linzer 0.7.0.beta1 → 0.7.0.beta3

data/lib/linzer/message/adapter/rack/common.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    module Adapter
+      module Rack
+        module Common
+          DERIVED_COMPONENT = {
+            method:           :request_method,
+            authority:        :authority,
+            path:             :path_info,
+            status:           :status,
+            "target-uri":     :url,
+            scheme:           :scheme,
+            "request-target": :fullpath,
+            query:            :query_string
+          }.freeze
+          private_constant :DERIVED_COMPONENT
+
+          private
+
+          def validate
+            msg = "Message instance must be an HTTP request or response"
+            raise Error.new msg if response? == request?
+          end
+
+          def validate_header_name(name)
+            raise ArgumentError.new, "Blank header name." if name.empty?
+            name.to_str
+          rescue => ex
+            err_msg = "Invalid header name: '#{name}'"
+            raise Linzer::Error.new, err_msg, cause: ex
+          end
+
+          def rack_header_name(field_name)
+            validate_header_name field_name
+
+            rack_name = field_name.upcase.tr("-", "_")
+            case field_name.downcase
+            when "content-type", "content-length"
+              rack_name
+            else
+              "HTTP_#{rack_name}"
+            end
+          end
+
+          def rack_request_headers(rack_request)
+            rack_request
+              .each_header
+              .to_h
+              .select do |k, _|
+                k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
+              end
+              .transform_keys { |k| k.downcase.tr("_", "-") }
+              .transform_keys do |k|
+                %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
+              end
+          end
+
+          def derived(name)
+            method = DERIVED_COMPONENT[name.value]
+
+            value = case name.value
+            when :query         then derive(@operation, method)
+            when :"query-param" then query_param(name)
+            end
+
+            return nil if !method && !value
+            value || derive(@operation, method)
+          end
+
+          def field(name)
+            has_tr = name.parameters["tr"]
+            if has_tr
+              value = tr(name)
+            else
+              if request?
+                rack_header_name = rack_header_name(name.value.to_s)
+                value = @operation.env[rack_header_name]
+              end
+              value = @operation.headers[name.value.to_s] if response?
+            end
+            value.dup&.strip
+          end
+
+          def derive(operation, method)
+            return nil unless operation.respond_to?(method)
+            value = operation.public_send(method)
+            return "?" + value    if method == :query_string
+            return value.downcase if %i[authority scheme].include?(method)
+            value
+          end
+
+          def query_param(name)
+            param_name = name.parameters["name"]
+            return nil if !param_name
+            decoded_param_name = URI.decode_uri_component(param_name)
+            URI.encode_uri_component(@operation.params.fetch(decoded_param_name))
+          rescue => _
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/message/adapter/rack/request.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    module Adapter
+      module Rack
+        class Request < Abstract
+          include Common
+
+          def initialize(operation, **options)
+            @operation = operation
+            validate
+            freeze
+          end
+
+          def headers
+            rack_request_headers(@operation)
+          end
+
+          def attach!(signature)
+            signature.to_h.each do |h, v|
+              @operation.set_header(rack_header_name(h), v)
+            end
+            @operation
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/message/adapter/rack/response.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    module Adapter
+      module Rack
+        class Response < Abstract
+          include Common
+
+          def initialize(operation, **options)
+            @operation = operation
+            validate
+            attached_request = options[:attached_request]
+            @attached_request = attached_request ? Message.new(attached_request) : nil
+            validate_attached_request @attached_request if @attached_request
+            freeze
+          end
+
+          def headers
+            @operation.headers
+          end
+
+          def attach!(signature)
+            signature.to_h.each { |h, v| @operation[h] = v }
+            @operation
+          end
+        end
+      end
+    end
+  end
+end

data/lib/linzer/message/adapter.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require_relative "adapter/abstract"
+require_relative "adapter/rack/common"
+require_relative "adapter/rack/request"
+require_relative "adapter/rack/response"
+require_relative "adapter/net_http/request"
+require_relative "adapter/net_http/response"

