 +29,6 @@ module ApiSignature
   #   end
   #
   def self.setup
-    yield self
+    yield configuration
   end
 end

data/lib/api_signature/auth_header.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module ApiSignature
+  class AuthHeader
+    attr_reader :authorization
+
+    TOKEN_REGEX = /^(API-HMAC-SHA256)\s+/.freeze
+    AUTHN_PAIR_DELIMITERS = /(?:,|\t+)/.freeze
+
+    def initialize(authorization)
+      @authorization = authorization.to_s
+    end
+
+    def credential
+      data[0]
+    end
+
+    def signature
+      options['Signature']
+    end
+
+    def signed_headers
+      return [] unless options['SignedHeaders']
+
+      @signed_headers ||= options['SignedHeaders'].split(/;\s?/).map(&:strip)
+    end
+
+    def options
+      @options ||= (data[1] || {})
+    end
+
+    private
+
+    def data
+      @data ||= (parse_token_with_options || [])
+    end
+
+    def parse_token_with_options
+      return unless authorization[TOKEN_REGEX]
+
+      params = token_params_from authorization
+      [params.shift[1], Hash[params]]
+    end
+
+    def token_params_from(auth)
+      rewrite_param_values params_array_from raw_params(auth)
+    end
+
+    def raw_params(auth)
+      auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+    end
+
+    def params_array_from(raw_params)
+      raw_params.map { |param| param.split(/=(.+)?/) }
+    end
+
+    def rewrite_param_values(array_params)
+      array_params.each { |param| (param[1] || +'').gsub!(/^"|"$/, '') }
+    end
+  end
+end

data/lib/api_signature/builder.rb

@@ -1,51 +1,119 @@
 # frozen_string_literal: true
 
-require 'active_support/hash_with_indifferent_access'
-require 'ostruct'
+require 'uri'
 
 module ApiSignature
   class Builder
-    OPTIONS_KEYS = [
-      :access_key, :secret, :request_method, :path, :timestamp
-    ].freeze
+    attr_reader :settings
 
-    delegate(*OPTIONS_KEYS, to: :@settings)
-    delegate :expired?, to: :signature_generator
+    SPLITTER = "\n"
 
-    def initialize(settings = {})
-      settings = HashWithIndifferentAccess.new(settings)
+    def initialize(settings = {}, unsigned_headers = [])
+      @settings = settings
+      @unsigned_headers = unsigned_headers
+    end
+
+    def http_method
+      @http_method ||= extract_http_method
+    end
 
-      settings['timestamp'] ||= Time.now.utc.to_i.to_s
-      settings['request_method'] = (settings['request_method'] || settings['method']).upcase
+    def uri
+      @uri ||= extract_uri
+    end
 
-      @settings = OpenStruct.new(settings.select { |k, _v| OPTIONS_KEYS.include?(k.to_sym) })
+    def host
+      @host ||= extract_host_from_uri
     end
 
     def headers
-      {
-        'X-Access-Key' => options[:access_key],
-        'X-Timestamp' => options[:timestamp],
-        'X-Signature' => signature
-      }
+      @headers ||= Utils.normalize_keys(settings[:headers])
+    end
+
+    def datetime
+      @datetime ||= extract_datetime
+    end
+
+    def date
+      @date ||= datetime.to_s.scan(/\d/).take(8).join
+    end
+
+    def content_sha256
+      @content_sha256 ||= Utils.sha256_hexdigest(body)
+    end
+
+    def body
+      @body ||= (settings[:body] || '')
     end
 
-    def options
-      {
-        timestamp: timestamp,
-        request_method: request_method,
-        path: path,
-        access_key: access_key
+    def build_sign_headers(apply_checksum_header = false)
+      @sign_headers = {
+        'host' => host,
+        'x-datetime' => datetime
       }
+      @sign_headers['x-content-sha256'] = content_sha256 if apply_checksum_header
+      @sign_headers
+    end
+
+    def full_headers
+      @full_headers ||= merge_sign_with_origin_headers
+    end
+
+    def signed_headers
+      @signed_headers ||= full_headers.reject { |key, _value| @unsigned_headers.include?(key) }
+    end
+
+    def signed_headers_names
+      @signed_headers_names ||= signed_headers.keys.sort.join(';')
     end
 
