hawk-auth 0.1.0 → 0.2.0

data/.travis.yml

@@ -1,5 +1,6 @@
 language: ruby
 rvm:
+  - 2.0.0
   - 1.9.3
   - 1.9.2
   - rbx-19mode

data/README.md

@@ -30,7 +30,7 @@ $ irb
 >   },
 >   :ts => 1365898519,
 >   :method => 'POST',
->   :path => '/somewhere/over/the/rainbow',
+>   :request_uri => '/somewhere/over/the/rainbow',
 >   :host => 'example.net',
 >   :port => 80,
 >   :payload => 'something to write about',
@@ -48,7 +48,7 @@ Hawk id="123456", ts="1365898519", nonce="Ygvqdz", hash="LjRmtkSKTW0ObTUyZ7N+vjC
 >   },
 >   :ts => 1365899773,
 >   :method => "POST",
->   :path => "/somewhere/over/the/rainbow",
+>   :request_uri => "/somewhere/over/the/rainbow",
 >   :host => "example.net",
 >   :port => 80,
 >   :payload => "something to write about",
@@ -68,7 +68,7 @@ Hawk id="123456", ts="1365898519", nonce="Ygvqdz", hash="LjRmtkSKTW0ObTUyZ7N+vjC
 > Hawk::Server.authenticate(
 >   %(Hawk id="123456", ts="1365900371", nonce="Ygvqdz", hash="9LxQVpfaAgyiyNeOgD8TEKP6RnM=", mac="lv54INsJZym8wnME0nQAu5jW6BA="),
 >   :method => "POST",
->   :path => "/somewhere/over/the/rainbow",
+>   :request_uri => "/somewhere/over/the/rainbow",
 >   :host => "example.net",
 >   :port => 80,
 >   :content_type => "text/plain",
@@ -81,7 +81,7 @@ Hawk id="123456", ts="1365898519", nonce="Ygvqdz", hash="LjRmtkSKTW0ObTUyZ7N+vjC
 > res = Hawk::Server.authenticate(
 >   %(Hawk id="123456", ts="1365901299", mac="zTu3FSTmdsdSaLHd/DrpeQRkuYzcb0snYYKOmwDwP3w="),
 >   :method => "POST",
->   :path => "/somewhere/over/the/rainbow",
+>   :request_uri => "/somewhere/over/the/rainbow",
 >   :host => "example.net",
 >   :port => 80,
 >   :content_type => "text/plain",
@@ -100,7 +100,7 @@ Hawk ts="1365901388", tsm="6mdH5DT66UeWlkBC9x2QD7Upt0eYnud9dB7y7xKoEoU=", error=
 >   },
 >   :ts => 1365900682,
 >   :method => "POST",
->   :path => "/somewhere/over/the/rainbow",
+>   :request_uri => "/somewhere/over/the/rainbow",
 >   :host => "example.net",
 >   :port => 80,
 >   :ext => "Bazinga!",

data/lib/hawk/authorization_header.rb

@@ -2,11 +2,13 @@ module Hawk
   module AuthorizationHeader
     extend self
 
-    REQUIRED_OPTIONS = [:method, :path, :host, :port].freeze
+    REQUIRED_OPTIONS = [:method, :request_uri, :host, :port].freeze
     REQUIRED_CREDENTIAL_MEMBERS = [:id, :key, :algorithm].freeze
     SUPPORTED_ALGORITHMS = ['sha256', 'sha1'].freeze
     HEADER_PARTS = [:id, :ts, :nonce, :hash, :ext, :mac].freeze
 
+    DEFAULT_TIMESTAMP_SKEW = 60.freeze # ±60 seconds
+
     MissingOptionError = Class.new(StandardError)
     InvalidCredentialsError = Class.new(StandardError)
     InvalidAlgorithmError = Class.new(StandardError)
@@ -41,7 +43,7 @@ module Hawk
         :nonce => options[:nonce],
         :mac => mac
       }
-      parts[:hash] = hash if options.has_key?(:payload)
+      parts[:hash] = hash if options.has_key?(:payload) && !options[:payload].nil?
       parts[:ext] = options[:ext] if options.has_key?(:ext)
 
