cerner-oauth1a 2.4.0 → 2.5.4

data/lib/cerner/oauth1a/access_token_agent.rb

@@ -5,10 +5,12 @@ require 'cerner/oauth1a/access_token'
 require 'cerner/oauth1a/keys'
 require 'cerner/oauth1a/oauth_error'
 require 'cerner/oauth1a/cache'
+require 'cerner/oauth1a/internal'
 require 'cerner/oauth1a/protocol'
+require 'cerner/oauth1a/signature'
 require 'cerner/oauth1a/version'
 require 'json'
-require 'net/https'
+require 'net/http'
 require 'securerandom'
 require 'uri'
 
@@ -70,9 +72,11 @@ module Cerner
       #                                    realm that's extracted from :access_token_url. If nil,
       #                                    this will be initalized with the DEFAULT_REALM_ALIASES.
       #                                    (optional, default: nil)
+      #             :signature_method    - A String to set the signature method to use. MUST be
+      #                                    PLAINTEXT or HMAC-SHA1. (optional, default: 'PLAINTEXT')
       #
       # Raises ArgumentError if access_token_url, consumer_key or consumer_key is nil; if
-      #                      access_token_url is an invalid URI.
+      #                      access_token_url is an invalid URI; if signature_method is invalid.
       def initialize(
         access_token_url:,
         consumer_key:,
@@ -81,7 +85,8 @@ module Cerner
         read_timeout: 5,
         cache_keys: true,
         cache_access_tokens: true,
-        realm_aliases: nil
+        realm_aliases: nil,
+        signature_method: 'PLAINTEXT'
       )
         raise ArgumentError, 'consumer_key is nil' unless consumer_key
         raise ArgumentError, 'consumer_secret is nil' unless consumer_secret
@@ -89,7 +94,7 @@ module Cerner
         @consumer_key = consumer_key
         @consumer_secret = consumer_secret
 
-        @access_token_url = convert_to_http_uri(access_token_url)
+        @access_token_url = Internal.convert_to_http_uri(url: access_token_url, name: 'access_token_url')
         @realm = Protocol.realm_for(@access_token_url)
         @realm_aliases = realm_aliases
         @realm_aliases ||= DEFAULT_REALM_ALIASES[@realm]
@@ -99,6 +104,9 @@ module Cerner
 
         @keys_cache = cache_keys ? Cache.instance : nil
         @access_token_cache = cache_access_tokens ? Cache.instance : nil
+
+        @signature_method = signature_method || 'PLAINTEXT'
+        raise ArgumentError, 'signature_method is invalid' unless Signature::METHODS.include?(@signature_method)
       end
 
       # Public: Retrieves the service provider keys from the configured Access Token service endpoint
@@ -107,7 +115,7 @@ module Cerner
       #
       # keys_version - The version identifier of the keys to retrieve. This corresponds to the
       #                KeysVersion parameter of the oauth_token.
-      # keywords     - The additional, optional keyword arguments for this method
+      # keywords     - The keyword arguments:
       #               :ignore_cache - A flag for indicating that the cache should be ignored and a
       #                               new Access Token should be retrieved.
       #
@@ -135,7 +143,7 @@ module Cerner
       # This method will use the #generate_accessor_secret, #generate_nonce and #generate_timestamp methods to
       # interact with the service, which can be overridden via a sub-class, if desired.
       #
-      # keywords - The additional, optional keyword arguments for this method
+      # keywords - The keyword arguments:
       #            :principal    - An optional principal identifier, which is passed via the
       #                            xoauth_principal protocol parameter.
       #            :ignore_cache - A flag for indicating that the cache should be ignored and a new
@@ -147,19 +155,20 @@ module Cerner
       # Raises StandardError sub-classes for any issues interacting with the service, such as networking issues.
       def retrieve(principal: nil, ignore_cache: false)
         cache_key = "#{@consumer_key}&#{principal}"
+
         if @access_token_cache && !ignore_cache
           cache_entry = @access_token_cache.get('cerner-oauth1a/access-tokens', cache_key)
           return cache_entry.value if cache_entry
         end
 
         # generate token request info
-        nonce = generate_nonce
         timestamp = generate_timestamp
         accessor_secret = generate_accessor_secret
 
