mauth-client 4.2.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e197a763a48eeb58d88be12eab10dc6e2c7c104287b0371a41120bd920402db
-  data.tar.gz: 84ef6da779ededf897bfe7a44eb2581073c2404a1208ae3a233b2d84c1bc98eb
+  metadata.gz: fb397d4c368ae894af1012c2305891bdfe4c85269e75e54167d4a7482a034f5a
+  data.tar.gz: 8dc255a280b8304360b305be500b00bf1a8205293a7061af866a99f2eb69ca10
 SHA512:
-  metadata.gz: f640994364eee25edcbbf611a611eb539efc96432de37daf78c0211f83e966154c5dcfb321fff6e25e067fdb53faae6af792665897a7ae4d295beada833282d2
-  data.tar.gz: 6270a48e063208842a1055d39814b96fe2cb4b8ceea04592eb94c62b533f110fe5510ca9060f321d5f4a309b96aaf9c99489ff28e068e5ddd6c04e20c1ae9bab
+  metadata.gz: 8e519a163cba44ca112f31d91a2da679601cebeac172eac15704f0ff93cc3ea5a3eba6e654d15cce3cbd2c587cc5bc3e6ae88a1042b84bdaa77f3e71fda01a96
+  data.tar.gz: 18e5b9888c5c56ffa2f78197cdca887958e220f6f63e71807393d043508b5cd013ded15031d29230262cdfeb0de86f1f71f18cffd62a64c5719da030a59915d8

data/.gitignore

@@ -7,3 +7,4 @@
 /log
 
 /Gemfile.lock
+.byebug_history

data/CHANGELOG.md

@@ -1,5 +1,8 @@
-## v4.2.0
-* Drop legacy security token expiry in favor of honoring server cache headers via Faraday HTTP Cache Middleware.
+## v5.0.0
+- Add support for MWSV2 protocol.
+- Change request signing to sign with both V1 and V2 protocols by default.
+- Update log message for authentication request to include protocol version used.
+- Added `benchmark` rake task to benchmark request signing and authentication.
 
 ## v4.1.1
 - Use warning level instead of error level for logs about missing mauth header.

data/CONTRIBUTING.md

@@ -18,3 +18,11 @@ Next, run the tests:
 ```
 bundle exec rspec
 ```
+
+## Running Benchmark
+
+If you make changes which could affect performance, please run the benchmark before and after the change as a sanity check.
+
+```
+bundle exec rake benchmark
+```

data/README.md

@@ -1,10 +1,10 @@
-# MAuth Client
+# MAuth-Client
 [![Build Status](https://travis-ci.org/mdsol/mauth-client-ruby.svg?branch=master)](https://travis-ci.org/mdsol/mauth-client-ruby)
 
 This gem consists of MAuth::Client, a class to manage the information needed to both sign and authenticate requests
 and responses, and middlewares for Rack and Faraday which leverage the client's capabilities.
 
-MAuth Client exists in a variety of languages (.Net, Go, R etc.), see the [implementations list](doc/implementations.md) for more info.
+MAuth-Client exists in a variety of languages (.Net, Go, R etc.), see the [implementations list](doc/implementations.md) for more info.
 
 ## Installation
 
@@ -47,12 +47,19 @@ Remote authentication therefore requires more time than local authentication.
 You will not be able to sign your responses without an `app_uuid` and a private key, so `MAuth::Rack::ResponseSigner` cannot be used.
 
 The `mauth_baseurl` and `mauth_api_version` are required in mauth.yml.
-These tell the MAuth Client where and how to communicate with the MAuth service.
+These tell the MAuth-Client where and how to communicate with the MAuth service.
 
+The `v2_only_sign_requests` and `v2_only_authenticate` flags were added to facilitate conversion from the MAuth V1 protocol to the MAuth
+V2 protocol. By default both of these flags are false. See [Protocol Versions](#protocol-versions) below for more information about the different versions.
+
+|       | v2_only_sign_requests         | v2_only_authenticate                                                            |
+|-------|------------------------------------|--------------------------------------------------------------------------------------|
+| true  | requests are signed with only V2   | requests and responses are authenticated with only V2                                |
+| false | requests are signed with V1 and V2 | requests and responses are authenticated with the highest available protocol version |
 
 ## Rack Middleware Usage
 
-MAuth Client provides a middleware for request authentication and response verification in mauth/rack.
+MAuth-Client provides a middleware for request authentication and response verification in mauth/rack.
 
 ```ruby
 require 'mauth/rack'
@@ -212,13 +219,13 @@ Create a `MAuth::Request` object from the information in your HTTP request, what
 