-    def signature
-      @signature ||= signature_generator.generate_signature(secret)
+    def canonical_request(path)
+      [
+        http_method,
+        path,
+        Utils.normalized_querystring(uri.query),
+        canonical_headers + SPLITTER,
+        signed_headers_names,
+        content_sha256
+      ].join(SPLITTER)
     end
 
     private
 
-    def signature_generator
-      @signature_generator ||= Generator.new(options)
+    def extract_http_method
+      raise ArgumentError, 'missing required option :http_method' unless settings[:http_method]
+
+      settings[:http_method].to_s.upcase
+    end
+
+    def extract_uri
+      raise ArgumentError, 'missing required option :url' unless settings[:url]
+
+      URI.parse(settings[:url].to_s)
+    end
+
+    def extract_host_from_uri
+      if Utils.standard_port?(uri)
+        uri.host
+      else
+        "#{uri.host}:#{uri.port}"
+      end
+    end
+
+    def extract_datetime
+      headers['x-datetime'] || Time.now.utc.strftime(ApiSignature.configuration.datetime_format)
+    end
+
+    def merge_sign_with_origin_headers
+      raise ArgumentError, 'missing required variable sign_headers' unless @sign_headers
+
+      # merge so we do not modify given headers hash
+      headers.merge(@sign_headers)
+    end
+
+    def canonical_headers
+      signed_headers.sort_by(&:first)
+                    .map { |k, v| "#{k}:#{Utils.canonical_header_value(v.to_s)}" }
+                    .join(SPLITTER)
     end
   end
 end

data/lib/api_signature/configuration.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module ApiSignature
+  class Configuration
+    attr_accessor :signature_ttl, :signature_header, :datetime_format, :service
+
+    def initialize
+      @signature_ttl = 5 * 60
+      @datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+      @signature_header = 'authorization'
+      @service = 'web'
+    end
+  end
+end

data/lib/api_signature/signature.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ApiSignature
+  class Signature
+    # @return [Hash<String,String>] A hash of headers that should
+    #   be applied to the HTTP request. Header keys are lower
+    #   cased strings and may include the following:
+    #
+    #   * 'host'
+    #   * 'x-date'
+    #   * 'x-content-sha256'
+    #   * 'authorization'
+    #
+    attr_reader :headers
+
+    # @return [String] For debugging purposes.
+    attr_reader :canonical_request
+
+    # @return [String] For debugging purposes.
+    attr_reader :string_to_sign
+
+    # @return [String] For debugging purposes.
+    attr_reader :content_sha256
+
+    # @return [String] For debugging purposes.
+    attr_reader :signature
+
+    def initialize(attributes)
+      attributes.each do |key, value|
+        instance_variable_set("@#{key}", value)
+      end
+    end
+  end
+end

