ey_api_hmac 0.4.5 → 0.4.6
- data/lib/ey_api_hmac/api_auth.rb +1 -0
- data/lib/ey_api_hmac/sso.rb +25 -0
- data/lib/ey_api_hmac/version.rb +1 -1
- data/spec/sso_spec.rb +33 -0
- metadata +4 -4
data/lib/ey_api_hmac/api_auth.rb
CHANGED
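--- a/data/lib/ey_api_hmac/sso.rb
+++ b/data/lib/ey_api_hmac/sso.rb
@@ -15,6 +15,31 @@ module EY
 uri.to_s
 end
 
+def self.authenticate!(url, &lookup)
+uri = URI.parse(url)
+unless uri.query
+raise HmacAuthFail, "Url has no query"
+end
+parameters = CGI.parse(uri.query)
+signature = parameters["signature"]
+unless signature
+raise HmacAuthFail, "Url has no signature"
+end
+return false unless signature
+signature = signature.first
+if md = Regexp.new("AuthHMAC ([^:]+):(.+)$").match(signature)
+access_key_id = md[1]
+hmac = md[2]
+secret = lookup.call(access_key_id)
+unless authenticated?(url, access_key_id, secret)
+raise HmacAuthFail, "Authentication failed for #{access_key_id}"
+end
+access_key_id
+else
+raise HmacAuthFail, "Incorrect signature"
+end
+end
+
 def self.authenticated?(url, auth_id, auth_key)
 uri = URI.parse(url)
 return false unless uri.query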
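Review bot: The `unless signature` guard after `CGI.parse` never fires, because `CGI.parse` returns `[]` for an absent key, so a URL without a `signature` parameter only fails later when `Regexp#match(nil)` returns nil and the "Incorrect signature" branch is taken; the following `return false unless signature` is equally unreachable and contradicts this method's raise-on-failure contract. Change the extraction to `signature = parameters["signature"].first` and drop the `return false` line so "Url has no signature" is actually raised. Separately, when `lookup` returns nil or false for an unknown access key id (as the spec's lookup does), that value is handed straight to `authenticated?`; unless that method rejects a missing key itself — its body continues outside the hunk — a guard `raise HmacAuthFail, "Unknown access key #{access_key_id}" unless secret` before the call keeps the failure within the HmacAuthFail family instead of whatever the HMAC layer raises on a false key. `hmac = md[2]` is assigned but never used, and the regexp is anchored with `$` rather than `\z`, which only matters if the signature value can contain a newline.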
data/lib/ey_api_hmac/version.rb
CHANGED
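--- a/data/spec/sso_spec.rb
+++ b/data/spec/sso_spec.rb
@@ -35,6 +35,39 @@ describe EY::ApiHMAC do
 EY::ApiHMAC::SSO.authenticated?(signed_url + 'a', @auth_id, @auth_key).should be_false
 end
 
+describe "extracting auth_id and validating in the same call" do
+before do
+@auth_key_lookup = Proc.new do |auth_id|
+(auth_id == @auth_id) && @auth_key
+end
+end
+it "works" do
+signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should eq @auth_id
+end
+
+it "unauthorized when url is tainted" do
+signed_url = EY::ApiHMAC::SSO.sign(@url, @parameters, @auth_id, @auth_key)
+signed_url.gsub!("bar","baz")
+lambda{
+EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup).should be_false
+}.should raise_error(EY::ApiHMAC::HmacAuthFail)
+end
+
+it "unauthorized with crappy urls" do
+lambda{
+EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test", &@auth_key_lookup)
+}.should raise_error(EY::ApiHMAC::HmacAuthFail)
+lambda{
+EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?foo=bar", &@auth_key_lookup)
+}.should raise_error(EY::ApiHMAC::HmacAuthFail)
+lambda{
+EY::ApiHMAC::SSO.authenticate!("http://example.com/sign_test?signature=baz", &@auth_key_lookup)
+}.should raise_error(EY::ApiHMAC::HmacAuthFail)
+end
+
+end
+
 it "can verify requests with no query as invalid" do
 EY::ApiHMAC::SSO.authenticated?("http://example.com/sign_test", @auth_id, @auth_key).should be_false
 end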
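Review bot: The `.should be_false` inside the lambda of "unauthorized when url is tainted" is never evaluated, because `authenticate!` raises before returning; it reads as though a false return would be acceptable, so drop it and keep only the `raise_error` expectation, i.e. `EY::ApiHMAC::SSO.authenticate!(signed_url, &@auth_key_lookup)` inside the lambda. The new examples also never exercise the unknown-access-key path: the `before` lookup returns false for any id other than `@auth_id`, yet no example signs with one id and looks up another, so what `authenticate!` does with a false secret is left unpinned. I would add, under the same describe, `lambda { EY::ApiHMAC::SSO.authenticate!(signed_url) { |_id| nil } }.should raise_error(EY::ApiHMAC::HmacAuthFail)` so that a missing key is guaranteed to surface as HmacAuthFail rather than an error from the HMAC layer. The outer `describe EY::ApiHMAC do` block starts outside the hunk.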
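--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ey_api_hmac
 version: !ruby/object:Gem::Version
-hash:
+hash: 3
 prerelease:
 segments:
 - 0
 - 4
--
-version: 0.4.
+- 6
+version: 0.4.6
 platform: ruby
 authors:
 - "Jacob Burkhart & Thorben Schr\xC3\xB6der & David Calavera & others"
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-
+date: 2012-06-21 00:00:00 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rack-client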