linzer 0.7.0.beta1 → 0.7.0.beta3

data/lib/rack/auth/signature.rb

@@ -1,6 +1,6 @@
 require "linzer"
 require "logger"
-require "yaml"
+require_relative "signature/helpers"
 
 # Rack::Auth::Signature implements HTTP Message Signatures, as per RFC 9421.
 #
@@ -11,9 +11,11 @@ require "yaml"
 module Rack
   module Auth
     class Signature
+      include Helpers
+
       def initialize(app, options = {}, &block)
         @app = app
-        @options = load_options(options)
+        @options = load_options(Hash(options))
         instance_eval(&block) if block
       end
 
@@ -23,7 +25,7 @@ module Rack
         if excluded? || allowed?
           @app.call(env)
         else
-          response = options[:error_response].values
+          response = options[:signatures][:error_response].values
           Rack::Response.new(*response).finish
         end
       end
@@ -39,21 +41,6 @@ module Rack
         has_signature? && acceptable? && verifiable?
       end
 
-      DEFAULT_OPTIONS = {
-        no_older_than: 900,
-        created_required: true,
-        nonce_required:   false,
-        alg_required:     false,
-        tag_required:     false,
-        expires_required: false,
-        keyid_required:   false,
-        known_keys:       {},
-        covered_components: %w[@method @request-target @authority date],
-        error_response: {body: [], status: 401, headers: {}}
-      }
-
-      private_constant :DEFAULT_OPTIONS
-
       attr_reader :request, :options
 
       def params
@@ -65,51 +52,22 @@ module Rack
       end
 
       def has_signature?
-        @message = Linzer::Message.new(request)
-        @signature = Linzer::Signature.build(@message.headers)
-        request.env["rack.signature"] = @signature
+        @signature = build_signature
         (@signature.to_h.keys & %w[signature signature-input]).size == 2
       rescue => ex
         logger.error ex.message
         false
       end
 
-      def created?
-        required = options[:created_required]
-        if required
-          params.key?("created") && Integer(params["created"])
-        else
-          !required
-        end
-      end
-
-      def expires?
-        required = options[:expires_required]
-        if required
-          params.key?("expires") && Integer(params["expires"]) > Time.now.to_i
-        else
-          !required
-        end
-      end
-
-      def keyid?
-        required = options[:keyid_required]
-        required ? params.key?("keyid") : !required
-      end
-
-      def nonce?
-        required = options[:nonce_required]
-        required ? params.key?("nonce") : !required
-      end
+      def build_signature
+        signature_opts = {}
+        label = options[:signatures][:default_label]
+        signature_opts[:label] = label if label
 
-      def alg?
-        required = options[:alg_required]
-        required ? params.key?("alg") : !required
-      end
-
-      def tag?
-        required = options[:tag_required]
-        required ? params.key?("tag") : !required
+        @message = Linzer::Message.new(request)
+        signature = Linzer::Signature.build(@message.headers, **signature_opts)
+        request.env["rack.signature"] = signature
+        signature
       end
 
       def has_required_params?
@@ -121,7 +79,7 @@ module Rack
 
       def has_required_components?
         components         = @signature.components || []
-        covered_components = options[:covered_components]
+        covered_components = options[:signatures][:covered_components]
         warning = "Insufficient coverage by signature. Consult S 7.2.1. in RFC"
         logger.warn warning if covered_components.empty?
         (covered_components || []).all? { |c| components.include?(c) }
@@ -132,74 +90,25 @@ module Rack
       end
 
       def verifiable?
-        verify_opts = {}
-
-        warning = "Risk of signature replay! (Consult S 7.2.2. in RFC)"
-        logger.warn warning unless options[:no_older_than]
-
-        if options[:no_older_than]
-          age = Integer(options[:no_older_than])
-          verify_opts[:no_older_than] = age
-        end
-
+        verify_opts = build_and_check_verify_opts || {}
         Linzer.verify(key, @message, @signature, **verify_opts)
       rescue => ex
         logger.error ex.message
         false
       end
 
-      def key
-        build_key(params["keyid"] || :default)
-      end
+      def build_and_check_verify_opts
+        verify_opts = {}
+        reject_older = options[:signatures][:reject_older_than]
+        warning = "Risk of signature replay! (Consult S 7.2.2. in RFC)"
+        logger.warn warning unless reject_older
 
-      def build_key(keyid)
-        material = if keyid == :default
-          options[:default_key]
-        else
-          key_data = options[:known_keys][keyid] || {}
-          if !key_data.key?("key") && key_data.key?("path")
-            key_data["key"] = IO.read(key_data["path"]) rescue nil
-          end
-          key_data
+        if reject_older
+          age = Integer(reject_older)
+          verify_opts[:no_older_than] = age
         end
 