       "Hawk " << (only || HEADER_PARTS).inject([]) { |memo, key|
@@ -52,10 +54,15 @@ module Hawk
     end
 
     def authenticate(header, options)
+      options = options.dup
+
       parts = parse(header)
+      options.delete(:payload) unless parts[:hash]
 
       now = Time.now.to_i
 
+      options[:timestamp_skew] ||= DEFAULT_TIMESTAMP_SKEW
+
       if options[:server_response]
         credentials = options[:credentials]
         parts.merge!(
@@ -67,7 +74,7 @@ module Hawk
           return AuthenticationFailure.new(:id, "Unidentified id")
         end
 
-        if (now - parts[:ts].to_i > 1000) || (parts[:ts].to_i - now > 1000)
+        if (now - parts[:ts].to_i > options[:timestamp_skew]) || (parts[:ts].to_i - now > options[:timestamp_skew])
           # Stale timestamp
           return AuthenticationFailure.new(:ts, "Stale ts", :credentials => credentials)
         end
@@ -86,7 +93,9 @@ module Hawk
         :credentials => credentials,
         :ts => parts[:ts],
         :nonce => parts[:nonce],
-        :ext => parts[:ext]
+        :ext => parts[:ext],
+        :app => options[:app] || parts[:app],
+        :dig => options[:dig] || parts[:dig]
       ))
       unless expected_mac == parts[:mac]
         return AuthenticationFailure.new(:mac, "Invalid mac")

data/lib/hawk/client.rb

@@ -5,7 +5,7 @@ module Hawk
     extend self
 
     def authenticate(authorization_header, options)
-      Hawk::AuthorizationHeader.authenticate(authorization_header, { :server_response => true }.merge(options))
+      Hawk::AuthorizationHeader.authenticate(authorization_header, { :server_response => true, :type => 'response' }.merge(options))
     end
 
     def build_authorization_header(options)

data/lib/hawk/crypto.rb

@@ -34,27 +34,34 @@ module Hawk
     end
 
     def normalized_string(options)
+      options = options.dup
+      if !options[:hash] && options.has_key?(:payload) && !options[:payload].nil?
+        options[:hash] = hash(options)
+      end
+
       parts = []
 
       parts << "hawk.1.#{options[:type] || 'header'}"
       parts << options[:ts]
       parts << options[:nonce]
       parts << options[:method].to_s.upcase
-      parts << options[:path]
+      parts << options[:request_uri]
       parts << options[:host]
       parts << options[:port]
       parts << options[:hash]
       parts << options[:ext]
+
+      if options[:app]
+        parts << options[:app]
+        parts << options[:dig]
+      end
+
       parts << nil # trailing newline
 
       parts.join("\n")
     end
 
     def mac(options)
-      if !options[:hash] && options.has_key?(:payload)
-        options[:hash] = hash(options)
-      end
-
       Base64.encode64(
         OpenSSL::HMAC.digest(
           openssl_digest(options[:credentials][:algorithm]).new,

data/lib/hawk/server.rb

@@ -21,7 +21,7 @@ module Hawk
       expected_bewit = Crypto.bewit(
         :credentials => credentials,
         :host => options[:host],
-        :path => remove_bewit_param_from_path(options[:path]),
+        :request_uri => remove_bewit_param_from_path(options[:request_uri]),
         :port => options[:port],
         :method => options[:method],
         :ts => timestamp,
@@ -29,7 +29,13 @@ module Hawk
       )
 
       unless expected_bewit == bewit
-        return AuthenticationFailure.new(:bewit, "Invalid signature")
+        if options[:request_uri].to_s =~ /\Ahttp/
+          return authenticate_bewit(bewit, options.merge(
+            :request_uri => options[:request_uri].sub(%r{\Ahttps?://[^/]+}, '')
+          ))
+        else
+          return AuthenticationFailure.new(:bewit, "Invalid signature")
+        end
       end
 
       credentials

data/lib/hawk/version.rb

@@ -1,3 +1,3 @@
 module Hawk
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/spec/client_spec.rb

@@ -21,7 +21,7 @@ describe Hawk::Client do
     let(:input) do
       _input = {
         :method => 'POST',
-        :path => '/somewhere/over/the/rainbow',
+        :request_uri => '/somewhere/over/the/rainbow',
         :host => 'example.net',
         :port => 80,
         :content_type => 'text/plain',
@@ -35,6 +35,7 @@ describe Hawk::Client do
 
     let(:client_input) do
       _input = input
+      _input[:type] = 'response'
       _input[:ext] = ext if ext
       _input
     end
@@ -81,7 +82,7 @@ describe Hawk::Client do
         :credentials => credentials,
         :ts => timestamp,
         :method => 'POST',
-        :path => '/somewhere/over/the/rainbow',
+        :request_uri => '/somewhere/over/the/rainbow',
         :host => 'example.net',
         :port => 80,
         :payload => 'something to write about',

data/spec/crypto_spec.rb

@@ -26,7 +26,7 @@ describe Hawk::Crypto do
         :ts => 1353809207,
         :nonce => 'Ygvqdz',
         :method => 'POST',
-        :path => '/somewhere/over/the/rainbow',
+        :request_uri => '/somewhere/over/the/rainbow',
         :host => 'example.net',
         :port => 80,
         :payload => 'something to write about',
@@ -62,7 +62,7 @@ describe Hawk::Crypto do
         {
           :credentials => credentials,
           :method => 'GET',
-          :path => '/resource/4?a=1&b=2',
+          :request_uri => '/resource/4?a=1&b=2',
           :host => 'example.com',
           :port => 80,
           :ext => 'some-app-data',
@@ -91,7 +91,7 @@ describe Hawk::Crypto do
         :ts => 1353809207,
         :nonce => 'Ygvqdz',
         :method => 'POST',
-        :path => '/somewhere/over/the/rainbow',
+        :request_uri => '/somewhere/over/the/rainbow',
         :host => 'example.net',
         :port => 80,
         :payload => 'something to write about',
@@ -140,25 +140,66 @@ describe Hawk::Crypto do
         :ts => 1365701514,
         :nonce => '5b4e',
         :method => 'GET',
-        :path => "/path/to/foo?bar=baz",
+        :request_uri => "/path/to/foo?bar=baz",
         :host => 'example.com',
         :port => 8080
       }
     end
 
     let(:expected_output) do
-      %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:path]}\n#{input[:host]}\n#{input[:port]}\n\n\n)
+      %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:request_uri]}\n#{input[:host]}\n#{input[:port]}\n\n\n)
     end
 
     it_behaves_like "an input normalization method"
 
+    context "with app" do
+      let(:input) do
+        {
+          :ts => 1365701514,
+          :nonce => '5b4e',
+          :method => 'GET',
+          :request_uri => '/path/to/foo?bar=baz',
+          :host => 'example.com',
+          :port => 8080,
+          :app => 'some app id'
+        }
+      end
+
+      let(:expected_output) do
+        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:request_uri]}\n#{input[:host]}\n#{input[:port]}\n\n\n#{input[:app]}\n\n)
+      end
+
+      it_behaves_like "an input normalization method"
+    end
+
+    context "with app and dig" do
+      let(:input) do
+        {
+          :ts => 1365701514,
+          :nonce => '5b4e',
+          :method => 'GET',
+          :request_uri => '/path/to/foo?bar=baz',
+          :host => 'example.com',
+          :port => 8080,
+          :app => 'some app id',
+          :dig => 'some dig'
+        }
+      end
+
+      let(:expected_output) do
+        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:request_uri]}\n#{input[:host]}\n#{input[:port]}\n\n\n#{input[:app]}\n#{input[:dig]}\n)
+      end
+
+      it_behaves_like "an input normalization method"
+    end
+
     context "with ext" do
       let(:input) do
         {
           :ts => 1365701514,
           :nonce => '5b4e',
           :method => 'GET',
-          :path => '/path/to/foo?bar=baz',
+          :request_uri => '/path/to/foo?bar=baz',
           :host => 'example.com',
           :port => 8080,
           :ext => 'this is some app data'
@@ -166,7 +207,7 @@ describe Hawk::Crypto do
       end
 
       let(:expected_output) do
-        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:path]}\n#{input[:host]}\n#{input[:port]}\n\n#{input[:ext]}\n)
+        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:request_uri]}\n#{input[:host]}\n#{input[:port]}\n\n#{input[:ext]}\n)
       end
 
       it_behaves_like "an input normalization method"
@@ -178,7 +219,7 @@ describe Hawk::Crypto do
           :ts => 1365701514,
           :nonce => '5b4e',
           :method => 'GET',
-          :path => '/path/to/foo?bar=baz',
+          :request_uri => '/path/to/foo?bar=baz',
           :host => 'example.com',
           :port => 8080,
           :hash => 'U4MKKSmiVxk37JCCrAVIjV/OhB3y+NdwoCr6RShbVkE=',
@@ -187,7 +228,7 @@ describe Hawk::Crypto do
       end
 
       let(:expected_output) do
-        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:path]}\n#{input[:host]}\n#{input[:port]}\n#{input[:hash]}\n#{input[:ext]}\n)
+        %(hawk.1.header\n#{input[:ts]}\n#{input[:nonce]}\n#{input[:method]}\n#{input[:request_uri]}\n#{input[:host]}\n#{input[:port]}\n#{input[:hash]}\n#{input[:ext]}\n)
       end
 
       it_behaves_like "an input normalization method"

data/spec/server_spec.rb

@@ -28,10 +28,12 @@ describe Hawk::Server do
     let(:timestamp) { Time.now.to_i }
     let(:nonce) { 'Ygvqdz' }
 
+    let(:timestamp_skew) { Hawk::AuthorizationHeader::DEFAULT_TIMESTAMP_SKEW }
+
     let(:input) do
       _input = {
         :method => 'POST',
-        :path => '/somewhere/over/the/rainbow',
+        :request_uri => '/somewhere/over/the/rainbow',
         :host => 'example.net',
         :port => 80,
         :content_type => 'text/plain',
@@ -84,7 +86,7 @@ describe Hawk::Server do
 
       context "when stale timestamp" do
         context "when too old" do
-          let(:timestamp) { Time.now.to_i - 1001 }
+          let(:timestamp) { Time.now.to_i - timestamp_skew - 1 }
 
           it "returns error object" do
             actual = described_class.authenticate(authorization_header, input)
@@ -95,7 +97,7 @@ describe Hawk::Server do
         end
 
         context "when too far in the future" do
-          let(:timestamp) { Time.now.to_i + 1001 }
+          let(:timestamp) { Time.now.to_i + timestamp_skew + 1 }
 
           it "returns error object" do
             actual = described_class.authenticate(authorization_header, input)
@@ -184,7 +186,7 @@ describe Hawk::Server do
         :credentials => credentials,
         :ts => timestamp,
         :method => 'POST',
-        :path => '/somewhere/over/the/rainbow',
+        :request_uri => '/somewhere/over/the/rainbow',
         :host => 'example.net',
         :port => 80,
         :payload => 'something to write about',
@@ -220,6 +222,47 @@ describe Hawk::Server do
   end
 
   describe ".authenticate_bewit" do
+    shared_examples "authenticate_bewit" do
+      context "when valid" do
+        it "returns credentials" do
+          expect(described_class.authenticate_bewit(bewit, input)).to eql(credentials)
+        end
+      end
+
+      context "when invalid format" do
+        let(:bewit) { "invalid-bewit" }
+
+        it "returns error object" do
+          actual = described_class.authenticate_bewit(bewit, input)
+          expect(actual).to be_a(Hawk::AuthenticationFailure)
+          expect(actual.key).to eql(:id)
+          expect(actual.message).to_not eql(nil)
+        end
+      end
+
+      context "when invalid ext" do
+        let(:bewit) { "MTIzNDU2XDQ1MTkzMTE0NThcVTN4dVF5TEVXUGNOa3Q4Vm5oRy9BSDg4VERQZXlKT2JKeGVNb0tkZWZUQT1caW52YWxpZCBleHQ" }
+
+        it "returns error object" do
+          actual = described_class.authenticate_bewit(bewit, input)
+          expect(actual).to be_a(Hawk::AuthenticationFailure)
+          expect(actual.key).to eql(:bewit)
+          expect(actual.message).to_not eql(nil)
+        end
+      end
+
+      context "when stale timestamp" do
+        let(:now) { 4519311459 }
+
+        it "returns error object" do
+          actual = described_class.authenticate_bewit(bewit, input)
+          expect(actual).to be_a(Hawk::AuthenticationFailure)
+          expect(actual.key).to eql(:ts)
+          expect(actual.message).to_not eql(nil)
+        end
+      end
+    end
+
     let(:credentials_lookup) do
       lambda { |id|
         if id == credentials[:id]
@@ -234,7 +277,7 @@ describe Hawk::Server do
       {
         :credentials_lookup => credentials_lookup,
         :method => 'GET',
-        :path => "/resource/4?a=1&bewit=#{bewit}&b=2",
+        :request_uri => "/resource/4?a=1&bewit=#{bewit}&b=2",
         :host => 'example.com',
         :port => 80,
       }
@@ -247,43 +290,16 @@ describe Hawk::Server do
       Time.stubs(:now).returns(Time.at(now))
     end
 
-    context "when valid" do
-      it "returns credentials" do
-        expect(described_class.authenticate_bewit(bewit, input)).to eql(credentials)
-      end
+    context "when request_uri is path" do
+      it_behaves_like "authenticate_bewit"
     end
 
-    context "when invalid format" do
-      let(:bewit) { "invalid-bewit" }
-
-      it "returns error object" do
-        actual = described_class.authenticate_bewit(bewit, input)
-        expect(actual).to be_a(Hawk::AuthenticationFailure)
-        expect(actual.key).to eql(:id)
-        expect(actual.message).to_not eql(nil)
+    context "when request_uri is full url" do
+      before do
+        input[:request_uri] = "http://example.com/resource/4?a=1&bewit=#{bewit}&b=2"
       end
-    end
 
-    context "when invalid ext" do
-      let(:bewit) { "MTIzNDU2XDQ1MTkzMTE0NThcVTN4dVF5TEVXUGNOa3Q4Vm5oRy9BSDg4VERQZXlKT2JKeGVNb0tkZWZUQT1caW52YWxpZCBleHQ" }
-
-      it "returns error object" do
-        actual = described_class.authenticate_bewit(bewit, input)
-        expect(actual).to be_a(Hawk::AuthenticationFailure)
-        expect(actual.key).to eql(:bewit)
-        expect(actual.message).to_not eql(nil)
-      end
-    end
-
-    context "when stale timestamp" do
-      let(:now) { 4519311459 }
-
-      it "returns error object" do
-        actual = described_class.authenticate_bewit(bewit, input)
-        expect(actual).to be_a(Hawk::AuthenticationFailure)
-        expect(actual.key).to eql(:ts)
-        expect(actual.message).to_not eql(nil)
-      end
+      it_behaves_like "authenticate_bewit"
     end
   end
 

data/spec/support/shared_examples/authorization_header.rb

@@ -35,7 +35,7 @@ shared_examples "an authorization header builder" do
     context '', &returns_valid_authorization_header
   end
 
-  %w( method path host port ).each do |missing_option|
+  %w( method request_uri host port ).each do |missing_option|
     context "when missing #{missing_option} option" do
       before do
         input.delete(missing_option.to_sym)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hawk-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-15 00:00:00.000000000 Z
+date: 2013-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler