mauth-client 4.0.1

data/lib/mauth/middleware.rb

@@ -0,0 +1,23 @@
+require 'mauth/core_ext'
+module MAuth
+  # base class for middleware, common to both Faraday and Rack
+  class Middleware
+    def initialize(app, config = {})
+      @app = app
+      # stringify symbol keys
+      @config = config.stringify_symbol_keys
+    end
+
+    # returns a MAuth::Client - if one was given as 'mauth_client' when initializing the
+    # middleware, then that one; otherwise the configurationg given to initialize the
+    # middleware is passed along to make a new MAuth::Client.
+    #
+    # this method may be overloaded to provide more flexibility in providing a MAuth::Client
+    def mauth_client
+      require 'mauth/client'
+      # @_mauth_client ivar only used here for caching; should not be used by other methods, in
+      # order that overloading #mauth_client will work
+      @_mauth_client ||= @config['mauth_client'] || MAuth::Client.new(@config)
+    end
+  end
+end

data/lib/mauth/proxy.rb

@@ -0,0 +1,77 @@
+require 'mauth/client'
+require 'faraday'
+require 'rack'
+
+module MAuth
+  # MAuth::Proxy is a simple Rack application to take incoming requests, sign them with MAuth, and
+  # proxy them to a target URI. the responses from the target may be authenticated, with MAuth
+  # (and are by default).
+  class Proxy
+    # target_uri is the base relative to which requests are made.
+    #
+    # options:
+    # - :authenticate_responses - boolean, default true. whether responses will be authenticated.
+    #   if this is true and an inauthentic response is encountered, then MAuth::InauthenticError
+    #   will be raised.
+    # - :mauth_config - configuration passed to MAuth::Client.new (see its doc). default is
+    #   MAuth::Client.default_config
+    def initialize(target_uri, options = {})
+      @target_uris = target_uri
+      @browser_proxy = options.delete(:browser_proxy)
+      @options = options
+      options = { authenticate_responses: true }.merge(options)
+      options[:mauth_config] ||= MAuth::Client.default_config
+      if @browser_proxy # Browser proxy mode
+        @signer_connection = ::Faraday.new do |builder|
+          builder.use MAuth::Faraday::RequestSigner, options[:mauth_config]
+          builder.use MAuth::Faraday::ResponseAuthenticator, options[:mauth_config] if options[:authenticate_responses]
+          builder.adapter ::Faraday.default_adapter
+        end
+        @unsigned_connection = ::Faraday.new do |builder|
+          builder.adapter ::Faraday.default_adapter
+        end
+      else # hard-wired mode
+        @connection = ::Faraday.new(target_uri) do |builder|
+          builder.use MAuth::Faraday::RequestSigner, options[:mauth_config]
+          builder.use MAuth::Faraday::ResponseAuthenticator, options[:mauth_config] if options[:authenticate_responses]
+          builder.adapter ::Faraday.default_adapter
+        end
+      end
+      @persistent_headers = {}
+      if options[:headers]
+        options[:headers].each do |cur|
+          raise "Headers must be in the format of [key]:[value]" unless cur.include?(':')
+          key, throw_away, value = cur.partition(':')
+          @persistent_headers[key.strip] = value.strip
+        end
+      end
+    end
+
+    def call(request_env)
+      request = ::Rack::Request.new(request_env)
+      request_method = request_env['REQUEST_METHOD'].downcase.to_sym
+      request_env['rack.input'].rewind
+      request_body = request_env['rack.input'].read
+      request_env['rack.input'].rewind
+      request_headers = {}
+      request_env.each do |k, v|
+        if k.start_with?('HTTP_') && !%w(HTTP_HOST).include?(k)
+          name = $'
+          request_headers[name] = v
+        end
+      end
+      request_headers.merge!(@persistent_headers)
+      if @browser_proxy
+        target_uri = request_env["REQUEST_URI"]
+        connection = @target_uris.any? { |u| target_uri.start_with? u } ? @signer_connection : @unsigned_connection
+        response = connection.run_request(request_method, target_uri, request_body, request_headers)
+      else
+        response = @connection.run_request(request_method, request.fullpath, request_body, request_headers)
+      end
+      response_headers = response.headers.reject do |name, _value|
+        %w(Content-Length Transfer-Encoding).map(&:downcase).include?(name.downcase)
+      end
+      [response.status, response_headers, [response.body || '']]
+    end
+  end
+end

data/lib/mauth/rack.rb

@@ -0,0 +1,137 @@
+require 'mauth/middleware'
+require 'mauth/request_and_response'
+require 'rack/utils'
+
+module MAuth
+  module Rack
+    # middleware which will check that a request is authentically signed.
+    #
+    # if the request is checked and is not authentic, 401 Unauthorized is returned
+    # and the app is not called.
+    #
+    # options accepted (key may be string or symbol)
+    # - should_authenticate_check: a proc which should accept a rack env as an argument,
+    #   and return true if the request should be authenticated; false if not. if the result
+    #   from this is false, the request is passed to the app with no authentication performed.
+    class RequestAuthenticator < MAuth::Middleware
+      def call(env)
+        if should_authenticate?(env)
+          mauth_request = MAuth::Rack::Request.new(env)
+          begin
+            if mauth_client.authentic?(mauth_request)
+              @app.call(env.merge('mauth.app_uuid' => mauth_request.signature_app_uuid, 'mauth.authentic' => true))
+            else
+              response_for_inauthentic_request(env)
+            end
+          rescue MAuth::UnableToAuthenticateError
+            response_for_unable_to_authenticate(env)
+          end
+        else
+          @app.call(env)
+        end
+      end
+
+      # discards the body if REQUEST_METHOD is HEAD. sets the Content-Length.
+      def handle_head(env)
+        status, headers, body = *yield
+        headers["Content-Length"] = body.map(&:bytesize).inject(0, &:+).to_s
+        [status, headers, env['REQUEST_METHOD'].casecmp('head').zero? ? [] : body]
+      end
+
+      # whether the request needs to be authenticated
+      def should_authenticate?(env)
+        @config['should_authenticate_check'] ? @config['should_authenticate_check'].call(env) : true
+      end
+
+      # response when the request is inauthentic. responds with status 401 Unauthorized and a
+      # message.
+      def response_for_inauthentic_request(env)
+        handle_head(env) do
+          body = { 'errors' => { 'mauth' => ['Unauthorized'] } }
+          [401, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate(body)]]
+        end
+      end
+
+      # response when the authenticity of the request cannot be determined, due to
+      # a problem communicating with the MAuth service. responds with a status of 500 and
+      # a message.
+      def response_for_unable_to_authenticate(env)
+        handle_head(env) do
+          body = { 'errors' => { 'mauth' => ['Could not determine request authenticity'] } }
+          [500, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate(body)]]
+        end
+      end
+    end
+
+    # same as MAuth::Rack::RequestAuthenticator, but does not authenticate /app_status
+    class RequestAuthenticatorNoAppStatus < RequestAuthenticator
+      def should_authenticate?(env)
+        env['PATH_INFO'] != "/app_status" && super
+      end
+    end
+
+    # signs outgoing responses
+    class ResponseSigner < MAuth::Middleware
+      def call(env)
+        unsigned_response = @app.call(env)
+        signed_response = mauth_client.signed(MAuth::Rack::Response.new(*unsigned_response))
+        signed_response.status_headers_body
+      end
+    end
+
+    # representation of a request composed from a rack request env which can be passed to a
+    # Mauth::Client for authentication
+    class Request < MAuth::Request
+      include Signed
+      attr_reader :env
+      def initialize(env)
+        @env = env
+      end
+
+      def attributes_for_signing
+        @attributes_for_signing ||= begin
+          env['rack.input'].rewind
+          body = env['rack.input'].read
+          env['rack.input'].rewind
+          { verb: env['REQUEST_METHOD'], request_url: env['PATH_INFO'], body: body }
+        end
+      end
+
+      def x_mws_time
+        @env['HTTP_X_MWS_TIME']
+      end
+
+      def x_mws_authentication
+        @env['HTTP_X_MWS_AUTHENTICATION']
+      end
+    end
+
+    # representation of a response composed from a rack response (status, headers, body) which
+    # can be passed to a Mauth::Client for signing
+    class Response < MAuth::Response
+      def initialize(status, headers, body)
+        @status = status
+        @headers = headers
+        @body = body
+      end
+
+      def status_headers_body
+        [@status, @headers, @body]
+      end
+
+      def attributes_for_signing
+        @attributes_for_signing ||= begin
+          body = ''
+          @body.each { |part| body << part } # note: rack only requires #each be defined on the body, so not using map or inject
+          { status_code: @status.to_i, body: body }
+        end
+      end
+
+      # takes a Hash of headers; returns an instance of this class whose
+      # headers have been updated with the argument headers
+      def merge_headers(headers)
+        self.class.new(@status, @headers.merge(headers), @body)
+      end
+    end
+  end
+end

data/lib/mauth/request_and_response.rb

@@ -0,0 +1,73 @@
+require 'digest'
+
+module MAuth
+  # module which composes a string to sign.
+  #
+  # includer must provide
+  # - SIGNATURE_COMPONENTS constant - array of keys to get from #attributes_for_signing
+  # - #attributes_for_signing
+  # - #merge_headers (takes a Hash of headers; returns an instance of includer's own class whose
+  #   headers have been updated with the argument headers)
+  module Signable
+    # composes a string suitable for private-key signing from the SIGNATURE_COMPONENTS keys of
+    # attributes for signing, which are themselves taken from #attributes_for_signing and
+    # the given argument more_attributes
+    def string_to_sign(more_attributes)
+      attributes_for_signing = self.attributes_for_signing.merge(more_attributes)
+      missing_attributes = self.class::SIGNATURE_COMPONENTS.select { |key| !attributes_for_signing.key?(key) || attributes_for_signing[key].nil? }
+      missing_attributes.delete(:body) # body may be omitted
+      if missing_attributes.any?
+        raise(UnableToSignError, "Missing required attributes to sign: #{missing_attributes.inspect}\non object to sign: #{inspect}")
+      end
+      string = self.class::SIGNATURE_COMPONENTS.map { |k| attributes_for_signing[k].to_s }.join("\n")
+      Digest::SHA512.hexdigest(string)
+    end
+
+    def initialize(attributes_for_signing)
+      @attributes_for_signing = attributes_for_signing
+    end
+
+    def attributes_for_signing
+      @attributes_for_signing
+    end
+  end
+
+  # methods for an incoming object which is expected to have a signature.
+  #
+  # includer must provide
+  # - #x_mws_authentication which returns that header's value
+  # - #x_mws_time
+  module Signed
+    # returns a hash with keys :token, :app_uuid, and :signature parsed from the X-MWS-Authentication header
+    def signature_info
+      @signature_info ||= begin
+        match = x_mws_authentication && x_mws_authentication.match(/\A([^ ]+) *([^:]+):([^:]+)\z/)
+        match ? { token: match[1], app_uuid: match[2], signature: match[3] } : {}
+      end
+    end
+
+    def signature_app_uuid
+      signature_info[:app_uuid]
+    end
+
+    def signature_token
+      signature_info[:token]
+    end
+
+    def signature
+      signature_info[:signature]
+    end
+  end
+
+  # virtual base class for signable requests
+  class Request
+    SIGNATURE_COMPONENTS = [:verb, :request_url, :body, :app_uuid, :time].freeze
+    include Signable
+  end
+
+  # virtual base class for signable responses
+  class Response
+    SIGNATURE_COMPONENTS = [:status_code, :body, :app_uuid, :time].freeze
+    include Signable
+  end
+end

data/lib/mauth/version.rb

@@ -0,0 +1,3 @@
+module MAuth
+  VERSION = '4.0.1'.freeze
+end

data/lib/mauth-client.rb

@@ -0,0 +1 @@
+require 'mauth/client'

data/lib/rack/mauth.rb

@@ -0,0 +1 @@
+require 'mauth/rack'

data/mauth-client.gemspec

@@ -0,0 +1,36 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'mauth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'mauth-client'
+  spec.version       = MAuth::VERSION
+  spec.authors       = ['Matthew Szenher', 'Aaron Suggs', 'Geoffrey Ducharme', 'Ethan']
+  spec.email         = ['mszenher@mdsol.com']
+  spec.summary       = 'Sign and authenticate requests and responses with mAuth authentication.'
+  spec.description   = 'Client for signing and authentication of requests and responses with mAuth authentication. Includes middleware for Rack and Faraday for incoming and outgoing requests and responses.'
+  spec.homepage      = 'https://github.com/mdsol/mauth-client-ruby'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 2.1.0'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'faraday', '~> 0.7'
+  spec.add_dependency 'faraday_middleware', '~> 0.9'
+  spec.add_dependency 'term-ansicolor', '~> 1.0'
+  spec.add_dependency 'coderay', '~> 1.0'
+  spec.add_dependency 'rack'
+  spec.add_dependency 'dice_bag', '>= 0.9', '< 2.0'
+
+  spec.add_development_dependency 'bundler', '~> 1.10'
+  spec.add_development_dependency 'kender', '~> 0.4'
+  spec.add_development_dependency 'rack-test', '~> 0.6.3'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.4'
+  spec.add_development_dependency 'simplecov', '~> 0.12.0'
+  spec.add_development_dependency 'timecop', '~> 0.8.1'
+  spec.add_development_dependency 'uuidtools', '~> 2.1.5'
+end

metadata

@@ -0,0 +1,292 @@
+--- !ruby/object:Gem::Specification
+name: mauth-client
+version: !ruby/object:Gem::Version
+  version: 4.0.1
+platform: ruby
+authors:
+- Matthew Szenher
+- Aaron Suggs
+- Geoffrey Ducharme
+- Ethan
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-08-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: faraday_middleware
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: term-ansicolor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: coderay
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dice_bag
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: kender
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.12.0
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.1
+- !ruby/object:Gem::Dependency
+  name: uuidtools
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.5
+description: Client for signing and authentication of requests and responses with
+  mAuth authentication. Includes middleware for Rack and Faraday for incoming and
+  outgoing requests and responses.
+email:
+- mszenher@mdsol.com
+executables:
+- mauth-client
+- mauth-proxy
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- ".yardopts"
+- CHANGELOG.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- doc/implementations.md
+- doc/mauth-client_CLI.md
+- doc/mauth-proxy.md
+- doc/mauth.yml.md
+- examples/Gemfile
+- examples/Gemfile.lock
+- examples/README.md
+- examples/config.yml
+- examples/get_user_info.rb
+- examples/mauth_key
+- exe/mauth-client
+- exe/mauth-proxy
+- lib/mauth-client.rb
+- lib/mauth/autoload.rb
+- lib/mauth/client.rb
+- lib/mauth/core_ext.rb
+- lib/mauth/dice_bag/mauth.rb.dice
+- lib/mauth/dice_bag/mauth.yml.dice
+- lib/mauth/dice_bag/mauth_key.dice
+- lib/mauth/dice_bag/mauth_templates.rb
+- lib/mauth/fake/rack.rb
+- lib/mauth/faraday.rb
+- lib/mauth/middleware.rb
+- lib/mauth/proxy.rb
+- lib/mauth/rack.rb
+- lib/mauth/request_and_response.rb
+- lib/mauth/version.rb
+- lib/rack/mauth.rb
+- mauth-client.gemspec
+homepage: https://github.com/mdsol/mauth-client-ruby
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Sign and authenticate requests and responses with mAuth authentication.
+test_files: []
+has_rdoc: