integral-yandex-money-notification_validator 0.1.0

checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: e238282eda4f0f0fc91bc297336234aebf561fd734536fbe0860e71ad41a2fb2
4
+ data.tar.gz: be0f816d1e311364d19f8b0bc02e7a724eb98a0a49dcf27297795128e29481f8
5
+ SHA512:
6
+ metadata.gz: 23e1e258224cd3e91bb52422dcea93ec90917e7a35e191b0ad3d21f1ceffd1fef6590289998955ae91244f4f74dcc742b320a75bf61ced542d7834d544bc562f
7
+ data.tar.gz: d9dd652e80ccc2a156e7272adb7aaa9c333aeac3f6884cead87e10e52372fc4582e1ac50bb079029c6e7126c10114957f489ab7f903ec0abaad127529bf78f95
data/LICENSE.md ADDED
@@ -0,0 +1,20 @@
1
+ Copyright 2018 [Integral Design](http://integral-design.ru).
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.md ADDED
@@ -0,0 +1,75 @@
1
+ # Yandex.Money notification validator
2
+
3
+ [![Gem Version](https://badge.fury.io/rb/integral-yandex-money-notification_validator.svg)](http://badge.fury.io/rb/integral-yandex-money-notification_validator)
4
+ [![Maintainability](https://api.codeclimate.com/v1/badges/5b7ba150248e751ccbc9/maintainability)](https://codeclimate.com/github/sergeypedan/integral-yandex-money-notification_validator/maintainability)
5
+ [![Test Coverage](https://api.codeclimate.com/v1/badges/5b7ba150248e751ccbc9/test_coverage)](https://codeclimate.com/github/sergeypedan/integral-yandex-money-notification_validator/test_coverage)
6
+
7
+ <!-- Tocer[start]: Auto-generated, don't remove. -->
8
+
9
+ ## Table of Contents
10
+
11
+ - [Features](#features)
12
+ - [Requirements](#requirements)
13
+ - [Setup](#setup)
14
+ - [Usage](#usage)
15
+ - [Tests](#tests)
16
+ - [Credits](#credits)
17
+
18
+ <!-- Tocer[finish]: Auto-generated, don't remove. -->
19
+
20
+ ## Features
21
+
22
+ Checks integrity of Yandex.Money payment notification by comparing SHA of strigified params including a secret shared with Yandex.
23
+
24
+ Here are the official docs for the [notification service](https://tech.yandex.ru/money/doc/dg/reference/notification-p2p-incoming-docpage/) and [validating notifications specifically](https://tech.yandex.ru/money/doc/dg/reference/notification-p2p-incoming-docpage/#notification-p2p-incoming__verify-notification).
25
+
26
+ ## Requirements
27
+
28
+ [Ruby 2.5.0](https://www.ruby-lang.org) or higher.
29
+
30
+ ## Setup
31
+
32
+ Add the following to your Gemfile:
33
+
34
+ ```ruby
35
+ gem "integral-yandex-money-notification_validator"
36
+ ```
37
+
38
+ ## Usage
39
+
40
+ Intended to use in a Rails controller like so:
41
+
42
+ ```ruby
43
+ class YandexMoneyReceiptsController < ApplicationController
44
+
45
+ def create
46
+ secret = "YOUR_YANDEX_MONEY_NOTIFICATIONS_SHARED_SECRET"
47
+ validator = Integral::Yandex::Money::NotificationValidator.new(params: params, secret: secret)
48
+
49
+ if validator.valid?
50
+ # Do your thing here, for example create a new `YandexMoneyReceipt` record in DB
51
+ else
52
+ render text: validator.errors.join(". "), status: :bad_request and return
53
+ end
54
+ end
55
+
56
+ end
57
+ ```
58
+
59
+ `params` are supposed to be an `ActionController::Parameters` or just a `Hash`.
60
+
61
+ `validator.errors` returns an Array of message strings — most often only 1 message, but who knows.
62
+
63
+ `secret` is obtained from Yandex.Money [somewehre in the settings](https://money.yandex.ru/myservices/online.xml). Recommended to keep in Rails credentials, ENV variable or elsewhere secure.
64
+
65
+ ## Tests
66
+
67
+ To test, run:
68
+
69
+ ```sh
70
+ bundle exec rake
71
+ ```
72
+
73
+ ## Credits
74
+
75
+ Developed by [Sergey Pedan](http://sergeypedan.ru) at [Integral Design](http://integral-design.ru).
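Review bot: two typos in the prose of this hunk: "strigified" in the Features paragraph should be "stringified", and "somewehre" in the `secret` paragraph should be "somewhere". In the usage example, `render text:` was deprecated in Rails 5.0 and removed in 5.1; the current form is `render plain: validator.errors.join(". "), status: :bad_request`. The same example shows the shared secret as a string literal inside the controller while the paragraph below recommends Rails credentials or an ENV variable; having the snippet read the secret from one of those (e.g. `secret = Rails.application.credentials.yandex_money_secret`) would keep the example consistent with the advice.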
@@ -0,0 +1,77 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "digest"
4
+ require "integral/yandex/money/notification_validator/identity"
5
+
6
+ module Integral
7
+ module Yandex
8
+ module Money
9
+
10
+ # Validation is documented here: https://tech.yandex.ru/money/doc/dg/reference/notification-p2p-incoming-docpage/#notification-p2p-incoming__verify-notification
11
+ class NotificationValidator
12
+
13
+ # Order is crucial for `KEYS_FOR_DIGEST`
14
+ KEYS_FOR_DIGEST = %w[notification_type operation_id amount currency datetime sender codepro notification_secret label].freeze
15
+ PERMITTED_HASH_TYPES = ["ActionController::Parameters", "Hash"].freeze
16
+ REQUIRED_KEYS = %w[amount codepro datetime notification_type operation_id sender].freeze
17
+
18
+
19
+ def initialize params:, secret:
20
+ fail ArgumentError, "Yandex.Money notifications secret is required" if secret.to_s == ""
21
+ validate_params_hash!(params)
22
+ @secret = secret
23
+ @params = params
24
+ @errors = []
25
+ end
26
+
27
+ attr_reader :errors
28
+
29
+
30
+ def valid?
31
+ return false unless all_param_values_present?
32
+ return false unless integrity_correct?
33
+ true
34
+ end
35
+
36
+
37
+ private
38
+
39
+ def all_param_values_present?
40
+ missing_keys = REQUIRED_KEYS.select { |key| @params[key].to_s == "" }
41
+ return true if missing_keys.empty?
42
+ (@errors << "Required `params` keys missing: #{missing_keys.uniq.join(", ")}") and return false
43
+ end
44
+
45
+
46
+ def encode_sha string
47
+ Digest::SHA1.hexdigest string
48
+ end
49
+
50
+
51
+ def integrity_correct?
52
+ stringified_params = stringify_params params_with_secret(@params)
53
+ return true if @params["sha1_hash"] == encode_sha(stringified_params)
54
+ (@errors << "SHA hashes do not match") and return false
55
+ end
56
+
57
+
58
+ def params_with_secret params
59
+ params.merge("notification_secret" => @secret)
60
+ end
61
+
62
+
63
+ def stringify_params params
64
+ KEYS_FOR_DIGEST.map { |key| params[key] }.join("&")
65
+ # this way and not just `.to_s` is to enforce required order of params
66
+ end
67
+
68
+
69
+ def validate_params_hash! params
70
+ names = PERMITTED_HASH_TYPES.map { |name| "`#{name}`" }.join(" or ")
71
+ valid = PERMITTED_HASH_TYPES.include? params.class.to_s
72
+ fail ArgumentError, "`params` must be a #{names}, you passed #{params.inspect}" unless valid
73
+ end
74
+ end
75
+ end
76
+ end
77
+ end
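Review bot: `integrity_correct?` compares the supplied `sha1_hash` against the computed digest with `==`, a byte-by-byte comparison that returns on the first mismatch; for a check that authenticates a message with a shared secret, use a constant-time comparison such as `Rack::Utils.secure_compare(@params["sha1_hash"].to_s, encode_sha(stringified_params))` (or `ActiveSupport::SecurityUtils.secure_compare` when Rails is present). Two smaller points in the same hunk: `sha1_hash` is not in `REQUIRED_KEYS`, so a notification that carries no hash at all is reported as "SHA hashes do not match" rather than as a missing key, which hides the real cause from the caller; and `stringify_params` maps `params[key]` for the optional `label`, so a missing label becomes an empty field between the `&` separators (`nil.to_s` is `""`) rather than being omitted. A comment stating that this matches the documented concatenation order, alongside the existing "Order is crucial" comment, would make the intent explicit.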
@@ -0,0 +1,28 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Integral
4
+ module Yandex
5
+ module Money
6
+ class NotificationValidator
7
+ # Gem identity information.
8
+ module Identity
9
+ def self.name
10
+ "integral-yandex-money-notification_validator"
11
+ end
12
+
13
+ def self.label
14
+ "Yandex.Money notification validator by Integral Design"
15
+ end
16
+
17
+ def self.version
18
+ "0.1.0"
19
+ end
20
+
21
+ def self.version_label
22
+ "#{label} #{version}"
23
+ end
24
+ end
25
+ end
26
+ end
27
+ end
28
+ end
metadata ADDED
@@ -0,0 +1,193 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: integral-yandex-money-notification_validator
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Sergey Pedan
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2018-12-02 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: bundler-audit
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: '0.6'
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: '0.6'
27
+ - !ruby/object:Gem::Dependency
28
+ name: gemsmith
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '12.3'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '12.3'
41
+ - !ruby/object:Gem::Dependency
42
+ name: git-cop
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '2.2'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '2.2'
55
+ - !ruby/object:Gem::Dependency
56
+ name: guard-rspec
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: '4.7'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - "~>"
67
+ - !ruby/object:Gem::Version
68
+ version: '4.7'
69
+ - !ruby/object:Gem::Dependency
70
+ name: pry
71
+ requirement: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - "~>"
74
+ - !ruby/object:Gem::Version
75
+ version: '0.10'
76
+ type: :development
77
+ prerelease: false
78
+ version_requirements: !ruby/object:Gem::Requirement
79
+ requirements:
80
+ - - "~>"
81
+ - !ruby/object:Gem::Version
82
+ version: '0.10'
83
+ - !ruby/object:Gem::Dependency
84
+ name: pry-byebug
85
+ requirement: !ruby/object:Gem::Requirement
86
+ requirements:
87
+ - - "~>"
88
+ - !ruby/object:Gem::Version
89
+ version: '3.5'
90
+ type: :development
91
+ prerelease: false
92
+ version_requirements: !ruby/object:Gem::Requirement
93
+ requirements:
94
+ - - "~>"
95
+ - !ruby/object:Gem::Version
96
+ version: '3.5'
97
+ - !ruby/object:Gem::Dependency
98
+ name: rake
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - "~>"
102
+ - !ruby/object:Gem::Version
103
+ version: '12.3'
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - "~>"
109
+ - !ruby/object:Gem::Version
110
+ version: '12.3'
111
+ - !ruby/object:Gem::Dependency
112
+ name: reek
113
+ requirement: !ruby/object:Gem::Requirement
114
+ requirements:
115
+ - - "~>"
116
+ - !ruby/object:Gem::Version
117
+ version: '5.0'
118
+ type: :development
119
+ prerelease: false
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ requirements:
122
+ - - "~>"
123
+ - !ruby/object:Gem::Version
124
+ version: '5.0'
125
+ - !ruby/object:Gem::Dependency
126
+ name: rspec
127
+ requirement: !ruby/object:Gem::Requirement
128
+ requirements:
129
+ - - "~>"
130
+ - !ruby/object:Gem::Version
131
+ version: '3.8'
132
+ type: :development
133
+ prerelease: false
134
+ version_requirements: !ruby/object:Gem::Requirement
135
+ requirements:
136
+ - - "~>"
137
+ - !ruby/object:Gem::Version
138
+ version: '3.8'
139
+ - !ruby/object:Gem::Dependency
140
+ name: rubocop
141
+ requirement: !ruby/object:Gem::Requirement
142
+ requirements:
143
+ - - "~>"
144
+ - !ruby/object:Gem::Version
145
+ version: '0.58'
146
+ type: :development
147
+ prerelease: false
148
+ version_requirements: !ruby/object:Gem::Requirement
149
+ requirements:
150
+ - - "~>"
151
+ - !ruby/object:Gem::Version
152
+ version: '0.58'
153
+ description:
154
+ email:
155
+ - sergey.pedan@gmail.com
156
+ executables: []
157
+ extensions: []
158
+ extra_rdoc_files:
159
+ - README.md
160
+ - LICENSE.md
161
+ files:
162
+ - LICENSE.md
163
+ - README.md
164
+ - lib/integral/yandex/money/notification_validator.rb
165
+ - lib/integral/yandex/money/notification_validator/identity.rb
166
+ homepage: https://github.com/sergeypedan/integral-yandex-money-notification_validator
167
+ licenses:
168
+ - MIT
169
+ metadata:
170
+ source_code_uri: https://github.com/sergeypedan/integral-yandex-money-notification_validator
171
+ changelog_uri: https://github.com/sergeypedan/integral-yandex-money-notification_validator/blob/master/CHANGES.md
172
+ post_install_message:
173
+ rdoc_options: []
174
+ require_paths:
175
+ - lib
176
+ required_ruby_version: !ruby/object:Gem::Requirement
177
+ requirements:
178
+ - - "~>"
179
+ - !ruby/object:Gem::Version
180
+ version: '2.5'
181
+ required_rubygems_version: !ruby/object:Gem::Requirement
182
+ requirements:
183
+ - - ">="
184
+ - !ruby/object:Gem::Version
185
+ version: '0'
186
+ requirements: []
187
+ rubyforge_project:
188
+ rubygems_version: 2.7.7
189
+ signing_key:
190
+ specification_version: 4
191
+ summary: Checks integrity of Yandex.Money payment notification by comparing SHA of
192
+ strigified params including a secret shared with Yandex.
193
+ test_files: []
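Review bot: `cert_chain: []` together with the empty `signing_key:` means the gem is published unsigned, so installers running with `gem install -P HighSecurity` cannot verify the publisher of a payment-verification library; consider signing releases. Also in this hunk: the `summary` repeats the "strigified" typo from the README, `description:` is empty, and `changelog_uri` points at `CHANGES.md`, which does not appear in the `files` list of the packaged gem, so it is worth confirming that file exists in the repository.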