galetahub-api-sigv2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 52becac90c26c1d17bd80aaf90908b1fc2e0b04f5c8b47cc51d2a8ce519f7c98
+  data.tar.gz: 8b8d28cc1f3c97d2e5a0dbc093b48563f7a03c99ad8477a768333fb5a8fc3996
+SHA512:
+  metadata.gz: 32085ab3aa761531c2e85676a4346a63eddbd33b1fdfc05300dbb06cc79c671eb61b03c5e58a38f48791c524096240d5696d5046bbef46d491e2881a60d6ebb0
+  data.tar.gz: abf526249bab793a86bfd26203a24d4f389d4a12b57655512652860ab8ced50bc50155f0c436261fb5f4d726614d1e39e851919cbbac9e29832f74b086e3bec3

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,34 @@
+AllCops:
+  TargetRubyVersion: 2.5.5
+  Exclude:
+    - "bin/*"
+    - "Guardfile"
+
+##################### Styles ##################################
+
+Style/Documentation:
+  Enabled: false
+
+Style/SymbolArray:
+  Enabled: false
+
+##################### Metrics ##################################
+
+Metrics/LineLength:
+  Max: 110
+
+Metrics/ClassLength:
+  Max: 200
+
+Metrics/ModuleLength:
+  Max: 200
+  Exclude:
+    - "**/*_spec.rb"
+
+Metrics/BlockLength:
+  Max: 50
+  Exclude:
+    - "**/*_spec.rb"
+
+Metrics/MethodLength:
+  Max: 15

data/.ruby-version

@@ -0,0 +1 @@
+2.5.5

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.4
+before_install: gem install bundler -v 1.15.4