data/lib/api_signature/signer.rb

@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module ApiSignature
+  # The signer requires secret key.
+  #
+  #     signer = ApiSignature::Signer.new('access key', 'secret key', uri_escape_path: true)
+  #
+  class Signer
+    NAME = 'API-HMAC-SHA256'
+
+    # Options:
+    # @option options [Array<String>] :unsigned_headers ([]) A list of
+    #   headers that should not be signed. This is useful when a proxy
+    #   modifies headers, such as 'User-Agent', invalidating a signature.
+    #
+    # @option options [Boolean] :uri_escape_path (true) When `true`,
+    #   the request URI path is uri-escaped as part of computing the canonical
+    #   request string.
+    #
+    # @option options [Boolean] :apply_checksum_header (false) When `true`,
+    #   the computed content checksum is returned in the hash of signature
+    #   headers.
+    #
+    # @option options [String] :signature_header (authorization) Header name
+    #   for signature
+    #
+    # @option options [String] :service (web) Service name
+    #
+    def initialize(access_key, secret_key, options = {})
+      @access_key = access_key
+      @secret_key = secret_key
+      @options = options
+    end
+
+    # Computes a signature. Returns the resultant
+    # signature as a hash of headers to apply to your HTTP request. The given
+    # request is not modified.
+    #
+    #     signature = signer.sign_request(
+    #       http_method: 'PUT',
+    #       url: 'https://domain.com',
+    #       headers: {
+    #         'Abc' => 'xyz',
+    #       },
+    #       body: 'body' # String or IO object
+    #     )
+    # @param [Hash] request
+    #
+    # @option request [required, String] :http_method One of
+    #   'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'
+    #
+    # @option request [required, String, URI::HTTPS, URI::HTTP] :url
+    #   The request URI. Must be a valid HTTP or HTTPS URI.
+    #
+    # @option request [optional, Hash] :headers ({}) A hash of headers
+    #   to sign. If the 'X-Amz-Content-Sha256' header is set, the `:body`
+    #   is optional and will not be read.
+    #
+    # @option request [optional, String, IO] :body ('') The HTTP request body.
+    #   A sha256 checksum is computed of the body unless the
+    #   'X-Amz-Content-Sha256' header is set.
+    #
+    # @return [Signature] Return an instance of {Signature} that has
+    #   a `#headers` method. The headers must be applied to your request.
+    def sign_request(request)
+      builder = Builder.new(request, unsigned_headers)
+      sig_headers = builder.build_sign_headers(apply_checksum_header?)
+      data = build_signature(builder)
+
+      # apply signature
+      sig_headers[signature_header_name] = data[:header]
+
+      # Returning the signature components.
+      Signature.new(data.merge!(headers: sig_headers))
+    end
+
+    private
+
+    def uri_escape_path?
+      @options[:uri_escape_path] == true || !@options.key?(:uri_escape_path)
+    end
+
+    def apply_checksum_header?
+      @options[:apply_checksum_header] == true
+    end
+
+    def signature_header_name
+      @options[:signature_header] || ApiSignature.configuration.signature_header
+    end
+
+    def service
+      @options[:service] || ApiSignature.configuration.service
+    end
+
+    def unsigned_headers
+      @unsigned_headers ||= build_unsigned_headers
+    end
+
+    def build_unsigned_headers
+      Set.new(@options.fetch(:unsigned_headers, []).map(&:downcase)) << signature_header_name
+    end
+
+    def build_signature(builder)
+      path = Utils.url_path(builder.uri.path, uri_escape_path?)
+
+      # compute signature parts
+      creq = builder.canonical_request(path)
+      sts = string_to_sign(builder.datetime, creq)
+      sig = signature(builder.date, sts)
+
+      {
+        header: build_signature_header(builder, sig),
+        content_sha256: builder.content_sha256,
+        string_to_sign: sts,
+        canonical_request: creq,
+        signature: sig
+      }
+    end
+
+    def build_signature_header(builder, signature)
+      [
+        "#{NAME} Credential=#{credential(builder.date)}",
+        "SignedHeaders=#{builder.signed_headers_names}",
+        "Signature=#{signature}"
+      ].join(', ')
+    end
+
+    def string_to_sign(datetime, canonical_request)
+      [
+        NAME,
+        datetime,
+        Utils.sha256_hexdigest(canonical_request)
+      ].join(Builder::SPLITTER)
+    end
+
+    def signature(date, string_to_sign)
+      k_date = Utils.hmac("API#{@secret_key}", date)
+      k_service = Utils.hmac(k_date, service)
+      k_credentials = Utils.hmac(k_service, 'api_request')
+
+      Utils.hexhmac(k_credentials, string_to_sign)
+    end
+
+    def credential(date)
+      "#{@access_key}/#{date}/#{service}/api_request"
+    end
+  end
+end

data/lib/api_signature/spec_support/helper.rb

@@ -33,11 +33,16 @@ module ApiSignature
       private
 
       def with_signature(http_method, api_key, secret, action_name, params = {})
+        custom_headers = (params.delete(:headers) || {})
         path = PathBuilder.new(controller, action_name, params).path
-        headers = HeadersBuilder.new(api_key, secret, http_method, path).headers
-        custom_headers = params.delete(:headers) || {}
 