 ```ruby
 require 'mauth/request_and_response'
-request = MAuth::Request.new(verb: my_verb, request_url: my_request_url, body: my_body)
+request = MAuth::Request.new(verb: my_verb, request_url: my_request_url, body: my_body, query_string: my_query_string)
 ```
 `mauth_client.signed_headers(request)` will then return mauth headers which you can apply to your request.
 
 ## Local Authentication
 
-When doing local authentication, the mauth client will periodically fetch and cache public keys from MAuth.
+When doing local authentication, the MAuth-Client will periodically fetch and cache public keys from MAuth.
 Each public key will be cached locally for 60 seconds.
 Applications which connect frequently to the app will benefit most from this caching strategy.
 When fetching public keys from MAuth, the following rules apply:
@@ -233,3 +240,8 @@ When fetching public keys from MAuth, the following rules apply:
 During development classes are typically not cached in Rails applications.
 If this is the case, be aware that the MAuth-Client middleware object will be instantiated anew for each request;
 this will cause applications performing local authentication to fetch public keys before each request is authenticated.
+
+## Protocol Versions
+
+The mauth V2 protocol was added as of v5.0.0. This protocol updates the string_to_sign to include query parameters, uses different authentication header names, and has a few other changes. See this document for more information: (DOC?). By default MAuth-Client will authenticate incoming requests with only the highest version of the protocol present, and sign their outgoing responses with only the version used to authenticate the request. By default MAuth-Client will sign outgoing requests with both the V1 and V2 protocols, and authenticate their incoming responses with only the highest version of the protocol present.
+If the `v2_only_sign_requests` flag is true all outgoing requests will be signed with only the V2 protocol (outgoing responses will still be signed with whatever protocol used to authenticate the request). If the `v2_only_authenticate` flag is true then MAuth-Client will reject any incoming request or incoming response that does not use the V2 protocol.

data/Rakefile

@@ -1,6 +1,113 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'mauth/request_and_response'
+require 'mauth/client'
+require 'securerandom'
+require 'benchmark/ips'
+require 'faraday'
+require 'rspec/mocks/standalone'
 
 RSpec::Core::RakeTask.new(:spec)
 
 task default: :spec
+
+class TestSignableRequest < MAuth::Request
+  include MAuth::Signed
+  attr_accessor :headers
+
+  def merge_headers(headers)
+    self.class.new(@attributes_for_signing).tap{|r| r.headers = (@headers || {}).merge(headers) }
+  end
+
+  def x_mws_time
+    headers['X-MWS-Time']
+  end
+
+  def x_mws_authentication
+    headers['X-MWS-Authentication']
+  end
+
+  def mcc_time
+    headers['MCC-Time']
+  end
+
+  def mcc_authentication
+    headers['MCC-Authentication']
+  end
+end
+
+desc 'Runs benchmarks for the library.'
+task :benchmark do
+  mc = MAuth::Client.new(
+    private_key: OpenSSL::PKey::RSA.generate(2048),
+    app_uuid: SecureRandom.uuid,
+    v2_only_sign_requests: false
+  )
+  authenticating_mc = MAuth::Client.new(mauth_baseurl: 'http://whatever', mauth_api_version: 'v1')
+
+  stubs = Faraday::Adapter::Test::Stubs.new
+  test_faraday = ::Faraday.new do |builder|
+    builder.adapter(:test, stubs)
+  end
+  stubs.post('/mauth/v1/authentication_tickets.json') { [204, {}, []] }
+  allow(Faraday).to receive(:new).and_return(test_faraday)
+
+  short_body = 'Somewhere in La Mancha, in a place I do not care to remember'
+  average_body = short_body * 1_000
+  huge_body = average_body * 100
+
+  qs = 'don=quixote&quixote=don'
+
+  puts <<-MSG
+
+    A short request has a body of 60 chars.
+    An average request has a body of 60,000 chars.
+    A huge request has a body of 6,000,000 chars.
+    A qs request has a body of 60 chars and a query string with two k/v pairs.
+
+  MSG
+
+  short_request = TestSignableRequest.new(verb: 'PUT', request_url: '/', body: short_body)
+  qs_request = TestSignableRequest.new(verb: 'PUT', request_url: '/', body: short_body, query_string: qs)
+  average_request = TestSignableRequest.new(verb: 'PUT', request_url: '/', body: average_body)
+  huge_request = TestSignableRequest.new(verb: 'PUT', request_url: '/', body: huge_body)
+
+  v1_short_signed_request = mc.signed_v1(short_request)
+  v1_average_signed_request = mc.signed_v1(average_request)
+  v1_huge_signed_request = mc.signed_v1(huge_request)
+
+  v2_short_signed_request = mc.signed_v2(short_request)
+  v2_qs_signed_request = mc.signed_v1(qs_request)
+  v2_average_signed_request = mc.signed_v2(average_request)
+  v2_huge_signed_request = mc.signed_v1(huge_request)
+
+  Benchmark.ips do |bm|
+    bm.report('v1-sign-short') { mc.signed_v1(short_request) }
+    bm.report('v2-sign-short') { mc.signed_v2(short_request) }
+    bm.report('both-sign-short') { mc.signed(short_request) }
+    bm.report('v2-sign-qs') { mc.signed_v2(qs_request) }
+    bm.report('both-sign-qs') { mc.signed(qs_request) }
