mauth-client 4.1.1 → 5.0.0

data/lib/mauth/dice_bag/mauth.yml.dice

@@ -5,6 +5,8 @@ common: &common
   mauth_api_version: v1
   app_uuid: <%= configured.mauth_app_uuid! || 'fb17460e-9868-11e1-8399-0090f5ccb4d3' %>
   private_key_file: config/mauth_key
+  v2_only_authenticate: <%= configured.v2_only_authenticate || 'false' %>
+  v2_only_sign_requests: <%= configured.v2_only_sign_requests || 'false' %>
 
 production:
   <<: *common

data/lib/mauth/errors.rb

@@ -0,0 +1,29 @@
+module MAuth
+  # mAuth client was unable to verify the authenticity of a signed object (this does NOT mean the
+  # object is inauthentic). typically due to a failure communicating with the mAuth service, in
+  # which case the error may include the attribute mauth_service_response - a response from
+  # the mauth service (if it was contactable at all), which may contain more information about
+  # the error.
+  class UnableToAuthenticateError < StandardError
+    # the response from the MAuth service encountered when attempting to retrieve authentication
+    attr_accessor :mauth_service_response
+  end
+
+  # used to indicate that an object was expected to be validly signed but its signature does not
+  # match its contents, and so is inauthentic.
+  class InauthenticError < StandardError; end
+
+  # Used when the incoming request does not contain any mAuth related information
+  class MAuthNotPresent < StandardError; end
+
+  # required information for signing was missing
+  class UnableToSignError < StandardError; end
+
+  # used when an object has the V1 headers but not the V2 headers and the
+  # V2_ONLY_AUTHENTICATE variable is set to true.
+  class MissingV2Error < StandardError; end
+
+  class Client
+    class ConfigurationError < StandardError; end
+  end
+end

data/lib/mauth/fake/rack.rb

@@ -26,8 +26,10 @@ module MAuth
       def call(env)
         retval = if should_authenticate?(env)
           mauth_request = MAuth::Rack::Request.new(env)
+          env['mauth.protocol_version'] = mauth_request.protocol_version
+
           if self.class.is_authentic?
-            @app.call(env.merge('mauth.app_uuid' => mauth_request.signature_app_uuid, 'mauth.authentic' => true))
+            @app.call(env.merge!('mauth.app_uuid' => mauth_request.signature_app_uuid, 'mauth.authentic' => true))
           else
             response_for_inauthentic_request(env)
           end

data/lib/mauth/faraday.rb

@@ -36,9 +36,15 @@ module MAuth
       end
 
       def attributes_for_signing
-        request_url = @request_env[:url].path
-        request_url = '/' if request_url.empty?
-        @attributes_for_signing ||= { verb: @request_env[:method].to_s.upcase, request_url: request_url, body: @request_env[:body] }
+        @attributes_for_signing ||= begin
+          request_url = @request_env[:url].path.empty? ? '/' : @request_env[:url].path
+          {
+            verb: @request_env[:method].to_s.upcase,
+            request_url: request_url,
+            body: @request_env[:body],
+            query_string: @request_env[:url].query
+          }
+        end
       end
 
       # takes a Hash of headers; returns an instance of this class whose
@@ -68,6 +74,14 @@ module MAuth
       def x_mws_authentication
         @response_env[:response_headers]['x-mws-authentication']
       end
+
+      def mcc_time
+        @response_env[:response_headers]['mcc-time']
+      end
+
+      def mcc_authentication
+        @response_env[:response_headers]['mcc-authentication']
+      end
     end
 
