escher 0.3.7 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b1c99900670a9017bfe4565037cffade7ea2b9a1
-  data.tar.gz: e3e74a858ff3b42decd6367bfbf4e14ee92a80ee
+  metadata.gz: 3d4de4f3f3b3d16060cff1ca9157b781a2d5039a
+  data.tar.gz: a6982455c5ad1c086f4fbf99466dae4272e12f30
 SHA512:
-  metadata.gz: 759ac6e2e5e05b4db8c084e7dcd2a337d785193e0ee76d4abef20b5076cc3e6f382927cc53fc35b9ae4486f5fae69b6b07689c2f9ea9716a52d06c7fb4934179
-  data.tar.gz: d23ffaceb2d89564d48fad3f2e361c66d38c695d579b1c282dff0ba4470d4b30467e957b043a812867bf1f5dbdbaf26e319cffccec96c7c71512de3aa38816ba
+  metadata.gz: 0234c0322a91d4787e82945ba4ec4831cd2158829192d779773282b49fe51999328c1998fb349d1e336e655373af95b5861ab0cfc42bd91b67358511af8b16d1
+  data.tar.gz: 5c1e6281e2608991d4691565d1397a3db070cb4e565e6223ed28e8e2e1e7798176c07bd8297a6341fbe5887c1762f59d1d56d3423174e8aa2e3348e7175239c3

data/.gitignore

@@ -10,6 +10,7 @@ Gemfile.lock
 # Ignore all logfiles and tempfiles.
 /log/*.log
 /tmp
+/spec/emarsys_test_suite/
 
 .env
 .ruby-version

data/.travis.yml

@@ -1,5 +1,5 @@
 language: ruby
 rvm:
-  - 1.9.3
-  - 2.1.2
-  - 2.2.1
+  - 2.2.3
+  - 2.3.0
+before_script: ./scripts/checkout_test_suite.sh

data/Rakefile

@@ -9,3 +9,8 @@ RSpec::Core::RakeTask.new :spec do |task|
 end
 
 task :default => :spec
+
+desc "Check out centralised test suite into spec/emarsys_test_suite."
+task :checkout_test_suite do
+  `scripts/checkout_test_suite.sh`
+end

data/escher.gemspec

@@ -27,6 +27,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec", "~> 2"
 
   spec.add_development_dependency "rack"
+  spec.add_development_dependency "plissken"
 
   spec.add_runtime_dependency "addressable", "~> 2.3"
 end

data/lib/escher/auth.rb

@@ -9,7 +9,7 @@ module Escher
       @current_time = options[:current_time] || Time.now
       @auth_header_name = options[:auth_header_name] || 'X-Escher-Auth'
       @date_header_name = options[:date_header_name] || 'X-Escher-Date'
-      @clock_skew = options[:clock_skew] || 900
+      @clock_skew = options[:clock_skew] || 300
       @algo = create_algo
       @algo_id = @algo_prefix + '-HMAC-' + @hash_algo
     end
@@ -22,7 +22,7 @@ module Escher
       request = wrap_request req
       raise EscherError, 'The host header is missing' unless request.has_header? 'host'
 
-      request.set_header(@date_header_name, format_date_for_header) unless request.has_header? @date_header_name
+      request.set_header(@date_header_name.downcase, format_date_for_header) unless request.has_header? @date_header_name
 
       signature = generate_signature(client[:api_secret], request.body, request.headers, request.method, headers_to_sign, request.path, request.query_values)
       request.set_header(@auth_header_name, "#{@algo_id} Credential=#{client[:api_key_id]}/#{short_date(@current_time)}/#{@credential_scope}, SignedHeaders=#{prepare_headers_to_sign headers_to_sign}, Signature=#{signature}")
@@ -43,7 +43,7 @@ module Escher
 
 
 
-    def authenticate(req, key_db)
+    def authenticate(req, key_db, mandatory_signed_headers = nil)
       request = wrap_request req
       method = request.method
       body = request.body
@@ -54,7 +54,7 @@ module Escher
       signature_from_query = get_signing_param('Signature', query_parts)
 
       (['Host'] + (signature_from_query ? [] : [@auth_header_name, @date_header_name])).each do |header|
-        raise EscherError, 'The ' + header + ' header is missing' unless request.header header
+        raise EscherError, 'The ' + header.downcase + ' header is missing' unless request.header header
       end
 
       if method == 'GET' && signature_from_query
@@ -76,11 +76,20 @@ module Escher
       api_secret = key_db[api_key_id]
 
       raise EscherError, 'Invalid Escher key' unless api_secret
-      raise EscherError, 'Only SHA256 and SHA512 hash algorithms are allowed' unless %w(SHA256 SHA512).include?(algorithm)
-      raise EscherError, 'The ' + @auth_header_name + ' header\'s shortDate does not match with the request date' unless short_date(date) == short_date
+      raise EscherError, 'Invalid hash algorithm, only SHA256 and SHA512 are allowed' unless %w(SHA256 SHA512).include?(algorithm)
+      raise EscherError, 'The request method is invalid' unless valid_request_method?(method)
+      raise EscherError, "The request body shouldn't be empty if the request method is POST" if (method.upcase == 'POST' && body.empty?)
+      raise EscherError, "The request url shouldn't contains http or https" if path.match /^https?:\/\//
+      raise EscherError, 'Invalid date in authorization header, it should equal with date header' unless short_date(date) == short_date
       raise EscherError, 'The request date is not within the accepted time range' unless is_date_within_range?(date, expires)
-      raise EscherError, 'The credential scope is invalid' unless credential_scope == @credential_scope
+      raise EscherError, 'Invalid Credential Scope' unless credential_scope == @credential_scope
+      raise EscherError, 'The mandatorySignedHeaders parameter must be undefined or array of strings' unless mandatory_signed_headers_valid?(mandatory_signed_headers)
       raise EscherError, 'The host header is not signed' unless signed_headers.include? 'host'
+      unless mandatory_signed_headers.nil?
+        mandatory_signed_headers.each do |header|
+          raise EscherError, "The #{header} header is not signed" unless signed_headers.include? header
+        end
+      end
       raise EscherError, 'Only the host header should be signed' if signature_from_query && signed_headers != ['host']
       raise EscherError, 'The date header is not signed' if !signature_from_query && !signed_headers.include?(@date_header_name.downcase)
 
@@ -163,7 +172,7 @@ module Escher
     def get_auth_parts_from_header(auth_header)
       m = /#{@algo_prefix}-HMAC-(?<algo>[A-Z0-9\,]+) Credential=(?<api_key_id>[A-Za-z0-9\-_]+)\/(?<short_date>[0-9]{8})\/(?<credentials>[A-Za-z0-9\-_ \/]+), SignedHeaders=(?<signed_headers>[A-Za-z\-;]+), Signature=(?<signature>[0-9a-f]+)$/
       .match auth_header
-      raise EscherError, 'Could not parse auth header' unless m && m['credentials']
+      raise EscherError, 'Invalid auth header format' unless m && m['credentials']
       return m['algo'], m['api_key_id'], m['short_date'], m['credentials'], m['signed_headers'].split(';'), m['signature'], 0
     end
 
@@ -215,7 +224,7 @@ module Escher
 
 
     def prepare_headers_to_sign(headers_to_sign)
-      headers_to_sign.sort.uniq.join(';')
+      headers_to_sign.sort.uniq.join(';').downcase
     end
 
 
@@ -272,6 +281,25 @@ module Escher
 
 
 
+    def valid_request_method?(method)
+      %w(OPTIONS GET HEAD POST PUT DELETE TRACE PATCH CONNECT).include? method.upcase
+    end
+
+
+
+    def mandatory_signed_headers_valid?(mandatory_signed_headers)
+      if mandatory_signed_headers.nil?
+        return true
+      else
+        return false unless mandatory_signed_headers.is_a? Array
+        return false unless mandatory_signed_headers.all? { |header| header.is_a? String }
+      end
+
+      true
+    end
+
+
+
     def parse_algo(algorithm)
       m = /^#{@algo_prefix}-HMAC-(?<algo>[A-Z0-9\,]+)$/.match(algorithm)
       m && m['algo']
@@ -308,7 +336,7 @@ module Escher
 
     def normalize_white_spaces(value)
       value.strip.split('"', -1).map.with_index { |piece, index|
-        is_inside_of_quotes = (index % 2 === 1)
+        is_inside_of_quotes = (index % 2 == 1)
         is_inside_of_quotes ? piece : piece.gsub(/\s+/, ' ')
       }.join '"'
     end

data/lib/escher/request/hash_request.rb

@@ -10,7 +10,6 @@ module Escher
 
       def initialize(request)
         super request
-        @uri = parse_uri request[:uri]
       end
 