+    bm.report('v1-sign-average') { mc.signed_v1(average_request) }
+    bm.report('v2-sign-average') { mc.signed_v2(average_request) }
+    bm.report('both-sign-average') { mc.signed(average_request) }
+    bm.report('v1-sign-huge') { mc.signed_v1(huge_request) }
+    bm.report('v2-sign-huge') { mc.signed_v2(huge_request) }
+    bm.report('both-sign-huge') { mc.signed(huge_request) }
+    bm.compare!
+  end
+
+  puts "i/s means the number of signatures of a message per second.\n\n\n"
+
+  Benchmark.ips do |bm|
+    bm.report('v1-authenticate-short') { authenticating_mc.authentic?(v1_short_signed_request) }
+    bm.report('v2-authenticate-short') { authenticating_mc.authentic?(v2_short_signed_request) }
+    bm.report('v2-authenticate-qs') { authenticating_mc.authentic?(v2_qs_signed_request) }
+    bm.report('v1-authenticate-average') { authenticating_mc.authentic?(v1_average_signed_request) }
+    bm.report('v2-authenticate-average') { authenticating_mc.authentic?(v2_average_signed_request) }
+    bm.report('v1-authenticate-huge') { authenticating_mc.authentic?(v1_huge_signed_request) }
+    bm.report('v2-authenticate-huge') { authenticating_mc.authentic?(v2_huge_signed_request) }
+    bm.compare!
+  end
+
+  puts 'i/s means the number of authentication checks of signatures per second.'
+end

data/exe/mauth-client

@@ -11,7 +11,7 @@ require 'mauth/faraday'
 require 'yaml'
 require 'term/ansicolor'
 
-# OPTION PARSER 
+# OPTION PARSER
 
 require 'optparse'
 
@@ -53,10 +53,10 @@ end
 opt_parser.parse!
 abort(opt_parser.help) unless (2..3).include?(ARGV.size)
 
-# FIND MAUTH CONFIG 
+# FIND MAUTH CONFIG
 
 possible_mauth_config_files = [
-  # whoops, I called this MAUTH_CONFIG_YML in one place and MAUTH_CONFIG_YAML in another. supporting both for now. 
+  # whoops, I called this MAUTH_CONFIG_YML in one place and MAUTH_CONFIG_YAML in another. supporting both for now.
   ENV['MAUTH_CONFIG_YML'],
   ENV['MAUTH_CONFIG_YAML'],
   '~/.mauth_config.yml',
@@ -76,14 +76,14 @@ end
 
 mauth_config = MAuth::Client.default_config(:mauth_config_yml => File.expand_path(mauth_config_yml))
 
-# INSTANTIATE MAUTH CLIENT 
+# INSTANTIATE MAUTH CLIENT
 
 logger = Logger.new(STDERR)
 mauth_client = MAuth::Client.new(mauth_config.merge('logger' => logger))
 
-# OUTPUTTERS FOR FARADAY THAT SHOULD MOVE TO A LIB SOMEWHERE 
+# OUTPUTTERS FOR FARADAY THAT SHOULD MOVE TO A LIB SOMEWHERE
 
-# outputs the response body to the given output device (defaulting to STDOUT) 
+# outputs the response body to the given output device (defaulting to STDOUT)
 class FaradayOutputter < Faraday::Middleware
   def initialize(app, outdev=STDOUT)
     @app=app
@@ -97,12 +97,12 @@ class FaradayOutputter < Faraday::Middleware
   end
 end
 
-# this is to approximate `curl -v`s output. but it's all faked, whereas curl gives you 
-# the real text written and read for request and response. whatever, close enough. 
+# this is to approximate `curl -v`s output. but it's all faked, whereas curl gives you
+# the real text written and read for request and response. whatever, close enough.
 class FaradayCurlVOutputter < FaradayOutputter
 
-  # defines a method with the given name, applying coloring defined by any additional arguments. 
-  # if $options[:color] is set, respects that; otherwise, applies color if the output device is a tty. 
+  # defines a method with the given name, applying coloring defined by any additional arguments.
+  # if $options[:color] is set, respects that; otherwise, applies color if the output device is a tty.
   def self.color(name, *color_args)
     define_method(name) do |arg|
       if color?
@@ -159,8 +159,8 @@ class FaradayCurlVOutputter < FaradayOutputter
     $options[:color].nil? ? @outdev.tty? : $options[:color]
   end
 
-  # a mapping for each registered CodeRay scanner to the Media Types which represent 
-  # that language. extremely incomplete! 
+  # a mapping for each registered CodeRay scanner to the Media Types which represent
+  # that language. extremely incomplete!
   CodeRayForMediaTypes = {
     :c => [],
     :cpp => [],
@@ -184,7 +184,7 @@ class FaradayCurlVOutputter < FaradayOutputter
   }
 
   # takes a body and a content type; returns the body, with coloring (ansi colors for terminals)
-  # possibly added, if it's a recognized content type and #color? is true 
+  # possibly added, if it's a recognized content type and #color? is true
   def color_body_by_content_type(body, content_type)
     if body && color?
       # kinda hacky way to get the media_type. faraday should supply this ...
@@ -207,7 +207,7 @@ class FaradayCurlVOutputter < FaradayOutputter
   end
 end
 
-# CONFIGURE THE FARADAY CONNECTION 
+# CONFIGURE THE FARADAY CONNECTION
 faraday_options = {}
 if $options[:no_ssl_verify]
   faraday_options[:ssl] = {:verify => false}
@@ -233,8 +233,8 @@ if $options[:content_type]
   headers['Content-Type'] = $options[:content_type]
 else
   if body
-    # I'd rather not have a default content-type, but if none is set then the HTTP adapter sets this to 
-    # application/x-www-form-urlencoded anyway. application/json is a better default for our purposes. 
+    # I'd rather not have a default content-type, but if none is set then the HTTP adapter sets this to