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in api_sigv2.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,70 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+## Uncomment and set this to only include directories you want to watch
+# directories %w(app lib config test spec features) \
+#  .select{|d| Dir.exists?(d) ? d : UI.warning("Directory #{d} does not exist")}
+
+## Note: if you are using the `directories` clause above and you are not
+## watching the project directory ('.'), then you will want to move
+## the Guardfile to a watched dir and symlink it back, e.g.
+#
+#  $ mkdir config
+#  $ mv Guardfile config/
+#  $ ln -s config/Guardfile .
+#
+# and, you'll have to watch "config/Guardfile" instead of "Guardfile"
+
+# Note: The cmd option is now required due to the increasing number of ways
+#       rspec may be run, below are examples of the most common uses.
+#  * bundler: 'bundle exec rspec'
+#  * bundler binstubs: 'bin/rspec'
+#  * spring: 'bin/rspec' (This will use spring if running and you have
+#                          installed the spring binstubs per the docs)
+#  * zeus: 'zeus rspec' (requires the server to be started separately)
+#  * 'just' rspec: 'rspec'
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # Feel free to open issues for suggestions and improvements
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+
+  # Rails files
+  rails = dsl.rails(view_extensions: %w(erb haml slim))
+  dsl.watch_spec_files_for(rails.app_files)
+  dsl.watch_spec_files_for(rails.views)
+
+  watch(rails.controllers) do |m|
+    [
+      rspec.spec.call("routing/#{m[1]}_routing"),
+      rspec.spec.call("controllers/#{m[1]}_controller"),
+      rspec.spec.call("acceptance/#{m[1]}")
+    ]
+  end
+
+  # Rails config changes
+  watch(rails.spec_helper)     { rspec.spec_dir }
+  watch(rails.routes)          { "#{rspec.spec_dir}/routing" }
+  watch(rails.app_controller)  { "#{rspec.spec_dir}/controllers" }
+
+  # Capybara features specs
+  watch(rails.view_dirs)     { |m| rspec.spec.call("features/#{m[1]}") }
+  watch(rails.layouts)       { |m| rspec.spec.call("features/#{m[1]}") }
+
+  # Turnip features and steps
+  watch(%r{^spec/acceptance/(.+)\.feature$})
+  watch(%r{^spec/acceptance/steps/(.+)_steps\.rb$}) do |m|
+    Dir[File.join("**/#{m[1]}.feature")][0] || "spec/acceptance"
+  end
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Igor Malinovskiy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,177 @@
+# ApiSigv2
+
+Simple HMAC-SHA1 authentication via headers. Impressed by [AWS Requests with Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html)
+
+This gem will generate signature for the client requests and verify that signature on the server side
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'api_sigv2'
+```
+
+## Usage
+
+The usage is pretty simple. To sign a request use ApiSigv2::Signer and for validation use ApiSigv2::Validator.
+
+### Create signature
+
+Sign a request with 'authorization' header. You can change header name, see Configuration section.
+
+```ruby
+api_access_key = 'access_key'
+api_secret_key = 'secret_key'
+
+request = {
+  http_method: 'POST',
+  url: 'https://example.com/posts',
+  headers: {
+    'User-Agent' => 'Test agent'
+  },
+  body: 'body'
+}
+
+# Sign your request
+signature = ApiSigv2::Signer.new(api_access_key, api_secret_key).sign_request(request)
+
+# Now apply signed headers to your real request
+signature.headers
+
+# signature.headers looks like:
+{
+  "host"=>"example.com",
+  "x-datetime"=>"2020-01-02T10:24:59.837+0000",
+  "authorization"=>"API-HMAC-SHA256 Credential=access_key/20200102/web/api_request, SignedHeaders=host;user-agent;x-datetime, Signature=032fc0b7defd66d86ef43ced8e6c3ee351ede21deca6bf1f89b9145f7a9105c1"
+}
+```
+
+### Validate signature
+
+Validate the request on the client-side. Note, that access_key can be extracted from the request.
+
+```ruby
+# the request to validate
+request = {
+  :http_method=>"POST",
+  :url=>"https://example.com/posts",
+  :headers=>{
+    "User-Agent"=>"Test agent",
+    "host"=>"example.com",
+    "x-datetime"=>"2020-01-02T10:24:59.837+0000",
+    "authorization"=>"API-HMAC-SHA256 Credential=access_key/20200102/web/api_request, SignedHeaders=host;user-agent;x-datetime, Signature=032fc0b7defd66d86ef43ced8e6c3ee351ede21deca6bf1f89b9145f7a9105c1"
+  },
+  :body=>"body"
+}
+
+# initialize validator with a request to validate
+validator = ApiSigv2::Validator.new(request)
+
+# get access key from request headers (String)
+validator.access_key
+
+# validate the request (Boolean)
+validator.valid?('your secret key here')
+
+# get only signed headers (Hash)
+validator.signed_headers
+```
+
+## Configuration
+
+By default, the generated signature will be valid for 5 minutes
+This could be changed via initializer:
+
+```ruby
+# config/initializers/api_sigv2.rb
+
+ApiSigv2.setup do |config|
+  # Time to live, by default 5 minutes
+  config.signature_ttl = 5 * 60
+
+  # Datetime format, by default iso8601
+  config.datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+
+  # Header name, by default authorization
+  config.signature_header = 'authorization'
+
+  # Service name, by default web
+  config.service = 'web'
+end
+```
+
+## Testing
+
+In your `rails_helper.rb`:
+
+```ruby
+require 'api_sigv2/spec_support/helper'
+
+RSpec.configure do |config|
+  config.include ApiSigv2::SpecSupport::Helper, type: :controller
+end
+```
+
+This will enable the following methods in controller tests:
+
+* get_with_signature(client, action_name, params = {})
+* post_with_signature(client, action_name, params = {})
+* put_with_signature(client, action_name, params = {})
+* patch_with_signature(client, action_name, params = {})
+* delete_with_signature(client, action_name, params = {})
+
+`client` object should respond to `#api_key` and `#api_secret`
+
+Example usage:
+
+```ruby
+RSpec.describe Api::V1::OrdersController do
+  let(:client) { FactoryBot.create(:client) }
+  # or any object, that responds to #api_key and #api_secret
+  # let(:client) { OpenStruct.new(api_key: 'some_key', api_secret: 'some_api_secret') }
+
+  it 'should filter orders by state' do
+    get_with_signature client, :index, state: :paid
+
+    expect(last_response.status).to eq 200
+    expect(last_response.body).to have_node(:orders)
+    expect(last_response.body).to have_node(:state).with('paid')
+  end
+
+  let(:order_attributes) { FactoryBot.attributes_for(:order) }
+
+  it 'should create new order' do
+    post_with_signature client, :create, order: order_attributes
+  end
+end
+```
+
+For nested resources path can be specified explicitly using `path` parameter:
+
+```ruby
+# path: /api/v1/orders/:order_id/comments
+
+RSpec.describe Api::V1::CommentsController do
+  let(:client) { OpenStruct.new(api_key: 'some_key', api_secret: 'some_api_secret') }
+  let(:order) { FactoryBot.create(:order) }
+
+  it 'should update comment for order' do
+    put_with_signature client, :update, path: { order_id: order.id }, comment: { content: 'Some value' }
+  end
+end
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/api_sigv2.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/api_sigv2.gemspec