-        send(http_method, path, params, headers.merge(custom_headers))
+        signature = Signer.new(api_key, secret).sign_request(
+          http_method: http_method.to_s.upcase,
+          url: path,
+          headers: custom_headers
+        )
+
+        send(http_method, path, params, signature.headers)
       end
     end
   end

data/lib/api_signature/utils.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'digest/sha1'
+require 'tempfile'
+require 'date'
+
+module ApiSignature
+  module Utils
+    # @param [File, Tempfile, IO#read, String] value
+    # @return [String<SHA256 Hexdigest>]
+    #
+    def self.sha256_hexdigest(value)
+      if (File === value || Tempfile === value) && !value.path.nil? && File.exist?(value.path)
+        OpenSSL::Digest::SHA256.file(value).hexdigest
+      elsif value.respond_to?(:read)
+        sha256 = OpenSSL::Digest::SHA256.new
+
+        while chunk = value.read(1024 * 1024, buffer ||= '') # 1MB
+          sha256.update(chunk)
+        end
+
+        value.rewind
+        sha256.hexdigest
+      else
+        OpenSSL::Digest::SHA256.hexdigest(value)
+      end
+    end
+
+    # @param [URI] uri
+    # @return [true/false]
+    #
+    def self.standard_port?(uri)
+      (uri.scheme == 'http' && uri.port == 80) ||
+        (uri.scheme == 'https' && uri.port == 443)
+    end
+
+    def self.url_path(path, uri_escape_path = false)
+      path = '/' if path == ''
+
+      if uri_escape_path
+        uri_escape_path(path)
+      else
+        path
+      end
+    end
+
+    def self.uri_escape_path(path)
+      path.gsub(/[^\/]+/) { |part| uri_escape(part) }
+    end
+
+    # @api private
+    def self.uri_escape(string)
+      if string.nil?
+        nil
+      else
+        CGI.escape(string.encode('UTF-8')).gsub('+', '%20').gsub('%7E', '~')
+      end
+    end
+
+    def self.normalized_querystring(querystring)
+      return unless querystring
+
+      params = querystring.split('&')
+      params = params.map { |p| p.match(/=/) ? p : p + '=' }
+      # We have to sort by param name and preserve order of params that
+      # have the same name. Default sort <=> in JRuby will swap members
+      # occasionally when <=> is 0 (considered still sorted), but this
+      # causes our normalized query string to not match the sent querystring.
+      # When names match, we then sort by their original order
+      params.each.with_index.sort do |a, b|
+        a, a_offset = a
+        a_name = a.split('=')[0]
+        b, b_offset = b
+        b_name = b.split('=')[0]
+        if a_name == b_name
+          a_offset <=> b_offset
+        else
+          a_name <=> b_name
+        end
+      end.map(&:first).join('&')
+    end
+
+    def self.canonical_header_value(value)
+      value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
+    end
+
+    def self.hmac(key, value)
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+    end
+
+    def self.hexhmac(key, value)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
+    end
+
+    def self.normalize_keys(hash)
+      return {} unless hash
+
+      hash.transform_keys { |key| key.to_s.downcase }
+    end
+
+    # constant-time comparison algorithm to prevent timing attacks
+    def self.secure_compare(string_a, string_b)
+      return false if string_a.nil? || string_b.nil? || string_a.bytesize != string_b.bytesize
+
+      l = string_a.unpack "C#{string_a.bytesize}"
+
+      res = 0
+      string_b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+    def self.safe_parse_datetime(value, format = nil)
+      format ||= ApiSignature.configuration.datetime_format
+      DateTime.strptime(value, format)
+    rescue ArgumentError => _e
+      nil
+    end
+  end
+end

