ey_api_hmac 0.4.5 → 0.4.6

data/lib/ey_api_hmac/api_auth.rb

@@ -61,6 +61,7 @@ module EY
           @app, @auth_id, @auth_key, @quiet = app, auth_id, auth_key, quiet
         end
         def call(env)
+          env['HTTP_DATE'] ||= Time.now.httpdate
           ApiHMAC.sign!(env, @auth_id, @auth_key)
           tuple = @app.call(env)
           if !@quiet && tuple.first.to_i == 401

data/lib/ey_api_hmac/sso.rb

@@ -15,6 +15,31 @@ module EY
         uri.to_s
       end
 
+      def self.authenticate!(url, &lookup)
+        uri = URI.parse(url)
+        unless uri.query
+          raise HmacAuthFail, "Url has no query"
+        end
+        parameters = CGI.parse(uri.query)
+        signature = parameters["signature"]
+        unless signature
+          raise HmacAuthFail, "Url has no signature"
+        end
+        return false unless signature
+        signature = signature.first
+        if md = Regexp.new("AuthHMAC ([^:]+):(.+)$").match(signature)
+          access_key_id = md[1]
+          hmac = md[2]
+          secret = lookup.call(access_key_id)
+          unless authenticated?(url, access_key_id, secret)
+            raise HmacAuthFail, "Authentication failed for #{access_key_id}"
+          end
+          access_key_id
+        else
+          raise HmacAuthFail, "Incorrect signature"
+        end
+      end
+
       def self.authenticated?(url, auth_id, auth_key)
         uri = URI.parse(url)
         return false unless uri.query

data/lib/ey_api_hmac/version.rb

@@ -1,5 +1,5 @@
 module EY
   module ApiHMAC
-    VERSION = "0.4.5"
+    VERSION = "0.4.6"
   end
 end

data/spec/sso_spec.rb

@@ -35,6 +35,39 @@ describe EY::ApiHMAC do
       EY::ApiHMAC::SSO.authenticated?(signed_url + 'a',  @auth_id, @auth_key).should be_false
     end
 
+    describe "extracting auth_id and validating in the same call" do
+      before do
+        @auth_key_lookup = Proc.new do |auth_id|
+          (auth_id == @auth_id) && @auth_key
+        end
+      end
+      it "works" do
+        signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+        EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should eq @auth_id
+      end
+
+      it "unauthorized when url is tainted" do
+        signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+        signed_url.gsub!("bar","baz")
+        lambda{
+          EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should be_false
+        }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+      end
+
+      it "unauthorized with crappy urls" do
+        lambda{
+          EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test", &@auth_key_lookup)
+        }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+        lambda{
+          EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?foo=bar", &@auth_key_lookup)
+        }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+        lambda{
+          EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?signature=baz", &@auth_key_lookup)
+        }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+      end
+
+    end
+
     it "can verify requests with no query as invalid" do
       EY::ApiHMAC::SSO.authenticated?("http://example.com/sign_test",  @auth_id, @auth_key).should be_false
     end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: ey_api_hmac
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 3
   prerelease: 
   segments: 
   - 0
   - 4
-  - 5
-  version: 0.4.5
+  - 6
+  version: 0.4.6
 platform: ruby
 authors: 
 - "Jacob Burkhart & Thorben Schr\xC3\xB6der & David Calavera & others"
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-03-23 00:00:00 Z
+date: 2012-06-21 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: rack-client