grape_api_signature 0.0.1

data/lib/grape_api_signature/aws_digester.rb

@@ -0,0 +1,27 @@
+# encoding: UTF-8
+require 'openssl'
+require 'time'
+require 'uri'
+require 'pathname'
+
+module GrapeAPISignature
+  module AWSDigester
+    module_function
+
+    def hexdigest(value)
+      Digest::SHA256.new.update(value).hexdigest
+    end
+
+    def hmac(key, value)
+      OpenSSL::HMAC.digest(digest, key, value)
+    end
+
+    def hexhmac(key, value)
+      OpenSSL::HMAC.hexdigest(digest, key, value)
+    end
+
+    def digest
+      OpenSSL::Digest.new('sha256')
+    end
+  end
+end

data/lib/grape_api_signature/aws_request.rb

@@ -0,0 +1,63 @@
+# encoding: UTF-8
+require 'openssl'
+require 'time'
+require 'uri'
+require 'pathname'
+
+module GrapeAPISignature
+  class AWSRequest
+    RFC8601BASIC = '%Y%m%dT%H%M%SZ'
+
+    attr_accessor :method, :uri, :headers, :body, :service, :digester
+
+    def self.formatted_time(time)
+      time.utc.strftime(RFC8601BASIC)
+    end
+
+    def initialize(method, uri, headers, body, digester = GrapeAPISignature::AWSDigester)
+      self.method = method.upcase
+      self.uri = uri
+      self.headers = headers.each_with_object({}) { |(key, value), result_hash| result_hash[key.downcase] = value.strip }
+      self.body = body
+      self.service = uri.host.split('.', 2)[0]
+      self.digester = digester
+    end
+
+    def canonical_request
+      [
+        method,
+        clean_path,
+        query_string,
+        headers_as_str + "\n",
+        headers.keys.sort.join(';'),
+        digester.hexdigest(body || '')
+      ].join("\n")
+    end
+
+    def datetime
+      date_header = headers['date'] || headers['x-amz-date']
+      self.class.formatted_time(date_header ? Time.parse(date_header) : Time.now)
+    end
+
+    def date
+      datetime[0, 8]
+    end
+
+    protected
+
+    def headers_as_str
+      headers.sort.map { |k, v| [k, v].join(':') }.join("\n")
+    end
+
+    def clean_path
+      path = Pathname.new(uri.path).cleanpath.to_s
+      path << '/' if uri.path.end_with?('/') && !path.end_with?('/')
+      path
+    end
+
+    def query_string
+      return nil if uri.query.nil?
+      uri.query.split('&').sort.join('&')
+    end
+  end
+end

data/lib/grape_api_signature/aws_signer.rb

@@ -0,0 +1,76 @@
+# encoding: UTF-8
+require 'openssl'
+require 'time'
+require 'uri'
+require 'pathname'
+
+module GrapeAPISignature
+  class AWSSigner
+    attr_accessor :access_key, :secret_key, :region, :digester
+    attr_accessor :request
+
+    def initialize(config)
+      self.access_key = config[:access_key]
+      self.secret_key = config[:secret_key]
+      self.region = config[:region]
+      self.digester = config[:digester] || AWSDigester
+    end
+
+    def setup_aws_request(method, uri, headers, body)
+      self.request = AWSRequest.new(method, uri, headers, body, digester)
+    end
+
+    def sign(method, uri, headers, body)
+      setup_aws_request(method, uri, headers, body)
+
+      signed = headers.dup
+      signed['Authorization'] = authorization(headers)
+      signed
+    end
+
+    def signature_only(method, uri, headers, body)
+      setup_aws_request(method, uri, headers, body)
+      signature
+    end
+
+    def authorization(headers)
+      AWSAuthorization.new(access_key, credential_string, signed_headers(headers), signature).to_s
+    end
+
+    def signed_headers(headers)
+      to_sign = headers.keys.map(&:to_s).map(&:downcase)
+      to_sign.delete('authorization')
+      to_sign
+    end
+
+    def signature
+      digester.hexhmac(derived_key, string_to_sign)
+    end
+
+    def derived_key
+      k_date = digester.hmac('AWS4' + secret_key, request.date)
+      k_region = digester.hmac(k_date, region)
+      k_service = digester.hmac(k_region, request.service)
+
+      digester.hmac(k_service, 'aws4_request')
+    end
+
+    def string_to_sign
+      [
+        'AWS4-HMAC-SHA256',
+        request.datetime,
+        credential_string,
+        digester.hexdigest(request.canonical_request)
+      ].join("\n")
+    end
+
+    def credential_string
+      [
+        request.date,
+        region,
+        request.service,
+        'aws4_request'
+      ].join('/')
+    end
+  end
+end