+    # application/x-www-form-urlencoded anyway. application/json is a better default for our purposes.
     headers['Content-Type'] = 'application/json'
   end
 end
@@ -251,10 +251,10 @@ end
 
 begin
   response = connection.run_request(httpmethod.downcase.to_sym, url, body, headers)
-rescue MAuth::InauthenticError, MAuth::UnableToAuthenticateError => e
+rescue MAuth::InauthenticError, MAuth::UnableToAuthenticateError, MAuth::MAuthNotPresent, MAuth::MissingV2Error => e
   if $options[:color].nil? ? STDERR.tty? : $options[:color]
-    class_color = Term::ANSIColor.method(e.is_a?(MAuth::InauthenticError) ? :intense_red : :intense_yellow)
-    message_color = Term::ANSIColor.method(e.is_a?(MAuth::InauthenticError) ? :red : :yellow)
+    class_color = Term::ANSIColor.method(e.is_a?(MAuth::UnableToAuthenticateError) ? :intense_yellow : :intense_red)
+    message_color = Term::ANSIColor.method(e.is_a?(MAuth::UnableToAuthenticateError) ? :yellow : :red)
   else
     class_color = proc{|s| s }
     message_color = proc{|s| s }

data/lib/mauth/client.rb

@@ -7,139 +7,98 @@ require 'mauth/core_ext'
 require 'mauth/autoload'
 require 'mauth/dice_bag/mauth_templates'
 require 'mauth/version'
-require 'faraday-http-cache'
-require 'oj'
+require 'mauth/client/authenticator_base'
+require 'mauth/client/local_authenticator'
+require 'mauth/client/remote_authenticator'
+require 'mauth/client/signer'
+require 'mauth/errors'
 
 module MAuth
+  # does operations which require a private key and corresponding app uuid. this is primarily:
+  # - signing outgoing requests and responses
+  # - authenticating incoming requests and responses, which may require retrieving the appropriate
+  #   public key from mAuth (which requires a request to mAuth which is signed using the private
+  #   key)
+  #
+  # this nominally operates on request and response objects, but really the only requirements are
+  # that the object responds to the methods of MAuth::Signable and/or MAuth::Signed (as
+  # appropriate)
   class Client
-    class << self
-      # returns a configuration (to be passed to MAuth::Client.new) which is configured from information stored in
-      # standard places. all of which is overridable by options in case some defaults do not apply.
-      #
-      # options (may be symbols or strings) - any or all may be omitted where your usage conforms to the defaults.
-      # - root: the path relative to which this method looks for configuration yaml files. defaults to Rails.root
-      #   if ::Rails is defined, otherwise ENV['RAILS_ROOT'], ENV['RACK_ROOT'], ENV['APP_ROOT'], or '.'
-      # - environment: the environment, pertaining to top-level keys of the configuration yaml files. by default,
-      #   tries Rails.environment, ENV['RAILS_ENV'], and ENV['RACK_ENV'], and falls back to 'development' if none
-      #   of these are set.
-      # - mauth_config - MAuth configuration. defaults to load this from a yaml file (see mauth_config_yml option)
-      #   which is assumed to be keyed with the environment at the root. if this is specified, no yaml file is
-      #   loaded, and the given config is passed through with any other defaults applied. at the moment, the only
-      #   other default is to set the logger.
-      # - mauth_config_yml - specifies where a mauth configuration yaml file can be found. by default checks
-      #   ENV['MAUTH_CONFIG_YML'] or a file 'config/mauth.yml' relative to the root.
-      # - logger - by default checks ::Rails.logger
-      def default_config(options = {})
-        options = options.stringify_symbol_keys
+    MWS_TOKEN = 'MWS'.freeze
+    MWSV2_TOKEN = 'MWSV2'.freeze
+    AUTH_HEADER_DELIMITER = ';'.freeze
 
-        # find the app_root (relative to which we look for yaml files). note that this
-        # is different than MAuth::Client.root, the root of the mauth-client library.
-        app_root = options['root'] || begin
-          if Object.const_defined?('Rails') && ::Rails.respond_to?(:root) && ::Rails.root
-            Rails.root
-          else
-            ENV['RAILS_ROOT'] || ENV['RACK_ROOT'] || ENV['APP_ROOT'] || '.'
-          end
-        end
+    include AuthenticatorBase
+    include Signer
 
-        # find the environment (with which yaml files are keyed)
-        env = options['environment'] || begin
-          if Object.const_defined?('Rails') && ::Rails.respond_to?(:environment)
-            Rails.environment
-          else
-            ENV['RAILS_ENV'] || ENV['RACK_ENV'] || 'development'
-          end
+    # returns a configuration (to be passed to MAuth::Client.new) which is configured from information stored in
+    # standard places. all of which is overridable by options in case some defaults do not apply.
+    #
+    # options (may be symbols or strings) - any or all may be omitted where your usage conforms to the defaults.
+    # - root: the path relative to which this method looks for configuration yaml files. defaults to Rails.root
+    #   if ::Rails is defined, otherwise ENV['RAILS_ROOT'], ENV['RACK_ROOT'], ENV['APP_ROOT'], or '.'
+    # - environment: the environment, pertaining to top-level keys of the configuration yaml files. by default,
+    #   tries Rails.environment, ENV['RAILS_ENV'], and ENV['RACK_ENV'], and falls back to 'development' if none
+    #   of these are set.
+    # - mauth_config - MAuth configuration. defaults to load this from a yaml file (see mauth_config_yml option)
+    #   which is assumed to be keyed with the environment at the root. if this is specified, no yaml file is
+    #   loaded, and the given config is passed through with any other defaults applied. at the moment, the only
+    #   other default is to set the logger.
+    # - mauth_config_yml - specifies where a mauth configuration yaml file can be found. by default checks
+    #   ENV['MAUTH_CONFIG_YML'] or a file 'config/mauth.yml' relative to the root.
+    # - logger - by default checks ::Rails.logger
+    def self.default_config(options = {})
+      options = options.stringify_symbol_keys
+
+      # find the app_root (relative to which we look for yaml files). note that this
+      # is different than MAuth::Client.root, the root of the mauth-client library.
+      app_root = options['root'] || begin
+        if Object.const_defined?('Rails') && ::Rails.respond_to?(:root) && ::Rails.root
+          Rails.root
+        else
+          ENV['RAILS_ROOT'] || ENV['RACK_ROOT'] || ENV['APP_ROOT'] || '.'
         end
+      end
 
-        # find mauth config, given on options, or in a file at
-        # ENV['MAUTH_CONFIG_YML'] or config/mauth.yml in the app_root
-        mauth_config = options['mauth_config'] || begin
-          mauth_config_yml = options['mauth_config_yml']
-          mauth_config_yml ||= ENV['MAUTH_CONFIG_YML']
-          default_loc = 'config/mauth.yml'
-          default_yml = File.join(app_root, default_loc)
-          mauth_config_yml ||= default_yml if File.exist?(default_yml)
-          if mauth_config_yml && File.exist?(mauth_config_yml)
-            whole_config = ConfigFile.load(mauth_config_yml)
-            errmessage = "#{mauth_config_yml} config has no key #{env} - it has keys #{whole_config.keys.inspect}"
-            whole_config[env] || raise(MAuth::Client::ConfigurationError, errmessage)
-          else
-            raise MAuth::Client::ConfigurationError, "could not find mauth config yaml file. this file may be " \
-              "placed in #{default_loc}, specified with the mauth_config_yml option, or specified with the " \
-              "MAUTH_CONFIG_YML environment variable."
-          end
+      # find the environment (with which yaml files are keyed)
+      env = options['environment'] || begin
+        if Object.const_defined?('Rails') && ::Rails.respond_to?(:environment)
+          Rails.environment
+        else
+          ENV['RAILS_ENV'] || ENV['RACK_ENV'] || 'development'
+        end
+      end
+
+      # find mauth config, given on options, or in a file at
+      # ENV['MAUTH_CONFIG_YML'] or config/mauth.yml in the app_root
+      mauth_config = options['mauth_config'] || begin
+        mauth_config_yml = options['mauth_config_yml']
+        mauth_config_yml ||= ENV['MAUTH_CONFIG_YML']
+        default_loc = 'config/mauth.yml'
+        default_yml = File.join(app_root, default_loc)
+        mauth_config_yml ||= default_yml if File.exist?(default_yml)
+        if mauth_config_yml && File.exist?(mauth_config_yml)
+          whole_config = ConfigFile.load(mauth_config_yml)
+          errmessage = "#{mauth_config_yml} config has no key #{env} - it has keys #{whole_config.keys.inspect}"
+          whole_config[env] || raise(MAuth::Client::ConfigurationError, errmessage)
+        else
+          raise MAuth::Client::ConfigurationError, "could not find mauth config yaml file. this file may be " \
+            "placed in #{default_loc}, specified with the mauth_config_yml option, or specified with the " \
+            "MAUTH_CONFIG_YML environment variable."
         end
+      end
 
-        unless mauth_config.key?('logger')
-          # the logger. Rails.logger if it exists, otherwise, no logger
-          mauth_config['logger'] = options['logger'] || begin
-            if Object.const_defined?('Rails') && ::Rails.respond_to?(:logger)
-              Rails.logger
-            end
+      unless mauth_config.key?('logger')
+        # the logger. Rails.logger if it exists, otherwise, no logger
+        mauth_config['logger'] = options['logger'] || begin
+          if Object.const_defined?('Rails') && ::Rails.respond_to?(:logger)
+            Rails.logger
           end
         end
-
-        mauth_config
       end
-    end
-  end
 
-  class ConfigFile
-    GITHUB_URL = 'https://github.com/mdsol/mauth-client-ruby'.freeze
-    @config = {}
-
-    def self.load(path)
-      unless File.exist?(path)
-        raise "File #{path} not found. Please visit #{GITHUB_URL} for details."
-      end
-
-      @config[path] ||= YAML.load_file(path)
-      unless @config[path]
-        raise "File #{path} does not contain proper YAML information. Visit #{GITHUB_URL} for details."
-      end
-      @config[path]
+      mauth_config
     end
-  end
-end
-
-module MAuth
-  # mAuth client was unable to verify the authenticity of a signed object (this does NOT mean the
