grape_api_signature 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ea25995d332c08dbd8b0843504808eb5b277e2c5
+  data.tar.gz: 4901ff5161b4be67a5c60f9e4b18d729c1002425
+SHA512:
+  metadata.gz: 914c187ed3d3b2c26fa8e001a26bbc745b293c985d30d2918bd30a33392228a673eb2decc29fad555ab8657786a8e88db1b9b735e61ca490c57b1fb291f0c19a
+  data.tar.gz: f837467539c385f898aadd2522607b21fda9bb71f583a4bc6a9177c46bd3908a34c299084cc4ea91c7a7139073893b81c99b5f9ea2c4cec350e03994845f0c87

data/.consolerc

@@ -0,0 +1,3 @@
+# This file is automatically loaded when `bundle console` is run. You can add
+# fixtures and/or initialization code here to make experimenting with your gem
+# easier.

data/.gitignore

@@ -0,0 +1,23 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.idea

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,21 @@
+inherit_from: .rubocop_todo.yml
+
+
+LineLength:
+  Max: 160
+
+Documentation:
+  Enabled: false
+
+ParameterLists:
+  Max: 15
+
+MethodLength:
+  Max: 50
+
+# @see http://www.rubytapas.com/episodes/24-Incidental-Change
+TrailingComma:
+  Enabled: false
+
+RegexpLiteral:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 2.1
+  - 2.0
+script: bundle exec rake spec rubocop
+cache: bundler

data/.versions.conf

@@ -0,0 +1,4 @@
+ruby=ruby-2.1.0
+ruby-gemset=gem_grape_api_signature
+#ruby-gem-install=bundler rake
+#ruby-bundle-install=true

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in grape_api_signature.gemspec
+gemspec
+
+gem 'simplecov', require:  false, group: :test
+gem 'coveralls', require: false
+gem 'rubocop', require: false
+
+gem 'grape', github: 'intridea/grape'
+gem 'grape-entity', github: 'intridea/grape-entity'
+
+

