faraday-middlewares-build_service 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 92109b8060adcc56c966e338975c922d8949fe84441fad5966b402f15d50eeeb
+  data.tar.gz: 8694e818cf0ac7ea9e3883c20bb924599c029bd34784c4347a3471272059c6e4
+SHA512:
+  metadata.gz: 385406c99d67586cf0d0f5ee44c393df80c3bef79e1dbfdd984b13f6747887cd6a566ed735841a9561e90ea4b8f2f1e08f8746fa4e970fb76a0b44f7798a1d72
+  data.tar.gz: f551de118fa165f3a4dd74aa0d016807bfa9faa0da05660ed5f43c3e6e388248b8ec911385c2a0b9a5b916794dfc72024c47b6933e25a46ecdaa57a48a7c97af

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/testdouble/standard
+ruby_version: 2.6

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2023-11-27
+
+- Initial release

data/Gemfile

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec
+
+gem "rake", "~> 13.0"
+
+group :development do
+  gem "standard", "~> 1.3"
+  gem "byebug"
+end
+
+group :test do
+  gem "webmock"
+  gem "rspec", "~> 3.0"
+  gem "rspec-github", require: false
+end

data/Gemfile.lock

@@ -0,0 +1,123 @@
+PATH
+  remote: .
+  specs:
+    faraday-middlewares-build_service (0.1.0)
+      faraday (~> 1.10)
+      http-cookie (~> 1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.5)
+      public_suffix (>= 2.0.2, < 6.0)
+    ast (2.4.2)
+    byebug (11.1.3)
+    crack (0.4.5)
+      rexml
+    diff-lcs (1.5.0)
+    domain_name (0.6.20231109)
+    faraday (1.10.3)
+      faraday-em_http (~> 1.0)
+      faraday-em_synchrony (~> 1.0)
+      faraday-excon (~> 1.1)
+      faraday-httpclient (~> 1.0)
+      faraday-multipart (~> 1.0)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.0)
+      faraday-patron (~> 1.0)
+      faraday-rack (~> 1.0)
+      faraday-retry (~> 1.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-em_http (1.0.0)
+    faraday-em_synchrony (1.0.0)
+    faraday-excon (1.1.0)
+    faraday-httpclient (1.0.1)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.2.0)
+    faraday-patron (1.0.0)
+    faraday-rack (1.0.0)
+    faraday-retry (1.0.3)
+    hashdiff (1.0.1)
+    http-cookie (1.0.5)
+      domain_name (~> 0.5)
+    json (2.6.3)
+    language_server-protocol (3.17.0.3)
+    lint_roller (1.1.0)
+    multipart-post (2.3.0)
+    parallel (1.23.0)
+    parser (3.2.2.4)
+      ast (~> 2.4.1)
+      racc
+    public_suffix (5.0.4)
+    racc (1.7.3)
+    rainbow (3.1.1)
+    rake (13.1.0)
+    regexp_parser (2.8.2)
+    rexml (3.2.6)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-github (2.4.0)
+      rspec-core (~> 3.0)
+    rspec-mocks (3.12.6)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.1)
+    rubocop (1.57.2)
+      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
+      parallel (~> 1.10)
+      parser (>= 3.2.2.4)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 3.0)
+    rubocop-ast (1.30.0)
+      parser (>= 3.2.1.0)
+    rubocop-performance (1.19.1)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    ruby-progressbar (1.13.0)
+    ruby2_keywords (0.0.5)
+    standard (1.32.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.57.2)
+      standard-custom (~> 1.0.0)
+      standard-performance (~> 1.2)
+    standard-custom (1.0.2)
+      lint_roller (~> 1.0)
+      rubocop (~> 1.50)
+    standard-performance (1.2.1)
+      lint_roller (~> 1.1)
+      rubocop-performance (~> 1.19.1)
+    unicode-display_width (2.5.0)
+    webmock (3.19.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  byebug
+  faraday-middlewares-build_service!
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rspec-github
+  standard (~> 1.3)
+  webmock
+
+BUNDLED WITH
+   2.4.10