-        request = retrieve_prepare_request(timestamp, nonce, accessor_secret, principal)
+        request = retrieve_prepare_request(timestamp: timestamp, accessor_secret: accessor_secret, principal: principal)
         response = http_client.request(request)
-        access_token = retrieve_handle_response(response, timestamp, nonce, accessor_secret)
+        access_token =
+          retrieve_handle_response(response: response, timestamp: timestamp, accessor_secret: accessor_secret)
         @access_token_cache&.put('cerner-oauth1a/access-tokens', cache_key, Cache::AccessTokenEntry.new(access_token))
         access_token
       end
@@ -175,14 +184,14 @@ module Cerner
       #
       # Returns a String containing the nonce.
       def generate_nonce
-        SecureRandom.hex
+        Internal.generate_nonce
       end
 
       # Public: Generate a Timestamp for invocations of the Access Token service.
       #
       # Returns an Integer representing the number of seconds since the epoch.
       def generate_timestamp
-        Time.now.to_i
+        Internal.generate_timestamp
       end
 
       # Public: Determines if the passed realm is equivalent to the configured
@@ -224,46 +233,41 @@ module Cerner
         http
       end
 
-      # Internal: Convert an Access Token URL into a URI with some verification checks
-      #
-      # access_token_url - A String URL or a URI instance
-      # Returns a URI::HTTP or URI::HTTPS
-      #
-      # Raises ArgumentError if access_token_url is nil, invalid or not an HTTP/HTTPS URI
-      def convert_to_http_uri(access_token_url)
-        raise ArgumentError, 'access_token_url is nil' unless access_token_url
-
-        if access_token_url.is_a?(URI)
-          uri = access_token_url
-        else
-          begin
-            uri = URI(access_token_url)
-          rescue URI::InvalidURIError
-            # raise argument error with cause
-            raise ArgumentError, 'access_token_url is invalid'
-          end
-        end
-
-        raise ArgumentError, 'access_token_url must be an HTTP or HTTPS URI' unless uri.is_a?(URI::HTTP)
-
-        uri
-      end
-
       # Internal: Prepare a request for #retrieve
-      def retrieve_prepare_request(timestamp, nonce, accessor_secret, principal)
+      def retrieve_prepare_request(accessor_secret:, timestamp:, principal: nil)
         # construct a POST request
         request = Net::HTTP::Post.new(@access_token_url)
         # setup the data to construct the POST's message
-        params = [
-          [:oauth_consumer_key, @consumer_key],
-          [:oauth_signature_method, 'PLAINTEXT'],
-          [:oauth_version, '1.0'],
-          [:oauth_timestamp, timestamp],
-          [:oauth_nonce, nonce],
-          [:oauth_signature, "#{@consumer_secret}&"],
-          [:oauth_accessor_secret, accessor_secret]
-        ]
-        params << [:xoauth_principal, principal.to_s] if principal
+        params = {
+          oauth_consumer_key: Protocol.percent_encode(@consumer_key),
+          oauth_signature_method: @signature_method,
+          oauth_version: '1.0',
+          oauth_accessor_secret: accessor_secret
+        }
+        params[:xoauth_principal] = principal.to_s if principal
+
+        if @signature_method == 'PLAINTEXT'
+          sig = Signature.sign_via_plaintext(client_shared_secret: @consumer_secret, token_shared_secret: '')
+        elsif @signature_method == 'HMAC-SHA1'
+          params[:oauth_timestamp] = timestamp
+          params[:oauth_nonce] = generate_nonce
+          signature_base_string =
+            Signature.build_signature_base_string(
+              http_method: 'POST', fully_qualified_url: @access_token_url, params: params
+            )
+          sig =
+            Signature.sign_via_hmacsha1(
+              client_shared_secret: @consumer_secret,
+              token_shared_secret: '',
+              signature_base_string: signature_base_string
+            )
+        else
+          raise OAuthError.new('signature_method is invalid', nil, 'signature_method_rejected', nil, @realm)
+        end
+
+        params[:oauth_signature] = sig
+
+        params = params.map { |n, v| [n, v] }
         # set the POST's body as a URL form-encoded string
         request.set_form(params, MIME_WWW_FORM_URL_ENCODED, charset: 'UTF-8')
         request['Accept'] = MIME_WWW_FORM_URL_ENCODED
@@ -273,22 +277,22 @@ module Cerner
       end
 