-  # object is inauthentic). typically due to a failure communicating with the mAuth service, in
-  # which case the error may include the attribute mauth_service_response - a response from
-  # the mauth service (if it was contactable at all), which may contain more information about
-  # the error.
-  class UnableToAuthenticateError < StandardError
-    # the response from the MAuth service encountered when attempting to retrieve authentication
-    attr_accessor :mauth_service_response
-  end
-
-  # used to indicate that an object was expected to be validly signed but its signature does not
-  # match its contents, and so is inauthentic.
-  class InauthenticError < StandardError
-  end
-
-  # Used when the incoming request does not contain any mAuth related information
-  class MauthNotPresent < StandardError
-  end
-
-
-  # required information for signing was missing
-  class UnableToSignError < StandardError
-  end
-
-  # does operations which require a private key and corresponding app uuid. this is primarily:
-  # - signing outgoing requests and responses
-  # - authenticating incoming requests and responses, which may require retrieving the appropriate
-  #   public key from mAuth (which requires a request to mAuth which is signed using the private
-  #   key)
-  #
-  # this nominally operates on request and response objects, but really the only requirements are
-  # that the object responds to the methods of MAuth::Signable and/or MAuth::Signed (as
-  # appropriate)
-  class Client
-    class ConfigurationError < StandardError; end
-
-    MWS_TOKEN = 'MWS'.freeze
 
     # new client with the given App UUID and public key. config may include the following (all
     # config keys may be strings or symbols):
@@ -192,6 +151,8 @@ module MAuth
       request_config.merge!(symbolize_keys(given_config['faraday_options'])) if given_config['faraday_options']
       @config['faraday_options'] = { request: request_config } || {}
       @config['ssl_certs_path'] = given_config['ssl_certs_path'] if given_config['ssl_certs_path']
+      @config['v2_only_authenticate'] = given_config['v2_only_authenticate'].to_s.downcase == 'true'
+      @config['v2_only_sign_requests'] = given_config['v2_only_sign_requests'].to_s.downcase == 'true'
 
       # if 'authenticator' was given, don't override that - including if it was given as nil / false
       if given_config.key?('authenticator')
@@ -236,6 +197,14 @@ module MAuth
       @config['ssl_certs_path']
     end
 
+    def v2_only_sign_requests?
+      @config['v2_only_sign_requests']
+    end
+
+    def v2_only_authenticate?
+      @config['v2_only_authenticate']
+    end
+
     def assert_private_key(err)
       raise err unless private_key
     end
@@ -257,259 +226,23 @@ module MAuth
       end
       hash
     end
+  end
 
-    # methods to sign requests and responses. part of MAuth::Client
-    module Signer
-      # takes an outgoing request or response object, and returns an object of the same class
-      # whose headers are updated to include mauth's signature headers
-      def signed(object, attributes = {})
-        object.merge_headers(signed_headers(object, attributes))
-      end
-
-      # takes a signable object (outgoing request or response). returns a hash of headers to be
-      # applied tothe object which comprise its signature.
-      def signed_headers(object, attributes = {})
-        attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
-        signature = self.signature(object, attributes)
-        { 'X-MWS-Authentication' => "#{MWS_TOKEN} #{client_app_uuid}:#{signature}", 'X-MWS-Time' => attributes[:time] }
-      end
-
-      # takes a signable object (outgoing request or response). returns a mauth signature string
-      # for that object.
-      def signature(object, attributes = {})
-        assert_private_key(UnableToSignError.new("mAuth client cannot sign without a private key!"))
-        attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
-        signature = Base64.encode64(private_key.private_encrypt(object.string_to_sign(attributes))).delete("\n")
-      end
-    end
-    include Signer
-
-    # methods common to RemoteRequestAuthenticator and LocalAuthenticator
-    module Authenticator
-      ALLOWED_DRIFT_SECONDS = 300
-
-      # takes an incoming request or response object, and returns whether
-      # the object is authentic according to its signature.
-      def authentic?(object)
-        log_authentication_request(object)
-        begin
-          authenticate!(object)
-          true
-        rescue InauthenticError, MauthNotPresent
-          false
-        end
-      end
-
-      # raises InauthenticError unless the given object is authentic
-      def authenticate!(object)
-        authentication_present!(object)
-        time_valid!(object)
-        token_valid!(object)
-        signature_valid!(object)
-      rescue MauthNotPresent => e
-        logger.warn "mAuth signature not present on #{object.class}. Exception: #{e.message}"
-        raise
-      rescue InauthenticError => e
-        logger.error "mAuth signature authentication failed for #{object.class}. Exception: #{e.message}"
-        raise
-      rescue UnableToAuthenticateError => e
