escher 1.0.0 → 2.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f5d7892a58786fb9802e66a734ddc2f7f84a4b42
-  data.tar.gz: 18bf4433e019a4581eb6980f9819f2b336c3495a
+SHA256:
+  metadata.gz: e01dd40666cb6ea783bc477f97f8ae673d5208ac8db7a5bba3ef569c95d3061d
+  data.tar.gz: 953b4c5dab4d7e8e832bd7bc80204f2d324114f893ae4f31df8c4d8ebf01c189
 SHA512:
-  metadata.gz: 006d627eddd82e86ef6e803019bee58183314d85b299a82a62da7e2579b069bd11e247d20d444822dd87acba7276612d19af415f608d5f55ccb88e532bdc36e4
-  data.tar.gz: 6d7cabbbaba10921751b255dcd9865f9bdc6abb08b1a7114190aac257f168f1118f9ea40b8399ac6502530ae3f04b38ebc7ef43cdc044eedf9f5eee9c4fcc71b
+  metadata.gz: 31219982da52121cc942e0bbfe7c18b0d868129c6e55c0cc46be53734d1e6c8886758ed08dba11c7b87234085e5b28c6a073612e2d811633d7196c1b54f688e1
+  data.tar.gz: 7c56ef27d72cf2cd80c190dabb973d5355a87eebf8860972217d521c4810086e8d8610f9a49f3d469cbe2cb674182ecb0da90f37db742b5d27e46bb5fb30f3eb

data/.github/workflows/ruby.yml

@@ -0,0 +1,33 @@
+name: Ruby
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-versions: ['2.6', '2.7', '3.0']
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-versions }}
+    - name: Checkout testsuite
+      run: ./scripts/checkout_test_suite.sh
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake
+    - name: Deploy
+      if : github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && matrix.ruby-versions == '3.0'
+      run: |
+          mkdir -p $HOME/.gem
+          touch $HOME/.gem/credentials
+          chmod 0600 $HOME/.gem/credentials
+          printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+          gem build *.gemspec
+          gem push *.gem
+      env:
+        GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"

data/escher.gemspec

@@ -20,14 +20,14 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 1.9'
 
-  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "bundler", "~> 2.2.20"
   spec.add_development_dependency "rails"
 
-  spec.add_development_dependency "rake", "~> 10"
-  spec.add_development_dependency "rspec", "~> 2"
+  spec.add_development_dependency "rake", "~> 13.0.6"
+  spec.add_development_dependency "rspec", "~> 3"
 
   spec.add_development_dependency "rack"
   spec.add_development_dependency "plissken"
 
-  spec.add_runtime_dependency "addressable", "~> 2.3"
+  spec.add_runtime_dependency "addressable", "~> 2.8.0"
 end

data/lib/escher/auth.rb

@@ -6,7 +6,7 @@ module Escher
       @algo_prefix = options[:algo_prefix] || 'ESR'
       @vendor_key = options[:vendor_key] || 'Escher'
       @hash_algo = options[:hash_algo] || 'SHA256'
-      @current_time = options[:current_time] || Time.now
+      @current_time = options[:current_time]
       @auth_header_name = options[:auth_header_name] || 'X-Escher-Auth'
       @date_header_name = options[:date_header_name] || 'X-Escher-Date'
       @clock_skew = options[:clock_skew] || 300
@@ -17,15 +17,17 @@ module Escher
 
 
     def sign!(req, client, headers_to_sign = [])
+      current_time = @current_time || Time.now
+
       headers_to_sign |= [@date_header_name.downcase, 'host']
 
       request = wrap_request req
       raise EscherError, 'The host header is missing' unless request.has_header? 'host'
 
-      request.set_header(@date_header_name.downcase, format_date_for_header) unless request.has_header? @date_header_name
+      request.set_header(@date_header_name.downcase, format_date_for_header(current_time)) unless request.has_header? @date_header_name
 
-      signature = generate_signature(client[:api_secret], request.body, request.headers, request.method, headers_to_sign, request.path, request.query_values)
-      request.set_header(@auth_header_name, "#{@algo_id} Credential=#{client[:api_key_id]}/#{short_date(@current_time)}/#{@credential_scope}, SignedHeaders=#{prepare_headers_to_sign headers_to_sign}, Signature=#{signature}")
+      signature = generate_signature(client[:api_secret], request.body, request.headers, request.method, headers_to_sign, request.path, request.query_values, current_time)
+      request.set_header(@auth_header_name, "#{@algo_id} Credential=#{client[:api_key_id]}/#{short_date(current_time)}/#{@credential_scope}, SignedHeaders=#{prepare_headers_to_sign headers_to_sign}, Signature=#{signature}")
 