       # Internal: Handle a response for #retrieve
-      def retrieve_handle_response(response, timestamp, nonce, accessor_secret)
+      def retrieve_handle_response(response:, timestamp:, accessor_secret:)
         case response
         when Net::HTTPSuccess
           # Parse the HTTP response and convert it into a Symbol-keyed Hash
           tuples = Protocol.parse_url_query_string(response.body)
           # Use the parsed response to construct the AccessToken
-          access_token = AccessToken.new(
-            accessor_secret: accessor_secret,
-            consumer_key: @consumer_key,
-            expires_at: timestamp + tuples[:oauth_expires_in].to_i,
-            nonce: nonce,
-            timestamp: timestamp,
-            token: tuples[:oauth_token],
-            token_secret: tuples[:oauth_token_secret],
-            realm: @realm
-          )
+          access_token =
+            AccessToken.new(
+              accessor_secret: accessor_secret,
+              consumer_key: @consumer_key,
+              expires_at: timestamp + tuples[:oauth_expires_in].to_i,
+              token: tuples[:oauth_token],
+              token_secret: tuples[:oauth_token_secret],
+              signature_method: @signature_method,
+              realm: @realm
+            )
           access_token
         else
           # Extract any OAuth Problems reported in the response
@@ -300,10 +304,11 @@ module Cerner
 
       # Internal: Prepare a request for #retrieve_keys
       def retrieve_keys_prepare_request(keys_version)
-        request = Net::HTTP::Get.new(URI("#{@access_token_url}/keys/#{keys_version}"))
+        keys_url = URI("#{@access_token_url}/keys/#{keys_version}")
+        request = Net::HTTP::Get.new(keys_url)
         request['Accept'] = 'application/json'
         request['User-Agent'] = user_agent_string
-        request['Authorization'] = retrieve.authorization_header
+        request['Authorization'] = retrieve.authorization_header(fully_qualified_url: keys_url)
         request
       end
 
@@ -319,9 +324,7 @@ module Cerner
           raise OAuthError.new('RSA public key retrieved was invalid', nil, nil, nil, @realm) unless rsa_key
 
           Keys.new(
-            version: keys_version,
-            aes_secret_key: Base64.decode64(aes_key),
-            rsa_public_key: Base64.decode64(rsa_key)
+            version: keys_version, aes_secret_key: Base64.decode64(aes_key), rsa_public_key: Base64.decode64(rsa_key)
           )
         else
           # Extract any OAuth Problems reported in the response

data/lib/cerner/oauth1a/cache.rb

@@ -6,17 +6,17 @@ module Cerner
     class Cache
       @cache_instance_lock = Mutex.new
 
+      # Internal: Sets the singleton instance.
       def self.instance=(cache_impl)
         raise ArgumentError, 'cache_impl must not be nil' unless cache_impl
 
-        @cache_instance_lock.synchronize do
-          @cache_instance = cache_impl
-        end
+        @cache_instance_lock.synchronize { @cache_instance = cache_impl }
       end
 
+      # Internal: Gets the singleton instance.
       def self.instance
         @cache_instance_lock.synchronize do
-          return @cache_instance if @cache_instance
+          return @cache_instance if instance_variable_defined?(:@cache_instance) && @cache_instance
 
           @cache_instance = DefaultCache.new(max: 50)
         end
@@ -27,12 +27,14 @@ module Cerner
         attr_reader :value
         attr_reader :expires_in
 
+        # Internal: Constructs an instance.
         def initialize(keys, expires_in)
           @value = keys
           @expires_in = expires_in
           @expires_at = Time.now.utc.to_i + @expires_in
         end
 
+        # Internal: Check if the entry is expired.
         def expired?(now)
           @expires_at <= now
         end
@@ -42,25 +44,29 @@ module Cerner
       class AccessTokenEntry
         attr_reader :value
 
+        # Internal: Constructs an instance.
         def initialize(access_token)
           @value = access_token
         end
 