     # add MAuth-Client's user-agent to a request

data/lib/mauth/rack.rb

@@ -15,19 +15,26 @@ module MAuth
     #   from this is false, the request is passed to the app with no authentication performed.
     class RequestAuthenticator < MAuth::Middleware
       def call(env)
-        if should_authenticate?(env)
-          mauth_request = MAuth::Rack::Request.new(env)
-          begin
-            if mauth_client.authentic?(mauth_request)
-              @app.call(env.merge('mauth.app_uuid' => mauth_request.signature_app_uuid, 'mauth.authentic' => true))
-            else
-              response_for_inauthentic_request(env)
-            end
-          rescue MAuth::UnableToAuthenticateError
-            response_for_unable_to_authenticate(env)
+        mauth_request = MAuth::Rack::Request.new(env)
+        env['mauth.protocol_version'] = mauth_request.protocol_version
+
+        return @app.call(env) unless should_authenticate?(env)
+
+        if mauth_client.v2_only_authenticate? && mauth_request.protocol_version == 1
+          return response_for_missing_v2(env)
+        end
+
+        begin
+          if mauth_client.authentic?(mauth_request)
+            @app.call(env.merge!(
+              'mauth.app_uuid' => mauth_request.signature_app_uuid,
+              'mauth.authentic' => true
+            ))
+          else
+            response_for_inauthentic_request(env)
           end
-        else
-          @app.call(env)
+        rescue MAuth::UnableToAuthenticateError
+          response_for_unable_to_authenticate(env)
         end
       end
 
@@ -61,6 +68,18 @@ module MAuth
           [500, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate(body)]]
         end
       end
+
+      # response when the requests includes V1 headers but does not include V2
+      # headers and the V2_ONLY_AUTHENTICATE flag is set.
+      def response_for_missing_v2(env)
+        handle_head(env) do
+          body = {
+            'type' => 'errors:mauth:missing_v2',
+            'title' => 'This service requires mAuth v2 mcc-authentication header. Upgrade your mAuth library and configure it properly.'
+          }
+          [401, { 'Content-Type' => 'application/json' }, [JSON.pretty_generate(body)]]
+        end
+      end
     end
 
     # same as MAuth::Rack::RequestAuthenticator, but does not authenticate /app_status
@@ -70,12 +89,24 @@ module MAuth
       end
     end
 
-    # signs outgoing responses
+    # signs outgoing responses with only the protocol used to sign the request.
     class ResponseSigner < MAuth::Middleware
       def call(env)
         unsigned_response = @app.call(env)
-        signed_response = mauth_client.signed(MAuth::Rack::Response.new(*unsigned_response))
-        signed_response.status_headers_body
+
+        method =
+          if env['mauth.protocol_version'] == 2
+            :signed_v2
+          elsif env['mauth.protocol_version'] == 1
+            :signed_v1
+          else
+            # if no protocol was supplied then use `signed` which either signs
+            # with both protocol versions (by default) or only v2 when the
+            # v2_only_sign_requests flag is set to true.
+            :signed
+          end
+        response = mauth_client.send(method, MAuth::Rack::Response.new(*unsigned_response))
+        response.status_headers_body
       end
     end
 
@@ -93,7 +124,12 @@ module MAuth
           env['rack.input'].rewind
           body = env['rack.input'].read
           env['rack.input'].rewind
-          { verb: env['REQUEST_METHOD'], request_url: env['PATH_INFO'], body: body }
+          {
+            verb: env['REQUEST_METHOD'],
+            request_url: env['PATH_INFO'],
+            body: body,
+            query_string: env['QUERY_STRING']
+          }
         end
       end
 
@@ -104,6 +140,14 @@ module MAuth
       def x_mws_authentication
         @env['HTTP_X_MWS_AUTHENTICATION']
       end
+
+      def mcc_time
+        @env['HTTP_MCC_TIME']
+      end
+
+      def mcc_authentication
+        @env['HTTP_MCC_AUTHENTICATION']
+      end
     end
 
     # representation of a response composed from a rack response (status, headers, body) which

data/lib/mauth/request_and_response.rb

@@ -4,7 +4,7 @@ module MAuth
   # module which composes a string to sign.
   #
   # includer must provide
-  # - SIGNATURE_COMPONENTS constant - array of keys to get from #attributes_for_signing
+  # - SIGNATURE_COMPONENTS OR SIGNATURE_COMPONENTS_V2 constant - array of keys to get from
   # - #attributes_for_signing
   # - #merge_headers (takes a Hash of headers; returns an instance of includer's own class whose
   #   headers have been updated with the argument headers)
@@ -12,15 +12,89 @@ module MAuth
     # composes a string suitable for private-key signing from the SIGNATURE_COMPONENTS keys of
     # attributes for signing, which are themselves taken from #attributes_for_signing and
     # the given argument more_attributes
-    def string_to_sign(more_attributes)
+
+    # the string to sign for V1 protocol will be (where LF is line feed character)
+    # for requests:
+    #   string_to_sign =
+    #     http_verb + <LF> +
+    #     resource_url_path (no host, port or query string; first "/" is included) + <LF> +
+    #     request_body + <LF> +
+    #     app_uuid + <LF> +
+    #     current_seconds_since_epoch
+    #
+    # for responses:
+    #   string_to_sign =
+    #     status_code_string + <LF> +
+    #     response_body_digest + <LF> +
+    #     app_uuid + <LF> +
+    #     current_seconds_since_epoch
+    def string_to_sign_v1(more_attributes)
       attributes_for_signing = self.attributes_for_signing.merge(more_attributes)
       missing_attributes = self.class::SIGNATURE_COMPONENTS.select { |key| !attributes_for_signing.key?(key) || attributes_for_signing[key].nil? }
       missing_attributes.delete(:body) # body may be omitted
       if missing_attributes.any?
         raise(UnableToSignError, "Missing required attributes to sign: #{missing_attributes.inspect}\non object to sign: #{inspect}")
       end
-      string = self.class::SIGNATURE_COMPONENTS.map { |k| attributes_for_signing[k].to_s }.join("\n")
-      Digest::SHA512.hexdigest(string)
+      self.class::SIGNATURE_COMPONENTS.map { |k| attributes_for_signing[k].to_s }.join("\n")
+    end
+
+    # the string to sign for V2 protocol will be (where LF is line feed character)
+    # for requests:
+    #   string_to_sign =
+    #     http_verb + <LF> +
+    #     resource_url_path (no host, port or query string; first "/" is included) + <LF> +
+    #     request_body_digest + <LF> +
+    #     app_uuid + <LF> +
+    #     current_seconds_since_epoch + <LF> +
+    #     encoded_query_params
+    #
+    # for responses:
+    #   string_to_sign =
+    #     status_code_string + <LF> +
+    #     response_body_digest + <LF> +
+    #     app_uuid + <LF> +
+    #     current_seconds_since_epoch
+    def string_to_sign_v2(override_attrs)
+      attrs_with_overrides = self.attributes_for_signing.merge(override_attrs)
+
+      # memoization of body_digest to avoid hashing three times when we call
+      # string_to_sign_v2 three times in client#signature_valid_v2!
+      # note that if :body is nil we hash an empty string ("")
+      attrs_with_overrides[:body_digest] ||= Digest::SHA512.hexdigest(attrs_with_overrides[:body].to_s)
+      attrs_with_overrides[:encoded_query_params] = encode_query_string(attrs_with_overrides[:query_string].to_s)
+
+      missing_attributes = self.class::SIGNATURE_COMPONENTS_V2.reject do |key|
+        attrs_with_overrides.dig(key)
+      end
+
+      missing_attributes.delete(:body_digest) # body may be omitted
+      missing_attributes.delete(:encoded_query_params) # query_string may be omitted
+      if missing_attributes.any?
+        raise(UnableToSignError, "Missing required attributes to sign: #{missing_attributes.inspect}\non object to sign: #{inspect}")
+      end
+
+      self.class::SIGNATURE_COMPONENTS_V2.map do |k|
+        attrs_with_overrides[k].to_s.force_encoding('UTF-8')
+      end.join("\n")
+    end
+
+    # sorts query string parameters by codepoint, uri encodes keys and values,
+    # and rejoins parameters into a query string
+    def encode_query_string(q_string)
+      q_string.split('&').sort.map do |part|
+        k, e, v = part.partition('=')
+        uri_escape(k) + e + uri_escape(v)
+      end.join('&')
+    end
+
+    # percent encodes special characters, preserving character encoding.
+    # encodes space as '%20'
+    # does not encode A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ),
+    # or tilde ( ~ )
+    # NOTE the CGI.escape spec changed in 2.5 to not escape tildes. we gsub
+    # tilde encoding back to tildes to account for older Rubies
+    def uri_escape(string)
+      CGI.escape(string).gsub(/\+|%7E/, '+' => '%20', '%7E' => '~')
     end
 
     def initialize(attributes_for_signing)
@@ -35,13 +109,27 @@ module MAuth
   # methods for an incoming object which is expected to have a signature.
   #
   # includer must provide
+  # - #mcc_authentication which returns that header's value
+  # - #mcc_time
+  # OR
   # - #x_mws_authentication which returns that header's value
   # - #x_mws_time
   module Signed
-    # returns a hash with keys :token, :app_uuid, and :signature parsed from the X-MWS-Authentication header
+    # mauth_client will authenticate with the highest protocol version present and ignore other
+    # protocol versions.
+    # returns a hash with keys :token, :app_uuid, and :signature parsed from the MCC-Authentication header
+    # if it is present and if not then the X-MWS-Authentication header if it is present.
+    # Note MWSV2 protocol no longer allows more than one space between the token and app uuid.
     def signature_info
       @signature_info ||= begin
-        match = x_mws_authentication && x_mws_authentication.match(/\A([^ ]+) *([^:]+):([^:]+)\z/)
+        match = if mcc_authentication
+          mcc_authentication.match(
+            /\A(#{MAuth::Client::MWSV2_TOKEN}) ([^:]+):([^:]+)#{MAuth::Client::AUTH_HEADER_DELIMITER}\z/
+          )
+        elsif x_mws_authentication
+          x_mws_authentication.match(/\A([^ ]+) *([^:]+):([^:]+)\z/)
+        end
+
         match ? { token: match[1], app_uuid: match[2], signature: match[3] } : {}
       end
     end
@@ -57,17 +145,36 @@ module MAuth
     def signature
       signature_info[:signature]
     end
+
+    def protocol_version
+      if !mcc_authentication.to_s.strip.empty?
+        2
+      elsif !x_mws_authentication.to_s.strip.empty?
+        1
+      end
+    end
   end
 
   # virtual base class for signable requests
   class Request
-    SIGNATURE_COMPONENTS = [:verb, :request_url, :body, :app_uuid, :time].freeze
+    SIGNATURE_COMPONENTS = %i[verb request_url body app_uuid time].freeze
+    SIGNATURE_COMPONENTS_V2 =
+      %i[
+        verb
+        request_url
+        body_digest
+        app_uuid
+        time
+        encoded_query_params
+      ].freeze
+
     include Signable
   end
 
   # virtual base class for signable responses
   class Response
-    SIGNATURE_COMPONENTS = [:status_code, :body, :app_uuid, :time].freeze
+    SIGNATURE_COMPONENTS = %i[status_code body app_uuid time].freeze
+    SIGNATURE_COMPONENTS_V2 = %i[status_code body_digest app_uuid time].freeze
     include Signable
   end
 end

data/lib/mauth/version.rb

@@ -1,3 +1,3 @@
 module MAuth
-  VERSION = '4.1.1'.freeze
+  VERSION = '5.0.0'.freeze
 end

data/mauth-client.gemspec

@@ -32,4 +32,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec', '~> 3.8'
   spec.add_development_dependency 'simplecov', '~> 0.16'
   spec.add_development_dependency 'timecop', '~> 0.9'
+  spec.add_development_dependency 'benchmark-ips', '~> 2.7'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mauth-client
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 5.0.0
 platform: ruby
 authors:
 - Matthew Szenher
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-06-26 00:00:00.000000000 Z
+date: 2019-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -201,6 +201,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: benchmark-ips
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
 description: Client for signing and authentication of requests and responses with
   mAuth authentication. Includes middleware for Rack and Faraday for incoming and
   outgoing requests and responses.
@@ -237,11 +251,17 @@ files:
 - lib/mauth-client.rb
 - lib/mauth/autoload.rb
 - lib/mauth/client.rb
+- lib/mauth/client/authenticator_base.rb
+- lib/mauth/client/local_authenticator.rb
+- lib/mauth/client/remote_authenticator.rb
+- lib/mauth/client/security_token_cacher.rb
+- lib/mauth/client/signer.rb
 - lib/mauth/core_ext.rb
 - lib/mauth/dice_bag/mauth.rb.dice
 - lib/mauth/dice_bag/mauth.yml.dice
 - lib/mauth/dice_bag/mauth_key.dice
 - lib/mauth/dice_bag/mauth_templates.rb
+- lib/mauth/errors.rb
 - lib/mauth/fake/rack.rb
 - lib/mauth/faraday.rb
 - lib/mauth/middleware.rb