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'api_sigv2/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'galetahub-api-sigv2'
+  spec.version       = ApiSigv2::VERSION
+  spec.authors       = ['Igor Galeta']
+  spec.email         = ['galeta.igor@gmail.com']
+
+  spec.summary       = 'Sign API requests with HMAC signature'
+  spec.homepage      = 'https://github.com/galetahub/api_signature'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'guard-rspec', '~> 4.7', '>= 4.7.3'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rb-fsevent', '0.9.8'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "api_sigv2"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/api_sigv2.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'api_sigv2/version'
+require 'api_sigv2/configuration'
+
+module ApiSigv2
+  autoload :Builder, 'api_sigv2/builder'
+  autoload :Validator, 'api_sigv2/validator'
+  autoload :Signer, 'api_sigv2/signer'
+  autoload :Signature, 'api_sigv2/signature'
+  autoload :AuthHeader, 'api_sigv2/auth_header'
+  autoload :Utils, 'api_sigv2/utils'
+
+  class << self
+    attr_writer :configuration
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.reset
+    @configuration = Configuration.new
+  end
+
+  # @example
+  #   ApiSigv2.setup do |config|
+  #     config.signature_ttl = 2.minutes
+  #   end
+  #
+  def self.setup
+    yield configuration
+  end
+end

data/lib/api_sigv2/auth_header.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module ApiSigv2
+  class AuthHeader
+    attr_reader :authorization
+
+    TOKEN_REGEX = /^(API-HMAC-SHA256)\s+/.freeze
+    AUTHN_PAIR_DELIMITERS = /(?:,|\t+)/.freeze
+
+    def initialize(authorization)
+      @authorization = authorization.to_s
+    end
+
+    def credential
+      data[0]
+    end
+
+    def signature
+      options['Signature']
+    end
+
+    def signed_headers
+      return [] unless options['SignedHeaders']
+
+      @signed_headers ||= options['SignedHeaders'].split(/;\s?/).map(&:strip)
+    end
+
+    def options
+      @options ||= (data[1] || {})
+    end
+
+    private
+
+    def data
+      @data ||= (parse_token_with_options || [])
+    end
+
+    def parse_token_with_options
+      return unless authorization[TOKEN_REGEX]
+
+      params = token_params_from authorization
+      [params.shift[1], Hash[params]]
+    end
+
+    def token_params_from(auth)
+      rewrite_param_values params_array_from raw_params(auth)
+    end
+
+    def raw_params(auth)
+      auth.sub(TOKEN_REGEX, '').split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+    end
+
+    def params_array_from(raw_params)
+      raw_params.map { |param| param.split(/=(.+)?/) }
+    end
+
+    def rewrite_param_values(array_params)
+      array_params.each { |param| (param[1] || +'').gsub!(/^"|"$/, '') }
+    end
+  end
+end