-        logger.error "Unable to authenticate with MAuth for #{object.class}. Exception: #{e.message}"
-        raise
-      end
-
-      private
-
-      # Note:  This log is likely consumed downstream and the contents SHOULD NOT be changed without a thorough review of downstream consumers.
-      def log_authentication_request(object)
-        object_app_uuid = object.signature_app_uuid || '[none provided]'
-        logger.info "Mauth-client attempting to authenticate request from app with mauth app uuid #{object_app_uuid} to app with mauth app uuid #{client_app_uuid}."
-      end
-
-      def authentication_present!(object)
-        if object.x_mws_authentication.nil? || object.x_mws_authentication !~ /\S/
-          raise MauthNotPresent, "Authentication Failed. No mAuth signature present; X-MWS-Authentication header is blank."
-        end
-      end
-
-      def time_valid!(object, now = Time.now)
-        if object.x_mws_time.nil?
-          raise InauthenticError, "Time verification failed. No x-mws-time present."
-        elsif !(-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - object.x_mws_time.to_i)
-          raise InauthenticError, "Time verification failed. #{object.x_mws_time} not within #{ALLOWED_DRIFT_SECONDS} of #{now}"
-        end
-      end
-
-      def token_valid!(object)
-        unless object.signature_token == MWS_TOKEN
-          raise InauthenticError, "Token verification failed. Expected #{MWS_TOKEN.inspect}; token was #{object.signature_token}"
-        end
-      end
-    end
-    include Authenticator
-
-    # methods to verify the authenticity of signed requests and responses locally, retrieving
-    # public keys from the mAuth service as needed
-    module LocalAuthenticator
-      private
-
-      def signature_valid!(object)
-        # We are in an unfortunate situation in which Euresource is percent-encoding parts of paths, but not
-        # all of them.  In particular, Euresource is percent-encoding all special characters save for '/'.
-        # Also, unfortunately, Nginx unencodes URIs before sending them off to served applications, though
-        # other web servers (particularly those we typically use for local testing) do not.  The various forms
-        # of the expected string to sign are meant to cover the main cases.
-        # TODO:  Revisit and simplify this unfortunate situation.
-
-        original_request_uri = object.attributes_for_signing[:request_url]
-
-        # craft an expected string-to-sign without doing any percent-encoding
-        expected_no_reencoding = object.string_to_sign(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
-
-        # do a simple percent reencoding variant of the path
-        object.attributes_for_signing[:request_url] = CGI.escape(original_request_uri.to_s)
-        expected_for_percent_reencoding = object.string_to_sign(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
-
-        # do a moderately complex Euresource-style reencoding of the path
-        object.attributes_for_signing[:request_url] = euresource_escape(original_request_uri.to_s)
-        expected_euresource_style_reencoding = object.string_to_sign(time: object.x_mws_time, app_uuid: object.signature_app_uuid)
-
-        # reset the object original request_uri, just in case we need it again
-        object.attributes_for_signing[:request_url] = original_request_uri
-
-        pubkey = OpenSSL::PKey::RSA.new(retrieve_public_key(object.signature_app_uuid))
-        begin
-          actual = pubkey.public_decrypt(Base64.decode64(object.signature))
-        rescue OpenSSL::PKey::PKeyError
-          raise InauthenticError, "Public key decryption of signature failed!\n#{$!.class}: #{$!.message}"
-        end
-        # TODO: time-invariant comparison instead of #== ?
-        unless expected_no_reencoding == actual || expected_euresource_style_reencoding == actual || expected_for_percent_reencoding == actual
-          raise InauthenticError, "Signature verification failed for #{object.class}"
-        end
-      end
-
-      # Note: RFC 3986 (https://www.ietf.org/rfc/rfc3986.txt) reserves the forward slash "/"
-      #   and number sign "#" as component delimiters. Since these are valid URI components,
-      #   they are decoded back into characters here to avoid signature invalidation
-      def euresource_escape(str)
-        CGI.escape(str).gsub(/%2F|%23/, "%2F" => "/", "%23" => "#")
-      end
-
-      def retrieve_public_key(app_uuid)
-        retrieve_security_token(app_uuid)['security_token']['public_key_str']
-      end
-
-      def retrieve_security_token(app_uuid)
-        security_token_cacher.get(app_uuid)
-      end
-
-      def security_token_cacher
-        @security_token_cacher ||= SecurityTokenCacher.new(self)
-      end
-      class SecurityTokenCacher
-
-        def initialize(mauth_client)
-          @mauth_client = mauth_client
-          # TODO: should this be UnableToSignError?
-          @mauth_client.assert_private_key(UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!"))
-          @cache = {}
-          require 'thread'
-          @cache_write_lock = Mutex.new
-        end
-
-        def get(app_uuid)