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 FABER Lotto GmbH & Co. KG
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,146 @@
+[![Gem Version](https://badge.fury.io/rb/grape_api_signature.svg)](http://badge.fury.io/rb/grape_api_signature)
+[![Build Status](https://travis-ci.org/faber-lotto/grape_api_signature.svg?branch=master)](https://travis-ci.org/faber-lotto/grape_api_signature)
+[![Code Climate](https://codeclimate.com/github/faber-lotto/grape_api_signature.png)](https://codeclimate.com/github/faber-lotto/grape_api_signature)
+[![Coverage Status](https://coveralls.io/repos/faber-lotto/grape_api_signature/badge.png?branch=master)](https://coveralls.io/r/faber-lotto/grape_api_signature?branch=master)
+
+# GrapeAPISignature
+
+`GrapeAPISignature` provides a [AWS 4 style](http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) 
+Authentication middleware to be used with [grape](https://github.com/intridea/grape).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'grape_api_signature'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install grape_api_signature
+
+## Usage
+
+### In your API
+
+Example usage:
+
+```ruby
+ 
+  class YourAPI < Grape::API
+    Grape::Middleware::Auth::Strategies.add(:aws4_auth,
+                                            GrapeAPISignature::Middleware::GrapeAuth,
+                                            ->(options) { [options[:max_request_age] || 900, options[:user_setter]] })
+     
+    GrapeAPISignature::Middleware::GrapeAuth.default_authenticator do |_access_key, _region, _service|
+     user = ... # find the user, this block is executed in the context of your Endpoint
+     { user: user, secret_key: user.key }
+    end
+    
+    helpers do
+      attr_accessor :current_user
+    end
+    
+    auth :aws4_auth,
+        max_request_age: 100,
+        user_setter: :'current_user=',
+        &GrapeAPISignature::Middleware::GrapeAuth.default_authenticator
+    
+    get '/aws4_authorized' do
+     'DONE'
+    end
+  end
+  
+ ```
+ 
+Options: 
+ 
+ * `max_request_age` => Time in seconds how long a request is valid
+ * `user_setter` => When provided this is be used to set the user on your Endtpoint instance if the validations was 
+ successful 
+ 
+If the validation was successful `env['REMOTE_USER']` is set to the access_key.
+ 
+If the validation was not successful HTTP-Status 401 is set via `Grape#error!` 
+when the signature was wrong and 400 if `Scheme` does not match 'AWS4-HMAC-SHA256'
+ 
+### In your rspecs
+ 
+ The following code only supports 'application/json' as Content-Type.
+ 
+ ```ruby
+ 
+ # spec_helper.rb
+ 
+ require 'grape_api_signature/rspec'
+ 
+ # in your spec
+ 
+ describe 'your wishes' do
+   include GrapeAPISignature::RSpec
+   
+   let(:secret_key) { 'SUPERSUPERSUPERSECRET' }
+   let(:access_key) { 'MyUser' }
+   
+   
+   # if you don't use Rails
+   let(:hostname) { Rack::Test::DEFAULT_HOST }
+   let(:port) { 80 }
+   let(:host) { "#{hostname}:#{port}" }
+   
+   def https?
+     port == 443
+   end
+   
+   it 'should do' do
+      get_with_auth '/'
+   end
+   
+   it 'should also do' do
+     post_with_auth '/', request_params
+   end
+   
+ end
+ 
+ ```
+ 
+### In your Rails-App
+
+This gem provides a coffee script to authenticate swagger demo requests via AWS 4.
+
+```ruby
+
+# application.js.coffee
+
+#= require aws-signature
+
+```
+
+```html
+# your swagger index.html, or what you use
+
+<div id="header">
+  <div class="swagger-ui-wrap">
+    <form id="api_selector">
+      <div class="input">
+        <input type="text" placeholder="Username" id="input_apiUser" name="user">
+      </div>
+      <div class="input">
+        <input type="password" placeholder="Password" id="input_apiPassword" name="password">
+      </div>
+    </form>
+   </div>
+</div>
+
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/faber-lotto/grape_api_signature/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,14 @@
+require 'bundler/gem_tasks'
+require 'rubocop/rake_task'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task default: :spec
+
+desc 'Run RSpec with code coverage'
+task :coverage do
+  ENV['SIMPLE_COVERAGE'] = 'true'
+  Rake::Task['spec'].execute
+end

data/app/assets/javascripts/aws-signature.js.coffee

@@ -0,0 +1,177 @@
+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://coffeescript.org/
+
+#=require hmac-sha256
+
+root = exports ? this
+
+do ($=jQuery) ->
+  $ ->
+    class AWS4Authorization
+      constructor: (@name) ->
+        @algorithm = 'AWS4-HMAC-SHA256'
+
+      apply: (obj, authorizations) ->
+        @password = $('#input_apiPassword')[0].value
+        @access_key_id = $('#input_apiUser')[0].value
+
+        @datetime = @dateStamp()
+        @region = 'europe'
+        @url = new URL(obj.url)
+        @service = @url.hostname.split('.',2)[0]
+        @pathname = @url.pathname
+        @search = @query_sorted(@url.searchParams.toString())
+        @method = obj.method.toUpperCase()
+        @req_headers = $.extend({}, obj.headers)
+        @body = obj.body ? ''
+
+        @req_headers['X-Amz-Date'] = @datetime
+
+        obj.headers["Authorization"] = @authorization()
+        obj.headers['X-Amz-Date'] = @datetime
+        obj.headers['X-Amz-Algorithm'] = @algorithm
+        obj.headers['X-Amz-SignedHeaders'] =  @signed_headers()
+
+        console.log "String to sign #{@string_to_sign()}"
