escher 0.2.1 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba40c7a7b12bb5aec126c7151b4a8cf81eaa3f51
-  data.tar.gz: 3fa09ffdec0d12b2bb7deaaf9aa30cecc23dfe63
+  metadata.gz: a08450345302a7c0e0b1d789ef7a23850151f234
+  data.tar.gz: ff3bfb71fba27c558bc3abd9e96331dc8bd1c354
 SHA512:
-  metadata.gz: b5060b34740b6300e7f9abef1ee5ef32c4470336dbf956d74047a9e9048e5990b9755738f650221db734493d3a0ad27101905c669111edbda9e9b52f9dbce555
-  data.tar.gz: 4fdcfda5426410a5ba9b465099630d626a72ce105bffdd968765ac284bdbfe79057a594f942822cbb2b9c351a72c94a702f86ad4134de81a965cf56f839ec07d
+  metadata.gz: 2b68ae2a96d4ccfa0ad1fbbb2966056e316872e140ee984cd8d38eef474faee7c7b4f81b0e33ea654fce0aaa7f3785589fc53b8200b7ad24eb629b58d8ff5138
+  data.tar.gz: 8ada366ab04fc7895aca5026dcb8a2fc08603cdd604e74979ecb1ad238436b64fc9a07d23fd1d53b23f4c7bdf7b37c3c672abe7205c647ebf10acbd496a84686

data/escher.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
   spec.email         = ["andras.barthazi@emarsys.com"]
   spec.summary       = %q{Library for HTTP request signing (Ruby implementation)}
   spec.description   = %q{Escher helps you creating secure HTTP requests (for APIs) by signing HTTP(s) requests.}
-  spec.homepage      = "https://github.com/emartech/escher-ruby"
+  spec.homepage      = "http://escherauth.io/"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files -z`.split("\x0")
@@ -18,9 +18,13 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = '>= 1.9'
+
   spec.add_development_dependency "bundler", "~> 1.6"
   spec.add_development_dependency "rake", "~> 10"
   spec.add_development_dependency "rspec", "~> 2"
 
+  spec.add_development_dependency "rack"
+
   spec.add_runtime_dependency "addressable", "~> 2.3"
 end