data/lib/api_sigv2/builder.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'uri'
+
+module ApiSigv2
+  class Builder
+    attr_reader :settings
+
+    SPLITTER = "\n"
+
+    def initialize(settings = {}, unsigned_headers = [])
+      @settings = settings
+      @unsigned_headers = unsigned_headers
+    end
+
+    def http_method
+      @http_method ||= extract_http_method
+    end
+
+    def uri
+      @uri ||= extract_uri
+    end
+
+    def host
+      @host ||= extract_host_from_uri
+    end
+
+    def headers
+      @headers ||= Utils.normalize_keys(settings[:headers])
+    end
+
+    def datetime
+      @datetime ||= extract_datetime
+    end
+
+    def date
+      @date ||= datetime.to_s.scan(/\d/).take(8).join
+    end
+
+    def content_sha256
+      @content_sha256 ||= Utils.sha256_hexdigest(body)
+    end
+
+    def body
+      @body ||= (settings[:body] || '')
+    end
+
+    def build_sign_headers(apply_checksum_header = false)
+      @sign_headers = {
+        'host' => host,
+        'x-datetime' => datetime
+      }
+      @sign_headers['x-content-sha256'] = content_sha256 if apply_checksum_header
+      @sign_headers
+    end
+
+    def full_headers
+      @full_headers ||= merge_sign_with_origin_headers
+    end
+
+    def signed_headers
+      @signed_headers ||= full_headers.reject { |key, _value| @unsigned_headers.include?(key) }
+    end
+
+    def signed_headers_names
+      @signed_headers_names ||= signed_headers.keys.sort.join(';')
+    end
+
+    def canonical_request(path)
+      [
+        http_method,
+        path,
+        Utils.normalized_querystring(uri.query),
+        canonical_headers + SPLITTER,
+        signed_headers_names,
+        content_sha256
+      ].join(SPLITTER)
+    end
+
+    private
+
+    def extract_http_method
+      raise ArgumentError, 'missing required option :http_method' unless settings[:http_method]
+
+      settings[:http_method].to_s.upcase
+    end
+
+    def extract_uri
+      raise ArgumentError, 'missing required option :url' unless settings[:url]
+
+      URI.parse(settings[:url].to_s)
+    end
+
+    def extract_host_from_uri
+      if Utils.standard_port?(uri)
+        uri.host
+      else
+        "#{uri.host}:#{uri.port}"
+      end
+    end
+
+    def extract_datetime
+      headers['x-datetime'] || Time.now.utc.strftime(ApiSigv2.configuration.datetime_format)
+    end
+
+    def merge_sign_with_origin_headers
+      raise ArgumentError, 'missing required variable sign_headers' unless @sign_headers
+
+      # merge so we do not modify given headers hash
+      headers.merge(@sign_headers)
+    end
+
+    def canonical_headers
+      signed_headers.sort_by(&:first)
+                    .map { |k, v| "#{k}:#{Utils.canonical_header_value(v.to_s)}" }
+                    .join(SPLITTER)
+    end
+  end
+end

data/lib/api_sigv2/configuration.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module ApiSigv2
+  class Configuration
+    attr_accessor :signature_ttl, :signature_header, :datetime_format, :service
+
+    def initialize
+      @signature_ttl = 5 * 60
+      @datetime_format = '%Y-%m-%dT%H:%M:%S.%L%z'
+      @signature_header = 'authorization'
+      @service = 'web'
+    end
+  end
+end

data/lib/api_sigv2/signature.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ApiSigv2
+  class Signature
+    # @return [Hash<String,String>] A hash of headers that should
+    #   be applied to the HTTP request. Header keys are lower
+    #   cased strings and may include the following:
+    #
+    #   * 'host'
+    #   * 'x-date'
+    #   * 'x-content-sha256'
+    #   * 'authorization'
+    #
+    attr_reader :headers
+
+    # @return [String] For debugging purposes.
+    attr_reader :canonical_request
+
+    # @return [String] For debugging purposes.
+    attr_reader :string_to_sign
+
+    # @return [String] For debugging purposes.
+    attr_reader :content_sha256
+
+    # @return [String] For debugging purposes.
+    attr_reader :signature
+
+    def initialize(attributes)
+      attributes.each do |key, value|
+        instance_variable_set("@#{key}", value)
+      end
+    end
+  end
+end

