ey-hmac 2.3.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 780a6fcc90418a0389166a31e520337dced06873038bb0a9e71a6f3b70996835
-  data.tar.gz: 073f26a6c11bd06036e23a49b50e8ffea15ca70c608d05e0e7be1a0b7547cda7
+  metadata.gz: 1ea57d603aa108a1bf510fcf6e61aa45b1d1d0fca0ba7aa1b97681396fae9a7c
+  data.tar.gz: 7ad6caf49126be2b2a4b75acbc97ecf9d1898307a896f909493850be26d8261e
 SHA512:
-  metadata.gz: f0b5f2b1827e7a180b35ffa2d3b2e2918a470d008735dbb5b5b79430ac2201c7d58a5abcf124f5ee69119ab83b2b882f9802b70e0f00208df130f9974fc82e2f
-  data.tar.gz: 8d5b959e371034a6a436f7bfec4602e4e477a9830b6d67a6fc2e23378d5002fb2fbbd3714a635b8efe579bcf4f07316176be42ae90985317a86f72e2d7c57a15
+  metadata.gz: 6c790db93637c36fe752759cdb1aac1a70d3f1378ca5c2ae6b4132b8115d97b5e75b15e75de7dc069800980846d83524dbbe58903d9fd4b2006499e0ff8f9826
+  data.tar.gz: 6d8745e27b9c8d01d01d9f6bc608eba2f6fd6f8476a28eba9097dda9765944b8d5ba535be0901f151e69f4b66b9e1a2d022bdd29cbc38fc68a3ec9cacfaf2500

data/.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '36 16 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'ruby' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

data/.github/workflows/ruby.yml

@@ -31,5 +31,7 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Lint
+      run: bundle exec rubocop -D
     - name: Run tests
       run: bundle exec rspec

data/.rubocop.yml

@@ -0,0 +1,31 @@
+inherit_from: .rubocop_todo.yml
+
+# The behavior of RuboCop can be controlled via the .rubocop.yml
+# configuration file. It makes it possible to enable/disable
+# certain cops (checks) and to alter their behavior if they accept
+# any parameters. The file can be placed either in your home
+# directory or in some project directory.
+#
+# RuboCop will start looking for the configuration file in the directory
+# where the inspected file is and continue its way up to the root directory.
+#
+# See https://docs.rubocop.org/rubocop/configuration
+AllCops:
+  SuggestExtensions: false
+  NewCops: 'disable'
+require:
+  - rubocop-rspec
+Metrics/BlockLength:
+  Enabled: false
+Metrics/AbcSize:
+  Enabled: false
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+Metrics/MethodLength:
+  Enabled: false
+Metrics/ClassLength:
+  Enabled: false
+RSpec/ExampleLength:
+  Enabled: false
+RSpec/MultipleExpectations:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,82 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config --auto-gen-only-exclude`
+# on 2022-02-08 03:20:19 UTC using RuboCop version 1.25.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: Include.
+# Include: **/*.gemspec
+Gemspec/RequiredRubyVersion:
+  Exclude:
+    - 'ey-hmac.gemspec'
+
+# Offense count: 1
+# Configuration parameters: ExpectMatchingDefinition, CheckDefinitionPathHierarchy, CheckDefinitionPathHierarchyRoots, Regex, IgnoreExecutableScripts, AllowedAcronyms.
+# CheckDefinitionPathHierarchyRoots: lib, spec, test, src
+# AllowedAcronyms: CLI, DSL, ACL, API, ASCII, CPU, CSS, DNS, EOF, GUID, HTML, HTTP, HTTPS, ID, IP, JSON, LHS, QPS, RAM, RHS, RPC, SLA, SMTP, SQL, SSH, TCP, TLS, TTL, UDP, UI, UID, UUID, URI, URL, UTF8, VM, XML, XMPP, XSRF, XSS
+Naming/FileName:
+  Exclude:
+    - 'lib/ey-hmac.rb'
+
+# Offense count: 2
+# Configuration parameters: MinNameLength, AllowNamesEndingInNumbers, AllowedNames, ForbiddenNames.
+# AllowedNames: at, by, db, id, in, io, ip, of, on, os, pp, to
+Naming/MethodParameterName:
+  Exclude:
+    - 'lib/ey-hmac/adapter.rb'
+
+# Offense count: 2
+RSpec/BeforeAfterAll:
+  Exclude:
+    - 'spec/spec_helper.rb'
+    - 'spec/rails_helper.rb'
+    - 'spec/support/**/*.rb'
+    - 'spec/faraday_spec.rb'
+    - 'spec/rack_spec.rb'
+
+# Offense count: 2
+# Configuration parameters: IgnoredMetadata.
+RSpec/DescribeClass:
+  Exclude:
+    - '**/spec/features/**/*'
+    - '**/spec/requests/**/*'
+    - '**/spec/routing/**/*'
+    - '**/spec/system/**/*'
+    - '**/spec/views/**/*'
+    - 'spec/faraday_spec.rb'
+    - 'spec/rack_spec.rb'
+
+# Offense count: 1
+RSpec/LetSetup:
+  Exclude:
+    - 'spec/faraday_spec.rb'
+
+# Offense count: 4
+# Configuration parameters: AllowedConstants.
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/ey-hmac.rb'
+    - 'lib/ey-hmac/adapter/faraday.rb'
+    - 'lib/ey-hmac/adapter/rack.rb'
+    - 'lib/ey-hmac/faraday.rb'
+
+# Offense count: 3
+# Configuration parameters: MinBodyLength.
+Style/GuardClause:
+  Exclude:
+    - 'lib/ey-hmac/adapter.rb'
+    - 'lib/ey-hmac/adapter/faraday.rb'
+    - 'lib/ey-hmac/adapter/rack.rb'
+
+# Offense count: 2
+# Cop supports --auto-correct.
+# Configuration parameters: Max, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
+# URISchemes: http, https
+Layout/LineLength:
+  Exclude:
+    - 'lib/ey-hmac/adapter.rb'