+        console.log "Canonical string #{@canonical_string()}"
+
+        hash = @signature_key(@password, @datetime, @region, @service)
+
+        console.log 'key: ' + hash.toString(CryptoJS.enc.Hex)
+
+
+      authorization:  ->
+        parts = []
+        cred_string = @credential_string(@datetime)
+        parts.push(@algorithm + ' Credential=' +
+                   @access_key_id + '/' + cred_string);
+        parts.push('SignedHeaders=' + @signed_headers())
+        parts.push('Signature=' + @signature())
+
+        parts.join(', ')
+
+      signature: ->
+        hash = @signature_key(@password, @datetime, @region, @service)
+        hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, hash)
+        hmac.update @string_to_sign()
+
+        hash= hmac.finalize()
+        # hash = CryptoJS.HmacSHA256(@string_to_sign(), key)
+        hash.toString(CryptoJS.enc.Hex)
+
+      string_to_sign: () ->
+        parts = []
+        parts.push('AWS4-HMAC-SHA256')
+        parts.push(@datetime)
+        parts.push(@credential_string())
+        parts.push(@hex_encoded_hash(@canonical_string()))
+        parts.join('\n')
+
+      credential_string: () ->
+        parts = []
+        parts.push(@datetime.substr(0, 8))
+        parts.push(@region)
+        parts.push(@service)
+        parts.push('aws4_request')
+        parts.join('/')
+
+      canonical_string: ->
+        parts = []
+
+        req_headers = @req_headers
+
+        parts.push(@method)
+        parts.push(@pathname)
+        parts.push(@search)
+        parts.push(@canonical_headers() + '\n')
+        parts.push(@signed_headers())
+        parts.push(@hex_encoded_body_hash())
+        parts.join('\n')
+
+      canonical_headers: () ->
+        headers = []
+        for header, item of @req_headers
+          header = header.toLowerCase()
+
+          if @is_signable_header(header)
+            item = @canonical_header_values(item.toString())
+            headers.push(header + ':' + item)
+
+        headers.sort((a, b) ->
+          if (a.toLowerCase() < b.toLowerCase()) == true
+            -1
+          else
+             1
+        )
+
+        headers.join('\n')
+
+      query_sorted: (query_str) ->
+        queries = query_str.split('&')
+
+        queries.sort((a, b) ->
+          if (a.toLowerCase() < b.toLowerCase()) == true
+            -1
+          else
+            1
+        )
+
+        queries.join('&')
+
+
+      canonical_header_values: (value) ->
+        value.replace(/\s+/g, ' ').replace(/^\s+|\s+$/g, '')
+
+      hex_encoded_body_hash: ->
+        @hex_encoded_hash(@body)
+
+      hex_encoded_hash: (msg)->
+            hash = CryptoJS.SHA256(msg)
+            hash.toString(CryptoJS.enc.Hex)
+
+      signed_headers: ()->
+        keys = []
+        for header, item of @req_headers
+          header = header.toLowerCase()
+          if @is_signable_header(header)
+            keys.push(header)
+
+        keys.sort().join(';')
+
+      is_signable_header: (header)->
+        not_signable_headers = ['authorization', 'content-length', 'user-agent']
+        not_signable_headers.indexOf(header) < 0
+
+      dateStamp: ->
+         (new Date()).toISOString().replace(/[:\-]|\.\d{3}/g, '')
+
+      signature_key: (key, dateStamp, regionName, serviceName) ->
+        dateStamp = dateStamp.substr(0, 8)
+        keyWords = CryptoJS.enc.Utf8.parse("AWS4" + key)
+
+        hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, keyWords)
+        hmac.update dateStamp
+        hash= hmac.finalize()
+
+        console.log "Date: #{dateStamp} #{hash.toString(CryptoJS.enc.Hex)}"
+
+        hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, hash)
+        hmac.update regionName
+        hash= hmac.finalize()
+
+        console.log "Region: #{regionName} #{hash.toString(CryptoJS.enc.Hex)}"
+
+        hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, hash)
+        hmac.update serviceName
+        hash= hmac.finalize()
+
+        console.log "Service: #{serviceName} #{hash.toString(CryptoJS.enc.Hex)}"
+
+        hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, hash)
+        hmac.update "aws4_request"
+
+        hmac.finalize()
+
+
+    root.authorizations.add("aws4_authorization", new AWS4Authorization("aws4_authorization"))

data/grape_api_signature.gemspec

@@ -0,0 +1,54 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'grape_api_signature/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'grape_api_signature'
+  spec.version       = GrapeAPISignature::VERSION
+  spec.authors       = ['Dieter Späth']
+  spec.email         = ['d.spaeth@faber.de']
+  spec.summary       = "Add AWS Signature 4 style authentication to grape API's."
+  spec.description   = "Add AWS Signature 4 style authentication to grape API's."
+  spec.homepage      = ''
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'rack', '>= 1.3.0'
+  spec.add_runtime_dependency 'rack-mount'
+  spec.add_runtime_dependency 'rack-accept'
+  spec.add_runtime_dependency 'activesupport', '>=4.1.0'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+
+  spec.add_development_dependency 'grape'
+  spec.add_development_dependency 'grape-entity'
+
+  spec.add_development_dependency 'thin'
+  spec.add_development_dependency 'rack-test'
+
+  spec.add_development_dependency 'rspec', '3.0'
+  # show nicely how many specs have to be run
