jmoses_api-auth 1.0.4

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.gitignore

@@ -0,0 +1,44 @@
+.rvmrc
+
+# rcov generated
+coverage
+
+# rdoc generated
+rdoc
+
+# yard generated
+doc
+.yardoc
+
+# bundler
+.bundle
+
+# jeweler generated
+pkg
+
+# Have editor/IDE/OS specific files you need to ignore? Consider using a global gitignore: 
+#
+# * Create a file at ~/.gitignore
+# * Include files you want ignored
+# * Run: git config --global core.excludesfile ~/.gitignore
+#
+# After doing this, these files will be ignored in all your git projects,
+# saving you from having to 'pollute' every project you touch with them
+#
+# Not sure what to needs to be ignored for particular editors/OSes? Here's some ideas to get you started. (Remember, remove the leading # of the line)
+#
+# For MacOS:
+#
+#.DS_Store
+#
+# For TextMate
+#*.tmproj
+#tmtags
+#
+# For emacs:
+#*~
+#\#*
+#.\#*
+#
+# For vim:
+#*.swp

data/.rspec

@@ -0,0 +1,3 @@
+--colour
+--format nested
+--backtrace

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/Gemfile.lock

@@ -0,0 +1,46 @@
+PATH
+  remote: .
+  specs:
+    api-auth (1.0.3)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (2.3.14)
+      activesupport (= 2.3.14)
+      rack (~> 1.1.0)
+    activeresource (2.3.14)
+      activesupport (= 2.3.14)
+    activesupport (2.3.14)
+    amatch (0.2.10)
+      tins (~> 0.3)
+    curb (0.8.1)
+    diff-lcs (1.1.3)
+    mime-types (1.17.2)
+    rack (1.1.3)
+    rake (0.9.2.2)
+    rest-client (1.6.7)
+      mime-types (>= 1.16)
+    rspec (2.4.0)
+      rspec-core (~> 2.4.0)
+      rspec-expectations (~> 2.4.0)
+      rspec-mocks (~> 2.4.0)
+    rspec-core (2.4.0)
+    rspec-expectations (2.4.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.4.0)
+    tins (0.5.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  actionpack (~> 2.3.2)
+  activeresource (~> 2.3.2)
+  activesupport (~> 2.3.2)
+  amatch
+  api-auth!
+  curb (~> 0.8.1)
+  rake
+  rest-client (~> 1.6.0)
+  rspec (~> 2.4.0)

