ey_api_hmac 0.4.5 → 0.4.6

@@ -61,6 +61,7 @@ module EY
61
61
  @app, @auth_id, @auth_key, @quiet = app, auth_id, auth_key, quiet
62
62
  end
63
63
  def call(env)
64
+ env['HTTP_DATE'] ||= Time.now.httpdate
64
65
  ApiHMAC.sign!(env, @auth_id, @auth_key)
65
66
  tuple = @app.call(env)
66
67
  if !@quiet && tuple.first.to_i == 401
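Review bot: `Time.now.httpdate` on the added line is provided by the `time` standard library (`require 'time'`), not by core `Time`, so it raises NoMethodError unless that require is present somewhere in the load path; the file's header is not visible in the hunk, so this is worth confirming or adding `require 'time'` at the top of the file. `call`'s body continues outside the hunk.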
@@ -15,6 +15,31 @@ module EY
15
15
  uri.to_s
16
16
  end
17
17
 
18
+ def self.authenticate!(url, &lookup)
19
+ uri = URI.parse(url)
20
+ unless uri.query
21
+ raise HmacAuthFail, "Url has no query"
22
+ end
23
+ parameters = CGI.parse(uri.query)
24
+ signature = parameters["signature"]
25
+ unless signature
26
+ raise HmacAuthFail, "Url has no signature"
27
+ end
28
+ return false unless signature
29
+ signature = signature.first
30
+ if md = Regexp.new("AuthHMAC ([^:]+):(.+)$").match(signature)
31
+ access_key_id = md[1]
32
+ hmac = md[2]
33
+ secret = lookup.call(access_key_id)
34
+ unless authenticated?(url, access_key_id, secret)
35
+ raise HmacAuthFail, "Authentication failed for #{access_key_id}"
36
+ end
37
+ access_key_id
38
+ else
39
+ raise HmacAuthFail, "Incorrect signature"
40
+ end
41
+ end
42
+
18
43
  def self.authenticated?(url, auth_id, auth_key)
19
44
  uri = URI.parse(url)
20
45
  return false unless uri.query
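Review bot: The `unless signature` check and the `return false unless signature` line right after `CGI.parse` in `authenticate!` never fire, because `CGI.parse` returns a hash whose default value is an empty array, so a URL without a signature parameter reaches `signature.first` as nil and is only rejected later by the regexp branch with the misleading message "Incorrect signature"; the `return false` is unreachable and contradicts the method's raise-on-failure contract. Move the check after the `.first`: `signature = parameters["signature"].first` followed by `raise HmacAuthFail, "Url has no signature" unless signature`, and delete the `return false unless signature` line. The `secret` returned by `lookup` is passed to `authenticated?` unchecked; the spec's lookup returns `false` for an unknown id, and whether that ends in HmacAuthFail or some other exception depends on `authenticated?`, whose body continues outside the hunk, so an explicit `raise HmacAuthFail, "Unknown access key id #{access_key_id}" unless secret` would make the failure mode deterministic. `Regexp.new("AuthHMAC ([^:]+):(.+)$")` is recompiled on every call and is unanchored at the start; a frozen module-level constant anchored with `\A` would be cheaper and stricter.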
@@ -1,5 +1,5 @@
1
1
  module EY
2
2
  module ApiHMAC
3
- VERSION = "0.4.5"
3
+ VERSION = "0.4.6"
4
4
  end
5
5
  end
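--- a/data/spec/sso_spec.rb
+++ b/data/spec/sso_spec.rb
@@ -35,6 +35,39 @@ describe EY::ApiHMAC do
  EY::ApiHMAC::SSO.authenticated?(signed_url + 'a', @auth_id, @auth_key).should be_false
  end
 
+ describe "extracting auth_id and validating in the same call" do
+ before do
+ @auth_key_lookup = Proc.new do |auth_id|
+ (auth_id == @auth_id) && @auth_key
+ end
+ end
+ it "works" do
+ signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+ EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should eq @auth_id
+ end
+
+ it "unauthorized when url is tainted" do
+ signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+ signed_url.gsub!("bar","baz")
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should be_false
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ end
+
+ it "unauthorized with crappy urls" do
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test", &@auth_key_lookup)
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?foo=bar", &@auth_key_lookup)
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ lambda{
+ EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?signature=baz", &@auth_key_lookup)
+ }.should raise_error(EY::ApiHMAC::HmacAuthFail)
+ end
+
+ end
+
  it "can verify requests with no query as invalid" do
  EY::ApiHMAC::SSO.authenticated?("http://example.com/sign_test", @auth_id, @auth_key).should be_false
  end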
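Review bot: The `.should be_false` inside the lambda in "unauthorized when url is tainted" is dead code: `authenticate!` raises before the matcher runs, so the block body should be just `EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup)`. No example covers an access key id the lookup does not know, for which `@auth_key_lookup` returns `false`, so the failure mode for an unknown id (HmacAuthFail or some other exception from `authenticated?`) is not pinned by the suite; an example that signs with a different auth_id and expects `raise_error(EY::ApiHMAC::HmacAuthFail)` would close that gap.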
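--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
  --- !ruby/object:Gem::Specification
  name: ey_api_hmac
  version: !ruby/object:Gem::Version
- hash: 5
+ hash: 3
  prerelease:
  segments:
  - 0
  - 4
- - 5
- version: 0.4.5
+ - 6
+ version: 0.4.6
  platform: ruby
  authors:
  - "Jacob Burkhart & Thorben Schr\xC3\xB6der & David Calavera & others"
@@ -15,7 +15,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2012-03-23 00:00:00 Z
+ date: 2012-06-21 00:00:00 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rack-client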