data/lib/escher/auth.rb

@@ -0,0 +1,341 @@
+module Escher
+  class Auth
+
+    def initialize(credential_scope, options = {})
+      @credential_scope = credential_scope
+      @algo_prefix = options[:algo_prefix] || 'ESR'
+      @vendor_key = options[:vendor_key] || 'Escher'
+      @hash_algo = options[:hash_algo] || 'SHA256'
+      @current_time = options[:current_time] || Time.now
+      @auth_header_name = options[:auth_header_name] || 'X-Escher-Auth'
+      @date_header_name = options[:date_header_name] || 'X-Escher-Date'
+      @clock_skew = options[:clock_skew] || 900
+      @algo = create_algo
+      @algo_id = @algo_prefix + '-HMAC-' + @hash_algo
+    end
+
+
+
+    def sign!(req, client, headers_to_sign = [])
+      headers_to_sign |= [@date_header_name.downcase, 'host']
+
+      request = wrap_request req
+      raise EscherError, 'Missing header: Host' unless request.has_header? 'host'
+
+      request.set_header(@date_header_name, format_date_for_header) unless request.has_header? @date_header_name
+
+      signature = generate_signature(client[:api_secret], request.body, request.headers, request.method, headers_to_sign, request.path, request.query_values)
+      request.set_header(@auth_header_name, "#{@algo_id} Credential=#{client[:api_key_id]}/#{short_date(@current_time)}/#{@credential_scope}, SignedHeaders=#{prepare_headers_to_sign headers_to_sign}, Signature=#{signature}")
+
+      request.request
+    end
+
+
+
+    def is_valid?(*args)
+      begin
+        authenticate(*args)
+        return true
+      rescue
+        return false
+      end
+    end
+
+
+
+    def authenticate(req, key_db)
+      request = wrap_request req
+      method = request.method
+      body = request.body
+      headers = request.headers
+      path = request.path
+      query_parts = request.query_values
+
+      signature_from_query = get_signing_param('Signature', query_parts)
+
+      (['Host'] + (signature_from_query ? [] : [@auth_header_name, @date_header_name])).each do |header|
+        raise EscherError, 'Missing header: ' + header unless request.header header
+      end
+
+      if method == 'GET' && signature_from_query
+        raw_date = get_signing_param('Date', query_parts)
+        algorithm, api_key_id, short_date, credential_scope, signed_headers, signature, expires = get_auth_parts_from_query(query_parts)
+
+        body = 'UNSIGNED-PAYLOAD'
+        query_parts.delete [query_key_for('Signature'), signature]
+        query_parts = query_parts.map { |k, v| [uri_decode(k), uri_decode(v)] }
+      else
+        raw_date = request.header @date_header_name
+        auth_header = request.header @auth_header_name
+        algorithm, api_key_id, short_date, credential_scope, signed_headers, signature, expires = get_auth_parts_from_header(auth_header)
+      end
+
+      date = Time.parse(raw_date)
+      api_secret = key_db[api_key_id]
+
+      raise EscherError, 'Invalid API key' unless api_secret
+      raise EscherError, 'Only SHA256 and SHA512 hash algorithms are allowed' unless %w(SHA256 SHA512).include?(algorithm)
+      raise EscherError, 'Invalid request date' unless short_date(date) == short_date
+      raise EscherError, 'The request date is not within the accepted time range' unless is_date_within_range?(date, expires)
+      raise EscherError, 'Invalid credentials' unless credential_scope == @credential_scope
+      raise EscherError, 'Host header is not signed' unless signed_headers.include? 'host'
+      raise EscherError, 'Only the host header should be signed' if signature_from_query && signed_headers != ['host']
+      raise EscherError, 'Date header is not signed' if !signature_from_query && !signed_headers.include?(@date_header_name.downcase)
+
+      escher = reconfig(algorithm, credential_scope, date)
+      expected_signature = escher.generate_signature(api_secret, body, headers, method, signed_headers, path, query_parts)
+      raise EscherError, 'The signatures do not match' unless signature == expected_signature
+      api_key_id
+    end
+
+
+
+    def reconfig(algorithm, credential_scope, date)
+      self.class.new(
+        credential_scope,
+        algo_prefix: @algo_prefix,
+        vendor_key: @vendor_key,
+        hash_algo: algorithm,
+        auth_header_name: @auth_header_name,
+        date_header_name: @date_header_name,
+        current_time: date
+      )
+    end
+
+
+
+    def generate_signed_url(url_to_sign, client, expires = 86400)
+      uri = Addressable::URI.parse(url_to_sign)
+      host = uri.host
+      path = uri.path
+      query_parts = (uri.query || '')
+      .split('&', -1)
+      .map { |pair| pair.split('=', -1) }
+      .map { |k, v| (k.include? ' ') ? [k.str(/\S+/), ''] : [k, v] }
+
+      headers = [['host', host]]
+      headers_to_sign = ['host']
+      body = 'UNSIGNED-PAYLOAD'
+      query_parts += [
+        ['Algorithm', @algo_id],
+        ['Credentials', "#{client[:api_key_id]}/#{short_date(@current_time)}/#{@credential_scope}"],
+        ['Date', long_date(@current_time)],
+        ['Expires', expires.to_s],
+        ['SignedHeaders', headers_to_sign.join(';')],
+      ].map { |k, v| query_pair(k, v) }
+
+      signature = generate_signature(client[:api_secret], body, headers, 'GET', headers_to_sign, path, query_parts)
+      query_parts_with_signature = (query_parts.map { |k, v| [uri_encode(k), uri_encode(v)] } << query_pair('Signature', signature))
+
+      uri.scheme + '://' + host + path + '?' + query_parts_with_signature.map { |k, v| k + '=' + v }.join('&')
+    end
+
+
+
+    def query_pair(k, v)