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 SUSE
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,67 @@
+# Faraday::Middlewares::BuildService
+
+Provides a Faraday Middleware to interact with the [Open Build Service][obs].
+
+It'll automatically retry a request with the authentication mechanism requested by the Build Service.
+
+## Installation
+
+Install the gem and add to the application's Gemfile by executing:
+
+```bash
+$ bundle add faraday-middlewares-bs-auth
+```
+
+If bundler is not being used to manage dependencies, install the gem by executing:
+
+```bash
+$ gem install faraday-middlewares-bs-auth
+```
+
+## Requirements
+
+- `openssh` (for the `ssh-keygen` command).
+
+## Usage
+
+```ruby
+# For Basic Authentication
+credentials = {
+    username: 'my-user',
+    password: 'my-password'
+}
+
+# For SSH Signature authentication
+credentials = {
+    username: 'my-user',
+    ssh_key: '--- BEGIN ... KEY --- ...'
+}
+
+base_url = "https://build.opensuse.org/"
+
+client = Faraday.new(url: base_url) do |faraday|
+    faraday.use FaradayMiddleware::FollowRedirects
+    faraday.use Faraday::BuildService::Authentication, credentials: credentials
+end
+
+# then use faraday as usual:
+response = client.get('/about')
+puts response.headers
+puts response.body
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/SUSE/faraday-middlewares-build_service. This project is intended to be a safe, welcoming space for collaboration.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+[obs]: https://openbuildservice.org/

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "standard/rake"
+
+task default: %i[spec standard]

data/faraday-middlewares-build_service.gemspec

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative "lib/faraday/middlewares/build_service/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "faraday-middlewares-build_service"
+  spec.version = Faraday::Middlewares::BuildService::VERSION
+  spec.authors = ["Jose D. Gomez R."]
+  spec.email = ["jose.gomez@suse.com"]
+
+  spec.summary = "Plug-and-play authentication for requests against Build Service"
+  spec.description = <<~DESC
+    Faraday middleware to automatically negotiate authentication with Build Service instances.
+
+    It can handle: No, Basic, and, Signature authentication.
+  DESC
+  spec.homepage = "https://github.com/SUSE/faraday-middlewares-bs-auth"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/master/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) || f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "faraday", "~> 1.10"
+  spec.add_dependency "http-cookie", "~> 1.0"
+end

