RubyGems - escher - Versions diffs - 0.0.1 → 0.0.2 - Mend

escher 0.0.1 → 0.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

data/lib/escher.rb CHANGED Viewed

@@ -2,69 +2,95 @@ require 'time'
 require 'uri'
 require 'digest'
+class EscherError < RuntimeError
+end
 module Escher
-  VERSION = '0.0.1'
+  VERSION = '0.0.2'
   def self.default_options
     {:auth_header_name => 'X-Ems-Auth', :date_header_name => 'X-Ems-Date', :vendor_prefix => 'EMS'}
   end
-  def self.validate_request(method, url, body, headers, options = {})
+  def self.validate_request(method, request_uri, body, headers, key_db, accepted_credentials, current_time = Time.now, options = {})
     options = default_options.merge(options)
-    auth_header = get_header(options[:auth_header_name], headers)
+    host = get_header('host', headers)
     date = get_header(options[:date_header_name], headers)
+    auth_header = get_header(options[:auth_header_name], headers)
     algo, api_key_id, short_date, credential_scope, signed_headers, signature = parse_auth_header auth_header, options[:vendor_prefix]
-    api_secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
+    raise EscherError, 'Host header is not signed' unless signed_headers.include? 'host'
+    raise EscherError, 'Date header is not signed' unless signed_headers.include? options[:date_header_name].downcase
+    raise EscherError, 'Invalid request date' unless short_date(date) == short_date && within_range(current_time, date)
+    # TODO validate host header
+    raise EscherError, 'Invalid credentials' unless credential_scope == accepted_credentials
+    api_secret = key_db[api_key_id]
-    signature == generate_signature(algo, api_secret, body, credential_scope, date, headers, method, signed_headers, url, options[:vendor_prefix], options[:auth_header_name], options[:date_header_name])
+    signature == generate_signature(algo, api_secret, body, credential_scope.join('/'), date, headers, method, signed_headers, host, request_uri, options[:vendor_prefix], options[:auth_header_name], options[:date_header_name])
+  end
+  def self.short_date(date)
+    long_date(date)[0..7]
+  end
+  def self.within_range(current_time, date)
+    (current_time - 900 .. current_time + 900).cover?(Time.parse date)
   end
   def self.get_header(header_name, headers)
-    (headers.detect { |header| header[0].downcase == header_name.downcase })[1]
+    header = (headers.detect { |header| header[0].downcase == header_name.downcase })
+    raise EscherError, "Missing header: #{header_name.downcase}" unless header
+    header[1]
   end
   def self.parse_auth_header(auth_header, vendor_prefix)
-    m = /#{vendor_prefix.upcase}-HMAC-(?<algo>[A-Z0-9\,]+) Credential=(?<credentials>[A-Za-z0-9\/\-_]+), SignedHeaders=(?<signed_headers>[A-Za-z\-;]+), Signature=(?<signature>[0-9a-f]+)$/
+    m = /#{vendor_prefix.upcase}-HMAC-(?<algo>[A-Z0-9\,]+) Credential=(?<api_key_id>[A-Za-z0-9\-_]+)\/(?<short_date>[0-9]{8})\/(?<credentials>[A-Za-z0-9\-_\/]+), SignedHeaders=(?<signed_headers>[A-Za-z\-;]+), Signature=(?<signature>[0-9a-f]+)$/
     .match auth_header
+    raise EscherError, 'Malformed authorization header' unless m && m['credentials']
     [
         m['algo'],
-    ] + m['credentials'].split('/', 3) + [
+        m['api_key_id'],
+        m['short_date'],
+        m['credentials'].split('/'),
         m['signed_headers'].split(';'),
         m['signature'],
     ]
   end
-  def self.get_auth_header(client, method, url, body, headers, headers_to_sign, date = Time.now.utc.rfc2822, algo = 'SHA256', options = {})
+  def self.generate_auth_header(client, method, host, request_uri, body, headers, headers_to_sign, date = Time.now.utc.rfc2822, algo = 'SHA256', options = {})
     options = default_options.merge options
-    signature = generate_signature(algo, client[:api_secret], body, client[:credential_scope], date, headers, method, headers_to_sign, url, options[:vendor_prefix], options[:auth_header_name], options[:date_header_name])
-    "#{algo_id(options[:vendor_prefix], algo)} Credential=#{client[:api_key_id]}/#{long_date(date)[0..7]}/#{client[:credential_scope]}, SignedHeaders=#{headers_to_sign.uniq.join ';'}, Signature=#{signature}"
+    signature = generate_signature(algo, client[:api_secret], body, credential_scope_as_string(client), date, headers, method, headers_to_sign, host, request_uri, options[:vendor_prefix], options[:auth_header_name], options[:date_header_name])
+    "#{algo_id(options[:vendor_prefix], algo)} Credential=#{client[:api_key_id]}/#{short_date(date)}/#{credential_scope_as_string(client)}, SignedHeaders=#{headers_to_sign.uniq.join ';'}, Signature=#{signature}"
+  end
+  def self.credential_scope_as_string(client)
+    client[:credential_scope].join '/'
   end
-  def self.generate_signature(algo, api_secret, body, credential_scope, date, headers, method, signed_headers, url, vendor_prefix, auth_header_name, date_header_name)