data/lib/api_signature/validator.rb

@@ -1,39 +1,98 @@
 # frozen_string_literal: true
 
 module ApiSignature
+  # Validate a request
+  #
+  #     request = {
+  #       http_method: 'PUT',
+  #       url: 'https://domain.com',
+  #       headers: {
+  #         'Authorization' => 'API-HMAC-SHA256 Credential=access_key/20191227/api_request...',
+  #         'Host' => 'example.com,
+  #         'X-Content-Sha256' => '...',
+  #         'X-Datetime' => '2019-12-27T09:13:14.873+0000'
+  #       },
+  #       body: 'body'
+  #     }
+  #     validator = ApiSignature::Validator.new(request, uri_escape_path: true)
+  #     validator.access_key # get key from request headers
+  #     validator.valid?('secret_key')
+  #
   class Validator
-    attr_reader :timestamp
+    attr_reader :request
 
-    def initialize(options)
+    def initialize(request, options = {})
+      @request = request
       @options = options
-      @timestamp = Time.at(@options[:timestamp].to_i).utc
     end
 
-    def valid?(signature, secret)
-      return false if signature.blank? || secret.blank? || expired?
-      generator.generate_signature(secret) == signature
+    def access_key
+      return unless valid_credential?
+
+      @access_key ||= auth_header.credential.split('/')[0]
+    end
+
+    def signed_headers
+      @signed_headers ||= headers.slice(*auth_header.signed_headers)
+    end
+
+    # Validate a signature. Returns boolean
+    #
+    #     validator.valid?('secret_key_here')
+    #
+    # @param [String] secret key
+    #
+    def valid?(secret_key)
+      valid_authorization? && valid_timestamp? && valid_signature?(secret_key)
+    end
+
+    def valid_authorization?
+      valid_credential? && !auth_header.signature.nil?
+    end
+
+    def valid_credential?
+      !auth_header.credential.nil?
+    end
+
+    def valid_timestamp?
+      timestamp && ttl_range.cover?(timestamp.to_time)
     end
 
-    def expired?
-      !alive?
+    def valid_signature?(secret_key)
+      return false unless secret_key
+
+      signer = Signer.new(access_key, secret_key, @options)
+      data = signer.sign_request(request)
+
+      Utils.secure_compare(
+        auth_header.signature,
+        data.signature
+      )
     end
 
     private
 
-    def generator
-      @generator ||= Generator.new(@options)
+    def auth_header
+      @auth_header ||= AuthHeader.new(headers[signature_header_name])
+    end
+
+    def signature_header_name
+      @options[:signature_header] || ApiSignature.configuration.signature_header
     end
 
-    def alive?
-      alive_timerange.cover?(timestamp)
+    def timestamp
+      @timestamp ||= Utils.safe_parse_datetime(headers['x-datetime'])
     end
 
-    def alive_timerange
-      @alive_timerange ||= (ttl.ago..ttl.from_now)
+    def headers
+      @headers ||= Utils.normalize_keys(request[:headers])
     end
 
-    def ttl
-      ApiSignature.signature_ttl
+    def ttl_range
+      to = Time.now.utc
+      from = to - ApiSignature.configuration.signature_ttl
+
+      from..to
     end
   end
 end