+        # Internal: Returns the number of seconds until the entry expires.
         def expires_in
           @value.expires_at.to_i - Time.now.utc.to_i
         end
 
+        # Internal: Check if the entry is expired.
         def expired?(now)
           @value.expired?(now: now)
         end
       end
 
-      ONE_HOUR = 3600
+      ONE_HOUR = 3_600
       TWENTY_FOUR_HOURS = 24 * ONE_HOUR
 
       # Internal: The default implementation of the Cerner::OAuth1a::Cache interface.
       # This implementation just maintains a capped list of entries in memory.
       class DefaultCache < Cerner::OAuth1a::Cache
+        # Internal: Constructs an instance.
         def initialize(max:)
           super()
           @max = max
@@ -68,6 +74,7 @@ module Cerner
           @entries = {}
         end
 
+        # Internal: Puts an entry into the cache.
         def put(namespace, key, entry)
           @lock.synchronize do
             now = Time.now.utc.to_i
@@ -77,6 +84,7 @@ module Cerner
           end
         end
 
+        # Internal: Gets an entry from the cache.
         def get(namespace, key)
           @lock.synchronize do
             prune_expired(Time.now.utc.to_i)

data/lib/cerner/oauth1a/cache_rails.rb

@@ -19,6 +19,7 @@ module Cerner
       #
       # rails_cache - An instance of ActiveSupport::Cache::Store.
       def initialize(rails_cache)
+        super()
         @cache = rails_cache
       end
 
@@ -28,13 +29,7 @@ module Cerner
       # key       - The key for the cache entries, which is qualified by namespace.
       # entry     - The entry to be stored in the cache.
       def put(namespace, key, entry)
-        @cache.write(
-          key,
-          entry,
-          namespace: namespace,
-          expires_in: entry.expires_in,
-          race_condition_ttl: 5
-        )
+        @cache.write(key, entry, namespace: namespace, expires_in: entry.expires_in, race_condition_ttl: 5)
       end
 
       # Internal: Retrieves the entry, if available, from the cache store.

data/lib/cerner/oauth1a/internal.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'uri'
+
+module Cerner
+  module OAuth1a
+    # Internal: Internal utility methods
+    module Internal
+      # Internal: Convert a time value into a Time instance.
+      #
+      # keywords - The keyword arguments:
+      #            :time - Time or any object with a #to_i that returns an Integer.
+      #            :name - The parameter name of the data for invoking methods.
+      #
+      # Returns a Time instance in the UTC time zone.
+      def self.convert_to_time(time:, name: 'time')
+        raise ArgumentError, "#{name} is nil" unless time
+
+        time.is_a?(Time) ? time.utc : Time.at(time.to_i).utc
+      end
+
+      # Internal: Convert an fully qualified URL String into a URI with some verification checks
+      #
+      # keywords - The keyword arguments:
+      #            :url  - A String or a URI instance to convert to a URI instance.
+      #            :name - The parameter name of the URL for invoking methods.
+      #
+      # Returns a URI::HTTP or URI::HTTPS
+      #
+      # Raises ArgumentError if url is nil, invalid or not an HTTP/HTTPS URI
+      def self.convert_to_http_uri(url:, name: 'url')
+        raise ArgumentError, "#{name} is nil" unless url
+
+        if url.is_a?(URI)
+          uri = url
+        else
+          begin
+            uri = URI(url)
+          rescue URI::InvalidURIError
+            # raise argument error with cause
+            raise ArgumentError, "#{name} is invalid"
+          end
+        end
+
+        raise ArgumentError, "#{name} must be an HTTP or HTTPS URI" unless uri.is_a?(URI::HTTP)
+
+        uri
+      end
+
+      # Internal: Generate a Nonce for invocations of the Access Token service.
+      #
+      # Returns a String containing the nonce.
+      def self.generate_nonce
+        SecureRandom.hex
+      end
+
+      # Internal: Generate a Timestamp for invocations of the Access Token service.
+      #
+      # Returns an Integer representing the number of seconds since the epoch.
+      def self.generate_timestamp
+        Time.now.to_i
+      end
+
+      # Internal: Compares two Strings using a constant time algorithm to protect against timing
+      # attacks.
+      #
+      # left  - The left String
+      # right - The right String
+      #
+      # Return true if left and right match, false otherwise.
+      def self.constant_time_compare(left, right)
+        max_size = [left.bytesize, right.bytesize].max
+        # convert left and right to array of bytes (Integer)
+        left = left.unpack('C*')
+        right = right.unpack('C*')
+
+        # if either array is not the max size, expand it with zeros
+        # having equal arrays keeps the algorithm execution time constant
+        left = left.fill(0, left.size, max_size - left.size) if left.size < max_size
+        right = right.fill(0, right.size, max_size - right.size) if right.size < max_size
+
+        result = 0
+        left.each_with_index do |left_value, i|
+          # XOR the two bytes, if equal, the operation is 0
+          # OR the XOR operation with the previous result
+          result |= left_value ^ right[i]
+        end
+
+        # if every comparison resuled in 0, then left and right are equal
+        result.zero?
+      end
+    end
+  end
+end