data/lib/faraday/middlewares/build_service/authentication.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "http-cookie"
+
+module Faraday
+  module Middlewares
+    module BuildService
+      class Authentication < Faraday::Middleware
+        include BuildService::HttpHelpers
+
+        # @param env [Faraday::Env]
+        # @param credentials [Hash]
+        def initialize(app, credentials: {})
+          super(app)
+
+          @username = credentials[:username]
+          @password = credentials[:password]
+          @ssh_key = credentials[:ssh_key]
+
+          reset!
+        end
+
+        def reset!
+          @cookie_jar = ::HTTP::CookieJar.new
+          @authorization = nil
+        end
+
+        # @param env [Faraday::Env]
+        def call(env)
+          request_body = env[:body]
+          super(env)
+        rescue BuildService::RetryWithAuthError
+          # after failure env[:body] is set to the response body
+          # see https://github.com/lostisland/faraday-retry/blob/main/lib/faraday/retry/middleware.rb
+          env[:body] = request_body
+          # retry only once
+          super(env)
+        end
+
+        # @param env [Faraday::Env]
+        def on_request(env)
+          # If we have a cookie, use it and skip setting any other header.
+          if (cookie = @cookie_jar.cookies(env.url) && cookie&.any?)
+            env.request_headers["cookie"] = ::HTTP::Cookie.cookie_value(cookie)
+            return
+          end
+
+          env.request_headers["Authorization"] = @authorization if @authorization
+        end
+
+        # @param env [Faraday::Env]
+        def on_complete(env)
+          # If we have get cookie, we just save it, nothing else to do.
+          if (cookie = env[:response_headers]["set-cookie"])
+            @cookie_jar.parse(cookie, env[:url]) and return
+          end
+
+          # if there's no challenge response, means we're good
+          return unless env[:response_headers]["www-authenticate"]
+
+          challenges = parse_authorization_header(env[:response_headers]["www-authenticate"])
+          # If there's a challenge response AND we did authorization, then we failed.
+          # Stop here and let the failure bubble up.
+          return if @authorization
+
+          # Do the authorization challenges
+          challenges.each do |type, details|
+            next do_basic_auth!(env, details) if type.to_s.casecmp("basic").zero?
+            next do_signature_auth!(env, details) if type.to_s.casecmp("signature").zero?
+
+            raise UnknownChallengeError.new("Unknown challenge #{type}: #{details.inspect}")
+          end
+
+          # Signal to #call that we need to retry the request.
+          raise BuildService::RetryWithAuthError.new("Retry!")
+        end
+
+        # @param env [Faraday::Env]
+        # @param _details [Hash]
+        def do_basic_auth!(_env, _details)
+          raise MissingCredentialsError.new("Missing Username / Password") unless @username || @password
+
+          # Build an HTTP Basic Auth header
+          value = Base64.encode64([@username, @password].join(":"))
+          value.delete!("\n")
+          @authorization = "Basic #{value}"
+        end
+
+        # @param env [Faraday::Env]
+        # @param _details [Hash]
+        def do_signature_auth!(env, details)
+          raise MissingCredentialsError.new("Missing Username / SSH Key") unless @username || @ssh_key
+
+          # Build an HTTP Signature Auth header
+          payload = SshSigner.new(details, env[:response_headers], credentials: {
+            username: @username,
+            password: @password,
+            ssh_key: @ssh_key
+          }).generate
+          @authorization = "Signature #{payload}"
+        end
+      end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/base_error.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Faraday
+  module Middlewares
+    module BuildService
+      class BaseError < StandardError; end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/http_helpers.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+module Faraday
+  module Middlewares
+    module BuildService
+      # Collection of low level HTTP Helpers
+      module HttpHelpers
+        # Convert a list of pairs into signature string format
+        #
+        # @param pairs   [Array of [String, String]] String pairs to format
+        #
+        # As per the last part of
+        # https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12#section-2.3
+        # the format is:
+        #
+        # header: value -- for static http headers
+        def pairs_to_payload(pairs)
+          pairs.map { |k, v| "#{k}: #{v}" }.join("\n")
+        end
+
+        # Convert a list of pairs into signature string format
+        #
+        # @param pairs   [Array of [String, String]] String pairs to format
+        #
+        # As per the last part of
+        # https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12#section-2.3
+        # the format is:
+        #
+        # header: value -- for static http headers
+        def pairs_to_quoted_string(pairs)
+          pairs.map do |key, value|
+            value = value.to_s.gsub('"', '\\"') # escape inner quotes
+            %(#{key}="#{value}")
+          end.join(",")
+        end
+
+        # Parse an http header list into a ruby list. This is not a regexable (at
+        # least not a simple regex can do it so far) since the quoted values can
+        # have commas. Is written as a tokenizer for this reason.
+        #
+        # @param list_string [String] HTTP List string
+        #
+        # example input: 'Signature realm="Use your developer account",headers="(created)", Basic realm="somerealm"'
+        #
+        # example output: ['Signature realm="Use your developer account"', 'headers="(created)"', 'Basic realm="somerealm"']
+        def parse_list_header(list_string)
+          res = []
+          part = ""
+          escape = quote = false
+
+          list_string.each_char do |char|
+            # if in escape mode, add the escaped character and reset
+            # the escape flag.
+            if escape
+              part += char
+              escape = false
+              next
+            end
+
+            # if in quote mode
+            if quote
+              case char
+              # check for a escape sequence and skip the escape character
+              when "\\"
+                escape = true
+                next
+              # check a quote and disable quote mode
+              when '"'
+                quote = false
+              end
+
+              # add the character to the part but don't process anything further
+              # quoted commas are meant to be kept as values
+              part += char
+              next
+            end
+
+            # in normal case
+            case char
+            # comma is a signal for a new item, save the current part & reset.
+            when ","
+              res << part
+              part = ""
+              next
+            # quote enables quote mode
+            when '"'
+              quote = true
+            end
+
+            # add the character to the part
+            part += char
+          end
+
+          # if there's any pending part, add it to the final result
+          if part
+            res << part
+          end
+
+          # strip the surrounding spaces & remove the empty items
+          res.map(&:strip).reject(&:empty?)
+        end
+
+        # Parse an WWW-Authenticate Header a hash of challenges
+        #
+        # @param header [String] WWW-Authenticate Header
+        #
+        # The WWW-Authenticate grammar is defined in
+        # https://datatracker.ietf.org/doc/html/rfc7235#section-4.1
+        #
+        # given this input: 'Signature realm="yourealm",headers="abcdef"'
+        # it returns
+        # { Signature: {realm: "yourealm", headers: "abcdef"} }
+        #
+        # This implementation is generic enough to get information about multiple
+        # challenges as long as they're not the same.
+        def parse_authorization_header(header)
+          result = {}
+          current_section = nil
+
+          parse_list_header(header).each do |item|
+            result[item] = nil and next unless item.include?("=")
+
+            name, value = item.split("=", 2)
+
+            if name.include?(" ")
+              current_section, name = name.split(" ", 2)
+            end
+
+            if value[0] == value[-1] && value[0] == '"'
+              value = unquote(value[1..])
+            end
+
+            (result[current_section.to_sym] ||= {})[name.to_sym] = value
+          end
+
+          result
+        end
+
+        # Remove quotes from string
+        #
+        # @param string [String] String to be unquoted
+        def unquote(string)
+          s = string.dup
+
+          case string[0, 1]
+          when "'", '"', "`"
+            s[0] = ""
+          end
+
+          case string[-1, 1]
+          when "'", '"', "`"
+            s[-1] = ""
+          end
+
+          s
+        end
+      end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/missing_credentials_error.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Faraday
+  module Middlewares
+    module BuildService
+      class MissingCredentialsError < BaseError; end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/retry_with_auth_error.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Faraday
+  module Middlewares
+    module BuildService
+      class RetryWithAuthError < BaseError; end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/ssh_signer.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require "open3"
+module Faraday
+  module Middlewares
+    module BuildService
+      class SshSigner
+        include HttpHelpers
+        # Initalizes the signer
+        #
+        # @param challenge_params   [Hash] WWW-Authenticate header parameters.
+        # @param headers            [Hash] Request headers
+        # @param credentials        [Hash] Credentials to sign the request
+        #                                    Is expected to have :username & :ssh_key.
+        # @param challenge_context  [String] Additional context headers for the challenge.
+        #
+        #     challenge_params keys are:
+        #       :realm => The realm to perform authentication on.
+        #       :headers => a string list of headers to be used.
+        def initialize(challenge_params, headers, credentials: {}, challenge_context: {})
+          @headers = headers
+          @credentials = credentials
+          # The challenge is formatted according to RFC7235 section 4.1
+          # https://datatracker.ietf.org/doc/html/rfc7235#section-4.1
+          # www-authenticate: 'Signature realm="Use your developer account",headers="(created)"'
+          #
+          # This signer does only process Signature challenge
+          @challenge_params = challenge_params
+
+          created = Time.now.to_i
+          # funny tip: you can bucket requests into 5 min blocks and the signature
+          # will still be constant & valid.
+          # created = created - (created % 300)
+          @challenge_context = {
+            created: created
+          }.update(challenge_context)
+
+          # As per RFC Signing HTTP Messages draft-cavage-http-signatures-12 section
+          # 2.3. At the very least `(created)` header (and `(request-target)` but Build
+          # Service implementation doesn't include it) should be provided to the
+          # signature string.
+
+          # (created) represents a unix timestamp that must be provided into the
+          # final signature for the server to validate.
+        end
+
+        # Generate Signature
+        #
+        # as per https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12#section-2.1
+        #
+        # a `signing_string` is created based on the headers that the challenge demands
+        # the format for such signing_string (also referred as payload) is:
+        #
+        # (calculated header): %value%\n
+        # host: your.host
+        #
+        # the \n is to show that a newline is needed there. Then this full string is
+        # passed to the signing algorithm, in the build service case is:
+        #
+        # ssh-keygen -Y sign -f "%path-to-privk%" -n "%realm%" -q <<< "signing string"
+        #
+        # the result of that signature is in OpenSSH Signature format. Delimiters are
+        # removed & newlines stripped.
+        #
+        # This final result along with the parameters used to generate the signature
+        # are concatenated in an HTTP List format and returned to the caller to use.
+        def generate
+          # first listify the headers in the challenge. As the spec
+          @challenge_params[:headers] ||= "(created)"
+
+          headers = @challenge_params[:headers].split
+
+          # Iterate through it to build the singing string
+          payload_pairs = headers.map do |header|
+            value = if header.include?("(")
+              # if it's a calculated header (surrounded by parenthesis), look for it
+              # in the challenge_context
+              @challenge_context[header.tr("()", "").to_sym]
+            else
+              # else look for it in the given headers
+              @headers[header]
+            end
+
+            [header, value]
+          end
+
+          # Build the signing string
+          signing_string = pairs_to_payload(payload_pairs)
+
+          # remove parenthesis from the headers to append to the signature parameters
+          payload_pairs = payload_pairs.map do |key, value|
+            key = key.tr("()", "")
+            [key, value]
+          end
+
+          # sign with the provided realm (or empty if not present)
+          signature = ssh_sign(signing_string, @challenge_params[:realm] || "", @credentials[:ssh_key])
+
+          # Build all signature parameters
+          signature_parameters = [
+            ["keyId", @credentials[:username]],
+            ["algorithm", "ssh"],
+            ["signature", signature],
+            ["headers", @challenge_params[:headers]],
+            *payload_pairs
+          ]
+
+          # build the HTTP quoted list & return
+          pairs_to_quoted_string(signature_parameters)
+        end
+
+        # Sign a given payload pertaining to a specific realm
+        #
+        # @param payload [String] Payload to sign
+        # @param realm   [String] Realm or Purpose (see man ssh-keygen section -Y sign)
+        # @param ssh_key [Hash] SSH Private key to use in the singing
+        #
+        # The SSH Privatekey will briefly be materialized as a file in the filesystem
+        # for SSH to be able to pick it up and sign the payload.
+        #
+        # Then it'll be removed
+        def ssh_sign(payload, realm, ssh_key)
+          Tempfile.create("ssh-key", Rails.root.join("tmp/")) do |file|
+            file.write(ssh_key)
+            file.flush # force IO flush
+
+            cmd = ["ssh-keygen", "-Y", "sign", "-f", file.path.to_s, "-q", "-n", realm]
+            stdout, stderr, process_status = Open3.capture3({}, *cmd, stdin_data: payload)
+            raise "cannot sign: #{stderr}" unless process_status.to_i.zero?
+
+            # remove the surrounding --- blocks & join in one single line
+            signature = stdout.split("\n").slice(1..-2).join.presence
+
+            # this should never happen, ssh-keygen ALWAYS returns an armored format or fail
+            unless signature
+              raise "cannot sign: bad output"
+            end
+
+            signature
+          end
+        end
+      end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/unknown_challenge_error.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Faraday
+  module Middlewares
+    module BuildService
+      class UnknownChallengeError < BaseError; end
+    end
+  end
+end

data/lib/faraday/middlewares/build_service/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Faraday
+  module Middlewares
+    module BuildService
+      VERSION = "0.1.0"
+    end
+  end
+end

data/lib/faraday/middlewares/build_service.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative "build_service/version"
+
+require_relative "build_service/base_error"
+require_relative "build_service/missing_credentials_error"
+require_relative "build_service/retry_with_auth_error"
+require_relative "build_service/unknown_challenge_error"
+
+require_relative "build_service/http_helpers"
+require_relative "build_service/ssh_signer"
+
+require_relative "build_service/authentication"

metadata

@@ -0,0 +1,95 @@
+--- !ruby/object:Gem::Specification
+name: faraday-middlewares-build_service
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jose D. Gomez R.
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2023-11-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: http-cookie
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: |
+  Faraday middleware to automatically negotiate authentication with Build Service instances.
+
+  It can handle: No, Basic, and, Signature authentication.
+email:
+- jose.gomez@suse.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".standard.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- faraday-middlewares-build_service.gemspec
+- lib/faraday/middlewares/build_service.rb
+- lib/faraday/middlewares/build_service/authentication.rb
+- lib/faraday/middlewares/build_service/base_error.rb
+- lib/faraday/middlewares/build_service/http_helpers.rb
+- lib/faraday/middlewares/build_service/missing_credentials_error.rb
+- lib/faraday/middlewares/build_service/retry_with_auth_error.rb
+- lib/faraday/middlewares/build_service/ssh_signer.rb
+- lib/faraday/middlewares/build_service/unknown_challenge_error.rb
+- lib/faraday/middlewares/build_service/version.rb
+homepage: https://github.com/SUSE/faraday-middlewares-bs-auth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/SUSE/faraday-middlewares-bs-auth
+  source_code_uri: https://github.com/SUSE/faraday-middlewares-bs-auth
+  changelog_uri: https://github.com/SUSE/faraday-middlewares-bs-auth/blob/master/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key: 
+specification_version: 4
+summary: Plug-and-play authentication for requests against Build Service
+test_files: []