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2012 Gemini SBS LLC
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,185 @@
+# ApiAuth #
+
+Logins and passwords are for humans. Communication between applications need to
+be protected through different means.
+
+ApiAuth is a Ruby gem designed to be used both in your client and server
+HTTP-based applications. It implements the same authentication methods (HMAC-SHA1)
+used by Amazon Web Services.
+
+The gem will sign your requests on the client side and authenticate that
+signature on the server side. If your server resources are implemented as a
+Rails ActiveResource, it will integrate with that. It will even generate the
+secret keys necessary for your clients to sign their requests.
+
+Since it operates entirely using HTTP headers, the server component does not
+have to be written in the same language as the clients.
+
+## How it works ##
+
+1. A canonical string is first created using your HTTP headers containing the
+content-type, content-MD5, request URI and the timestamp. If content-type or
+content-MD5 are not present, then a blank string is used in their place. If the
+timestamp isn't present, a valid HTTP date is automatically added to the
+request. The canonical string string is computed as follows:
+
+    canonical_string = 'content-type,content-MD5,request URI,timestamp'
+
+2. This string is then used to create the signature which is a Base64 encoded
+SHA1 HMAC, using the client's private secret key.
+
+3. This signature is then added as the `Authorization` HTTP header in the form:
+
+    Authorization = APIAuth 'client access id':'signature from step 2'
+
+5. On the server side, the SHA1 HMAC is computed in the same way using the
+request headers and the client's secret key, which is known to only
+the client and the server but can be looked up on the server using the client's
+access id that was attached in the header. The access id can be any integer or
+string that uniquely identifies the client. The signed request expires after 15
+minutes in order to avoid replay attacks.
+
+
+## References ##
+
+* [Hash functions](http://en.wikipedia.org/wiki/Cryptographic_hash_function)
+* [SHA-1 Hash function](http://en.wikipedia.org/wiki/SHA-1)
+* [HMAC algorithm](http://en.wikipedia.org/wiki/HMAC)
+* [RFC 2104 (HMAC)](http://tools.ietf.org/html/rfc2104)
+
+## Install ##
+
+The gem doesn't have any dependencies outside of having a working OpenSSL
+configuration for your Ruby VM. To install:
+
+    [sudo] gem install api-auth
+
+Please note the dash in the name versus the underscore.
+
+## Clients ##
+
+ApiAuth supports many popular HTTP clients. Support for other clients can be
+added as a request driver.
+
+Here is the current list of supported request objects:
+
+* Net::HTTP
+* ActionController::Request
+* Curb (Curl::Easy)
+* RestClient
+
+### HTTP Client Objects ###
+
+Here's a sample implementation of signing a request created with RestClient. For
+more examples, please check out the ApiAuth Spec where every supported HTTP
+client is tested.
+
+Assuming you have a client access id and secret as follows:
+
+``` ruby
+    @access_id = "1044"
+    @secret_key = ApiAuth.generate_secret_key
+```
+
+A typical RestClient PUT request may look like:
+
+``` ruby
+    headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
+        'Content-Type' => "text/plain",
+        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
+    @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
+        :headers => headers,
+        :method => :put)
+```
+
+To sign that request, simply call the `sign!` method as follows:
+
+``` ruby
+    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
+```
+
+The proper `Authorization` request header has now been added to that request
+object and it's ready to be transmitted. It's recommended that you sign the
+request as one of the last steps in building the request to ensure the headers
+don't change after the signing process which would cause the authentication
+check to fail on the server side.
+
+### ActiveResource Clients ###
+
+ApiAuth can transparently protect your ActiveResource communications with a
+single configuration line:
+
+``` ruby
+    class MyResource < ActiveResource::Base
+      with_api_auth(access_id, secret_key)
+    end
+```
+
+This will automatically sign all outgoing ActiveResource requests from your app.
+
+## Server ##
+
+ApiAuth provides some built in methods to help you generate API keys for your
+clients as well as verifying incoming API requests.
+
+To generate a Base64 encoded API key for a client:
+
+``` ruby
+    ApiAuth.generate_secret_key
+```
+
+To validate whether or not a request is authentic:
+
+``` ruby
+    ApiAuth.authentic?(signed_request, secret_key)
+```
+
+If your server is a Rails app, the signed request will be the `request` object.
+
+In order to obtain the secret key for the client, you first need to look up the
+client's access_id. ApiAuth can pull that from the request headers for you:
+
+``` ruby
+    ApiAuth.access_id(signed_request)
+```
+
+Once you've looked up the client's record via the access id, you can then verify
+whether or not the request is authentic. Typically, the access id for the client
+will be their record's primary key in the DB that stores the record or some other
+public unique identifier for the client.
+
+Here's a sample method that can be used in a `before_filter` if your server is a
+Rails app:
+
+``` ruby
+    before_filter :api_authenticate
+
+    def api_authenticate
+      @current_account = Account.find_by_access_id(ApiAuth.access_id(request))
+      return ApiAuth.authentic?(request, @current_account.secret_key) unless @current_account.nil?
+      false
+    end
+```
+
+## Development ##
+
+ApiAuth uses bundler for gem dependencies and RSpec for testing. Developing the
+gem requires that you have all supported HTTP clients installed. Bundler will
+take care of all that for you.
+
+To run the tests:
+
+    rake spec
+
+If you'd like to add support for additional HTTP clients, check out the already
+implemented drivers in `lib/api_auth/request_drivers` for reference. All of
+the public methods for each driver are required to be implemented by your driver.
+
+## Authors ##
+
+* [Mauricio Gomes](http://github.com/mgomes)
+* [Kevin Glowacz](http://github.com/kjg)
+
+## Copyright ##
+
+Copyright (c) 2012 Gemini SBS LLC. See LICENSE.txt for further details.

data/Rakefile

@@ -0,0 +1,22 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rake'
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "test #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+1.0.4

data/api_auth.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+
+Gem::Specification.new do |s|
+  s.name = %q{jmoses_api-auth}
+  s.summary = %q{Simple HMAC authentication for your APIs (fork by jmoses)}
+  s.description = %q{Full HMAC auth implementation for use in your gems and Rails apps.}
+  s.homepage = %q{https://github.com/jmoses/api_auth}
+  s.version = File.read(File.join(File.dirname(__FILE__), 'VERSION'))
+  s.authors = ['Jon Moses', "Mauricio Gomes"]
+  s.email = ['jon@burningbush.us', "mauricio@edge14.com"]
+
+  s.add_development_dependency "rake"
+  s.add_development_dependency "amatch"
+  s.add_development_dependency "rspec", "~> 2.4.0"
+  s.add_development_dependency "actionpack", "~> 2.3.2"
+  s.add_development_dependency "activesupport", "~> 2.3.2"
+  s.add_development_dependency "activeresource", "~> 2.3.2"
+  s.add_development_dependency "rest-client", "~> 1.6.0"
+  s.add_development_dependency "curb", "~> 0.8.1"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+end

data/lib/api-auth.rb

@@ -0,0 +1,2 @@
+# So you can require "api-auth" instead of "api_auth"
+require "api_auth"

data/lib/api_auth/base.rb

@@ -0,0 +1,97 @@
+# api-auth is Ruby gem designed to be used both in your client and server
+# HTTP-based applications. It implements the same authentication methods (HMAC)
+# used by Amazon Web Services.
+
+# The gem will sign your requests on the client side and authenticate that
+# signature on the server side. If your server resources are implemented as a
+# Rails ActiveResource, it will integrate with that. It will even generate the
+# secret keys necessary for your clients to sign their requests.
+module ApiAuth
+
+  class << self
+
+    include Helpers
+
+    # Signs an HTTP request using the client's access id and secret key.
+    # Returns the HTTP request object with the modified headers.
+    #
+    # request: The request can be a Net::HTTP, ActionController::Request,
+    # Curb (Curl::Easy) or a RestClient object.
+    #
+    # access_id: The public unique identifier for the client
+    #
+    # secret_key: assigned secret key that is known to both parties
+    def sign!(request, access_id, secret_key)
+      headers = Headers.new(request)
+      headers.calculate_md5
+      headers.set_date
+      headers.sign_header auth_header(request, access_id, secret_key)
+    end
+
+    # Determines if the request is authentic given the request and the client's
+    # secret key. Returns true if the request is authentic and false otherwise.
+    def authentic?(request, secret_key)
+      return false if secret_key.nil?
+
+      return !md5_mismatch?(request) && signatures_match?(request, secret_key) && !request_too_old?(request)
+    end
+
+    # Returns the access id from the request's authorization header
+    def access_id(request)
+      headers = Headers.new(request)
+      if match_data = parse_auth_header(headers.authorization_header)
+        return match_data[1]
+      end
+
+      nil
+    end
+
+    # Generates a Base64 encoded, randomized secret key
+    #
+    # Store this key along with the access key that will be used for
+    # authenticating the client
+    def generate_secret_key
+      random_bytes = OpenSSL::Random.random_bytes(512)
+      b64_encode(Digest::SHA2.new(512).digest(random_bytes))
+    end
+
+  private
+
+    def request_too_old?(request)
+      headers = Headers.new(request)
+      # 900 seconds is 15 minutes
+      Time.parse(headers.timestamp).utc < (Time.now.utc - 900)
+    end
+
+    def md5_mismatch?(request)
+      headers = Headers.new(request)
+      headers.md5_mismatch?
+    end
+
+    def signatures_match?(request, secret_key)
+      headers = Headers.new(request)
+      if match_data = parse_auth_header(headers.authorization_header)
+        hmac = match_data[2]
+        return hmac == hmac_signature(request, secret_key)
+      end
+      false
+    end
+
+    def hmac_signature(request, secret_key)
+      headers = Headers.new(request)
+      canonical_string = headers.canonical_string
+      digest = OpenSSL::Digest::Digest.new('sha1')
+      b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
+    end
+
+    def auth_header(request, access_id, secret_key)
+      "APIAuth #{access_id}:#{hmac_signature(request, secret_key)}"
+    end
+
+    def parse_auth_header(auth_header)
+      Regexp.new("APIAuth ([^:]+):(.+)$").match(auth_header)
+    end
+
+  end # class methods
+
+end # ApiAuth

data/lib/api_auth/errors.rb

@@ -0,0 +1,9 @@
+module ApiAuth
+  
+  # :nodoc:
+  class ApiAuthError < StandardError; end
+  
+  # Raised when the HTTP request object passed is not supported
+  class UnknownHTTPRequest < ApiAuthError; end
+  
+end

data/lib/api_auth/headers.rb

@@ -0,0 +1,82 @@
+module ApiAuth
+
+  # Builds the canonical string given a request object.
+  class Headers
+
+    include RequestDrivers
+
+    def initialize(request)
+      @original_request = request
+
+      case request.class.to_s
+      when /Net::HTTP/
+        @request = NetHttpRequest.new(request)
+      when /RestClient/
+        @request = RestClientRequest.new(request)
+      when /Curl::Easy/
+        @request = CurbRequest.new(request)
+      when /ActionController::Request/
+        @request = ActionControllerRequest.new(request)
+      when /ActionController::TestRequest/
+        if defined?(ActionDispatch)
+          @request = ActionDispatchRequest.new(request)
+        else
+          @request = ActionControllerRequest.new(request)
+        end
+      when /ActionDispatch::Request/
+        @request = ActionDispatchRequest.new(request)
+      when /Rack::Request/
+        @request = RackRequest.new(request)
+      else
+        raise UnknownHTTPRequest, "#{request.class.to_s} is not yet supported."
+      end
+      true
+    end
+    
+    # Returns the request timestamp
+    def timestamp
+       @request.timestamp 
+    end
+
+    # Returns the canonical string computed from the request's headers
+    def canonical_string
+      [ @request.content_type,
+        @request.content_md5,
+        @request.request_uri.gsub(/http:\/\/[^(,|\?|\/)]*/,''), # remove host
+        @request.timestamp
+      ].join(",")
+    end
+
+    # Returns the authorization header from the request's headers
+    def authorization_header
+      @request.authorization_header
+    end
+
+    def set_date
+      @request.set_date if @request.timestamp.blank?
+    end
+
+    def calculate_md5
+      @request.populate_content_md5 if @request.content_md5.blank?
+    end
+
+    def md5_mismatch?
+      if @request.content_md5.blank?
+        false
+      else
+        @request.md5_mismatch?
+      end
+    end
+
+    # Sets the request's authorization header with the passed in value.
+    # The header should be the ApiAuth HMAC signature.
+    #
+    # This will return the original request object with the signed Authorization
+    # header already in place.
+    def sign_header(header)
+      @request.set_auth_header header
+    end
+
+  end
+
+end

data/lib/api_auth/helpers.rb

@@ -0,0 +1,18 @@
+module ApiAuth
+
+  module Helpers # :nodoc:
+    
+    def b64_encode(string)
+      Base64.strict_encode64(string)
+    end
+    
+    # Capitalizes the keys of a hash
+    def capitalize_keys(hsh)
+      capitalized_hash = {}
+      hsh.each_pair {|k,v| capitalized_hash[k.to_s.upcase] = v }
+      capitalized_hash
+    end
+    
+  end
+  
+end