data/lib/linzer/message/wrapper.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    module Wrapper
+      @adapters = {
+        Rack::Request     => Linzer::Message::Adapter::Rack::Request,
+        Rack::Response    => Linzer::Message::Adapter::Rack::Response,
+        Net::HTTPRequest  => Linzer::Message::Adapter::NetHTTP::Request,
+        Net::HTTPResponse => Linzer::Message::Adapter::NetHTTP::Response
+      }
+
+      class << self
+        def wrap(operation, **options)
+          adapter_class = adapters[operation.class]
+
+          if !adapter_class
+            ancestor = find_ancestor(operation)
+            fail_with_unsupported(operation) unless ancestor
+          end
+
+          (adapter_class || ancestor).new(operation, **options)
+        end
+
+        def register_adapter(operation_class, adapter_class)
+          adapters[operation_class] = adapter_class
+        end
+
+        private
+
+        attr_reader :adapters
+
+        def find_ancestor(operation)
+          adapters
+            .select { |klz, adpt| operation.is_a? klz }
+            .values
+            .first
+        end
+
+        def fail_with_unsupported(operation)
+          err_msg = <<~EOM
+            Unknown/unsupported HTTP message class: '#{operation.class}'!
+
+            Linzer supports custom HTTP messages implementation by register them first
+            with `Linzer::Message.register_adapter` method.
+          EOM
+          raise Linzer::Error, err_msg
+        end
+      end
+    end
+  end
+end

data/lib/linzer/message.rb

@@ -1,207 +1,28 @@
 # frozen_string_literal: true
 
+require "forwardable"
+
 module Linzer
   class Message
+    extend Forwardable
+
     def initialize(operation, attached_request: nil)
-      @operation = operation
-      validate
-      @attached_request = attached_request ? Message.new(attached_request) : nil
+      @adapter = Wrapper.wrap(operation, attached_request: attached_request)
       freeze
     end
 
-    def request?
-      @operation.is_a?(Rack::Request) || @operation.respond_to?(:request_method)
-    end
-
-    def response?
-      @operation.is_a?(Rack::Response) || @operation.respond_to?(:status)
-    end
-
-    def attached_request?
-      !!@attached_request
-    end
-
-    def headers
-      return @operation.headers if response? || @operation.respond_to?(:headers)
+    # common predicates
+    def_delegators :@adapter, :request?, :response?, :attached_request?
 
-      Request.headers(@operation)
-    end
-
-    def field?(f)
-      !!self[f]
-    end
-
-    DERIVED_COMPONENT = {
-      method:           :request_method,
-      authority:        :authority,
-      path:             :path_info,
-      status:           :status,
-      "target-uri":     :url,
-      scheme:           :scheme,
-      "request-target": :fullpath,
-      query:            :query_string
-    }.freeze
+    # fields look up
+    def_delegators :@adapter, :headers, :field?, :[]
 
-    def [](field_name)
-      name = parse_field_name(field_name)
-      return nil if name.nil?
-
-      if field_name.start_with?("@")
-        retrieve(name, :derived)
-      else
-        retrieve(name, :field)
-      end
-    end
+    # to attach a signature to the underlying HTTP message
+    def_delegators :@adapter, :attach!
 
