ey_api_hmac 0.0.1

data/Gemfile

@@ -0,0 +1,10 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in ey_api_hmac.gemspec
+gemspec
+
+gem 'rake'
+
+group :test, :development do
+  gem 'halorgium-auth-hmac'
+end

data/Gemfile.lock

@@ -0,0 +1,32 @@
+PATH
+  remote: .
+  specs:
+    ey_api_hmac (0.0.1)
+      rack-client
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.1.2)
+    halorgium-auth-hmac (1.1.1.2010100601)
+    rack (1.3.2)
+    rack-client (0.4.0)
+      rack (>= 1.0.0)
+    rake (0.9.2)
+    rspec (2.6.0)
+      rspec-core (~> 2.6.0)
+      rspec-expectations (~> 2.6.0)
+      rspec-mocks (~> 2.6.0)
+    rspec-core (2.6.4)
+    rspec-expectations (2.6.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.6.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  ey_api_hmac!
+  halorgium-auth-hmac
+  rake
+  rspec

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2011 Engine Yard
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+desc 'Default: run specs.'
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new do |t|
+  t.rspec_opts = '--format documentation --color'
+end

data/ey_api_hmac.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "ey_api_hmac/version"
+
+Gem::Specification.new do |s|
+  s.name        = "ey_api_hmac"
+  s.version     = EY::ApiHMAC::VERSION
+  s.authors     = ["Jacob Burkhart & Thorben Schröder & David Calavera & others"]
+  s.email       = ["jacob@engineyard.com"]
+  s.homepage    = ""
+  s.summary     = %q{HMAC Rack basic implementation for Engine Yard services}
+  s.description = %q{basic wrapper for rack-client + middlewares for HMAC auth + helpers for SSO auth}
+
+  s.rubyforge_project = "ey_api_hmac"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency 'rack-client'
+  s.add_development_dependency "rspec"
+end

data/lib/ey_api_hmac.rb

@@ -0,0 +1,94 @@
+require 'ey_api_hmac/base_connection'
+require 'ey_api_hmac/api_auth'
+
+module EY
+  module ApiHMAC
+    require 'openssl'
+
+    def self.sign_for_sso(url, parameters, auth_id, auth_key)
+      uri = URI.parse(url)
+      raise ArgumentError, "use parameters argument, got query: '#{uri.query}'" if uri.query
+      uri.query = parameters.sort.map {|e| e.map{|str| CGI.escape(str.to_s)}.join '='}.join '&'
+      signature = CGI.escape(base64digest(uri.query.to_s, auth_key))
+      uri.query += "&signature=#{signature}"
+      uri.to_s
+    end
+
+    def self.verify_for_sso(url, auth_id, auth_key)
+      uri = URI.parse(url)
+      signature = CGI.unescape(uri.query.match(/&signature=(.*)$/)[1])
+      signed_string = uri.query.gsub(/&signature=(.*)$/,"")
+      base64digest(signed_string.to_s, auth_key) == signature
+    end
+
+    def self.sign!(env, key_id, secret, strict = false)
+      env["HTTP_AUTHORIZATION"] = "AuthHMAC #{key_id}:#{signature(env, secret, strict)}"
+    end
+
+    def self.canonical_string(env, strict = false)
+      parts = []
+      adder = Proc.new do |var|
+        unless env[var]
+          raise HmacAuthFail, "'#{var}' header missing and required in #{env.inspect}"
+        end
+        parts << env[var]
+      end
+      adder["REQUEST_METHOD"]
+      adder["CONTENT_TYPE"]
+      if env["HTTP_CONTENT_MD5"]
+        adder["HTTP_CONTENT_MD5"]
+      else
+        parts << generated_md5(env)
+      end
+      adder["HTTP_DATE"]
+      adder["PATH_INFO"]
+      parts.join("\n")
+    end
+
+    def self.signature(env, secret, strict = false)
+      base64digest(canonical_string(env, strict), secret)
+    end
+
+    def self.base64digest(data,secret)
+      digest = OpenSSL::Digest::Digest.new('sha1')
+      [OpenSSL::HMAC.digest(digest, secret, data)].pack('m').strip
+    end
+
+    class HmacAuthFail < StandardError; end
+
+    def self.authenticate!(env, &lookup)
+      rx = Regexp.new("AuthHMAC ([^:]+):(.+)$")
+      if md = rx.match(env["HTTP_AUTHORIZATION"])
+        access_key_id = md[1]
+        hmac = md[2]
+        secret = lookup.call(access_key_id)
+        unless secret
+          raise HmacAuthFail, "couldn't find auth for #{access_key_id}"
+        end
+        unless hmac == signature(env, secret)
+          raise HmacAuthFail, "signature mismatch"
+        end
+      else
+        raise HmacAuthFail, "no authorization header"
+      end
+    end
+
+    def self.authenticated?(env, &lookup)
+      begin
+        authenticate!(env, &lookup)
+        true
+      rescue HmacAuthFail => e
+        false
+      end
+    end
+
+    private
+
+    def self.generated_md5(env)
+      request_body = env["rack.input"].read
+      env["rack.input"].rewind
+      OpenSSL::Digest::MD5.hexdigest(request_body)
+    end
+
+  end
+end

