mauth-client 4.1.1 → 5.0.0

data/lib/mauth/client/authenticator_base.rb

@@ -0,0 +1,118 @@
+# methods common to RemoteRequestAuthenticator and LocalAuthenticator
+
+module MAuth
+  class Client
+    module AuthenticatorBase
+      ALLOWED_DRIFT_SECONDS = 300
+
+      # takes an incoming request or response object, and returns whether
+      # the object is authentic according to its signature.
+      def authentic?(object)
+        log_authentication_request(object)
+        begin
+          authenticate!(object)
+          true
+        rescue InauthenticError, MAuthNotPresent, MissingV2Error
+          false
+        end
+      end
+
+      # raises InauthenticError unless the given object is authentic. Will only
+      # authenticate with v2 if the environment variable V2_ONLY_AUTHENTICATE
+      # is set. Otherwise will authenticate with only the highest protocol version present
+      def authenticate!(object)
+        if object.protocol_version == 2
+          authenticate_v2!(object)
+        elsif object.protocol_version == 1
+          if v2_only_authenticate?
+            # If v2 is required but not present and v1 is present we raise MissingV2Error
+            msg = 'This service requires mAuth v2 mcc-authentication header but only v1 x-mws-authentication is present'
+            logger.error(msg)
+            raise MissingV2Error, msg
+          end
+
+          authenticate_v1!(object)
+        else
+          sub_str = v2_only_authenticate? ? '' : 'X-MWS-Authentication header is blank, '
+          msg = "Authentication Failed. No mAuth signature present; #{sub_str}MCC-Authentication header is blank."
+          logger.warn("mAuth signature not present on #{object.class}. Exception: #{msg}")
+          raise MAuthNotPresent, msg
+        end
+      end
+
+      private
+
+      # Note: This log is likely consumed downstream and the contents SHOULD NOT
+      # be changed without a thorough review of downstream consumers.
+      def log_authentication_request(object)
+        object_app_uuid = object.signature_app_uuid || '[none provided]'
+        object_token = object.signature_token || '[none provided]'
+        logger.info(
+          "Mauth-client attempting to authenticate request from app with mauth" \
+          " app uuid #{object_app_uuid} to app with mauth app uuid #{client_app_uuid}" \
+          " using version #{object_token}."
+        )
+      end
+
+      def log_inauthentic(object, message)
+        logger.error("mAuth signature authentication failed for #{object.class}. Exception: #{message}")
+      end
+
+      def time_within_valid_range!(object, time_signed, now = Time.now)
+        return if  (-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - time_signed)
+
+        msg = "Time verification failed. #{time_signed} not within #{ALLOWED_DRIFT_SECONDS} of #{now}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+
+      # V1 helpers
+      def authenticate_v1!(object)
+        time_valid_v1!(object)
+        token_valid_v1!(object)
+        signature_valid_v1!(object)
+      end
+
+      def time_valid_v1!(object)
+        if object.x_mws_time.nil?
+          msg = 'Time verification failed. No x-mws-time present.'
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+        time_within_valid_range!(object, object.x_mws_time.to_i)
+      end
+
+      def token_valid_v1!(object)
+        return if object.signature_token == MWS_TOKEN
+
+        msg = "Token verification failed. Expected #{MWS_TOKEN}; token was #{object.signature_token}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+
+      # V2 helpers
+      def authenticate_v2!(object)
+        time_valid_v2!(object)
+        token_valid_v2!(object)
+        signature_valid_v2!(object)
+      end
+
+      def time_valid_v2!(object)
+        if object.mcc_time.nil?
+          msg = 'Time verification failed. No MCC-Time present.'
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+        time_within_valid_range!(object, object.mcc_time.to_i)
+      end
+
+      def token_valid_v2!(object)
+        return if object.signature_token == MWSV2_TOKEN
+
+        msg = "Token verification failed. Expected #{MWSV2_TOKEN}; token was #{object.signature_token}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+    end
+  end
+end

data/lib/mauth/client/local_authenticator.rb

@@ -0,0 +1,137 @@
+require 'mauth/client/security_token_cacher'
+require 'mauth/client/signer'
+require 'openssl'
+
+# methods to verify the authenticity of signed requests and responses locally, retrieving
+# public keys from the mAuth service as needed
+
+module MAuth
+  class Client
+    module LocalAuthenticator
+      private
+
+      def signature_valid_v1!(object)
+        # We are in an unfortunate situation in which Euresource is percent-encoding parts of paths, but not
+        # all of them.  In particular, Euresource is percent-encoding all special characters save for '/'.
+        # Also, unfortunately, Nginx unencodes URIs before sending them off to served applications, though
+        # other web servers (particularly those we typically use for local testing) do not.  The various forms
+        # of the expected string to sign are meant to cover the main cases.
+        # TODO:  Revisit and simplify this unfortunate situation.
+
+        original_request_uri = object.attributes_for_signing[:request_url]
+
+        # craft an expected string-to-sign without doing any percent-encoding
+        expected_no_reencoding = object.string_to_sign_v1(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
+
+        # do a simple percent reencoding variant of the path
+        object.attributes_for_signing[:request_url] = CGI.escape(original_request_uri.to_s)
+        expected_for_percent_reencoding = object.string_to_sign_v1(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
+
+        # do a moderately complex Euresource-style reencoding of the path
+        object.attributes_for_signing[:request_url] = euresource_escape(original_request_uri.to_s)
+        expected_euresource_style_reencoding = object.string_to_sign_v1(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
+
+        # reset the object original request_uri, just in case we need it again
+        object.attributes_for_signing[:request_url] = original_request_uri
+
+        begin
+          pubkey = OpenSSL::PKey::RSA.new(retrieve_public_key(object.signature_app_uuid))
+          actual = pubkey.public_decrypt(Base64.decode64(object.signature))
+        rescue OpenSSL::PKey::PKeyError => e
+          msg = "Public key decryption of signature failed! #{e.class}: #{e.message}"
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+
+        unless verify_signature_v1!(actual, expected_no_reencoding) ||
+           verify_signature_v1!(actual, expected_euresource_style_reencoding) ||
+           verify_signature_v1!(actual, expected_for_percent_reencoding)
+          msg = "Signature verification failed for #{object.class}"
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+      end
+
+      def verify_signature_v1!(actual, expected_str_to_sign)
+        actual == Digest::SHA512.hexdigest(expected_str_to_sign)
+      end
+
+      def signature_valid_v2!(object)
+        # We are in an unfortunate situation in which Euresource is percent-encoding parts of paths, but not
+        # all of them.  In particular, Euresource is percent-encoding all special characters save for '/'.
+        # Also, unfortunately, Nginx unencodes URIs before sending them off to served applications, though
+        # other web servers (particularly those we typically use for local testing) do not.  The various forms
+        # of the expected string to sign are meant to cover the main cases.
+        # TODO:  Revisit and simplify this unfortunate situation.
+
+        original_request_uri = object.attributes_for_signing[:request_url]
+        original_query_string = object.attributes_for_signing[:query_string]
+
+        # craft an expected string-to-sign without doing any percent-encoding
+        expected_no_reencoding = object.string_to_sign_v2(
+          time: object.mcc_time,
+          app_uuid: object.signature_app_uuid
+        )
+
+        # do a simple percent reencoding variant of the path
+        expected_for_percent_reencoding = object.string_to_sign_v2(
+          time: object.mcc_time,
+          app_uuid: object.signature_app_uuid,
+          request_url: CGI.escape(original_request_uri.to_s),
+          query_string: CGI.escape(original_query_string.to_s)
+        )
+
+        # do a moderately complex Euresource-style reencoding of the path
+        expected_euresource_style_reencoding = object.string_to_sign_v2(
+          time: object.mcc_time,
+          app_uuid: object.signature_app_uuid,
+          request_url: euresource_escape(original_request_uri.to_s),
+          query_string: euresource_escape(original_query_string.to_s)
+        )
+
+        pubkey = OpenSSL::PKey::RSA.new(retrieve_public_key(object.signature_app_uuid))
+        actual = Base64.decode64(object.signature)
+
+        unless verify_signature_v2!(object, actual, pubkey, expected_no_reencoding) ||
+           verify_signature_v2!(object, actual, pubkey, expected_euresource_style_reencoding) ||
+           verify_signature_v2!(object, actual, pubkey, expected_for_percent_reencoding)
+          msg = "Signature inauthentic for #{object.class}"
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+      end
+
+      def verify_signature_v2!(object, actual, pubkey, expected_str_to_sign)
+        pubkey.verify(
+          MAuth::Client::SIGNING_DIGEST,
+          actual,
+          expected_str_to_sign
+        )
+      rescue OpenSSL::PKey::PKeyError => e
+        msg = "RSA verification of signature failed! #{e.class}: #{e.message}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+
+      # Note: RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) reserves the forward slash "/"
+      #   and number sign "#" as component delimiters. Since these are valid URI components,
+      #   they are decoded back into characters here to avoid signature invalidation
+      def euresource_escape(str)
+        CGI.escape(str).gsub(/%2F|%23/, '%2F' => '/', '%23' => '#')
+      end
+
+      def retrieve_public_key(app_uuid)
+        retrieve_security_token(app_uuid)['security_token']['public_key_str']
+      end
+
+      def retrieve_security_token(app_uuid)
+        security_token_cacher.get(app_uuid)
+      end
+
+      def security_token_cacher
+        @security_token_cacher ||= SecurityTokenCacher.new(self)
+      end
+
+    end
+  end
+end

data/lib/mauth/client/remote_authenticator.rb

@@ -0,0 +1,75 @@
+# methods for remotely authenticating a request by sending it to the mauth service
+
+module MAuth
+  class Client
+    module RemoteRequestAuthenticator
+      private
+
+      # takes an incoming request object (no support for responses currently), and errors if the
+      # object is not authentic according to its signature
+      def signature_valid_v1!(object)
+        raise ArgumentError, "Remote Authenticator can only authenticate requests; received #{object.inspect}" unless object.is_a?(MAuth::Request)
+        authentication_ticket = {
+          'verb' => object.attributes_for_signing[:verb],
+          'app_uuid' => object.signature_app_uuid,
+          'client_signature' => object.signature,
+          'request_url' => object.attributes_for_signing[:request_url],
+          'request_time' => object.x_mws_time,
+          'b64encoded_body' => Base64.encode64(object.attributes_for_signing[:body] || '')
+        }
+        make_mauth_request(authentication_ticket)
+      end
+
+      def signature_valid_v2!(object)
+        unless object.is_a?(MAuth::Request)
+          msg = "Remote Authenticator can only authenticate requests; received #{object.inspect}"
+          raise ArgumentError, msg
+        end
+
+        authentication_ticket = {
+          verb: object.attributes_for_signing[:verb],
+          app_uuid: object.signature_app_uuid,
+          client_signature: object.signature,
+          request_url: object.attributes_for_signing[:request_url],
+          request_time: object.mcc_time,
+          b64encoded_body: Base64.encode64(object.attributes_for_signing[:body] || ''),
+          query_string: object.attributes_for_signing[:query_string],
+          token: object.signature_token
+        }
+        make_mauth_request(authentication_ticket)
+      end
+
+      def make_mauth_request(authentication_ticket)
+        begin
+          response = mauth_connection.post("/mauth/#{mauth_api_version}/authentication_tickets.json", 'authentication_ticket' => authentication_ticket)
+        rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError => e
+          msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
+          logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          raise UnableToAuthenticateError, msg
+        end
+        if (200..299).cover?(response.status)
+          nil
+        elsif response.status == 412 || response.status == 404
+          # the mAuth service responds with 412 when the given request is not authentically signed.
+          # older versions of the mAuth service respond with 404 when the given app_uuid
+          # does not exist, which is also considered to not be authentically signed. newer
+          # versions of the service respond 412 in all cases, so the 404 check may be removed
+          # when the old version of the mAuth service is out of service.
+          raise InauthenticError, "The mAuth service responded with #{response.status}: #{response.body}"
+        else
+          mauth_service_response_error(response)
+        end
+      end
+
+      def mauth_connection
+        require 'faraday'
+        require 'faraday_middleware'
+        @mauth_connection ||= ::Faraday.new(mauth_baseurl, faraday_options) do |builder|
+          builder.use MAuth::Faraday::MAuthClientUserAgent
+          builder.use FaradayMiddleware::EncodeJson
+          builder.adapter ::Faraday.default_adapter
+        end
+      end
+    end
+  end
+end

data/lib/mauth/client/security_token_cacher.rb

@@ -0,0 +1,71 @@
+module MAuth
+  class Client
+    module LocalAuthenticator
+      class SecurityTokenCacher
+
+        class ExpirableSecurityToken < Struct.new(:security_token, :create_time)
+          CACHE_LIFE = 60
+          def expired?
+            create_time + CACHE_LIFE < Time.now
+          end
+        end
+
+        def initialize(mauth_client)
+          @mauth_client = mauth_client
+          # TODO: should this be UnableToSignError?
+          @mauth_client.assert_private_key(UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!"))
+          @cache = {}
+          require 'thread'
+          @cache_write_lock = Mutex.new
+        end
+
+        def get(app_uuid)
+          if !@cache[app_uuid] || @cache[app_uuid].expired?
+            # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
+            # app_uuid - probably not exploitable, but this is the right way to do it anyway.
+            # use UNRESERVED instead of UNSAFE (the default) as UNSAFE doesn't include /
+            url_encoded_app_uuid = URI.escape(app_uuid, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+            begin
+              response = signed_mauth_connection.get("/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json")
+            rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError => e
+              msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
+              @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+              raise UnableToAuthenticateError, msg
+            end
+            if response.status == 200
+              begin
+                security_token = JSON.parse(response.body)
+              rescue JSON::ParserError => e
+                msg =  "mAuth service responded with unparseable json: #{response.body}\n#{e.class}: #{e.message}"
+                @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+                raise UnableToAuthenticateError, msg
+              end
+              @cache_write_lock.synchronize do
+                @cache[app_uuid] = ExpirableSecurityToken.new(security_token, Time.now)
+              end
+            elsif response.status == 404
+              # signing with a key mAuth doesn't know about is considered inauthentic
+              raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
+            else
+              @mauth_client.send(:mauth_service_response_error, response)
+            end
+          end
+          @cache[app_uuid].security_token
+        end
+
+        private
+
+        def signed_mauth_connection
+          require 'faraday'
+          require 'mauth/faraday'
+          @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path } if @mauth_client.ssl_certs_path
+          @signed_mauth_connection ||= ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
+            builder.use MAuth::Faraday::MAuthClientUserAgent
+            builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
+            builder.adapter ::Faraday.default_adapter
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mauth/client/signer.rb

@@ -0,0 +1,67 @@
+require 'openssl'
+require 'mauth/errors'
+
+# methods to sign requests and responses. part of MAuth::Client
+
+module MAuth
+  class Client
+    SIGNING_DIGEST = OpenSSL::Digest::SHA512.new
+
+    module Signer
+      UNABLE_TO_SIGN_ERR = UnableToSignError.new('mAuth client cannot sign without a private key!')
+
+      # takes an outgoing request or response object, and returns an object of the same class
+      # whose headers are updated to include mauth's signature headers
+      def signed(object, attributes = {})
+        object.merge_headers(signed_headers(object, attributes))
+      end
+
+      # signs with v1 only. used when signing responses to v1 requests.
+      def signed_v1(object, attributes = {})
+        object.merge_headers(signed_headers_v1(object, attributes))
+      end
+
+      def signed_v2(object, attributes = {})
+        object.merge_headers(signed_headers_v2(object, attributes))
+      end
+
+      # takes a signable object (outgoing request or response). returns a hash of headers to be
+      # applied to the object which comprises its signature.
+      def signed_headers(object, attributes = {})
+        if v2_only_sign_requests?
+          signed_headers_v2(object, attributes)
+        else # by default sign with both the v1 and v2 protocol
+          signed_headers_v1(object, attributes).merge(signed_headers_v2(object, attributes))
+        end
+      end
+
+      def signed_headers_v1(object, attributes = {})
+        attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
+        string_to_sign = object.string_to_sign_v1(attributes)
+        signature = self.signature_v1(string_to_sign)
+        { 'X-MWS-Authentication' => "#{MWS_TOKEN} #{client_app_uuid}:#{signature}", 'X-MWS-Time' => attributes[:time] }
+      end
+
+      def signed_headers_v2(object, attributes = {})
+        attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
+        string_to_sign = object.string_to_sign_v2(attributes)
+        signature = self.signature_v2(string_to_sign)
+        {
+          'MCC-Authentication' => "#{MWSV2_TOKEN} #{client_app_uuid}:#{signature}#{AUTH_HEADER_DELIMITER}",
+          'MCC-Time' => attributes[:time]
+        }
+      end
+
+      def signature_v1(string_to_sign)
+        assert_private_key(UNABLE_TO_SIGN_ERR)
+        hashed_string_to_sign = Digest::SHA512.hexdigest(string_to_sign)
+        Base64.encode64(private_key.private_encrypt(hashed_string_to_sign)).delete("\n")
+      end
+
+      def signature_v2(string_to_sign)
+        assert_private_key(UNABLE_TO_SIGN_ERR)
+        Base64.encode64(private_key.sign(SIGNING_DIGEST, string_to_sign)).delete("\n")
+      end
+    end
+  end
+end