data/lib/grape_api_signature/middleware/auth.rb

@@ -0,0 +1,105 @@
+require 'uri'
+require 'rack/auth/abstract/handler'
+require 'rack/auth/abstract/request'
+require 'rack/request'
+
+module GrapeAPISignature
+  module Middleware
+    class Auth < Rack::Auth::AbstractHandler
+      attr_accessor :app, :max_request_age, :authenticator, :env
+
+      def self.default_authenticator(&block)
+        @default_authenticator = block if block_given?
+
+        @default_authenticator
+      end
+
+      def initialize(app, max_request_age = 900, &authenticator)
+        self.app = app
+        self.authenticator = authenticator || self.class.default_authenticator
+        self.max_request_age = max_request_age
+      end
+
+      def call(env)
+        dup._call(env)
+      end
+
+      def _call(env)
+        self.env = env
+
+        @auth_request = nil
+        @auth = nil
+        @authenticator_result = nil
+
+        return unauthorized unless auth_request.provided?
+
+        return bad_request unless auth_request.aws4?
+
+        if valid?
+          on_valid
+        else
+          unauthorized
+        end
+      end
+
+      protected
+
+      def on_valid
+        env['REMOTE_USER'] = auth.user_id
+        app.call(env)
+      end
+
+      def auth
+        @auth ||= Authorization.new(request.request_method,
+                                    auth_request.headers.merge('Content-Type' => request.content_type),
+                                    URI(request.url),
+                                    auth_request.body,
+                                    max_request_age)
+      end
+
+      def auth_request
+        @auth_request ||= AuthRequest.new(env)
+      end
+
+      def  request
+        auth_request.request
+      end
+
+      def challenge
+        'AWS4-HMAC-SHA256'
+      end
+
+      def valid?
+        secret_key && auth.authentic?(secret_key)
+      end
+
+      def secret_key
+        authenticator_result
+      end
+
+      def authenticator_result
+        @authenticator_result ||= @authenticator.call(auth.user_id, auth.region, auth.service)
+      end
+
+      class AuthRequest < Rack::Auth::AbstractRequest
+        def aws4?
+          'AWS4-HMAC-SHA256'.downcase == scheme.downcase
+        end
+
+        def headers
+          @headers ||= @env.each_with_object({}) do |(key, value), result_hash|
+            key = key.upcase
+            next unless key.to_s.start_with?('HTTP_') && (key.to_s != 'HTTP_VERSION')
+
+            key = key[5..-1].gsub('_', '-').downcase.gsub(/^.|[-_\s]./) { |x| x.upcase }
+            result_hash[key] = value
+          end
+        end
+
+        def body
+          @body ||= request.body.read.tap { request.body.rewind }
+        end
+      end
+    end
+  end
+end

data/lib/grape_api_signature/middleware/grape_auth.rb

@@ -0,0 +1,44 @@
+require 'uri'
+require 'rack/auth/abstract/handler'
+require 'rack/auth/abstract/request'
+require 'rack/request'
+
+module GrapeAPISignature
+  module Middleware
+    class GrapeAuth < GrapeAPISignature::Middleware::Auth
+      attr_accessor :user_setter
+
+      def initialize(app, max_request_age = 900, user_setter = :'current_user=', &authenticator)
+        super(app, max_request_age, &authenticator)
+        self.user_setter = user_setter
+      end
+
+      protected
+
+      def endpoint
+        env['api.endpoint']
+      end
+
+      def on_valid
+        endpoint.send(user_setter, user) if user_setter
+        super
+      end
+
+      def secret_key
+        authenticator_result[:secret_key]
+      end
+
+      def user
+        authenticator_result[:user]
+      end
+
+      def unauthorized(www_authenticate = challenge)
+        endpoint.error!({ error: 'Unauthorized' }, 401,  'WWW-Authenticate' => www_authenticate.to_s)
+      end
+
+      def bad_request
+        endpoint.error!({ error: 'Bad Request' }, 400)
+      end
+    end
+  end
+end