+      [query_key_for(k), v]
+    end
+
+
+
+    def query_key_for(key)
+      "X-#{@vendor_key}-#{key}"
+    end
+
+
+
+    def get_signing_param(key, query_parts)
+      the_param = (query_parts.detect { |param| param[0] === query_key_for(key) })
+      the_param ? uri_decode(the_param[1]) : nil
+    end
+
+
+
+    def get_auth_parts_from_header(auth_header)
+      m = /#{@algo_prefix}-HMAC-(?<algo>[A-Z0-9\,]+) Credential=(?<api_key_id>[A-Za-z0-9\-_]+)\/(?<short_date>[0-9]{8})\/(?<credentials>[A-Za-z0-9\-_\/]+), SignedHeaders=(?<signed_headers>[A-Za-z\-;]+), Signature=(?<signature>[0-9a-f]+)$/
+      .match auth_header
+      raise EscherError, 'Malformed authorization header' unless m && m['credentials']
+      return m['algo'], m['api_key_id'], m['short_date'], m['credentials'], m['signed_headers'].split(';'), m['signature'], 0
+    end
+
+
+
+    def get_auth_parts_from_query(query_parts)
+      expires = get_signing_param('Expires', query_parts).to_i
+      api_key_id, short_date, credential_scope = get_signing_param('Credentials', query_parts).split('/', 3)
+      signed_headers = get_signing_param('SignedHeaders', query_parts).split ';'
+      algorithm = parse_algo(get_signing_param('Algorithm', query_parts))
+      signature = get_signing_param('Signature', query_parts)
+      return algorithm, api_key_id, short_date, credential_scope, signed_headers, signature, expires
+    end
+
+
+
+    def generate_signature(api_secret, body, headers, method, signed_headers, path, query_parts)
+      canonicalized_request = canonicalize(method, path, query_parts, body, headers, signed_headers.uniq)
+      string_to_sign = get_string_to_sign(canonicalized_request)
+
+      signing_key = Digest::HMAC.digest(short_date(@current_time), @algo_prefix + api_secret, @algo)
+      @credential_scope.split('/').each { |data|
+        signing_key = Digest::HMAC.digest(data, signing_key, @algo)
+      }
+
+      Digest::HMAC.hexdigest(string_to_sign, signing_key, @algo)
+    end
+
+
+
+    def format_date_for_header
+      @date_header_name.downcase == 'date' ? @current_time.utc.rfc2822.sub('-0000', 'GMT') : long_date(@current_time)
+    end
+
+
+
+    def canonicalize(method, path, query_parts, body, headers, headers_to_sign)
+      [
+        method,
+        canonicalize_path(path),
+        canonicalize_query(query_parts),
+        canonicalize_headers(headers, headers_to_sign).join("\n"),
+        '',
+        prepare_headers_to_sign(headers_to_sign),
+        @algo.new.hexdigest(body)
+      ].join "\n"
+    end
+
+
+
+    def prepare_headers_to_sign(headers_to_sign)
+      headers_to_sign.sort.uniq.join(';')
+    end
+
+
+
+    def parse_uri(request_uri)
+      path, query = request_uri.split '?', 2
+      return path, (query || '')
+      .split('&', -1)
+      .map { |pair| pair.split('=', -1) }
+      .map { |k, v| (k.include? ' ') ? [k.str(/\S+/), ''] : [k, v] }
+    end
+
+
+
+    def get_string_to_sign(canonicalized_request)
+      [
+        @algo_id,
+        long_date(@current_time),
+        short_date(@current_time) + '/' + @credential_scope,
+        @algo.new.hexdigest(canonicalized_request)
+      ].join("\n")
+    end
+
+
+
+    def create_algo
+      case @hash_algo
+        when 'SHA256'
+          @algo = Digest::SHA2.new(256)
+        when 'SHA512'
+          @algo = Digest::SHA2.new(512)
+        else
+          raise EscherError, 'Unidentified hash algorithm'
+      end
+    end
+
+
+
+    def long_date(date)
+      date.utc.strftime('%Y%m%dT%H%M%SZ')
+    end
+
+
+
+    def short_date(date)
+      date.utc.strftime('%Y%m%d')
+    end
+
+
+
+    def is_date_within_range?(request_date, expires)
+      (request_date - @clock_skew .. request_date + expires + @clock_skew).cover? @current_time
+    end
+
+
+
+    def parse_algo(algorithm)
+      m = /^#{@algo_prefix}-HMAC-(?<algo>[A-Z0-9\,]+)$/.match(algorithm)
+      m && m['algo']
+    end
+
+
+
+    def canonicalize_path(path)
+      while path.gsub!(%r{([^/]+)/\.\./?}) { |match| $1 == '..' ? match : '' } do
+      end
+      path.gsub(%r{/\./}, '/').sub(%r{/\.\z}, '/').gsub(/\/+/, '/')
+    end
+
+
+
+    def canonicalize_headers(raw_headers, headers_to_sign)
+      headers = {}
+      raw_headers.each do |raw_header|
+        if raw_header[0].downcase != @auth_header_name.downcase
+          if headers[raw_header[0].downcase]
+            headers[raw_header[0].downcase] << raw_header[1]
+          else
+            headers[raw_header[0].downcase] = [raw_header[1]]
+          end
+        end
+      end
+      headers
+      .sort
+      .select { |h| headers_to_sign.include?(h[0]) }
+      .map { |k, v| k + ':' + v.map { |piece| normalize_white_spaces piece }.join(',') }
+    end
+
+
+
+    def normalize_white_spaces(value)
+      value.strip.split('"', -1).map.with_index { |piece, index|
+        is_inside_of_quotes = (index % 2 === 1)
+        is_inside_of_quotes ? piece : piece.gsub(/\s+/, ' ')
+      }.join '"'
+    end
+
+
+
+    def canonicalize_query(query_parts)
+      query_parts
+      .map { |k, v| uri_encode(k.gsub('+', ' ')) + '=' + uri_encode(v || '') }
+      .sort.join '&'
+    end
+
+
+
+    def uri_encode(component)
+      Addressable::URI.encode_component(component, Addressable::URI::CharacterClasses::UNRESERVED)
+    end
+
+
+
+    def uri_decode(component)
+      Addressable::URI.unencode_component(component)
+    end
+
+
+
+    private
+
+    def wrap_request(request)
+      Escher::Request::Factory.from_request request
+    end
+
+  end
+
+
+  class EscherError < RuntimeError
+  end
+
+end

data/lib/escher/request/base.rb

@@ -0,0 +1,29 @@
+module Escher
+  module Request
+    class Base
+
+      attr_reader :request
+
+
+
+      def initialize(request)
+        @request = request
+      end
+
+
+
+      def has_header?(name)
+        not header(name).nil?
+      end
+
+
+
+      def header(name)
+        header = headers.find { |(header_name, _)| header_name.downcase == name.downcase }
+        return nil if header.nil?
+        header[1]
+      end
+
+    end
+  end
+end

data/lib/escher/request/factory.rb

@@ -0,0 +1,24 @@
+require_relative 'base'
+
+require_relative 'hash_request'
+require_relative 'legacy_request'
+require_relative 'rack_request'
+
+module Escher
+  module Request
+    class Factory
+
+      def self.from_request(request)
+        case request
+          when Hash
+            HashRequest.new request
+          when lambda { |request| request.class.ancestors.map(&:to_s).include? "Rack::Request" }
+            RackRequest.new request
+          else
+            Escher::Request::LegacyRequest.new request
+        end
+      end
+
+    end
+  end
+end

data/lib/escher/request/hash_request.rb

@@ -0,0 +1,67 @@
+module Escher
+  module Request
+    class HashRequest < Base
+
+      # Based on the example in RFC 3986, but scheme, user, password,
+      # host, port and fragment support removed, only path and query left
+      URI_REGEXP = /^([^?#]*)(\?(.*))?$/
+
+
+
+      def initialize(request)
+        super request
+        @uri = parse_uri request[:uri]
+      end
+
+
+
+      def headers
+        request[:headers].map { |(header_name, value)| [header_name.gsub('_', '-'), value] }
+      end
+
+
+
+      def set_header(name, value)
+        request[:headers] ||= []
+        request[:headers] << [name, value] unless has_header? name
+      end
+
+
+
+      def method
+        request[:method]
+      end
+
+
+
+      def body
+        request[:body] or ''
+      end
+
+
+
+      def path
+        @uri.path
+      end
+
+
+
+      def query_values
+        @uri.query_values(Array) or []
+      end
+
+
+
+      private
+
+      def parse_uri(uri)
+        uri.match URI_REGEXP do |match_data|
+          Addressable::URI.new({:path => match_data[1],
+                                :query => match_data[3]})
+        end
+      end
+
+    end
+
+  end
+end

data/lib/escher/request/legacy_request.rb

@@ -0,0 +1,157 @@
+module Escher
+  module Request
+    class LegacyRequest
+
+      # based on the example in RFC 3986, but scheme, user, password,
+      # host, port and fraement support removed, only path and query left
+      URIREGEX = /^([^?#]*)(\?(.*))?$/
+
+
+
+      def initialize(request)
+        @request = request
+        prepare_request_uri
+        prepare_request_headers
+      end
+
+
+
+      def prepare_request_uri
+        case @request.class.to_s
+          when 'Hash'
+            uri = @request[:uri]
+          else
+            uri = @request.uri
+        end
+        fragments = uri.scan(URIREGEX)[0]
+        @request_uri = Addressable::URI.new({
+                                              :path => fragments[0],
+                                              :query => fragments[2],
+                                            })
+        raise "Invalid request URI: #{@request_uri}" unless @request_uri
+      end
+
+
+
+      def prepare_request_headers
+        @request_headers = []
+        case @request.class.to_s
+          when 'Hash'
+            @request_headers = @request[:headers]
+          when 'Sinatra::Request' # TODO: not working yet
+            @request.env.each { |key, value|
+              if key.downcase[0, 5] == "http_"
+                @request_headers += [[key[5..-1].gsub("_", "-"), value]]
+              end
+            }
+          when 'WEBrick::HTTPRequest'
+            @request.header.each { |key, values|
+              values.each { |value|
+                @request_headers += [[key, value]]
+              }
+            }
+        end
+      end
+
+
+
+      def request
+        @request
+      end
+
+
+
+      def headers
+        @request_headers
+      end
+
+
+
+      def set_header(key, value)
+        found = false
+        @request_headers.each { |header|
+          if not found and header[0].downcase == key.downcase
+            header[1] = value
+            found = true
+          end
+        }
+        unless found
+          @request_headers += [[key, value]]
+        end
+        case @request.class.to_s
+          when 'Hash'
+            @request[:headers] = @request_headers
+          else
+            @request[key] = value
+        end
+      end
+
+
+
+      def has_header?(key)
+        @request_headers.each { |header|
+          if header[0].downcase == key.downcase
+            return true
+          end
+        }
+        return false
+      end
+
+
+
+      def method
+        case @request.class.to_s
+          when 'Hash'
+            @request[:method]
+          else
+            @request.request_method
+        end
+      end
+
+
+
+      # TODO: create a test for empty body (= nil)
+      def body
+        case @request.class.to_s
+          when 'Hash'
+            @request[:body] || ''
+          else
+            @request.body || ''
+        end
+      end
+
+
+
+      def host
+        @request_headers.each { |header|
+          if header[0].downcase == key.downcase
+            return header[1]
+          end
+        }
+        case @request.class.to_s
+          when 'Hash'
+            @request[:host]
+          else
+            begin
+              @request.host
+            rescue
+              ""
+            end
+        end
+      end
+
+
+
+      def path
+        @request_uri.path
+      end
+
+
+
+      def query_values
+        @request_uri.query_values(Array) || []
+      end
+
+    end
+  end
+end

data/lib/escher/request/rack_request.rb

@@ -0,0 +1,42 @@
+module Escher
+  module Request
+    class RackRequest < Base
+
+      def headers
+        request.env.
+          select { |header_name, _| header_name.start_with? "HTTP_" }.
+          map { |header_name, value| [header_name[5..-1].tr('_', '-'), value] }
+      end
+
+
+
+      def method
+        request.request_method
+      end
+
+
+
+      def body
+        request.body or ''
+      end
+
+
+
+      def path
+        request.env['REQUEST_PATH']
+      end
+
+
+
+      def query_values
+        Addressable::URI.new(:query => request.env['QUERY_STRING']).query_values(Array) or []
+      end
+
+
+
+      def set_header(header_name, value)
+      end
+
+    end
+  end
+end

data/lib/escher/version.rb

@@ -1,3 +1,3 @@
-class Escher
-  VERSION = '0.2.1'
+module Escher
+  VERSION = '0.3.1'
 end