     class << self
-      def parse_structured_dictionary(str, field_name = nil)
-        Starry.parse_dictionary(str)
-      rescue Starry::ParseError => _
-        raise Error.new "Cannot parse \"#{field_name}\" field. Bailing out!"
-      end
-    end
-
-    private
-
-    def validate
-      msg = "Message instance must be an HTTP request or response"
-      raise Error.new msg if response? == request?
-    end
-
-    def parse_field_name(field_name)
-      if field_name&.start_with?("@")
-        Starry.parse_item(field_name[1..])
-      else
-        Starry.parse_item(field_name)
-      end
-    rescue => _
-      nil
-    end
-
-    def validate_parameters(name, method)
-      has_unknown = name.parameters.any? { |p, _| !KNOWN_PARAMETERS.include?(p) }
-      return nil if has_unknown
-
-      has_name = name.parameters["name"]
-      has_req  = name.parameters["req"]
-      has_sf   = name.parameters["sf"] || name.parameters.key?("key")
-      has_bs   = name.parameters["bs"]
-      value    = name.value
-
-      # Section 2.2.8 of RFC 9421
-      return nil if has_name && value != :"query-param"
-
-      # No derived values come from trailers section
-      return nil if method == :derived && name.parameters["tr"]
-
-      # From: 2.1. HTTP Fields:
-      # The bs parameter, which requires the raw bytes of the field values
-      # from the message, is not compatible with the use of the sf or key
-      # parameters, which require the parsed data structures of the field
-      # values after combination
-      return nil if has_sf && has_bs
-
-      # req param only makes sense on responses with an associated request
-      return nil if has_req && (!response? || !attached_request?)
-
-      name
-    end
-
-    KNOWN_PARAMETERS = %w[sf key bs req tr name]
-    private_constant :KNOWN_PARAMETERS
-
-    def retrieve(name, method)
-      if !name.parameters.empty?
-        valid_params = validate_parameters(name, method)
-        return nil if !valid_params
-      end
-
-      has_req = name.parameters["req"]
-      has_sf  = name.parameters["sf"] || name.parameters.key?("key")
-      has_bs  = name.parameters["bs"]
-
-      if has_req
-        name.parameters.delete("req")
-        return req(name, method)
-      end
-
-      value = send(method, name)
-
-      case
-      when has_sf
-        key = name.parameters["key"]
-        sf(value, key)
-      when has_bs then bs(value)
-      else value
-      end
-    end
-
-    def derived(name)
-      method = DERIVED_COMPONENT[name.value]
-
-      value = case name.value
-      when :query         then derive(@operation, method)
-      when :"query-param" then query_param(name)
-      end
-
-      return nil if !method && !value
-      value || derive(@operation, method)
-    end
-
-    def field(name)
-      has_tr = name.parameters["tr"]
-      if has_tr
-        value = tr(name)
-      else
-        if request?
-          rack_header_name = Request.rack_header_name(name.value.to_s)
-          value = @operation.env[rack_header_name]
-        end
-        value = @operation.headers[name.value.to_s] if response?
-      end
-      value.dup&.strip
-    end
-
-    def derive(operation, method)
-      return nil unless operation.respond_to?(method)
-      value = operation.public_send(method)
-      return "?" + value    if method == :query_string
-      return value.downcase if %i[authority scheme].include?(method)
-      value
-    end
-
-    def query_param(name)
-      param_name = name.parameters["name"]
-      return nil if !param_name
-      decoded_param_name = URI.decode_uri_component(param_name)
-      URI.encode_uri_component(@operation.params.fetch(decoded_param_name))
-    rescue => _
-      nil
-    end
-
-    def sf(value, key = nil)
-      dict = Starry.parse_dictionary(value)
-
-      if key
-        obj = dict[key]
-        Starry.serialize(obj.is_a?(Starry::InnerList) ? [obj] : obj)
-      else
-        Starry.serialize(dict)
-      end
-    end
-
-    def bs(value)
-      Starry.serialize(value.encode(Encoding::ASCII_8BIT))
-    end
-
-    def tr(trailer)
-      @operation.body.trailers[trailer.value.to_s]
-    end
-
-    def req(field, method)
-      case method
-      when :derived then @attached_request["@#{field}"]
-      when :field   then @attached_request[field.to_s]
+      def register_adapter(operation_class, adapter_class)
+        Wrapper.register_adapter(operation_class, adapter_class)
       end
     end
   end

data/lib/linzer/signature.rb

@@ -86,11 +86,17 @@ module Linzer
         raise Error.new "Unexpected value for covered components."
       end
 
+      def parse_structured_dictionary(str, field_name = nil)
+        Starry.parse_dictionary(str)
+      rescue Starry::ParseError => _
+        raise Error.new "Cannot parse \"#{field_name}\" field. Bailing out!"
+      end
+
       def parse_structured_field(hsh, field_name)
         # Serialized Structured Field values for HTTP are ASCII strings.
         # See: RFC 8941 (https://datatracker.ietf.org/doc/html/rfc8941)
         value = hsh[field_name].encode(Encoding::US_ASCII)
-        Message.parse_structured_dictionary(value, field_name)
+        parse_structured_dictionary(value, field_name)
       end
     end
   end

data/lib/linzer/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Linzer
-  VERSION = "0.7.0.beta1"
+  VERSION = "0.7.0.beta3"
 end

data/lib/linzer.rb

@@ -5,12 +5,13 @@ require "openssl"
 require "rack"
 require "uri"
 require "stringio"
+require "net/http"
 
 require_relative "linzer/version"
 require_relative "linzer/common"
-require_relative "linzer/request"
-require_relative "linzer/response"
 require_relative "linzer/message"
+require_relative "linzer/message/adapter"
+require_relative "linzer/message/wrapper"
 require_relative "linzer/signature"
 require_relative "linzer/key"
 require_relative "linzer/rsa"
@@ -28,11 +29,6 @@ module Linzer
 
   class << self
     include Key::Helper
-    include Response
-
-    def new_request(verb, uri = "/", params = {}, headers = {})
-      Linzer::Request.build(verb, uri, params, headers)
-    end
 