data/lib/grape_api_signature/rails/engine.rb

@@ -0,0 +1,6 @@
+module GrapeAPISignature
+  module Rails
+    class Engine < ::Rails::Engine
+    end
+  end
+end

data/lib/grape_api_signature/rspec.rb

@@ -0,0 +1,49 @@
+module GrapeAPISignature
+  module RSpec
+    # remember the diff request spec vs. controller spec
+    # a controller spec offers a request object, a request spec
+    # doesn't why ever
+    def post_with_auth(path, parameters = nil, headers_or_env = {})
+      headers_or_env.merge! sign_request('POST', path, parameters)
+
+      # convert the body or ActionDispatch::Integration::RequestHelpers
+      # enforces content type application/x-www-form-urlencoded
+      # https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/testing/integration.rb#L286
+      body = parameters.to_json
+      post path, body, headers_or_env.merge('Content-Type' => 'application/json')
+    end
+
+    def get_with_auth(path, parameters = nil, headers_or_env = {})
+      headers_or_env.merge! sign_request('GET', path, parameters)
+      get path, parameters, headers_or_env # .merge('Content-Type' => 'application/json')
+    end
+
+    def sign_request(method, path, parameters = nil)
+      if parameters.present?
+        body = parameters.to_json
+      else
+        body = ''
+      end
+
+      headers_or_env = {
+        'x-amz-date' => ::GrapeAPISignature::AWSRequest.formatted_time(Time.now),
+        'ACCEPT' => 'application/json'
+      }
+
+      signer = ::GrapeAPISignature::AWSSigner.new(
+          access_key: access_key,
+          secret_key: secret_key,
+          region: 'europe'
+      )
+
+      (hostname, port) = host.split(':')
+
+      uri = URI(path)
+      uri.host ||= hostname
+      uri.scheme ||= https? ? 'https' : 'http'
+      uri.port ||= (port || (https? ? 443 : 80)).to_i
+
+      signer.sign(method, uri, headers_or_env, body).each_with_object({}) { |(k, v), new_h| new_h["HTTP_#{k.upcase}"] = v  }
+    end
+  end
+end

data/lib/grape_api_signature/version.rb

@@ -0,0 +1,3 @@
+module GrapeAPISignature
+  VERSION = '0.0.1'
+end

data/lib/grape_api_signature.rb

@@ -0,0 +1,21 @@
+require 'grape_api_signature/version'
+
+require 'active_support'
+require 'active_support/core_ext'
+
+module GrapeAPISignature
+  require 'grape_api_signature/aws_digester'
+  require 'grape_api_signature/aws_request'
+  require 'grape_api_signature/aws_auth_parser'
+  require 'grape_api_signature/aws_signer'
+  require 'grape_api_signature/aws_authorization'
+  require 'grape_api_signature/authorization'
+
+  require 'grape_api_signature/middleware/auth'
+  require 'grape_api_signature/middleware/grape_auth'
+
+  if defined?(Rails)
+    require 'grape_api_signature/rails/engine'
+  end
+
+end

data/spec/acceptance/lib/grape_api_signature/aws_request_spec.rb

@@ -0,0 +1,39 @@
+require 'acceptance_spec_helper'
+require 'thin'
+
+module GrapeAPISignature
+  describe AWSRequest, :aws_helpers do
+
+    Dir[File.join(Spec::Support::AWSHelper.suite_dir, '*.req')].each do |f|
+
+      filename = File.basename(f, '.req')
+
+      let(:id) { 'AKIDEXAMPLE' }
+      let(:region) { 'us-east-1' }
+      let(:host) { 'host' }
+
+      let(:subject) { GrapeAPISignature::AWSRequest.new(request.request_method, uri, headers, body) }
+
+      describe "testcase #{filename}" do
+        let(:request_str) { File.read(f).gsub('http/1', 'HTTP/1') }
+        let(:request) { request_for_str(request_str) }
+        let(:canonical_request) { File.read(File.join(Spec::Support::AWSHelper.suite_dir, "#{filename}.creq")).gsub("\r\n", "\n") }
+
+        let(:uri) do
+          begin
+            URI(request.url)
+          rescue URI::InvalidURIError
+            URI(URI.encode(request.url))
+          end
+        end
+        let(:headers) { headers_from_env(request.env) }
+        let(:body) { request.body.read }
+
+        it 'creates the expected canonical_request' do
+          expect(subject.canonical_request).to eq canonical_request
+        end
+
+      end
+    end
+  end
+end