data/lib/ey_api_hmac/api_auth.rb

@@ -0,0 +1,49 @@
+module EY
+  module ApiHMAC
+    module ApiAuth
+      CONSUMER = "ey_api_hmac.consumer_id"
+
+      #a Server middleware to validate requests, setup with a block to lookup the auth_key based on auth_id
+      class LookupServer
+        def initialize(app, &lookup)
+          @app, @lookup = app, lookup
+        end
+
+        #TODO: rescue HmacAuthFail and return 403?
+        def call(env)
+          ApiHMAC.authenticate!(env) do |auth_id|
+            @lookup.call(env, auth_id)
+          end
+          @app.call(env)
+        end
+      end
+
+      #a Server middleware to validate requests, setup with a class that responds_to :find_by_auth_id, :id, :auth_key
+      class Server < LookupServer
+        def initialize(app, klass)
+          lookup = Proc.new do |env, auth_id|
+            if consumer = klass.find_by_auth_id(auth_id)
+              env[CONSUMER] = consumer.id
+              consumer.auth_key
+            else
+              raise "no #{klass} consumer #{auth_id.inspect}"
+            end
+          end
+          super(app, &lookup)
+        end
+      end
+
+      #the Client middleware that's used to add authentication to requests
+      class Client
+        def initialize(app, auth_id, auth_key)
+          @app, @auth_id, @auth_key = app, auth_id, auth_key
+        end
+        def call(env)
+          ApiHMAC.sign!(env, @auth_id, @auth_key)
+          @app.call(env)
+        end
+      end
+
+    end
+  end
+end

data/lib/ey_api_hmac/base_connection.rb

@@ -0,0 +1,103 @@
+require 'rack/client'
+require 'json'
+
+module EY
+  module ApiHMAC
+    class BaseConnection
+      attr_reader :auth_id, :auth_key
+
+      def initialize(auth_id, auth_key, user_agent = nil)
+        @auth_id = auth_id
+        @auth_key = auth_key
+        @standard_headers = {
+            'CONTENT_TYPE' => 'application/json',
+            'Accept'=> 'application/json', 
+            "Date" => Time.now.to_s, #TODO: what is the right way to format this header?
+            'USER_AGENT' => user_agent || default_user_agent
+        }
+      end
+
+      class NotFound < StandardError
+        def initialize(url)
+          super("#{url} not found")
+        end
+      end
+
+      class ValidationError < StandardError
+        attr_reader :error_messages
+
+        def initialize(response)
+          json_response = JSON.parse(response.body)
+          @error_messages = json_response["error_messages"]
+          super("error: #{@error_messages.join("\n")}")
+        rescue => e
+          @error_messages = []
+          super("error: #{response.body}")
+        end
+      end
+
+      class UnknownError < StandardError
+        def initialize(response)
+          super("unknown error(#{response.status}): #{response.body}")
+        end
+      end
+
+      attr_writer :backend
+      def backend
+        @backend ||= Rack::Client::Handler::NetHTTP
+      end
+
+      def post(url, body, &block)
+        request(:post, url, body, &block)
+      end
+      
+      def put(url, body, &block)
+        request(:put, url, body, &block)
+      end
+      
+      def delete(url, &block)
+        request(:delete, url, &block)
+      end
+
+      def get(url, &block)
+        request(:get, url, &block)
+      end
+
+      protected
+
+      def client
+        bak = self.backend
+        #damn you scope!
+        auth_id_arg = auth_id
+        auth_key_arg = auth_key
+        @client ||= Rack::Client.new do
+          use EY::ApiHMAC::ApiAuth::Client, auth_id_arg, auth_key_arg
+          run bak
+        end
+      end
+
+      def request(method, url, body = nil, &block)
+        if body
+          response = client.send(method, url, @standard_headers, body.to_json)
+        else
+          response = client.send(method, url, @standard_headers)
+        end
+        handle_response(url, response, &block)
+      end
+
+      def handle_response(url, response)
+        case response.status
+        when 200, 201
+          json_body = JSON.parse(response.body)
+          yield json_body, response["Location"] if block_given?
+        when 404
+          raise NotFound.new(url)
+        when 400
+          raise ValidationError.new(response)
+        else
+          raise UnknownError.new(response)
+        end
+      end
+    end
+  end
+end

data/lib/ey_api_hmac/version.rb

@@ -0,0 +1,5 @@
+module EY
+  module ApiHMAC
+    VERSION = "0.0.1"
+  end
+end

data/spec/api_auth_spec.rb

@@ -0,0 +1,131 @@
+require 'ey_api_hmac'
+require 'auth-hmac'
+
+describe EY::ApiHMAC::ApiAuth do
+
+  #TODO: reject requests with old dates?
+
+  describe "AuthHMAC working" do
+
+    before(:each) do
+      @env = {'PATH_INFO' => "/path/to/put",
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'CONTENT_TYPE' => 'text/plain', 
+        'HTTP_CONTENT_MD5' => 'blahblah', 
+        'REQUEST_METHOD' => "PUT",
+        'HTTP_DATE' => "Thu, 10 Jul 2008 03:29:56 GMT",
+        "rack.input" => StringIO.new}
+      @request = Rack::Request.new(@env)
+    end
+
+    describe ".canonical_string" do
+      it "should generate a canonical string using default method" do
+        expected = "PUT\ntext/plain\nblahblah\nThu, 10 Jul 2008 03:29:56 GMT\n/path/to/put"
+        AuthHMAC.canonical_string(@request).should == expected
+        EY::ApiHMAC.canonical_string(@env).should == expected
+      end
+    end
+
+    describe ".signature" do
+      it "should generate a valid signature string for a secret" do
+        expected = "71wAJM4IIu/3o6lcqx/tw7XnAJs="
+        AuthHMAC.signature(@request, 'secret').should == expected
+        EY::ApiHMAC.signature(@env, 'secret').should == expected
+      end
+    end
+
+    describe "sign!" do
+      before do
+        @expected = "AuthHMAC my-key-id:71wAJM4IIu/3o6lcqx/tw7XnAJs="
+      end
+
+      it "signs as expected with AuthHMAC" do
+       AuthHMAC.sign!(@request, "my-key-id", "secret")
+       @request['Authorization'].should == @expected
+      end
+
+      it "signs as expected with ApiAuth" do
+        EY::ApiHMAC.sign!(@env, 'my-key-id', 'secret')
+        @env["HTTP_AUTHORIZATION"].should == @expected
+      end
+
+    end
+
+    describe "authenticated?" do
+      describe "request signed by AuthHMAC" do
+        before do
+          AuthHMAC.sign!(@request, 'access key 1', 'secret')
+          @env["HTTP_AUTHORIZATION"] = @request["Authorization"]
+        end
+
+        it "verifies by ApiAuth" do
+          @lookup = Proc.new{ |key| 'secret' if key == 'access key 1' }
+          EY::ApiHMAC.authenticated?(@env, &@lookup).should be_true
+        end
+
+        it "verifies by AuthHMAC" do
+          @authhmac = AuthHMAC.new({"access key 1" => 'secret'})
+          @authhmac.authenticated?(@request).should be_true
+        end
+      end
+      describe "request signed by ApiAuth" do
+        before do
+          EY::ApiHMAC.sign!(@env, 'access key 1', 'secret')
+        end
+
+        it "verifies by ApiAuth" do
+          @lookup = Proc.new{ |key| 'secret' if key == 'access key 1' }
+          EY::ApiHMAC.authenticated?(@env, &@lookup).should be_true
+        end
+
+        it "verifies by AuthHMAC" do
+          @authhmac = AuthHMAC.new({"access key 1" => 'secret'})
+          @authhmac.authenticated?(@request).should be_true
+        end
+      end
+    end
+
+  end
+
+  describe "without CONTENT_MD5" do
+    before do
+      @env = {'PATH_INFO' => "/path/to/put",
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'CONTENT_TYPE' => 'text/plain', 
+        'REQUEST_METHOD' => "PUT",
+        'HTTP_DATE' => "Thu, 10 Jul 2008 03:29:56 GMT",
+        "rack.input" => StringIO.new("something, something?")}
+      @request = Rack::Request.new(@env)
+    end
+
+    describe "sign!" do
+      before do
+        @expected = "AuthHMAC my-key-id:YzKgetuk8Tkz19c4eUqbfg4QrFg="
+      end
+
+      it "signs as expected with AuthHMAC" do
+       AuthHMAC.sign!(@request, "my-key-id", "secret")
+       @request['Authorization'].should == @expected
+      end
+
+      it "signs as expected with ApiAuth" do
+        EY::ApiHMAC.sign!(@env, 'my-key-id', 'secret')
+        @env["HTTP_AUTHORIZATION"].should == @expected
+      end
+
+    end
+
+  end
+
+  it "complains when there is no HTTP_DATE" do
+    env = {'PATH_INFO' => "/path/to/put",
+      'QUERY_STRING' => 'foo=bar&bar=foo',
+      'CONTENT_TYPE' => 'text/plain',
+      'REQUEST_METHOD' => "PUT",
+      "rack.input" => StringIO.new}
+    lambda{
+      EY::ApiHMAC.sign!(env, 'my-key-id', 'secret', true)
+    }.should raise_error(/'HTTP_DATE' header missing and required/)
+  end
+
+end

data/spec/sso_spec.rb

@@ -0,0 +1,62 @@
+require 'ey_api_hmac'
+require 'cgi'
+
+
+describe EY::ApiHMAC do
+
+  describe "SSO" do
+    before do
+      @url = 'http://example.com/sign_test'
+      @parameters = {
+        "foo" => "bar",
+        "zarg" => "boot",
+        "xargs" => 5
+      }
+      @auth_id = "3243afed3242"
+      @auth_key = "987a87c98f78d9a8c798f7d89"
+    end
+
+    it "can sign sso calls" do
+      signed_url = EY::ApiHMAC.sign_for_sso(@url, @parameters, @auth_id, @auth_key)
+      uri = URI.parse(signed_url)
+
+      uri.scheme.should eq 'http'
+      uri.host.should eq 'example.com'
+      uri.path.should eq '/sign_test'
+
+      parameters = CGI::parse(uri.query)
+      parameters["signature"].first.should eq EY::ApiHMAC.base64digest("foo=bar&xargs=5&zarg=boot", @auth_key)
+    end
+
+    it "can verify signed requests" do
+      signed_url = EY::ApiHMAC.sign_for_sso(@url, @parameters, @auth_id, @auth_key)
+      EY::ApiHMAC.verify_for_sso(signed_url,  @auth_id, @auth_key).should be_true
+      EY::ApiHMAC.verify_for_sso(signed_url + 'a',  @auth_id, @auth_key).should be_false
+    end
+
+    #TODO: write a test that fails if we skip the CGI.unescape
+
+    #TODO: provide signature methods
+
+    #TODO: test that you get an error when you try to sign a url with any of the "Reserved" parameters (signature or timestamp)
+
+    #TODO: send the auth_id in the params too
+
+    #TODO: Rename "signature" to "ey_api_sso_hmac_signature"
+
+    #TODO: provide a time
+
+    #TODO: maybe an expiry time would be better
+
+    #TODO: should the other params be part of the gem?
+      # ey_user_id – the unique identifier for the user.
+      # ey_user_name – the full name of the user in plain text. Example: “John Doe”.
+      # access_level – either “owner” or “collaborator”.
+      # ey_return_to_url – the url to be used when sending the user back to EY.
+      # timestamp – time the signature was calculated, URL should be considered invalid is timestamp is more than 5 minutes off.
+      # signature_method – hash method used to generate the signature
+      # signature – HMAC digest of the other parameters and url (using the API secret)
+
+  end
+  
+end

metadata

@@ -0,0 +1,106 @@
+--- !ruby/object:Gem::Specification 
+name: ey_api_hmac
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- "Jacob Burkhart & Thorben Schr\xC3\xB6der & David Calavera & others"
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-08-15 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rack-client
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+description: basic wrapper for rack-client + middlewares for HMAC auth + helpers for SSO auth
+email: 
+- jacob@engineyard.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- Rakefile
+- ey_api_hmac.gemspec
+- lib/ey_api_hmac.rb
+- lib/ey_api_hmac/api_auth.rb
+- lib/ey_api_hmac/base_connection.rb
+- lib/ey_api_hmac/version.rb
+- spec/api_auth_spec.rb
+- spec/sso_spec.rb
+has_rdoc: true
+homepage: ""
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: ey_api_hmac
+rubygems_version: 1.5.2
+signing_key: 
+specification_version: 3
+summary: HMAC Rack basic implementation for Engine Yard services
+test_files: 
+- spec/api_auth_spec.rb
+- spec/sso_spec.rb