duo_api 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5cd10981ae6386d4aaaa0784cf89af0bb5bdd108f3c56a23c2360fd061c4e51
-  data.tar.gz: 7afea77b115e547d19bdc57ccafc71041dfcdf0aa20248692574fb9180833797
+  metadata.gz: 83307a3ad328ddd423760e517cb7450656253fedb3d2bc513cab405a2c37206c
+  data.tar.gz: 8ec8965d2e8405e7909652275f7cab0a1ff06e10976a86b0d88590d6e81c10bb
 SHA512:
-  metadata.gz: faa3962d46a4c1644793f594b851e4dfd621221cee3ef60b23b48b9c28cbb0f591597b0b6e3625db20a194cb699b60211b3f691abe71bd483b8bc84e256b3869
-  data.tar.gz: 2b062c1ea82883dd8bfd75c1deeda2723d88ebd1a8d3349703c8af68ee8b6e55e2f0597fdd41ad681b73f98724b98be9835a106aeed7b2237df75a98a16b37c2
+  metadata.gz: d0b38b626b9a891665eb6850be2e924a8ab01746d7697d6b3b04ca51c7bed6cc84608ef8b6b437b506f59463229e7138380579ce29c2eaa88e0d4f4b272fdc16
+  data.tar.gz: 57abcf5b82835915ce3e6ea847efc0144257fabfc42e58ac22a3b53d3ab4b7a042f89d54e2ecbcece470c14a1e86712a4292cce6e611eee2fa90cffb13325e1b

data/lib/duo_api.rb

@@ -1,4 +1,5 @@
 require 'erb'
+require 'json'
 require 'openssl'
 require 'net/https'
 require 'time'
@@ -10,6 +11,12 @@ require 'uri'
 class DuoApi
   attr_accessor :ca_file
 
+  if Gem.loaded_specs['duo_api']
+    VERSION = Gem.loaded_specs['duo_api'].version
+  else
+    VERSION = '0.0.0'
+  end
+
   # Constants for handling rate limit backoff
   MAX_BACKOFF_WAIT_SECS = 32
   INITIAL_BACKOFF_WAIT_SECS = 1
@@ -32,26 +39,40 @@ class DuoApi
       ]
     end
     @ca_file = ca_file ||
-               File.join(File.dirname(__FILE__), '..', 'ca_certs.pem')
+      File.join(File.dirname(__FILE__), '..', 'ca_certs.pem')
   end
 
-  def request(method, path, params = nil)
+  def request(method, path, params = {}, additional_headers = nil)
+    params_go_in_body = %w[POST PUT PATCH].include?(method)
+    if params_go_in_body
+      body = canon_json(params)
+      params = {}
+    else
+      body = ''
+    end
+
     uri = request_uri(path, params)
-    current_date, signed = sign(method, uri.host, path, params)
+    current_date, signed = sign(method, uri.host, path, params, body, additional_headers)
 
     request = Net::HTTP.const_get(method.capitalize).new uri.to_s
     request.basic_auth(@ikey, signed)
     request['Date'] = current_date
-    request['User-Agent'] = 'duo_api_ruby/1.3.0'
+    request['User-Agent'] = "duo_api_ruby/#{VERSION}"
+    if params_go_in_body
+      request['Content-Type'] = 'application/json'
+      request.body = body
+    end
 
-    Net::HTTP.start(uri.host, uri.port, *@proxy,
-                    use_ssl: true, ca_file: @ca_file,
-                    verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
+    Net::HTTP.start(
+      uri.host, uri.port, *@proxy,
+      use_ssl: true, ca_file: @ca_file,
+      verify_mode: OpenSSL::SSL::VERIFY_PEER
+    ) do |http|
       wait_secs = INITIAL_BACKOFF_WAIT_SECS
       while true do
         resp = http.request(request)
         if resp.code != RATE_LIMITED_RESP_CODE or wait_secs > MAX_BACKOFF_WAIT_SECS
-            return resp
+          return resp
         end
         random_offset = rand()
         sleep(wait_secs + random_offset)
@@ -69,7 +90,7 @@ class DuoApi
     key + '=' + value
   end
 
-  def encode_params(params_hash = nil)
+  def canon_params(params_hash = nil)
     return '' if params_hash.nil?
     params_hash.sort.map do |k, v|
       # when it is an array, we want to add that as another param
@@ -82,30 +103,63 @@ class DuoApi
     end.join('&')
   end
 
-  def time
-    Time.now.rfc2822
+  def canon_json(params_hash = nil)
+    return '' if params_hash.nil?
+    JSON.generate(Hash[params_hash.sort])
+  end
+
+  def canon_x_duo_headers(additional_headers)
+    additional_headers ||= {}
+
+    if not additional_headers.select{|k,v| k.nil? or v.nil?}.empty?
+      raise 'Not allowed "nil" as a header name or value'
+    end
+
+    canon_list = []
+    added_headers = []
+    additional_headers.keys.sort.each do |header_name|
+      header_name_lowered = header_name.downcase
+      header_value = additional_headers[header_name]
+      validate_additional_header(header_name_lowered, header_value, added_headers)
+      canon_list.append(header_name_lowered, header_value)
+      added_headers.append(header_name_lowered)
+    end
+
+    canon = canon_list.join("\x00")
+    OpenSSL::Digest::SHA512.hexdigest(canon)
+  end
+
+  def validate_additional_header(header_name, value, added_headers)
+    raise 'Not allowed "Null" character in header name' if header_name.include?("\x00")
+    raise 'Not allowed "Null" character in header value' if value.include?("\x00")
+    raise 'Additional headers must start with \'X-Duo-\'' unless header_name.downcase.start_with?('x-duo-')
+    raise "Duplicate header passed, header=#{header_name}" if added_headers.include?(header_name.downcase)
   end
 
   def request_uri(path, params = nil)
     u = 'https://' + @host + path
-    u += '?' + encode_params(params) unless params.nil?
+    u += '?' + canon_params(params) unless params.nil?
     URI.parse(u)
   end
 
-  def canonicalize(method, host, path, params, options = {})
-    options[:date] ||= time
+  def canonicalize(method, host, path, params, body = '', additional_headers = nil, options: {})
+    # options[:date] being passed manually is specifically for tests
+    date = options[:date] || Time.now.rfc2822()
     canon = [
-      options[:date],
+      date,
       method.upcase,
       host.downcase,
       path,
-      encode_params(params)
+      canon_params(params),
+      OpenSSL::Digest::SHA512.hexdigest(body),
+      canon_x_duo_headers(additional_headers)
     ]
-    [options[:date], canon.join("\n")]
+    [date, canon.join("\n")]
   end
 
-  def sign(method, host, path, params, options = {})
-    date, canon = canonicalize(method, host, path, params, date: options[:date])
+  def sign(method, host, path, params, body = '', additional_headers = nil, options: {})
+    # options[:date] being passed manually is specifically for tests
+    date, canon = canonicalize(method, host, path, params, body, additional_headers, options: options)
     [date, OpenSSL::HMAC.hexdigest('sha512', @skey, canon)]
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: duo_api
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Duo Security
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-07 00:00:00.000000000 Z
+date: 2025-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -66,6 +66,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.8.0
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.1.0
 description: A Ruby implementation of the Duo API.
 email: support@duo.com
 executables: []
@@ -78,7 +92,7 @@ homepage: https://github.com/duosecurity/duo_api_ruby
 licenses:
 - BSD-3-Clause
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -93,8 +107,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: Duo API Ruby
 test_files: []