data/lib/api_signature/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ApiSignature
-  VERSION = '0.1.5'
+  VERSION = '1.0.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: api_signature
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 1.0.0
 platform: ruby
 authors:
 - Igor Galeta
@@ -9,22 +9,8 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-27 00:00:00.000000000 Z
+date: 2020-01-07 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.15'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.15'
 - !ruby/object:Gem::Dependency
   name: guard-rspec
   requirement: !ruby/object:Gem::Requirement
@@ -87,34 +73,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: activesupport
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '4.0'
-- !ruby/object:Gem::Dependency
-  name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.6'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.6'
 description: 
 email:
 - igor.malinovskiy@netfix.xyz
@@ -125,6 +83,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
+- ".ruby-version"
 - ".travis.yml"
 - Gemfile
 - Guardfile
@@ -135,12 +94,14 @@ files:
 - bin/console
 - bin/setup
 - lib/api_signature.rb
+- lib/api_signature/auth_header.rb
 - lib/api_signature/builder.rb
-- lib/api_signature/generator.rb
-- lib/api_signature/request.rb
-- lib/api_signature/spec_support/headers_builder.rb
+- lib/api_signature/configuration.rb
+- lib/api_signature/signature.rb
+- lib/api_signature/signer.rb
 - lib/api_signature/spec_support/helper.rb
 - lib/api_signature/spec_support/path_builder.rb
+- lib/api_signature/utils.rb
 - lib/api_signature/validator.rb
 - lib/api_signature/version.rb
 homepage: https://github.com/psyipm/api_signature
@@ -163,7 +124,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.14.1
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Sign API requests with HMAC signature

data/lib/api_signature/generator.rb

@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-
-require 'openssl'
-require 'digest/sha1'
-
-module ApiSignature
-  class Generator
-    SPLITTER = '|'
-
-    delegate :valid?, :expired?, :timestamp, to: :validator
-
-    attr_reader :options
-
-    def initialize(options = {})
-      @options = options
-    end
-
-    def generate_signature(secret)
-      hmac = OpenSSL::HMAC.digest(digest, secret, string_to_sign)
-      Base64.encode64(hmac).chomp
-    end
-
-    private
-
-    def validator
-      Validator.new(options)
-    end
-
-    def digest
-      OpenSSL::Digest::SHA256.new
-    end
-
-    def string_to_sign
-      [
-        options[:request_method],
-        options[:path],
-        options[:access_key],
-        timestamp.to_i
-      ].map(&:to_s).join(SPLITTER)
-    end
-  end
-end

data/lib/api_signature/request.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-
-require 'rack/request'
-
-module ApiSignature
-  class Request < ::Rack::Request
-    HEADER_KEYS = {
-      access_key: 'HTTP_X_ACCESS_KEY',
-      signature:  'HTTP_X_SIGNATURE',
-      timestamp:  'HTTP_X_TIMESTAMP'
-    }.freeze
-
-    def correct?(token, secret)
-      access_key == token && validator.valid?(signature, secret)
-    end
-
-    def valid?
-      timestamp.present? && signature.present? && access_key.present?
-    end
-
-    def timestamp
-      @timestamp ||= @env[HEADER_KEYS[:timestamp]]
-    end
-
-    def signature
-      @signature ||= @env[HEADER_KEYS[:signature]]
-    end
-
-    def access_key
-      @access_key ||= @env[HEADER_KEYS[:access_key]]
-    end
-
-    private
-
-    def validator
-      @validator ||= Validator.new(validator_params)
-    end
-
-    def validator_params
-      {
-        request_method: request_method,
-        path: path,
-        access_key: access_key,
-        timestamp: timestamp
-      }
-    end
-  end
-end

data/lib/api_signature/spec_support/headers_builder.rb

@@ -1,39 +0,0 @@
-# frozen_string_literal: true
-
-module ApiSignature
-  module SpecSupport
-    class HeadersBuilder
-      attr_reader :access_key, :secret, :http_method, :path
-
-      def initialize(access_key, secret, http_method, path)
-        @access_key = access_key
-        @secret = secret
-        @http_method = http_method
-        @path = path
-      end
-
-      def headers
-        {
-          'HTTP_X_ACCESS_KEY' => access_key,
-          'HTTP_X_TIMESTAMP' => options[:timestamp],
-          'HTTP_X_SIGNATURE' => generator.generate_signature(secret)
-        }
-      end
-
-      private
-
-      def generator
-        @generator ||= ::ApiSignature::Generator.new(options)
-      end
-
-      def options
-        @options ||= {
-          request_method: http_method.to_s.upcase,
-          path: path,
-          access_key: access_key,
-          timestamp: Time.now.utc.to_i
-        }
-      end
-    end
-  end
-end