data/spec/acceptance/lib/grape_api_signature/aws_signer_spec.rb

@@ -0,0 +1,54 @@
+require 'acceptance_spec_helper'
+require 'thin'
+
+module GrapeAPISignature
+  describe AWSSigner, :aws_helpers do
+
+    Dir[File.join(Spec::Support::AWSHelper.suite_dir, '*.req')].each do |f|
+
+      filename = File.basename(f, '.req')
+
+      let(:secret_key) { 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY' }
+      let(:id) { 'AKIDEXAMPLE' }
+      let(:region) { 'us-east-1' }
+      let(:host) { 'host' }
+
+      let(:subject)do
+        GrapeAPISignature::AWSSigner.new(
+           access_key: id,
+           secret_key: secret_key,
+           region: region
+        )
+      end
+
+      describe "testcase #{filename}" do
+        let(:request_str) { File.read(f).gsub('http/1', 'HTTP/1') }
+        let(:str_to_sign) { File.read(File.join(Spec::Support::AWSHelper.suite_dir, "#{filename}.sts")).gsub("\r\n", "\n") }
+        let(:auth_header) { File.read(File.join(Spec::Support::AWSHelper.suite_dir, "#{filename}.authz")) }
+
+        let(:request) { request_for_str(request_str) }
+
+        let(:uri) do
+          begin
+            URI(request.url)
+          rescue URI::InvalidURIError
+            URI(URI.encode(request.url))
+          end
+        end
+        let(:headers) { headers_from_env(request.env) }
+        let(:body) { request.body.read }
+
+        it 'creates the expected string to sign' do
+          subject.setup_aws_request(request.request_method, uri, headers, body)
+          expect(subject.string_to_sign).to eq str_to_sign
+        end
+
+        it 'creates the expected signature' do
+          signature = subject.sign(request.request_method, uri, headers, body)
+          expect(signature['Authorization']).to eq auth_header
+        end
+
+      end
+    end
+  end
+end

data/spec/acceptance/lib/grape_api_signature/middleware/auth_spec.rb

@@ -0,0 +1,60 @@
+require 'acceptance_spec_helper'
+require 'rack/test'
+
+feature 'Authorize a request' do
+  include Rack::Test::Methods
+  include GrapeAPISignature::RSpec
+
+  let(:base_app) { ->(env) { [200, env, 'app'] } }
+
+  let(:app) do
+    app = base_app
+    key = secret_key
+    Rack::Builder.app do
+      use GrapeAPISignature::Middleware::Auth do |*|
+        key
+      end
+      run app
+    end
+  end
+
+  let(:secret_key) { '12345678' }
+  let(:access_key) { 'MyUser' }
+
+  let(:hostname) { Rack::Test::DEFAULT_HOST }
+  let(:port) { 80 }
+  let(:host) { "#{hostname}:#{port}" }
+
+  def https?
+    port == 443
+  end
+
+  scenario 'authentication valid' do
+    get_with_auth '/'
+
+    expect(last_response.status).to eq 200
+    expect(last_response.body).to eq 'app'
+  end
+
+  scenario 'authentication not provided' do
+    get '/'
+
+    expect(last_response.status).to eq 401
+    expect(last_response.headers).to have_key 'WWW-Authenticate'
+    expect(last_response.headers['WWW-Authenticate']).to eq 'AWS4-HMAC-SHA256'
+  end
+
+  scenario 'wrong schema' do
+    get '/', nil, 'HTTP_AUTHORIZATION' => 'Basic'
+
+    expect(last_response.status).to eq 400
+  end
+
+  scenario 'wrong signature' do
+    get '/', nil, 'HTTP_AUTHORIZATION' => 'AWS4-HMAC-SHA256 Credential='
+
+    expect(last_response.status).to eq 401
+    expect(last_response.headers).to have_key 'WWW-Authenticate'
+    expect(last_response.headers['WWW-Authenticate']).to eq 'AWS4-HMAC-SHA256'
+  end
+end

data/spec/acceptance/lib/grape_api_signature/middleware/grape_auth_spec.rb

@@ -0,0 +1,83 @@
+require 'acceptance_spec_helper'
+require 'rack/test'
+require 'grape'
+
+feature 'Authorize a grape api request' do
+  include Rack::Test::Methods
+  include GrapeAPISignature::RSpec
+
+  def https?
+    port == 443
+  end
+
+  let(:api) do
+    key = secret_key
+
+    Class.new(Grape::API) do
+      Grape::Middleware::Auth::Strategies.add(:aws4_auth,
+                                              GrapeAPISignature::Middleware::GrapeAuth,
+                                              ->(options) { [options[:max_request_age] || 900, options[:user_setter]] })
+
+      GrapeAPISignature::Middleware::GrapeAuth.default_authenticator do |_user_id, _region, _service|
+        { user: 'its me', secret_key: key }
+      end
+
+      helpers do
+        attr_accessor :current_user
+      end
+
+      auth :aws4_auth,
+           max_request_age: 100,
+           user_setter: :'current_user=',
+           &GrapeAPISignature::Middleware::GrapeAuth.default_authenticator
+
+      get '/aws4_authorized' do
+        'DONE'
+      end
+    end
+
+  end
+
+  let(:app) do
+    api
+  end
+
+  let(:secret_key) { '12345678' }
+  let(:access_key) { 'MyUser' }
+
+  let(:hostname) { Rack::Test::DEFAULT_HOST }
+  let(:port) { 80 }
+  let(:host) { "#{hostname}:#{port}" }
+
+  scenario 'authentication valid' do
+    get_with_auth '/aws4_authorized'
+
+    expect(last_response.status).to eq 200
+    expect(last_response.body).to eq '"DONE"'
+  end
+
+  scenario 'authentication not provided' do
+    get '/aws4_authorized'
+
+    expect(last_response.status).to eq 401
+    expect(last_response.headers).to have_key 'WWW-Authenticate'
+    expect(last_response.headers['WWW-Authenticate']).to eq 'AWS4-HMAC-SHA256'
+    expect(last_response.body).to eq({ error: 'Unauthorized' }.to_json)
+  end
+
+  scenario 'wrong schema' do
+    get '/aws4_authorized', nil, 'HTTP_AUTHORIZATION' => 'Basic'
+
+    expect(last_response.status).to eq 400
+    expect(last_response.body).to eq({ error: 'Bad Request' }.to_json)
+  end
+
+  scenario 'wrong signature' do
+    get '/aws4_authorized', nil, 'HTTP_AUTHORIZATION' => 'AWS4-HMAC-SHA256 Credential='
+
+    expect(last_response.status).to eq 401
+    expect(last_response.headers).to have_key 'WWW-Authenticate'
+    expect(last_response.headers['WWW-Authenticate']).to eq 'AWS4-HMAC-SHA256'
+    expect(last_response.body).to eq({ error: 'Unauthorized' }.to_json)
+  end
+end

data/spec/acceptance/support/api.rb

@@ -0,0 +1,5 @@
+require 'grape_api_signature/rspec'
+
+RSpec.configure do |config|
+  config.include GrapeAPISignature::RSpec, type: :request, file_path: /spec\/acceptance\/api/
+end

data/spec/acceptance/support/aws_helper.rb

@@ -0,0 +1,30 @@
+module Spec
+  module Support
+    module AWSHelper
+      def headers_from_env(env)
+        headers = {}
+        headers['CONTENT-TYPE'] = env['CONTENT_TYPE'] if env.key?('CONTENT_TYPE')
+
+        env.each_with_object(headers) do |(key, value), result_hash|
+          next unless key.to_s.start_with?('HTTP_') && (key.to_s != 'HTTP_VERSION')
+
+          key = key[5..-1].gsub('_', '-').downcase.gsub(/^.|[-_\s]./) { |x| x.upcase }
+          result_hash[key] = value
+        end
+      end
+
+      def request_for_str(str)
+        thin_req = Thin::Request.new.tap { |r| r.parse(str) }
+        Rack::Request.new(thin_req.env)
+      end
+
+      def self.suite_dir
+        File.join(File.expand_path(__dir__), '../../fixtures/aws4_test_suite/pass')
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include Spec::Support::AWSHelper, :aws_helpers
+end