-        key_not_found = "Key not found. Signature cannot be verified."
-        raise Linzer::Error.new key_not_found if !material || !material["key"]
-
-        alg = @signature.parameters["alg"] || material["alg"] || :unknown
-        instantiate_key(keyid, alg, material)
-      end
-
-      def instantiate_key(keyid, alg, material)
-        key_methods = {
-          "rsa-pss-sha512"    => :new_rsa_pss_sha512_key,
-          "rsa-v1_5-sha256"   => :new_rsa_v1_5_sha256_key,
-          "hmac-sha256"       => :new_hmac_sha256_key,
-          "ecdsa-p256-sha256" => :new_ecdsa_p256_sha256_key,
-          "ecdsa-p384-sha384" => :new_ecdsa_p384_sha384_key,
-          "ed25519"           => :new_ed25519_public_key
-        }
-        method = key_methods[alg]
-
-        alg_error = "Unsupported or unknown signature algorithm"
-        raise Linzer::Error.new alg_error unless method
-
-        Linzer.public_send(method, material["key"], keyid.to_s)
-      end
-
-      def load_options(options)
-        DEFAULT_OPTIONS
-          .merge(load_options_from_config_file(options))
-          .merge(Hash(options)) || {}
-      end
-
-      def load_options_from_config_file(options)
-        config_path = options[:config_path]
-        YAML
-          .safe_load_file(config_path)
-          .transform_keys(&:to_sym)
-      rescue
-        {}
+        verify_opts
       end
     end
   end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: linzer
 version: !ruby/object:Gem::Version
-  version: 0.7.0.beta1
+  version: 0.7.0.beta3
 platform: ruby
 authors:
 - Miguel Landaeta
 bindir: exe
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2025-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: openssl
@@ -123,6 +123,40 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.7.0
+- !ruby/object:Gem::Dependency
+  name: forwardable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.3
+- !ruby/object:Gem::Dependency
+  name: net-http
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.0
 email:
 - miguel@miguel.cc
 executables: []
@@ -148,8 +182,15 @@ files:
 - lib/linzer/key.rb
 - lib/linzer/key/helper.rb
 - lib/linzer/message.rb
-- lib/linzer/request.rb
-- lib/linzer/response.rb
+- lib/linzer/message/adapter.rb
+- lib/linzer/message/adapter/abstract.rb
+- lib/linzer/message/adapter/http_gem/response.rb
+- lib/linzer/message/adapter/net_http/request.rb
+- lib/linzer/message/adapter/net_http/response.rb
+- lib/linzer/message/adapter/rack/common.rb
+- lib/linzer/message/adapter/rack/request.rb
+- lib/linzer/message/adapter/rack/response.rb
+- lib/linzer/message/wrapper.rb
 - lib/linzer/rsa.rb
 - lib/linzer/rsa_pss.rb
 - lib/linzer/signature.rb
@@ -157,6 +198,7 @@ files:
 - lib/linzer/verifier.rb
 - lib/linzer/version.rb
 - lib/rack/auth/signature.rb
+- lib/rack/auth/signature/helpers.rb
 homepage: https://github.com/nomadium/linzer
 licenses:
 - MIT
@@ -178,7 +220,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.2
 specification_version: 4
 summary: An implementation of HTTP Messages Signatures (RFC9421)
 test_files: []

data/lib/linzer/request.rb

@@ -1,95 +0,0 @@
-# frozen_string_literal: true
-
-module Linzer
-  module Request
-    extend self
-
-    def build(verb, uri = "/", params = {}, headers = {})
-      validate verb, uri, params, headers
-
-      # XXX: to-do: handle rack request params?
-      request_method = Rack.const_get(verb.upcase)
-      args = {
-        "REQUEST_METHOD" => request_method,
-        "PATH_INFO"      => uri.to_str,
-        "rack.input"     => StringIO.new
-      }
-
-      Rack::Request.new(build_rack_env(headers).merge(args))
-    end
-
-    def rack_header_name(field_name)
-      validate_header_name field_name
-
-      rack_name = field_name.upcase.tr("-", "_")
-      case field_name.downcase
-      when "content-type", "content-length"
-        rack_name
-      else
-        "HTTP_#{rack_name}"
-      end
-    end
-
-    def headers(rack_request)
-      rack_request
-        .each_header
-        .to_h
-        .select do |k, _|
-          k.start_with?("HTTP_") || %w[CONTENT_TYPE CONTENT_LENGTH].include?(k)
-        end
-        .transform_keys { |k| k.downcase.tr("_", "-") }
-        .transform_keys do |k|
-          %w[content-type content-length].include?(k) ? k : k.gsub(/^http-/, "")
-        end
-    end
-
-    private
-
-    def validate(verb, uri, params, headers)
-      validate_verb      verb
-      validate_uri       uri
-      validate_arg_hash  headers: headers
-      validate_arg_hash  params:  params
-    end
-
-    def validate_verb(verb)
-      Rack.const_get(verb.upcase)
-    rescue => ex
-      unknown_method = "Unknown/invalid HTTP request method"
-      raise Error.new, unknown_method, cause: ex
-    end
-
-    def validate_uri(uri)
-      uri.to_str
-    rescue => ex
-      invalid_uri = "Invalid URI"
-      raise Error.new, invalid_uri, cause: ex
-    end
-
-    def validate_arg_hash(hsh)
-      arg_name = hsh.keys.first
-      hsh[arg_name].to_hash
-    rescue => ex
-      err_msg = "invalid \"#{arg_name}\" parameter, cannot be converted to hash."
-      raise Error.new, "Cannot build request: #{err_msg}", cause: ex
-    end
-
-    def validate_header_name(name)
-      raise ArgumentError.new, "Blank header name." if name.empty?
-      name.to_str
-    rescue => ex
-      err_msg = "Invalid header name: '#{name}'"
-      raise Error.new, err_msg, cause: ex
-    end
-
-    def build_rack_env(headers)
-      headers
-        .to_hash
-        .transform_values(&:to_s)
-        .transform_keys { |k| k.upcase.tr("-", "_") }
-        .transform_keys do |k|
-          %w[CONTENT_TYPE CONTENT_LENGTH].include?(k) ? k : "HTTP_#{k}"
-        end
-    end
-  end
-end

data/lib/linzer/response.rb

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-module Linzer
-  module Response
-    def new_response(body = nil, status = 200, headers = {})
-      Rack::Response.new(body, status, headers.transform_values(&:to_s))
-    end
-  end
-end