 
@@ -41,27 +40,16 @@ module Escher
 
 
       def path
-        @uri.path
+        request[:uri].match(URI_REGEXP)[1]
       end
 
 
 
       def query_values
-        @uri.query_values(Array) or []
-      end
-
-
-
-      private
-
-      def parse_uri(uri)
-        uri.match URI_REGEXP do |match_data|
-          Addressable::URI.new({:path => match_data[1],
-                                :query => match_data[3]})
-        end
+        query = request[:uri].match(URI_REGEXP)[3]
+        (Addressable::URI.new query: query).query_values(Array) or []
       end
 
     end
-
   end
 end

data/lib/escher/version.rb

@@ -1,3 +1,3 @@
 module Escher
-  VERSION = '0.3.7'
+  VERSION = '0.4.0'
 end

data/scripts/checkout_test_suite.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+rm -rf ./spec/emarsys_test_suite
+svn export https://github.com/emartech/escher-test-suite/trunk/test_cases spec/emarsys_test_suite

data/spec/emarsys_test_suite_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+module Escher
+  describe Auth, :emarsys_test_suite do
+
+    authentication_error_test_files.each do |test_case|
+      it "#{test_case[:title]}" do
+        expect { test_case.escher.authenticate(test_case[:request], test_case.key, test_case[:mandatory_signed_headers]) }
+          .to raise_error(EscherError, test_case[:expected][:error])
+      end
+    end
+
+
+    authentication_valid_test_files.each do |test_case|
+      it "#{test_case[:title]}" do
+        expect { test_case.escher.authenticate(test_case[:request], test_case.key) }.not_to raise_error
+      end
+    end
+
+
+    presign_url_test_files.each do |test_case|
+      it "#{test_case[:title]}" do
+        expect(test_case.escher.generate_signed_url(test_case[:request][:uri], test_case[:config], test_case[:request][:expires]))
+          .to eq(test_case[:expected][:url])
+      end
+    end
+
+
+    sign_request_valid_test_files.each do |test_case|
+      it "#{test_case[:title]}" do
+        request = test_case.escher.sign! test_case[:request], test_case[:config], test_case[:headers_to_sign]
+        request[:url] = request.delete :uri
+        request.each { |_, v| v.sort! if v.class.method_defined? :sort! }
+
+        expect(request).to eq(test_case.expected_request)
+      end
+    end
+
+
+    xspecify "every case in the test suite is being used" do
+      expect(::EmarsysTestSuiteHelpers::TestSuite.in_use_size).to eq ::EmarsysTestSuiteHelpers::TestSuite.size
+    end
+
+  end
+end

data/spec/escher/auth_spec.rb

@@ -417,7 +417,7 @@ module Escher
           ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
           ['Authorization', 'AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-ea st-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470'],
       ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'The credential scope is invalid')
+      expect { call_validate(headers) }.to raise_error(EscherError, 'Invalid Credential Scope')
     end
 
 
@@ -431,17 +431,6 @@ module Escher
     end
 
 
-    it 'should detect if dates are not on the same day' do
-      yesterday = '08'
-      headers = [
-        %w(Host host.foo.com),
-        ['Date', "Mon, #{yesterday} Sep 2011 23:36:00 GMT"],
-        ['Authorization', GOOD_AUTH_HEADER],
-      ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'The Authorization header\'s shortDate does not match with the request date')
-    end
-
-
     it 'should detect if date is not within the 15 minutes range' do
       long_ago = '00'
       headers = [
@@ -453,40 +442,13 @@ module Escher
     end
 
 
-    it 'should detect missing host header' do
-      headers = [
-        ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
-        ['Authorization', GOOD_AUTH_HEADER],
-      ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'The Host header is missing')
-    end
-
-
-    it 'should detect missing date header' do
-      headers = [
-        %w(Host host.foo.com),
-        ['Authorization', GOOD_AUTH_HEADER],
-      ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'The Date header is missing')
-    end
-
-
-    it 'should detect missing auth header' do
-      headers = [
-        %w(Host host.foo.com),
-        ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
-      ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'The Authorization header is missing')
-    end
-
-
     it 'should detect malformed auth header' do
       headers = [
         %w(Host host.foo.com),
         ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
         ['Authorization', 'AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=UNPARSABLE'],
       ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'Could not parse auth header')
+      expect { call_validate(headers) }.to raise_error(EscherError, 'Invalid auth header format')
     end
 
 
@@ -496,7 +458,7 @@ module Escher
         ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
         ['Authorization', 'AWS4-HMAC-SHA256 Credential=BAD-CREDENTIAL-SCOPE, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470'],
       ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'Could not parse auth header')
+      expect { call_validate(headers) }.to raise_error(EscherError, 'Invalid auth header format')
     end
 
 
@@ -520,26 +482,6 @@ module Escher
     end
 
 
-    it 'should check algorithm' do
-      headers = [
-        %w(Host host.foo.com),
-        ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
-        ['Authorization', 'AWS4-HMAC-INVALID Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470'],
-      ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'Only SHA256 and SHA512 hash algorithms are allowed')
-    end
-
-
-    it 'should check credential scope' do
-      headers = [
-        %w(Host host.foo.com),
-        ['Date', 'Mon, 09 Sep 2011 23:36:00 GMT'],
-        ['Authorization', 'AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/INVALID/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470'],
-      ]
-      expect { call_validate(headers) }.to raise_error(EscherError, 'The credential scope is invalid')
-    end
-
-
     it 'should convert dates' do
       date_str = 'Fri, 09 Sep 2011 23:36:00 GMT'
       expect(described_class.new('irrelevant', date_header_name: 'date', current_time: Time.parse(date_str)).format_date_for_header).to eq date_str

data/spec/helpers/emarsys_test_suite/test_case.rb

@@ -0,0 +1,43 @@
+module EmarsysTestSuiteHelpers
+  class TestCase
+
+    def initialize(test_file)
+      @test_data = ::JSON.parse(File.read(test_file), symbolize_names: true).to_snake_keys
+      convert_naming
+    end
+
+
+
+    def [](arg)
+      @test_data[arg]
+    end
+
+
+
+    def key
+      {@test_data[:key_db].first[0] => @test_data[:key_db].first[1]}
+    end
+
+
+
+    def escher
+      @test_data[:config][:current_time] = Time.parse(@test_data[:config].delete :date)
+      @escher ||= ::Escher::Auth.new(@test_data[:config][:credential_scope], @test_data[:config])
+    end
+
+
+
+    def expected_request
+      @test_data[:expected][:request].each { |_, v| v.sort! if v.class.method_defined? :sort! }
+    end
+
+
+
+    private
+    def convert_naming
+      @test_data[:request][:uri] = @test_data[:request].delete :url
+      @test_data[:config][:api_key_id] = @test_data[:config].delete :access_key_id
+    end
+
+  end
+end

data/spec/helpers/emarsys_test_suite/test_suite.rb

@@ -0,0 +1,18 @@
+module EmarsysTestSuiteHelpers
+  class TestSuite
+
+    def self.size
+      Dir.glob('./spec/emarsys_test_suite/*').size
+    end
+
+
+
+    def self.in_use_size
+      size = Dir.glob('./spec/emarsys_test_suite/authenticate-error-*').size
+      size += Dir.glob('./spec/emarsys_test_suite/authenticate-valid-*').size
+      size += Dir.glob('./spec/emarsys_test_suite/presignurl-*').size
+      size + Dir.glob('./spec/emarsys_test_suite/signrequest-*').reject { |c| c.include? 'error' }.size
+    end
+
+  end
+end

data/spec/helpers/emarsys_test_suite_helpers.rb

@@ -0,0 +1,41 @@
+require 'json'
+require 'plissken'
+require 'escher'
+
+module EmarsysTestSuiteHelpers
+
+  autoload :TestCase, 'helpers/emarsys_test_suite/test_case'
+  autoload :TestSuite, 'helpers/emarsys_test_suite/test_suite'
+
+
+
+  def create_test_case
+    ->(t) { TestCase.new t }
+  end
+
+
+
+  def authentication_error_test_files
+    Dir.glob('./spec/emarsys_test_suite/authenticate-error-*').map &create_test_case
+  end
+
+
+
+  def authentication_valid_test_files
+    Dir.glob('./spec/emarsys_test_suite/authenticate-valid-*').map &create_test_case
+  end
+
+
+
+  def presign_url_test_files
+    Dir.glob('./spec/emarsys_test_suite/presignurl-*').map &create_test_case
+  end
+
+
+
+  def sign_request_valid_test_files
+    files = Dir.glob('./spec/emarsys_test_suite/signrequest-*').reject { |c| c.include? 'error' }
+    files.map &create_test_case
+  end
+
+end

data/spec/spec_helper.rb

@@ -1,3 +1,10 @@
 lib = File.expand_path('../../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'escher'
+require 'escher'
+
+
+autoload :EmarsysTestSuiteHelpers, 'helpers/emarsys_test_suite_helpers'
+RSpec.configure do |c|
+  c.treat_symbols_as_metadata_keys_with_true_values = true
+  c.extend EmarsysTestSuiteHelpers, :emarsys_test_suite
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: escher
 version: !ruby/object:Gem::Version
-  version: 0.3.7
+  version: 0.4.0
 platform: ruby
 authors:
 - Andras Barthazi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-10-14 00:00:00.000000000 Z
+date: 2016-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -80,6 +80,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: plissken
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: addressable
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +136,7 @@ files:
 - lib/escher/request/legacy_request.rb
 - lib/escher/request/rack_request.rb
 - lib/escher/version.rb
+- scripts/checkout_test_suite.sh
 - spec/aws4_testsuite/get-header-key-duplicate.authz
 - spec/aws4_testsuite/get-header-key-duplicate.creq
 - spec/aws4_testsuite/get-header-key-duplicate.req
@@ -273,6 +288,7 @@ files:
 - spec/aws4_testsuite/post-x-www-form-urlencoded.req
 - spec/aws4_testsuite/post-x-www-form-urlencoded.sreq
 - spec/aws4_testsuite/post-x-www-form-urlencoded.sts
+- spec/emarsys_test_suite_spec.rb
 - spec/emarsys_testsuite/get-header-key-duplicate.authz
 - spec/emarsys_testsuite/get-header-key-duplicate.creq
 - spec/emarsys_testsuite/get-header-key-duplicate.req
@@ -303,6 +319,9 @@ files:
 - spec/escher/request/factory_spec.rb
 - spec/escher/request/hash_request_spec.rb
 - spec/escher/request/rack_request_spec.rb
+- spec/helpers/emarsys_test_suite/test_case.rb
+- spec/helpers/emarsys_test_suite/test_suite.rb
+- spec/helpers/emarsys_test_suite_helpers.rb
 - spec/spec_helper.rb
 homepage: http://escherauth.io/
 licenses:
@@ -324,7 +343,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Library for HTTP request signing (Ruby implementation)
@@ -480,6 +499,7 @@ test_files:
 - spec/aws4_testsuite/post-x-www-form-urlencoded.req
 - spec/aws4_testsuite/post-x-www-form-urlencoded.sreq
 - spec/aws4_testsuite/post-x-www-form-urlencoded.sts
+- spec/emarsys_test_suite_spec.rb
 - spec/emarsys_testsuite/get-header-key-duplicate.authz
 - spec/emarsys_testsuite/get-header-key-duplicate.creq
 - spec/emarsys_testsuite/get-header-key-duplicate.req
@@ -510,4 +530,7 @@ test_files:
 - spec/escher/request/factory_spec.rb
 - spec/escher/request/hash_request_spec.rb
 - spec/escher/request/rack_request_spec.rb
+- spec/helpers/emarsys_test_suite/test_case.rb
+- spec/helpers/emarsys_test_suite/test_suite.rb
+- spec/helpers/emarsys_test_suite_helpers.rb
 - spec/spec_helper.rb