authograph 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2fa21ab9df699ee62947bfb58d37e05d55ae3eef
+  data.tar.gz: 64eacefff4e51281f71126ff9d89faa2ce0ad4c8
+SHA512:
+  metadata.gz: 498b424873a5b7d2aaefc8f0d4c2990bde82e0219cbccb6cffc039b8549b9370bc696c805e7b6825669b605d25a69fe6ed4319064d0c593b33fbd47ee63730ba
+  data.tar.gz: 7c08538b13cbe9ab33ef66f9df03721b195825950126868252e49be754d6dd214182c7d7253fae3fb7cdccfd7787d925969522c662ea029cf2ff4d2b3a8bb3c5

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.3.1
+before_install: gem install bundler -v 1.12.4

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,49 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at iobaixas@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in authograph.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,10 @@
+watch ("Guardfile") do
+  UI.info "Exiting because Guard must be restarted for changes to take effect"
+  exit 0
+end
+
+guard :rspec, cmd: 'bundle exec rspec' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/authograph/(.+)\.rb$}) { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Ignacio Baixas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,93 @@
+# Authograph
+
+Flexible HTTP request HMAC signing and validation utility.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'authograph'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install authograph
+
+## Usage
+
+To sign a request just will first need to generate a new secret key
+
+```ruby
+my_secret = SecureRandom.base64(64)
+```
+
+Now that you have a secret key, create a new instance of the signer
+
+```ruby
+signer = Authograph.signer # initialize a time signer with default options
+```
+
+And the call `sign` passing the request you need to sign and the secret
+
+```ruby
+signer.sign(my_request, my_secret) # this will add the X-Signature header to the request
+```
+
+Yo can later validate the request by using `authentic?`
+
+```ruby
+signer.authentic?(my_request, my_secret) # this will check the signature and the date by default
+```
+
+
+### Signer options
+
+**IMPORTANT** Remember to always configure both the signer-signer and the validator-signer using the same paremeters.
+
+The following parameters are available when calling `Authograph.signer`:
+
+* `digest`: which digest algorithm to use (`'sha384'` by default).
+* `header`: header key to store signature in (`'X-Signature'` by default).
+* `sign_headers`: array of additional headers to include in the signing process. (`[]` by default).
+* `sign_date`: whether to include and validate the date (`true` by default).
+* `date_header`: header key to store date in (`'X-Date'` by default).
+* `date_max_skew`: maximum difference (in secs) between request time and validaton (`'600'` by default).
+
+
+### Generated signature structure
+
+The signature is generated by building a canonical payload with the following structure:
+
+```
+<request method (uppercase), ex: GET>
+<request full path, ex: /some/path?sure>
+<content type, ex: application/json>
+<body md5 as base64>
+<header #1 content>
+<header #2 content>
+...
+```
+
+And then applying the HMAC-SHA384 hashing function to it to get the signature. The signature is then written to the request header using the following format:
+
+```
+HMAC-SHA384 <base64(signature)>
+```
+
+When using date validation an additiona `X-Date` header is added to the request.
+
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/SurBTC/authograph. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/authograph.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'authograph/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "authograph"
+  spec.version       = Authograph::VERSION
+  spec.authors       = ["Ignacio Baixas"]
+  spec.email         = ["ignacio@platan.us"]
+
+  spec.summary       = "Flexible HTTP request HMAC signing and validation"
+  spec.description   = "
+HTTP request signing and validation library with support for header signing and multiple backends.
+"
+  spec.homepage      = "https://github.com/SurBTC/authograph"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "guard", "~> 2.14"
+  spec.add_development_dependency "guard-rspec", "~> 4.7"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "authograph"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/authograph.rb

@@ -0,0 +1,9 @@
+require "authograph/version"
+require "authograph/adapters/base"
+require "authograph/signer"
+
+module Authograph
+  def self.signer(*_args)
+    Signer.new(*_args)
+  end
+end

data/lib/authograph/adapters/base.rb

@@ -0,0 +1,5 @@
+module Authograph::Adapters
+  class Base
+    # nothing for now
+  end
+end

data/lib/authograph/adapters/faraday.rb

@@ -0,0 +1,31 @@
+module Authograph::Adapters
+  class Faraday < Base
+    def initialize(_request)
+      @request = _request
+    end
+
+    def get_header(_header)
+      @request.headers[_header]
+    end
+
+    def set_header(_header, _value)
+      @request.headers[_header] = _value
+    end
+
+    def method
+      @request.method.to_s.upcase
+    end
+
+    def path
+      URI(@request.path).request_uri
+    end
+
+    def content_type
+      @request.headers['Content-Type'] || ''
+    end
+
+    def body
+      @request.body
+    end
+  end
+end

data/lib/authograph/adapters/http.rb

@@ -0,0 +1,34 @@
+module Authograph::Adapters
+  class Http < Base
+    def initialize(_request)
+      @request = _request
+    end
+
+    def get_header(_header)
+      @request[_header]
+    end
+
+    def set_header(_header, _value)
+      @request[_header] = _value
+    end
+
+    def method
+      @request.method.to_s.upcase
+    end
+
+    def path
+      @request.path
+    end
+
+    def content_type
+      @request['Content-Type'] || ''
+    end
+
+    def body
+      return '' unless @request.body_stream
+      data = @request.body_stream.read
+      @request.body_stream.rewind
+      data
+    end
+  end
+end

data/lib/authograph/adapters/rack.rb

@@ -0,0 +1,40 @@
+module Authograph::Adapters
+  class Rack < Base
+    def initialize(_request)
+      @request = _request
+    end
+
+    def get_header(_header)
+      @request.env[normalize_header(_header)]
+    end
+
+    def set_header(_header, _value)
+      @request.env[normalize_header(_header)] = _value
+    end
+
+    def method
+      @request.request_method.upcase
+    end
+
+    def path
+      @request.fullpath
+    end
+
+    def content_type
+      @request.content_type
+    end
+
+    def body
+      return '' unless @request.body
+      data = @request.body.read
+      @request.body.rewind
+      data
+    end
+
+    private
+
+    def normalize_header(_header)
+      'HTTP_' + _header.underscore.upcase
+    end
+  end
+end

data/lib/authograph/signer.rb

@@ -0,0 +1,108 @@
+module Authograph
+  class Signer
+    DEFAULT_SIGN_HEADER = 'X-Signature'
+    DEFAULT_DATE_HEADER = 'X-Date'
+
+    def initialize(
+      digest: 'sha384',
+      header: DEFAULT_SIGN_HEADER,
+      sign_headers: [],
+      sign_date: true,
+      date_header: DEFAULT_DATE_HEADER,
+      date_max_skew: 600
+    )
+      @digest = digest
+      @header = header
+      @sign_headers = sign_headers
+
+      @sign_date = sign_date
+      @date_header = date_header
+      @date_max_skew = date_max_skew
+      @sign_headers << date_header if sign_date # ensure date header is signed too
+    end
+
+    def sign(_request, _key_secret)
+      _request = adapt _request
+
+      set_request_date(_request) if @sign_date
+      # TODO: set_hashed_content to discard invalid signatures before checking content?
+      set_request_authorization(_request, _key_secret)
+    end
+
+    def authentic?(_request, _key_secret)
+      _request = adapt _request
+
+      return false if !signatures_match? _request, _key_secret
+      return false if @sign_date && !request_within_time_window?(_request)
+      true
+    end
+
+    private
+
+    def adapt(_request) # rubocop:disable Metrics/MethodLength
+      return _request if _request.is_a? Adapters::Base
+
+      case _request.class.to_s
+      when 'ActionDispatch::Request'
+        require 'authograph/adapters/rack'
+        Adapters::Rack.new Rack::Request.new(_request.env)
+      when 'Rack::Request'
+        require 'authograph/adapters/rack'
+        Adapters::Rack.new _request
+      when /^Net::HTTP::.*/
+        require 'authograph/adapters/http'
+        Adapters::Http.new _request
+      when 'Faraday::Request'
+        require 'authograph/adapters/faraday'
+        Adapters::Faraday.new _request
+      else
+        raise ArgumentError, 'the given request type is not supported'
+      end
+    end
+
+    def set_request_date(_request)
+      _request.set_header @date_header, Time.now.utc.httpdate
+    end
+
+    def set_request_authorization(_request, _key_secret)
+      _request.set_header @header, calc_signature(_request, _key_secret)
+    end
+
+    def signatures_match?(_request, _key_secret)
+      calc_signature(_request, _key_secret) == _request.get_header(@header)
+    end
+
+    def request_within_time_window?(_request)
+      request_date = Time.httpdate(_request.get_header(@date_header)).utc
+      (request_date - Time.now.utc).abs <= @date_max_skew
+    rescue ArgumentError
+      false
+    end
+
+    def calc_signature(_request, _key_secret)
+      signature = OpenSSL::HMAC.digest(@digest, _key_secret, build_payload(_request))
+      "HMAC-#{@digest.upcase} #{[signature].pack('m0')}"
+    end
+
+    def build_payload(_request)
+      parts = [
+        _request.method,
+        _request.path,
+        _request.content_type || '',
+        body_md5(_request)
+      ]
+
+      # extra headers to be considered
+      @sign_headers.each { |h| parts << (_request.get_header(h) || '') }
+      parts.join "\n"
+    end
+
+    def body_md5(_request)
+      if %w[POST PUT].include?(_request.method)
+        Digest::MD5.base64digest _request.body
+      else
+        ''
+      end
+    end
+  end
+end

data/lib/authograph/version.rb

@@ -0,0 +1,3 @@
+module Authograph
+  VERSION = "1.0.0"
+end

metadata

@@ -0,0 +1,135 @@
+--- !ruby/object:Gem::Specification
+name: authograph
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Ignacio Baixas
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-07-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.14'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.14'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+description: |2
+
+  HTTP request signing and validation library with support for header signing and multiple backends.
+email:
+- ignacio@platan.us
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- authograph.gemspec
+- bin/console
+- bin/setup
+- lib/authograph.rb
+- lib/authograph/adapters/base.rb
+- lib/authograph/adapters/faraday.rb
+- lib/authograph/adapters/http.rb
+- lib/authograph/adapters/rack.rb
+- lib/authograph/signer.rb
+- lib/authograph/version.rb
+homepage: https://github.com/SurBTC/authograph
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.4
+signing_key: 
+specification_version: 4
+summary: Flexible HTTP request HMAC signing and validation
+test_files: []