data/Gemfile

@@ -5,6 +5,9 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in ey-hmac.gemspec
 gemspec
 
+gem 'rubocop', require: false
+gem 'rubocop-rspec', require: false
+
 group(:test) do
   gem 'pry-nav'
   gem 'rspec', '~> 3.3'
@@ -17,6 +20,6 @@ group(:rack) do
 end
 
 group(:faraday) do
-  gem 'faraday', '~> 1.3'
+  gem 'faraday', '>= 1.3'
   gem 'faraday_middleware'
 end

data/Rakefile

@@ -1 +1,3 @@
-require "bundler/gem_tasks"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'

data/lib/ey-hmac/adapter/faraday.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Ey::Hmac::Adapter::Faraday < Ey::Hmac::Adapter
   def method
     request[:method].to_s.upcase
@@ -5,13 +7,13 @@ class Ey::Hmac::Adapter::Faraday < Ey::Hmac::Adapter
 
   def content_type
     @content_type ||= find_header(
-      *%w[CONTENT-TYPE CONTENT_TYPE Content-Type Content_Type]
+      'CONTENT-TYPE', 'CONTENT_TYPE', 'Content-Type', 'Content_Type'
     )
   end
 
   def content_digest
     @content_digest ||= find_header(
-      *%w[CONTENT-DIGEST CONTENT_DIGEST Content-Digest Content_Digest]
+      'CONTENT-DIGEST', 'CONTENT_DIGEST', 'Content-Digest', 'Content_Digest'
     )
   end
 
@@ -25,25 +27,21 @@ class Ey::Hmac::Adapter::Faraday < Ey::Hmac::Adapter
                    body.to_s
                  end
 
-    if digestable && digestable != ""
+    if digestable && digestable != ''
       @content_digest = request[:request_headers]['Content-Digest'] = Digest::MD5.hexdigest(digestable)
     end
   end
 
   def body
-    if request[:body] && request[:body].to_s != ""
-      request[:body]
-    end
+    request[:body] if request[:body] && request[:body].to_s != ''
   end
 
   def date
-    find_header(*%w[DATE Date])
+    find_header('DATE', 'Date')
   end
 
   def set_date
-    unless date
-      request[:request_headers]['Date'] = Time.now.httpdate
-    end
+    request[:request_headers]['Date'] = Time.now.httpdate unless date
   end
 
   def path
@@ -54,15 +52,13 @@ class Ey::Hmac::Adapter::Faraday < Ey::Hmac::Adapter
     set_content_digest
     set_date
 
-    if options[:version]
-      request[:request_headers]['X-Signature-Version'] = options[:version]
-    end
+    request[:request_headers]['X-Signature-Version'] = options[:version] if options[:version]
 
     request[:request_headers][authorization_header] = authorization(key_id, key_secret)
   end
 
   def authorization_signature
-    find_header(*%w[Authorization AUTHORIZATION])
+    find_header('Authorization', 'AUTHORIZATION')
   end
 
   private

data/lib/ey-hmac/adapter/rack.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rack'
 
 class Ey::Hmac::Adapter::Rack < Ey::Hmac::Adapter
@@ -19,18 +21,15 @@ class Ey::Hmac::Adapter::Rack < Ey::Hmac::Adapter
   end
 
   def set_content_digest
-    if body
-      request.env['HTTP_CONTENT_DIGEST'] = Digest::MD5.hexdigest(body)
-    end
+    request.env['HTTP_CONTENT_DIGEST'] = Digest::MD5.hexdigest(body) if body
   end
 
   def body
-    if request.env["rack.input"]
-      request.env["rack.input"].rewind
-      body = request.env["rack.input"].read
-      request.env["rack.input"].rewind
-      body == "" ? nil : body
-    else nil
+    if request.env['rack.input']
+      request.env['rack.input'].rewind
+      body = request.env['rack.input'].read
+      request.env['rack.input'].rewind
+      body == '' ? nil : body
     end
   end
 
@@ -50,9 +49,7 @@ class Ey::Hmac::Adapter::Rack < Ey::Hmac::Adapter
     set_date
     set_content_digest
 
-    if options[:version]
-      request.env['HTTP_X_SIGNATURE_VERSION'] = options[:version]
-    end
+    request.env['HTTP_X_SIGNATURE_VERSION'] = options[:version] if options[:version]
 
     request.env["HTTP_#{authorization_header.to_s.upcase}"] = authorization(key_id, key_secret)
   end

data/lib/ey-hmac/adapter.rb

@@ -1,12 +1,22 @@
+# frozen_string_literal: true
+
 # This class is responsible for forming the canonical string to used to sign requests
 # @abstract override methods {#method}, {#path}, {#body}, {#content_type} and {#content_digest}
 class Ey::Hmac::Adapter
-  AUTHORIZATION_REGEXP = /\w+ ([^:]+):(.+)$/
+  AUTHORIZATION_REGEXP = /\w+ ([^:]+):(.+)$/.freeze
+  DEFAULT_CANONICALIZE_WITH = %i[method content_type content_digest date path].freeze
 
-  autoload :Rack, "ey-hmac/adapter/rack"
-  autoload :Faraday, "ey-hmac/adapter/faraday"
+  autoload :Rack, 'ey-hmac/adapter/rack'
+  autoload :Faraday, 'ey-hmac/adapter/faraday'
 
-  attr_reader :request, :options, :authorization_header, :service, :sign_with, :accept_digests
+  attr_reader :request,
+              :options,
+              :authorization_header,
+              :service,
+              :sign_with,
+              :accept_digests,
+              :include_query_string,
+              :canonicalize_with
 
   # @param [Object] request signer-specific request implementation
   # @option options [Integer] :version signature version
@@ -14,15 +24,21 @@ class Ey::Hmac::Adapter
   # @option options [String] :authorization_header ('Authorization') Authorization header key.
   # @option options [String] :server ('EyHmac') service name prefixed to {#authorization}. set to {#service}
   # @option options [Symbol] :sign_with (:sha_256) outgoing signature digest algorithm. See {OpenSSL::Digest#new}
+  # @option options [Symbol] :include_query_string (false) canonicalize with the request query string.
   # @option options [Array] :accepted_digests ([:sha_256]) accepted incoming signature digest algorithm. See {OpenSSL::Digest#new}
-  def initialize(request, options={})
-    @request, @options = request, options
+  def initialize(request, options = {})
+    @request = request
+    @options = options
 
     @ttl                  = options[:ttl]
     @authorization_header = options[:authorization_header] || 'Authorization'
     @service              = options[:service] || 'EyHmac'
     @sign_with            = options[:sign_with] || :sha256
-    @accept_digests       = Array(options[:accept_digests] || :sha256)
+    @include_query_string = options.fetch(:include_query_string, false)
+    @accept_digests = Array(options[:accept_digests] || :sha256)
+
+    @canonicalize_with = DEFAULT_CANONICALIZE_WITH
+    @canonicalize_with += :query_string if include_query_string
   end
 
   # In order for the server to correctly authorize the request, the client and server MUST AGREE on this format
@@ -30,16 +46,18 @@ class Ey::Hmac::Adapter
   # default canonical string formation is '{#method}\\n{#content_type}\\n{#content_digest}\\n{#date}\\n{#path}'
   # @return [String] canonical string used to form the {#signature}
   def canonicalize
-    [method, content_type, content_digest, date, path].join("\n")
+    canonicalize_with.map { |message| public_send(message) }.join("\n")
   end
 
   # @param [String] key_secret private HMAC key
   # @param [String] signature digest hash function. Defaults to #sign_with
   # @return [String] HMAC signature of {#request}
-  def signature(key_secret, digest = self.sign_with)
+  def signature(key_secret, digest = sign_with)
     Base64.strict_encode64(
       OpenSSL::HMAC.digest(
-        OpenSSL::Digest.new(digest.to_s), key_secret, canonicalize)).strip
+        OpenSSL::Digest.new(digest.to_s), key_secret, canonicalize
+      )
+    ).strip
   end
 
   # @param [String] key_id public HMAC key
@@ -106,7 +124,7 @@ class Ey::Hmac::Adapter
   # @yieldparam key_id [String] public HMAC key
   # @return [Boolean] true if block yields matching private key and signature matches, else false
   # @see #authenticated!
-  def authenticated?(options={}, &block)
+  def authenticated?(_options = {}, &block)
     authenticated!(&block)
   rescue Ey::Hmac::Error
     false
@@ -119,18 +137,18 @@ class Ey::Hmac::Adapter
 
     unless key_secret
       raise Ey::Hmac::MissingSecret,
-        "Failed to find secret matching #{key_id.inspect}"
+            "Failed to find secret matching #{key_id.inspect}"
     end
 
     check_ttl!
 
-    calculated_signatures = accept_digests.map { |ad| signature(key_secret, ad) }
-    matching_signature = calculated_signatures.any? { |cs| secure_compare(signature_value, cs) }
+    matching_signature =
+      accept_digests
+      .lazy
+      .map { |ad| signature(key_secret, ad) }
+      .any? { |cs| secure_compare(signature_value, cs) }
 
-    unless matching_signature
-      raise Ey::Hmac::SignatureMismatch,
-        "Calculated signature #{signature_value} does not match #{calculated_signatures.inspect} using #{canonicalize.inspect}"
-    end
+    raise Ey::Hmac::SignatureMismatch unless matching_signature
 
     true
   end
@@ -143,11 +161,12 @@ class Ey::Hmac::Adapter
   def secure_compare(a, b)
     return false unless a.bytesize == b.bytesize
 
-    l = a.unpack("C*")
+    l = a.unpack('C*')
 
-    r, i = 0, -1
-    b.each_byte { |v| r |= v ^ l[i+=1] }
-    r == 0
+    r = 0
+    i = -1
+    b.each_byte { |v| r |= v ^ l[i += 1] }
+    r.zero?
   end
 
   def check_ttl!
@@ -157,7 +176,7 @@ class Ey::Hmac::Adapter
 
       unless expiry > current_time
         raise Ey::Hmac::ExpiredHmac,
-          "Signature has expired passed #{expiry}. Current time is #{current_time}"
+              "Signature has expired passed #{expiry}. Current time is #{current_time}"
       end
     end
   end
@@ -167,7 +186,7 @@ class Ey::Hmac::Adapter
 
     unless authorization_match
       raise Ey::Hmac::MissingAuthorization,
-        "Failed to parse authorization_signature #{authorization_signature}"
+            "Failed to parse authorization_signature #{authorization_signature}"
     end
 
     [authorization_match[1], authorization_match[2]]

data/lib/ey-hmac/faraday.rb

@@ -1,21 +1,24 @@
+# frozen_string_literal: true
+
 require 'ey-hmac'
 require 'faraday'
 
-class Ey::Hmac::Faraday < Faraday::Response::Middleware
-  dependency("ey-hmac")
+class Ey::Hmac::Faraday < Faraday::Middleware
+  dependency('ey-hmac') if respond_to?(:dependency)
 
   attr_reader :key_id, :key_secret, :options
 
   def initialize(app, key_id, key_secret, options = {})
     super(app)
-    @key_id, @key_secret = key_id, key_secret
+    @key_id = key_id
+    @key_secret = key_secret
     @options = options
   end
 
   def call(env)
-    Ey::Hmac.sign!(env, key_id, key_secret, {adapter: Ey::Hmac::Adapter::Faraday}.merge(options))
+    Ey::Hmac.sign!(env, key_id, key_secret, { adapter: Ey::Hmac::Adapter::Faraday }.merge(options))
     @app.call(env)
   end
 end
 
-Faraday::Middleware.register_middleware :hmac => Ey::Hmac::Faraday
+Faraday::Middleware.register_middleware hmac: Ey::Hmac::Faraday

data/lib/ey-hmac/rack.rb

@@ -1,10 +1,13 @@
+# frozen_string_literal: true
+
 # Request middleware that performs HMAC request signing
 class Ey::Hmac::Rack
   attr_reader :key_id, :key_secret, :options
 
   def initialize(app, key_id, key_secret, options = {})
     @app = app
-    @key_id, @key_secret = key_id, key_secret
+    @key_id = key_id
+    @key_secret = key_secret
     @options = options
   end
 

data/lib/ey-hmac/version.rb

@@ -1,5 +1,7 @@
-module Ey
+# frozen_string_literal: true
+
+module Ey # rubocop:disable Style/ClassAndModuleChildren
   module Hmac
-    VERSION = "2.3.0"
+    VERSION = '2.4.0'
   end
 end