+  spec.add_development_dependency 'fuubar'
+  # extended console
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'pry-remote'
+  # https://github.com/pry/pry-stack_explorer
+  spec.add_development_dependency 'pry-stack_explorer'
+  # https://github.com/deivid-rodriguez/pry-byebug
+  # pre-debugger / debugger does not work with ruby 2.x
+  spec.add_development_dependency 'pry-byebug'
+
+  # automatic execute tasks on file changes
+  spec.add_development_dependency 'guard'
+  spec.add_development_dependency 'guard-rspec'
+  spec.add_development_dependency 'guard-bundler'
+  spec.add_development_dependency 'rb-fsevent'
+
+end

data/lib/grape_api_signature/authorization.rb

@@ -0,0 +1,79 @@
+module GrapeAPISignature
+  class Authorization
+    attr_accessor :request_method, :headers, :body, :auth_header,
+                  :uri, :secret_key, :authorization, :max_request_age_in_sec
+
+    def initialize(request_method, headers, uri, body, max_request_age_in_sec = 900)
+      self.request_method = request_method.upcase
+      self.headers = headers.each_with_object({}) { |(key, value), result_hash| result_hash[key.downcase] = value }
+      self.body = body
+      self.auth_header = {}
+      self.uri = uri
+      self.max_request_age_in_sec = max_request_age_in_sec
+      self.authorization = GrapeAPISignature::AWSAuthParser.parse(self.headers['authorization']) if auth_header?
+    end
+
+    def user_id
+      authorization.access_key
+    end
+
+    def region
+      authorization.region
+    end
+
+    def service
+      authorization.service
+    end
+
+    def datetime
+      (headers['date'] || headers['x-amz-date'] || max_request_age - 1).to_time
+    end
+
+    def signed_headers
+      return {} unless authorization.signed_headers.present?
+      headers.slice(*authorization.signed_headers)
+    end
+
+    def calculated_signature(secret_key)
+      signer = GrapeAPISignature::AWSSigner.new(
+          access_key: user_id,
+          secret_key: secret_key,
+          region: authorization.region
+      )
+
+      signer.signature_only(request_method, uri, signed_headers, body)
+    end
+
+    def auth_header?
+      headers['authorization'].present?
+    end
+
+    def authentic?(secret_key)
+      return false if secret_key.nil?
+
+      auth_header? && signatures_match?(secret_key) && !request_too_old?
+    end
+
+    def signatures_match?(secret_key)
+      authorization.signature.present? && secure_compare(calculated_signature(secret_key), authorization.signature)
+    end
+
+    def request_too_old?
+      datetime.utc < max_request_age
+    end
+
+    def max_request_age
+      Time.now.utc - max_request_age_in_sec
+    end
+
+    def secure_compare(a, b)
+      return false unless a.to_s.bytesize == b.to_s.bytesize
+
+      l = a.unpack 'C*'
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+  end
+end

data/lib/grape_api_signature/aws_auth_parser.rb

@@ -0,0 +1,57 @@
+module GrapeAPISignature
+  class AWSAuthParser
+    attr_accessor :str, :authorization
+
+    def self.parse(str)
+      new(str).parse
+    end
+
+    def initialize(str)
+      self.str = str
+    end
+
+    def parse
+      self.authorization = AWSAuthorization.new(access_key, credential, signed_headers, signature)
+    end
+
+    def access_key
+      credential_str.split('/', 2)[0]
+    end
+
+    def credential
+      credential_str.split('/', 2)[1]
+    end
+
+    def signed_headers
+      (params['SignedHeaders'] || '').split(';').map(&:strip)
+    end
+
+    def signature
+      params['Signature'] || 'NOT_PROVIDED'
+    end
+
+    def credential_str
+      params['Credential'] || 'NOT_PROVIDED/NOT_PROVIDED/NOT_PROVIDED/NOT_PROVIDED/NOT_PROVIDED'
+    end
+
+    def params
+      @params ||= parse_params
+    end
+
+    def parse_params
+      param_str.split(',').each_with_object({}) do |data, result|
+        (key, value) = data.split('=')
+        value ||= ''
+        result[key.strip] = value.strip
+      end
+    end
+
+    def sig_type
+      @sig_type ||= str.split(' ', 2)[0]
+    end
+
+    def param_str
+      @param_str ||= str.split(' ', 2)[1]
+    end
+  end
+end

data/lib/grape_api_signature/aws_authorization.rb

@@ -0,0 +1,40 @@
+module GrapeAPISignature
+  class AWSAuthorization
+    attr_accessor :access_key,
+                  :credential_string,
+                  :signed_headers,
+                  :signature
+
+    attr_reader :date,
+                :region,
+                :service
+
+    def initialize(access_key, credential_string, signed_headers, signature)
+      self.access_key = access_key
+      self.credential_string = credential_string
+      self.signed_headers = signed_headers
+      self.signature = signature
+    end
+
+    def to_s
+      [
+        "AWS4-HMAC-SHA256 Credential=#{access_key}/#{credential_string}",
+        "SignedHeaders=#{signed_headers_str}",
+        "Signature=#{signature}"
+      ].join(', ')
+    end
+
+    def signed_headers=(signed_headers)
+      @signed_headers = signed_headers.map(&:to_s).map(&:downcase).sort
+    end
+
+    def credential_string=(credential_string)
+      @credential_string = credential_string || (['NOT_PROVIDED'] * 4).join('/')
+      (@date, @region, @service, _) = @credential_string.split('/', 4)
+    end
+
+    def signed_headers_str
+      signed_headers.join(';')
+    end
+  end
+end