     def verify(pubkey, message, signature, no_older_than: nil)
       Linzer::Verifier.verify(pubkey, message, signature, no_older_than: no_older_than)
@@ -41,5 +37,27 @@ module Linzer
     def sign(key, message, components, options = {})
       Linzer::Signer.sign(key, message, components, options)
     end
+
+    def sign!(request_or_response, **args)
+      message = Message.new(request_or_response)
+      options = {}
+
+      label = args[:label]
+      options[:label] = label if label
+      options.merge!(args.fetch(:params, {}))
+
+      key = args.fetch(:key)
+      signature = Linzer::Signer.sign(key, message, args.fetch(:components), options)
+      message.attach!(signature)
+    end
+
+    def verify!(request_or_response, key: nil, no_older_than: 900)
+      message = Message.new(request_or_response)
+      signature = Signature.build(message.headers.slice("signature", "signature-input"))
+      keyid = signature.parameters["keyid"]
+      raise Linzer::Error, "key not found" if !key && !keyid
+      verify_key = block_given? ? (yield keyid) : key
+      Linzer.verify(verify_key, message, signature, no_older_than: no_older_than)
+    end
   end
 end

data/lib/rack/auth/signature/helpers.rb

@@ -0,0 +1,132 @@
+require "yaml"
+
+module Rack
+  module Auth
+    class Signature
+      module Helpers
+        module Parameters
+          private
+
+          def created?
+            !options[:signatures][:created_required] || !!Integer(params.fetch("created"))
+          end
+
+          def expires?
+            return true if !options[:signatures][:expires_required]
+            Integer(params.fetch("expires")) > Time.now.to_i
+          end
+
+          def keyid?
+            !options[:signatures][:keyid_required] || String(params.fetch("keyid"))
+          end
+
+          def nonce?
+            !options[:signatures][:nonce_required] || String(params.fetch("nonce"))
+          end
+
+          def alg?
+            !options[:signatures][:alg_required] || String(params.fetch("alg"))
+          end
+
+          def tag?
+            !options[:signatures][:tag_required] || String(params.fetch("tag"))
+          end
+        end
+
+        module Configuration
+          DEFAULT_OPTIONS = {
+            signatures: {
+              reject_older_than:  900,
+              created_required:   true,
+              nonce_required:     false,
+              alg_required:       false,
+              tag_required:       false,
+              expires_required:   false,
+              keyid_required:     false,
+              covered_components: %w[@method @request-target @authority date],
+              error_response:     {body: [], status: 401, headers: {}}
+            },
+            keys: {}
+          }
+
+          private_constant :DEFAULT_OPTIONS
+
+          private
+
+          def load_options(options)
+            options_from_file = load_options_from_config_file(options)
+            {
+              except:      options[:except]      || options_from_file[:except],
+              default_key: options[:default_key] || options_from_file[:default_key],
+              signatures:
+                DEFAULT_OPTIONS[:signatures]
+                  .merge(options_from_file[:signatures].to_h)
+                  .merge(options[:signatures].to_h),
+              keys:
+                DEFAULT_OPTIONS[:keys]
+                  .merge(options_from_file[:keys].to_h)
+                  .merge(options[:keys].to_h)
+            }
+          end
+
+          def load_options_from_config_file(options)
+            config_path = options[:config_path]
+            YAML.safe_load_file(config_path, symbolize_names: true)
+          rescue
+            {}
+          end
+        end
+
+        module Key
+          private
+
+          def key
+            build_key(params["keyid"])
+          end
+
+          def build_key(keyid)
+            key_data = if keyid.nil? ||
+                (!options[:keys].key?(keyid.to_sym) && options[:default_key])
+              options[:default_key].to_h
+            else
+              options[:keys][keyid.to_sym] || {}
+            end
+
+            if key_data.key?(:path) && !key_data.key?(:material)
+              key_data[:material] = IO.read(key_data[:path]) rescue nil
+            end
+
+            if !key_data || key_data.empty? || !key_data[:material]
+              key_not_found = "Key not found. Signature cannot be verified."
+              raise Linzer::Error.new key_not_found
+            end
+
+            alg = @signature.parameters["alg"] || key_data[:alg] || :unknown
+            instantiate_key(keyid || :default, alg, key_data)
+          end
+
+          def instantiate_key(keyid, alg, key_data)
+            key_methods = {
+              "rsa-pss-sha512"    => :new_rsa_pss_sha512_key,
+              "rsa-v1_5-sha256"   => :new_rsa_v1_5_sha256_key,
+              "hmac-sha256"       => :new_hmac_sha256_key,
+              "ecdsa-p256-sha256" => :new_ecdsa_p256_sha256_key,
+              "ecdsa-p384-sha384" => :new_ecdsa_p384_sha384_key,
+              "ed25519"           => :new_ed25519_public_key
+            }
+            method = key_methods[alg]
+
+            alg_error = "Unsupported or unknown signature algorithm"
+            raise Linzer::Error.new alg_error unless method
+
+            Linzer.public_send(method, key_data[:material], keyid.to_s)
+          end
+        end
+
+        include Parameters
+        include Configuration
+        include Key
+      end
+    end
+  end
+end