-          if !@cache[app_uuid]
-            # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
-            # app_uuid - probably not exploitable, but this is the right way to do it anyway.
-            # use UNRESERVED instead of UNSAFE (the default) as UNSAFE doesn't include /
-            url_encoded_app_uuid = URI.escape(app_uuid, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
-            begin
-              response = signed_mauth_connection.get("/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json")
-            rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError
-              raise UnableToAuthenticateError, "mAuth service did not respond; received #{$!.class}: #{$!.message}"
-            end
-            if response.status == 200
-              @cache_write_lock.synchronize do
-                @cache[app_uuid] = security_token_from(response.body)
-              end
-            elsif response.status == 404
-              # signing with a key mAuth doesn't know about is considered inauthentic
-              raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
-            else
-              @mauth_client.send(:mauth_service_response_error, response)
-            end
-          end
-          @cache[app_uuid]
-        end
-
-        private
-
-        def security_token_from(response_body)
-          JSON.parse response_body
-        rescue JSON::ParserError => e
-          msg =  "mAuth service responded with unparseable json: #{response_body}\n#{e.class}: #{e.message}"
-          @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
-          raise UnableToAuthenticateError, msg
-        end
+  module ConfigFile
+    GITHUB_URL = 'https://github.com/mdsol/mauth-client-ruby'.freeze
+    @config = {}
 
-        def signed_mauth_connection
-          require 'faraday'
-          require 'mauth/faraday'
-          @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path } if @mauth_client.ssl_certs_path
-          @signed_mauth_connection ||= ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
-            builder.use MAuth::Faraday::MAuthClientUserAgent
-            builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
-            builder.use :http_cache, serializer: Oj, logger: MAuth::Client.new.logger, shared_cache: false
-            builder.adapter ::Faraday.default_adapter
-          end
-        end
+    def self.load(path)
+      unless File.exist?(path)
+        raise "File #{path} not found. Please visit #{GITHUB_URL} for details."
       end
-    end
 
-    # methods for remotely authenticating a request by sending it to the mauth service
-    module RemoteRequestAuthenticator
-      private
-
-      # takes an incoming request object (no support for responses currently), and errors if the
-      # object is not authentic according to its signature
-      def signature_valid!(object)
-        raise ArgumentError, "Remote Authenticator can only authenticate requests; received #{object.inspect}" unless object.is_a?(MAuth::Request)
-        authentication_ticket = {
-          'verb' => object.attributes_for_signing[:verb],
-          'app_uuid' => object.signature_app_uuid,
-          'client_signature' => object.signature,
-          'request_url' => object.attributes_for_signing[:request_url],
-          'request_time' => object.x_mws_time,
-          'b64encoded_body' => Base64.encode64(object.attributes_for_signing[:body] || '')
-        }
-        begin
-          response = mauth_connection.post("/mauth/#{mauth_api_version}/authentication_tickets.json", "authentication_ticket" => authentication_ticket)
-        rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError
-          raise UnableToAuthenticateError, "mAuth service did not respond; received #{$!.class}: #{$!.message}"
-        end
-        if (200..299).cover?(response.status)
-          nil
-        elsif response.status == 412 || response.status == 404
-          # the mAuth service responds with 412 when the given request is not authentically signed.
-          # older versions of the mAuth service respond with 404 when the given app_uuid
-          # does not exist, which is also considered to not be authentically signed. newer
-          # versions of the service respond 412 in all cases, so the 404 check may be removed
-          # when the old version of the mAuth service is out of service.
-          raise InauthenticError, "The mAuth service responded with #{response.status}: #{response.body}"
-        else
-          mauth_service_response_error(response)
-        end
+      @config[path] ||= YAML.load_file(path)
+      unless @config[path]
+        raise "File #{path} does not contain proper YAML information. Visit #{GITHUB_URL} for details."
       end
 
-      def mauth_connection
-        require 'faraday'
-        require 'faraday_middleware'
-        @mauth_connection ||= ::Faraday.new(mauth_baseurl, faraday_options) do |builder|
-          builder.use MAuth::Faraday::MAuthClientUserAgent
-          builder.use FaradayMiddleware::EncodeJson
-          builder.adapter ::Faraday.default_adapter
-        end
-      end
+      @config[path]
     end
   end
 end