-    canonicalized_request = canonicalize method, url, body, date, headers, signed_headers, algo, auth_header_name, date_header_name
+  def self.generate_signature(algo, api_secret, body, credential_scope, date, headers, method, signed_headers, host, request_uri, vendor_prefix, auth_header_name, date_header_name)
+    canonicalized_request = canonicalize method, host, request_uri, body, date, headers, signed_headers, algo, auth_header_name, date_header_name
     string_to_sign = get_string_to_sign credential_scope, canonicalized_request, date, vendor_prefix, algo
-    signing_key = calculate_signing_key(api_secret, date, vendor_prefix, credential_scope, algo)
-    signature = calculate_signature(algo, signing_key, string_to_sign)
+    signing_key = calculate_signing_key api_secret, date, vendor_prefix, credential_scope, algo
+    calculate_signature algo, signing_key, string_to_sign
   end
   def self.calculate_signature(algo, signing_key, string_to_sign)
     Digest::HMAC.hexdigest(string_to_sign, signing_key, create_algo(algo))
   end
-  def self.canonicalize(method, url, body, date, headers, headers_to_sign, algo, auth_header_name, date_header_name)
-    url, query = url.split '?', 2 # URI#parse cannot parse unicode characters in query string TODO use Adressable
-    uri = URI.parse(url)
+  def self.canonicalize(method, host, request_uri, body, date, headers, headers_to_sign, algo, auth_header_name, date_header_name)
+    path, query = request_uri.split '?', 2
     ([
         method.upcase,
-        canonicalize_path(uri),
+        canonicalize_path(path),
         canonicalize_query(query),
-    ] + canonicalize_headers(date, uri, headers, auth_header_name, date_header_name) + [
+    ] + canonicalize_headers(date, host, headers, auth_header_name, date_header_name) + [
         '',
-        (headers_to_sign | %w(date host)).join(';'),
+        (headers_to_sign | [date_header_name.downcase, 'host']).join(';'),
         request_body_hash(body, algo)
     ]).join "\n"
   end
@@ -88,7 +114,7 @@ module Escher
       when 'SHA512'
         return Digest::SHA512
       else
-        raise('Unidentified hash algorithm')
+        raise EscherError, 'Unidentified hash algorithm'
     end
   end
@@ -102,20 +128,21 @@ module Escher
   def self.calculate_signing_key(api_secret, date, vendor_prefix, credential_scope, algo)
     signing_key = vendor_prefix + api_secret
-    for data in [long_date(date)[0..7]] + credential_scope.split('/') do
+    for data in [short_date(date)] + credential_scope.split('/') do
       signing_key = Digest::HMAC.digest(data, signing_key, create_algo(algo))
     end
     signing_key
   end
-  def self.canonicalize_path(uri)
-    path = uri.path
+  def self.canonicalize_path(path)
     while path.gsub!(%r{([^/]+)/\.\./?}) { |match| $1 == '..' ? match : '' } do end
-    path = path.gsub(%r{/\./}, '/').sub(%r{/\.\z}, '/').gsub(/\/+/, '/')
+    path.gsub(%r{/\./}, '/').sub(%r{/\.\z}, '/').gsub(/\/+/, '/')
   end
-  def self.canonicalize_headers(date, uri, raw_headers, auth_header_name, date_header_name)
-    collect_headers(raw_headers, auth_header_name).merge({date_header_name.downcase => [date], 'host' => [uri.host]}).map { |k, v| k + ':' + (v.sort_by { |x| x }).join(',').gsub(/\s+/, ' ').strip }
+  def self.canonicalize_headers(date, host, raw_headers, auth_header_name, date_header_name)
+    collect_headers(raw_headers, auth_header_name).merge({date_header_name.downcase => [date], 'host' => [host]})
+      .sort
+      .map { |k, v| k + ':' + (v.sort_by { |x| x }).join(',').gsub(/\s+/, ' ').strip }
   end
   def self.collect_headers(raw_headers, auth_header_name)

metadata CHANGED Viewed

@@ -1,7 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: escher
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
+  prerelease:
 platform: ruby
 authors:
 - Andras Barthazi
@@ -13,43 +14,49 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0'
 description: For Emarsys API
@@ -62,25 +69,26 @@ files:
 homepage: http://emarsys.com
 licenses:
 - MIT
-metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - '>='
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - '>='
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.7
+rubygems_version: 1.8.23
 signing_key:
-specification_version: 4
+specification_version: 3
 summary: Escher - Emarsys request signing library
 test_files: []

checksums.yaml DELETED Viewed

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 981338fcbb72266308f87b15a3d9bc95a26d78cd
-  data.tar.gz: 8523d44bcaabc7165ce430ab469e0684fec5980d
-SHA512:
-  metadata.gz: 6f74fc90792b502604a30b1056b2d3fd9ee13f7ec00982ec45b1aa75da387d7c69b5a51790734cbe8f124c36434f09ca407a3be1d24f14b67aa581ad3d2470ee
-  data.tar.gz: ee4a26a105765b9ed62e5feeb0aab7e6392b8cfba21dad5765e3c376d77bb3d86c4a0b4b8915dc6b23d99d81f44ee9779f68710b3c2bb043b9a5d62bd88f02ca