data/lib/cerner/oauth1a/protocol.rb

@@ -6,6 +6,18 @@ module Cerner
   module OAuth1a
     # Public: OAuth 1.0a protocol utilities.
     module Protocol
+      # Public: Encodes the passed text using the percent encoding variant described in the OAuth
+      # 1.0a specification.
+      #
+      # Reference: https://tools.ietf.org/html/rfc5849#section-3.6
+      #
+      # text - A String containing the text to encode.
+      #
+      # Returns a String that has been encoded.
+      def self.percent_encode(text)
+        URI.encode_www_form_component(text).gsub('+', '%20')
+      end
+
       # Public: Parses a URL-encoded query string into a Hash with symbolized keys.
       #
       # query - String containing a URL-encoded query string to parse.
@@ -37,6 +49,10 @@ module Cerner
       #   Cerner::OAuth1a::Protocol.parse_www_authenticate_header(header)
       #   # => {:realm=>"https://test.host", :oauth_problem=>"token_expired"}
       #
+      #   header = 'OAuth realm="https://test.host", oauth_problem=token_expired'
+      #   Cerner::OAuth1a::Protocol.parse_www_authenticate_header(header)
+      #   # => {:realm=>"https://test.host", :oauth_problem=>"token_expired"}
+      #
       # Returns a Hash with symbolized keys of all of the parameters.
       def self.parse_authorization_header(value)
         params = {}
@@ -45,10 +61,18 @@ module Cerner
         value = value.strip
         return params unless value.size > 6 && value[0..5].casecmp?('OAuth ')
 
-        value.scan(/([^,\s=]*)=\"([^\"]*)\"/).each do |pair|
-          k = URI.decode_www_form_component(pair[0])
-          v = URI.decode_www_form_component(pair[1])
-          params[k.to_sym] = v
+        # trim off 'OAuth ' prefix
+        value = value[6..-1]
+
+        # split value on comma separators
+        value.split(/,\s*/).each do |kv_part|
+          # split each part on '=' separator
+          key, value = kv_part.split('=')
+          key = URI.decode_www_form_component(key)
+          # trim off surrounding double quotes, if they exist
+          value = value[1..-2] if value.start_with?('"') && value.end_with?('"')
+          value = URI.decode_www_form_component(value)
+          params[key.to_sym] = value
         end
 
         params
@@ -73,17 +97,12 @@ module Cerner
       #
       # Returns the String containing the generated value or nil if params is nil or empty.
       def self.generate_authorization_header(params)
-        return nil unless params && !params.empty?
+        return unless params && !params.empty?
 
         realm = "realm=\"#{params.delete(:realm)}\"" if params[:realm]
-        realm += ', ' if realm && !params.empty?
-
-        encoded_params =
-          params.map do |k, v|
-            k = URI.encode_www_form_component(k).gsub('+', '%20')
-            v = URI.encode_www_form_component(v).gsub('+', '%20')
-            "#{k}=\"#{v}\""
-          end
+        realm += ',' if realm && !params.empty?
+
+        encoded_params = params.map { |k, v| "#{percent_encode(k)}=\"#{percent_encode(v)}\"" }
 
         "OAuth #{realm}#{encoded_params.join(',')}"
       end