       request.request
     end
@@ -44,6 +46,7 @@ module Escher
 
 
     def authenticate(req, key_db, mandatory_signed_headers = nil)
+      current_time = @current_time || Time.now
       request = wrap_request req
       method = request.method
       body = request.body
@@ -78,10 +81,9 @@ module Escher
       raise EscherError, 'Invalid Escher key' unless api_secret
       raise EscherError, 'Invalid hash algorithm, only SHA256 and SHA512 are allowed' unless %w(SHA256 SHA512).include?(algorithm)
       raise EscherError, 'The request method is invalid' unless valid_request_method?(method)
-      raise EscherError, "The request body shouldn't be empty if the request method is POST" if (method.upcase == 'POST' && body.empty?)
       raise EscherError, "The request url shouldn't contains http or https" if path.match /^https?:\/\//
       raise EscherError, 'Invalid date in authorization header, it should equal with date header' unless short_date(date) == short_date
-      raise EscherError, 'The request date is not within the accepted time range' unless is_date_within_range?(date, expires)
+      raise EscherError, 'The request date is not within the accepted time range' unless is_date_within_range?(date, expires, current_time)
       raise EscherError, 'Invalid Credential Scope' unless credential_scope == @credential_scope
       raise EscherError, 'The mandatorySignedHeaders parameter must be undefined or array of strings' unless mandatory_signed_headers_valid?(mandatory_signed_headers)
       raise EscherError, 'The host header is not signed' unless signed_headers.include? 'host'
@@ -94,7 +96,7 @@ module Escher
       raise EscherError, 'The date header is not signed' if !signature_from_query && !signed_headers.include?(@date_header_name.downcase)
 
       escher = reconfig(algorithm, credential_scope, date)
-      expected_signature = escher.generate_signature(api_secret, body, headers, method, signed_headers, path, query_parts)
+      expected_signature = escher.generate_signature(api_secret, body, headers, method, signed_headers, path, query_parts, date)
       raise EscherError, 'The signatures do not match' unless signature == expected_signature
       api_key_id
     end
@@ -116,6 +118,7 @@ module Escher
 
 
     def generate_signed_url(url_to_sign, client, expires = 86400)
+      current_time = @current_time || Time.now
       uri = Addressable::URI.parse(url_to_sign)
 
       if (not uri.port.nil?) && (uri.port != uri.default_port)
@@ -137,13 +140,13 @@ module Escher
       body = 'UNSIGNED-PAYLOAD'
       query_parts += [
         ['Algorithm', @algo_id],
-        ['Credentials', "#{client[:api_key_id]}/#{short_date(@current_time)}/#{@credential_scope}"],
-        ['Date', long_date(@current_time)],
+        ['Credentials', "#{client[:api_key_id]}/#{short_date(current_time)}/#{@credential_scope}"],
+        ['Date', long_date(current_time)],
         ['Expires', expires.to_s],
         ['SignedHeaders', headers_to_sign.join(';')],
       ].map { |k, v| query_pair(k, v) }
 
-      signature = generate_signature(client[:api_secret], body, headers, 'GET', headers_to_sign, path, query_parts)
+      signature = generate_signature(client[:api_secret], body, headers, 'GET', headers_to_sign, path, query_parts, current_time)
       query_parts_with_signature = (query_parts.map { |k, v| [uri_encode(k), uri_encode(v)] } << query_pair('Signature', signature))
       "#{uri.scheme}://#{host}#{path}?#{query_parts_with_signature.map { |k, v| k + '=' + v }.join('&')}#{(fragment === nil ? '' : '#' + fragment)}"
     end
@@ -189,11 +192,11 @@ module Escher
 
 
 
-    def generate_signature(api_secret, body, headers, method, signed_headers, path, query_parts)
+    def generate_signature(api_secret, body, headers, method, signed_headers, path, query_parts, current_time)
       canonicalized_request = canonicalize(method, path, query_parts, body, headers, signed_headers.uniq)
-      string_to_sign = get_string_to_sign(canonicalized_request)
+      string_to_sign = get_string_to_sign(canonicalized_request, current_time)
 
-      signing_key = OpenSSL::HMAC.digest(@algo, @algo_prefix + api_secret, short_date(@current_time))
+      signing_key = OpenSSL::HMAC.digest(@algo, @algo_prefix + api_secret, short_date(current_time))
       @credential_scope.split('/').each { |data|
         signing_key = OpenSSL::HMAC.digest(@algo, signing_key, data)
       }
@@ -203,8 +206,8 @@ module Escher
 
 
 