data/lib/api_sigv2/signer.rb

@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module ApiSigv2
+  # The signer requires secret key.
+  #
+  #     signer = ApiSigv2::Signer.new('access key', 'secret key', uri_escape_path: true)
+  #
+  class Signer
+    NAME = 'API-HMAC-SHA256'
+
+    # Options:
+    # @option options [Array<String>] :unsigned_headers ([]) A list of
+    #   headers that should not be signed. This is useful when a proxy
+    #   modifies headers, such as 'User-Agent', invalidating a signature.
+    #
+    # @option options [Boolean] :uri_escape_path (true) When `true`,
+    #   the request URI path is uri-escaped as part of computing the canonical
+    #   request string.
+    #
+    # @option options [Boolean] :apply_checksum_header (false) When `true`,
+    #   the computed content checksum is returned in the hash of signature
+    #   headers.
+    #
+    # @option options [String] :signature_header (authorization) Header name
+    #   for signature
+    #
+    # @option options [String] :service (web) Service name
+    #
+    def initialize(access_key, secret_key, options = {})
+      @access_key = access_key
+      @secret_key = secret_key
+      @options = options
+    end
+
+    # Computes a signature. Returns the resultant
+    # signature as a hash of headers to apply to your HTTP request. The given
+    # request is not modified.
+    #
+    #     signature = signer.sign_request(
+    #       http_method: 'PUT',
+    #       url: 'https://domain.com',
+    #       headers: {
+    #         'Abc' => 'xyz',
+    #       },
+    #       body: 'body' # String or IO object
+    #     )
+    # @param [Hash] request
+    #
+    # @option request [required, String] :http_method One of
+    #   'GET', 'HEAD', 'PUT', 'POST', 'PATCH', or 'DELETE'
+    #
+    # @option request [required, String, URI::HTTPS, URI::HTTP] :url
+    #   The request URI. Must be a valid HTTP or HTTPS URI.
+    #
+    # @option request [optional, Hash] :headers ({}) A hash of headers
+    #   to sign. If the 'X-Amz-Content-Sha256' header is set, the `:body`
+    #   is optional and will not be read.
+    #
+    # @option request [optional, String, IO] :body ('') The HTTP request body.
+    #   A sha256 checksum is computed of the body unless the
+    #   'X-Amz-Content-Sha256' header is set.
+    #
+    # @return [Signature] Return an instance of {Signature} that has
+    #   a `#headers` method. The headers must be applied to your request.
+    def sign_request(request)
+      builder = Builder.new(request, unsigned_headers)
+      sig_headers = builder.build_sign_headers(apply_checksum_header?)
+      data = build_signature(builder)
+
+      # apply signature
+      sig_headers[signature_header_name] = data[:header]
+
+      # Returning the signature components.
+      Signature.new(data.merge!(headers: sig_headers))
+    end
+
+    private
+
+    def uri_escape_path?
+      @options[:uri_escape_path] == true || !@options.key?(:uri_escape_path)
+    end
+
+    def apply_checksum_header?
+      @options[:apply_checksum_header] == true
+    end
+
+    def signature_header_name
+      @options[:signature_header] || ApiSigv2.configuration.signature_header
+    end
+
+    def service
+      @options[:service] || ApiSigv2.configuration.service
+    end
+
+    def unsigned_headers
+      @unsigned_headers ||= build_unsigned_headers
+    end
+
+    def build_unsigned_headers
+      Set.new(@options.fetch(:unsigned_headers, []).map(&:downcase)) << signature_header_name
+    end
+
+    def build_signature(builder)
+      path = Utils.url_path(builder.uri.path, uri_escape_path?)
+
+      # compute signature parts
+      creq = builder.canonical_request(path)
+      sts = string_to_sign(builder.datetime, creq)
+      sig = signature(builder.date, sts)
+
+      {
+        header: build_signature_header(builder, sig),
+        content_sha256: builder.content_sha256,
+        string_to_sign: sts,
+        canonical_request: creq,
+        signature: sig
+      }
+    end
+
+    def build_signature_header(builder, signature)
+      [
+        "#{NAME} Credential=#{credential(builder.date)}",
+        "SignedHeaders=#{builder.signed_headers_names}",
+        "Signature=#{signature}"
+      ].join(', ')
+    end
+
+    def string_to_sign(datetime, canonical_request)
+      [
+        NAME,
+        datetime,
+        Utils.sha256_hexdigest(canonical_request)
+      ].join(Builder::SPLITTER)
+    end
+
+    def signature(date, string_to_sign)
+      k_date = Utils.hmac("API#{@secret_key}", date)
+      k_service = Utils.hmac(k_date, service)
+      k_credentials = Utils.hmac(k_service, 'api_request')
+
+      Utils.hexhmac(k_credentials, string_to_sign)
+    end
+
+    def credential(date)
+      "#{@access_key}/#{date}/#{service}/api_request"
+    end
+  end
+end

data/lib/api_sigv2/spec_support/helper.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'api_sigv2/spec_support/path_builder'
+require 'api_sigv2/spec_support/headers_builder'
+
+module ApiSigv2
+  module SpecSupport
+    module Helper
+      include Rack::Test::Methods
+
+      def app
+        Rails.app_class
+      end
+
+      def get_with_signature(client, *args)
+        with_signature(:get, client.api_key, client.api_secret, *args)
+      end
+
+      def post_with_signature(client, *args)
+        with_signature(:post, client.api_key, client.api_secret, *args)
+      end
+
+      def put_with_signature(client, *args)
+        with_signature(:put, client.api_key, client.api_secret, *args)
+      end
+
+      alias patch_with_signature put_with_signature
+
+      def delete_with_signature(client, *args)
+        with_signature(:delete, client.api_key, client.api_secret, *args)
+      end
+
+      private
+
+      def with_signature(http_method, api_key, secret, action_name, params = {})
+        custom_headers = (params.delete(:headers) || {})
+        path = PathBuilder.new(controller, action_name, params).path
+
+        signature = Signer.new(api_key, secret).sign_request(
+          http_method: http_method.to_s.upcase,
+          url: path,
+          headers: custom_headers
+        )
+
+        send(http_method, path, params, signature.headers)
+      end
+    end
+  end
+end

data/lib/api_sigv2/spec_support/path_builder.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module ApiSigv2
+  module SpecSupport
+    class PathBuilder
+      attr_reader :controller, :action_name, :params
+
+      PRIMARY_KEYS = [:id, :token].freeze
+
+      def initialize(controller, action_name, params = {})
+        @controller = controller
+        @action_name = action_name
+        @params = params
+      end
+
+      def path
+        if params[:path].present?
+          hash = params.delete(:path)
+          url_options.merge!(hash)
+          params.merge!(hash)
+        end
+
+        controller.url_for(url_options)
+      end
+
+      private
+
+      def url_options
+        @url_options ||= {
+          action: action_name,
+          controller: controller.controller_path,
+          only_path: true
+        }.merge(key_options || {})
+      end
+
+      def key_options
+        key = (params.keys.map(&:to_sym) & PRIMARY_KEYS).first
+        { key => params[key] } if params[key].present?
+      end
+    end
+  end
+end

data/lib/api_sigv2/utils.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'digest/sha1'
+require 'tempfile'
+require 'date'
+
+module ApiSigv2
+  module Utils
+    # @param [File, Tempfile, IO#read, String] value
+    # @return [String<SHA256 Hexdigest>]
+    #
+    def self.sha256_hexdigest(value)
+      if (File === value || Tempfile === value) && !value.path.nil? && File.exist?(value.path)
+        OpenSSL::Digest::SHA256.file(value).hexdigest
+      elsif value.respond_to?(:read)
+        sha256 = OpenSSL::Digest::SHA256.new
+
+        while chunk = value.read(1024 * 1024, buffer ||= '') # 1MB
+          sha256.update(chunk)
+        end
+
+        value.rewind
+        sha256.hexdigest
+      else
+        OpenSSL::Digest::SHA256.hexdigest(value)
+      end
+    end
+
+    # @param [URI] uri
+    # @return [true/false]
+    #
+    def self.standard_port?(uri)
+      (uri.scheme == 'http' && uri.port == 80) ||
+        (uri.scheme == 'https' && uri.port == 443)
+    end
+
+    def self.url_path(path, uri_escape_path = false)
+      path = '/' if path == ''
+
+      if uri_escape_path
+        uri_escape_path(path)
+      else
+        path
+      end
+    end
+
+    def self.uri_escape_path(path)
+      path.gsub(/[^\/]+/) { |part| uri_escape(part) }
+    end
+
+    # @api private
+    def self.uri_escape(string)
+      if string.nil?
+        nil
+      else
+        CGI.escape(string.encode('UTF-8')).gsub('+', '%20').gsub('%7E', '~')
+      end
+    end
+
+    def self.normalized_querystring(querystring)
+      return unless querystring
+
+      params = querystring.split('&')
+      params = params.map { |p| p.match(/=/) ? p : p + '=' }
+      # We have to sort by param name and preserve order of params that
+      # have the same name. Default sort <=> in JRuby will swap members
+      # occasionally when <=> is 0 (considered still sorted), but this
+      # causes our normalized query string to not match the sent querystring.
+      # When names match, we then sort by their original order
+      params.each.with_index.sort do |a, b|
+        a, a_offset = a
+        a_name = a.split('=')[0]
+        b, b_offset = b
+        b_name = b.split('=')[0]
+        if a_name == b_name
+          a_offset <=> b_offset
+        else
+          a_name <=> b_name
+        end
+      end.map(&:first).join('&')
+    end
+
+    def self.canonical_header_value(value)
+      value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
+    end
+
+    def self.hmac(key, value)
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+    end
+
+    def self.hexhmac(key, value)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
+    end
+
+    def self.normalize_keys(hash)
+      return {} unless hash
+
+      hash.transform_keys { |key| key.to_s.downcase }
+    end
+
+    # constant-time comparison algorithm to prevent timing attacks
+    def self.secure_compare(string_a, string_b)
+      return false if string_a.nil? || string_b.nil? || string_a.bytesize != string_b.bytesize
+
+      l = string_a.unpack "C#{string_a.bytesize}"
+
+      res = 0
+      string_b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+    def self.safe_parse_datetime(value, format = nil)
+      format ||= ApiSigv2.configuration.datetime_format
+      DateTime.strptime(value, format)
+    rescue ArgumentError => _e
+      nil
+    end
+  end
+end

data/lib/api_sigv2/validator.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module ApiSigv2
+  # Validate a request
+  #
+  #     request = {
+  #       http_method: 'PUT',
+  #       url: 'https://domain.com',
+  #       headers: {
+  #         'Authorization' => 'API-HMAC-SHA256 Credential=access_key/20191227/api_request...',
+  #         'Host' => 'example.com,
+  #         'X-Content-Sha256' => '...',
+  #         'X-Datetime' => '2019-12-27T09:13:14.873+0000'
+  #       },
+  #       body: 'body'
+  #     }
+  #     validator = ApiSigv2::Validator.new(request, uri_escape_path: true)
+  #     validator.access_key # get key from request headers
+  #     validator.valid?('secret_key')
+  #
+  class Validator
+    attr_reader :request
+
+    def initialize(request, options = {})
+      @request = request
+      @options = options
+    end
+
+    def access_key
+      return unless valid_credential?
+
+      @access_key ||= auth_header.credential.split('/')[0]
+    end
+
+    def signed_headers
+      @signed_headers ||= headers.slice(*auth_header.signed_headers)
+    end
+
+    # Validate a signature. Returns boolean
+    #
+    #     validator.valid?('secret_key_here')
+    #
+    # @param [String] secret key
+    #
+    def valid?(secret_key)
+      valid_authorization? && valid_timestamp? && valid_signature?(secret_key)
+    end
+
+    def valid_authorization?
+      valid_credential? && !auth_header.signature.nil?
+    end
+
+    def valid_credential?
+      !auth_header.credential.nil?
+    end
+
+    def valid_timestamp?
+      timestamp && ttl_range.cover?(timestamp.to_time)
+    end
+
+    def valid_signature?(secret_key)
+      return false unless secret_key
+
+      signer = Signer.new(access_key, secret_key, @options)
+      data = signer.sign_request(request)
+
+      Utils.secure_compare(
+        auth_header.signature,
+        data.signature
+      )
+    end
+
+    private
+
+    def auth_header
+      @auth_header ||= AuthHeader.new(headers[signature_header_name])
+    end
+
+    def signature_header_name
+      @options[:signature_header] || ApiSigv2.configuration.signature_header
+    end
+
+    def timestamp
+      @timestamp ||= Utils.safe_parse_datetime(headers['x-datetime'])
+    end
+
+    def headers
+      @headers ||= Utils.normalize_keys(request[:headers])
+    end
+
+    def ttl_range
+      to = Time.now.utc
+      from = to - ApiSigv2.configuration.signature_ttl
+
+      from..to
+    end
+  end
+end

data/lib/api_sigv2/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ApiSigv2
+  VERSION = '1.0.0'
+end

metadata

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: galetahub-api-sigv2
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Igor Galeta
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-01-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.7.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.7'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.7.3
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rb-fsevent
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.8
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.9.8
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 
+email:
+- galeta.igor@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- api_sigv2.gemspec
+- bin/console
+- bin/setup
+- lib/api_sigv2.rb
+- lib/api_sigv2/auth_header.rb
+- lib/api_sigv2/builder.rb
+- lib/api_sigv2/configuration.rb
+- lib/api_sigv2/signature.rb
+- lib/api_sigv2/signer.rb
+- lib/api_sigv2/spec_support/helper.rb
+- lib/api_sigv2/spec_support/path_builder.rb
+- lib/api_sigv2/utils.rb
+- lib/api_sigv2/validator.rb
+- lib/api_sigv2/version.rb
+homepage: https://github.com/galetahub/api_signature
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6.2
+signing_key: 
+specification_version: 4
+summary: Sign API requests with HMAC signature
+test_files: []