ey_api_hmac 0.4.5 → 0.4.6

@@ -61,6 +61,7 @@ module EY
61
61
  @app, @auth_id, @auth_key, @quiet = app, auth_id, auth_key, quiet
62
62
  end
63
63
  def call(env)
64
+ env['HTTP_DATE'] ||= Time.now.httpdate
64
65
  ApiHMAC.sign!(env, @auth_id, @auth_key)
65
66
  tuple = @app.call(env)
66
67
  if !@quiet && tuple.first.to_i == 401
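Review bot: The added `env['HTTP_DATE'] ||= Time.now.httpdate` only helps against replay if the server side enforces a freshness window on Date, and nothing in this hunk says that the value becomes part of what `ApiHMAC.sign!` covers, so a reader may take it for a cosmetic header; a comment such as `# Date is covered by the signature (see ApiHMAC.sign!); set it when the caller hasn't so the server can reject stale or replayed requests` would make the intent explicit. Presumably `sign!` folds HTTP_DATE into its canonical string — confirm, since it is defined outside this hunk. Note that `||=` leaves a pre-set `HTTP_DATE` untouched, so a caller can still supply an arbitrary date; acceptable for a client, but worth a word in the same comment. The body of `call` continues past the end of the hunk.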
@@ -15,6 +15,31 @@ module EY
15
15
  uri.to_s
16
16
  end
17
17
 
18
+ def self.authenticate!(url, &lookup)
19
+ uri = URI.parse(url)
20
+ unless uri.query
21
+ raise HmacAuthFail, "Url has no query"
22
+ end
23
+ parameters = CGI.parse(uri.query)
24
+ signature = parameters["signature"]
25
+ unless signature
26
+ raise HmacAuthFail, "Url has no signature"
27
+ end
28
+ return false unless signature
29
+ signature = signature.first
30
+ if md = Regexp.new("AuthHMAC ([^:]+):(.+)$").match(signature)
31
+ access_key_id = md[1]
32
+ hmac = md[2]
33
+ secret = lookup.call(access_key_id)
34
+ unless authenticated?(url, access_key_id, secret)
35
+ raise HmacAuthFail, "Authentication failed for #{access_key_id}"
36
+ end
37
+ access_key_id
38
+ else
39
+ raise HmacAuthFail, "Incorrect signature"
40
+ end
41
+ end
42
+
18
43
  def self.authenticated?(url, auth_id, auth_key)
19
44
  uri = URI.parse(url)
20
45
  return false unless uri.query
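Review bot: The `unless signature` guard on new line 25 cannot fire: `CGI.parse` returns a hash whose missing keys yield an empty array, so a query without `signature` arrives as `[]`, passes that guard and the dead `return false unless signature` on line 28 (which also contradicts the raise-on-failure contract of this method), and only fails later because `signature.first` is nil and the regexp match falls through to "Incorrect signature". Separately, when `lookup` returns nil or false for an unknown access key id — exactly what the new spec's lookup proc does — `secret` is handed to `authenticated?` as nil, and what happens then depends on `authenticated?`, whose body continues outside this hunk; raising HmacAuthFail before that call is safer than relying on how a nil key is treated there. The regexp is anchored only with `$`, which matches before a trailing newline, so `\A…\z` pins the whole parameter. The rewrite below keeps the method's interface and error messages.
```ruby
  parameters = CGI.parse(uri.query)
  # CGI.parse yields [] for an absent key, so test the value rather than the array
  signature = parameters["signature"].first
  raise HmacAuthFail, "Url has no signature" unless signature
  if md = /\AAuthHMAC ([^:]+):(.+)\z/.match(signature)
    access_key_id = md[1]
    secret = lookup.call(access_key_id)
    # unknown key id: fail here instead of passing a nil secret to authenticated?
    raise HmacAuthFail, "Authentication failed for #{access_key_id}" unless secret
    # … unchanged: authenticated? check, return of access_key_id, else "Incorrect signature" …
```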
@@ -1,5 +1,5 @@
1
1
  module EY
2
2
  module ApiHMAC
3
- VERSION = "0.4.5"
3
+ VERSION = "0.4.6"
4
4
  end
5
5
  end
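--- a/data/spec/sso_spec.rb
+++ b/data/spec/sso_spec.rb
@@ -35,6 +35,39 @@ describe EY::ApiHMAC do
  EY::ApiHMAC::SSO.authenticated?(signed_url + 'a', @auth_id, @auth_key).should be_false
  end
 
+ describe "extracting auth_id and validating in the same call" do
+ before do
+ @auth_key_lookup = Proc.new do |auth_id|
+ (auth_id == @auth_id) && @auth_key
+ end
+ end
+ it "works" do
+ signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+ EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should eq @auth_id
+ end
+
+ it "unauthorized when url is tainted" do
+ signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+ signed_url.gsub!("bar","baz")
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should be_false
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ end
+
+ it "unauthorized with crappy urls" do
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test", &@auth_key_lookup)
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?foo=bar", &@auth_key_lookup)
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?signature=baz", &@auth_key_lookup)
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ end
+
+ end
+
  it "can verify requests with no query as invalid" do
  EY::ApiHMAC::SSO.authenticated?("http://example.com/sign_test", @auth_id, @auth_key).should be_false
  end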
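Review bot: The `.should be_false` inside the lambda of "unauthorized when url is tainted" (new line 53) never acts as an assertion — `authenticate!` raises before it and the example passes only through `raise_error` — so it should be dropped rather than suggest a false return is an acceptable outcome: `EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup)`. The new `describe` block also has no example for an unknown access key id, even though `@auth_key_lookup` already returns false for any id other than `@auth_id`; something like `lambda { EY::ApiHMAC::SSO.authenticate!(signed_url.sub(@auth_id, "other"), &@auth_key_lookup) }.should raise_error(EY::ApiHMAC::HmacAuthFail)` would pin how `authenticate!` behaves when the lookup fails (assuming the id appears verbatim in the signature parameter). `@url`, `@parameters`, `@auth_id` and `@auth_key` are set up outside this section, and the `gsub!("bar","baz")` example presumably relies on the signed parameters containing `bar`.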
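--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
  --- !ruby/object:Gem::Specification
  name: ey_api_hmac
  version: !ruby/object:Gem::Version
- hash: 5
+ hash: 3
  prerelease:
  segments:
  - 0
  - 4
- - 5
- version: 0.4.5
+ - 6
+ version: 0.4.6
  platform: ruby
  authors:
  - "Jacob Burkhart & Thorben Schr\xC3\xB6der & David Calavera & others"
@@ -15,7 +15,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2012-03-23 00:00:00 Z
+ date: 2012-06-21 00:00:00 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rack-client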