-    def format_date_for_header
-      @date_header_name.downcase == 'date' ? @current_time.utc.rfc2822.sub('-0000', 'GMT') : long_date(@current_time)
+    def format_date_for_header(current_time)
+      @date_header_name.downcase == 'date' ? current_time.utc.rfc2822.sub('-0000', 'GMT') : long_date(current_time)
     end
 
 
@@ -239,11 +242,11 @@ module Escher
 
 
 
-    def get_string_to_sign(canonicalized_request)
+    def get_string_to_sign(canonicalized_request, current_time)
       [
         @algo_id,
-        long_date(@current_time),
-        short_date(@current_time) + '/' + @credential_scope,
+        long_date(current_time),
+        short_date(current_time) + '/' + @credential_scope,
         @algo.new.hexdigest(canonicalized_request)
       ].join("\n")
     end
@@ -255,7 +258,7 @@ module Escher
         when 'SHA256'
           @algo = OpenSSL::Digest::SHA256.new
         when 'SHA512'
-          @algo = OpenSSL::Digest::SHA521.new
+          @algo = OpenSSL::Digest::SHA512.new
         else
           raise EscherError, 'Unidentified hash algorithm'
       end
@@ -275,8 +278,8 @@ module Escher
 
 
 
-    def is_date_within_range?(request_date, expires)
-      (request_date - @clock_skew .. request_date + expires + @clock_skew).cover? @current_time
+    def is_date_within_range?(request_date, expires, current_time)
+      (request_date - @clock_skew .. request_date + expires + @clock_skew).cover? current_time
     end
 
 

data/lib/escher/version.rb

@@ -1,3 +1,3 @@
 module Escher
-  VERSION = '1.0.0'
+  VERSION = '2.0.3'
 end

data/repo-info.json

@@ -0,0 +1,7 @@
+{
+   "is_in_production": false,
+   "is_scannable": true,
+   "is_critical": false,
+   "contact": "G-GSUITE-Security@emarsys.com",
+   "hosted": null
+}

data/spec/emarsys_test_suite_spec.rb

@@ -35,11 +35,5 @@ module Escher
         expect(request).to eq(test_case.expected_request)
       end
     end
-
-
-    xspecify "every case in the test suite is being used" do
-      expect(::EmarsysTestSuiteHelpers::TestSuite.in_use_size).to eq ::EmarsysTestSuiteHelpers::TestSuite.size
-    end
-
   end
 end

data/spec/escher/auth_spec.rb

@@ -101,7 +101,7 @@ module Escher
           headers_to_sign = headers.map { |k| k[0].downcase }
           path, query_parts = escher.parse_uri(request_uri)
           canonicalized_request = escher.canonicalize(method, path, query_parts, body, headers, headers_to_sign)
-          string_to_sign = escher.get_string_to_sign(canonicalized_request)
+          string_to_sign = escher.get_string_to_sign(canonicalized_request, Time.parse(date))
           expect(string_to_sign).to eq(fixture(suite, test, 'sts'))
         end
       end
@@ -484,7 +484,7 @@ module Escher
 
     it 'should convert dates' do
       date_str = 'Fri, 09 Sep 2011 23:36:00 GMT'
-      expect(described_class.new('irrelevant', date_header_name: 'date', current_time: Time.parse(date_str)).format_date_for_header).to eq date_str
+      expect(described_class.new('irrelevant', date_header_name: 'date', current_time: Time.parse(date_str)).format_date_for_header(Time.parse(date_str))).to eq date_str
     end
 
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: escher
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.3
 platform: ruby
 authors:
 - Andras Barthazi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-01-23 00:00:00.000000000 Z
+date: 2021-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: 2.2.20
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: 2.2.20
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -44,28 +44,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 13.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10'
+        version: 13.0.6
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 2.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 2.8.0
 description: Escher helps you creating secure HTTP requests (for APIs) by signing
   HTTP(s) requests.
 email:
@@ -116,8 +116,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ruby.yml"
 - ".gitignore"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -135,6 +135,7 @@ files:
 - lib/escher/request/legacy_request.rb
 - lib/escher/request/rack_request.rb
 - lib/escher/version.rb
+- repo-info.json
 - scripts/checkout_test_suite.sh
 - spec/aws4_testsuite/get-header-key-duplicate.authz
 - spec/aws4_testsuite/get-header-key-duplicate.creq
@@ -340,8 +341,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.2.22
 signing_key: 
 specification_version: 4
 summary: Library for HTTP request signing (Ruby implementation)

data/.travis.yml

@@ -1,5 +0,0 @@
-language: ruby
-rvm:
-  - 2.2.3
-  - 2.3.0
-before_script: ./scripts/checkout_test_suite.sh