mauth-client 4.2.1 → 5.0.0

data/lib/mauth/client/remote_authenticator.rb

@@ -0,0 +1,75 @@
+# methods for remotely authenticating a request by sending it to the mauth service
+
+module MAuth
+  class Client
+    module RemoteRequestAuthenticator
+      private
+
+      # takes an incoming request object (no support for responses currently), and errors if the
+      # object is not authentic according to its signature
+      def signature_valid_v1!(object)
+        raise ArgumentError, "Remote Authenticator can only authenticate requests; received #{object.inspect}" unless object.is_a?(MAuth::Request)
+        authentication_ticket = {
+          'verb' => object.attributes_for_signing[:verb],
+          'app_uuid' => object.signature_app_uuid,
+          'client_signature' => object.signature,
+          'request_url' => object.attributes_for_signing[:request_url],
+          'request_time' => object.x_mws_time,
+          'b64encoded_body' => Base64.encode64(object.attributes_for_signing[:body] || '')
+        }
+        make_mauth_request(authentication_ticket)
+      end
+
+      def signature_valid_v2!(object)
+        unless object.is_a?(MAuth::Request)
+          msg = "Remote Authenticator can only authenticate requests; received #{object.inspect}"
+          raise ArgumentError, msg
+        end
+
+        authentication_ticket = {
+          verb: object.attributes_for_signing[:verb],
+          app_uuid: object.signature_app_uuid,
+          client_signature: object.signature,
+          request_url: object.attributes_for_signing[:request_url],
+          request_time: object.mcc_time,
+          b64encoded_body: Base64.encode64(object.attributes_for_signing[:body] || ''),
+          query_string: object.attributes_for_signing[:query_string],
+          token: object.signature_token
+        }
+        make_mauth_request(authentication_ticket)
+      end
+
+      def make_mauth_request(authentication_ticket)
+        begin
+          response = mauth_connection.post("/mauth/#{mauth_api_version}/authentication_tickets.json", 'authentication_ticket' => authentication_ticket)
+        rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError => e
+          msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
+          logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          raise UnableToAuthenticateError, msg
+        end
+        if (200..299).cover?(response.status)
+          nil
+        elsif response.status == 412 || response.status == 404
+          # the mAuth service responds with 412 when the given request is not authentically signed.
+          # older versions of the mAuth service respond with 404 when the given app_uuid
+          # does not exist, which is also considered to not be authentically signed. newer
+          # versions of the service respond 412 in all cases, so the 404 check may be removed
+          # when the old version of the mAuth service is out of service.
+          raise InauthenticError, "The mAuth service responded with #{response.status}: #{response.body}"
+        else
+          mauth_service_response_error(response)
+        end
+      end
+
+      def mauth_connection
+        require 'faraday'
+        require 'faraday_middleware'
+        @mauth_connection ||= ::Faraday.new(mauth_baseurl, faraday_options) do |builder|
+          builder.use MAuth::Faraday::MAuthClientUserAgent
+          builder.use FaradayMiddleware::EncodeJson
+          builder.adapter ::Faraday.default_adapter
+        end
+      end
+    end
+  end
+end

data/lib/mauth/client/security_token_cacher.rb

@@ -0,0 +1,71 @@
+module MAuth
+  class Client
+    module LocalAuthenticator
+      class SecurityTokenCacher
+
+        class ExpirableSecurityToken < Struct.new(:security_token, :create_time)
+          CACHE_LIFE = 60
+          def expired?
+            create_time + CACHE_LIFE < Time.now
+          end
+        end
+
+        def initialize(mauth_client)
+          @mauth_client = mauth_client
+          # TODO: should this be UnableToSignError?
+          @mauth_client.assert_private_key(UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!"))
+          @cache = {}
+          require 'thread'
+          @cache_write_lock = Mutex.new
+        end
+
+        def get(app_uuid)
+          if !@cache[app_uuid] || @cache[app_uuid].expired?
+            # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
+            # app_uuid - probably not exploitable, but this is the right way to do it anyway.
+            # use UNRESERVED instead of UNSAFE (the default) as UNSAFE doesn't include /
+            url_encoded_app_uuid = URI.escape(app_uuid, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+            begin
+              response = signed_mauth_connection.get("/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json")
+            rescue ::Faraday::Error::ConnectionFailed, ::Faraday::Error::TimeoutError => e
+              msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
+              @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+              raise UnableToAuthenticateError, msg
+            end
+            if response.status == 200
+              begin
+                security_token = JSON.parse(response.body)
+              rescue JSON::ParserError => e
+                msg =  "mAuth service responded with unparseable json: #{response.body}\n#{e.class}: #{e.message}"
+                @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+                raise UnableToAuthenticateError, msg
+              end
+              @cache_write_lock.synchronize do
+                @cache[app_uuid] = ExpirableSecurityToken.new(security_token, Time.now)
+              end
+            elsif response.status == 404
+              # signing with a key mAuth doesn't know about is considered inauthentic
+              raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
+            else
+              @mauth_client.send(:mauth_service_response_error, response)
+            end
+          end
+          @cache[app_uuid].security_token
+        end
+
+        private
+
+        def signed_mauth_connection
+          require 'faraday'
+          require 'mauth/faraday'
+          @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path } if @mauth_client.ssl_certs_path
+          @signed_mauth_connection ||= ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
+            builder.use MAuth::Faraday::MAuthClientUserAgent
+            builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
+            builder.adapter ::Faraday.default_adapter
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mauth/client/signer.rb

@@ -0,0 +1,67 @@
+require 'openssl'
+require 'mauth/errors'
+
+# methods to sign requests and responses. part of MAuth::Client
+
+module MAuth
+  class Client
+    SIGNING_DIGEST = OpenSSL::Digest::SHA512.new
+
+    module Signer
+      UNABLE_TO_SIGN_ERR = UnableToSignError.new('mAuth client cannot sign without a private key!')
+
+      # takes an outgoing request or response object, and returns an object of the same class
+      # whose headers are updated to include mauth's signature headers
+      def signed(object, attributes = {})
+        object.merge_headers(signed_headers(object, attributes))
+      end
+
+      # signs with v1 only. used when signing responses to v1 requests.
+      def signed_v1(object, attributes = {})
+        object.merge_headers(signed_headers_v1(object, attributes))
+      end
+
+      def signed_v2(object, attributes = {})
+        object.merge_headers(signed_headers_v2(object, attributes))
+      end
+
+      # takes a signable object (outgoing request or response). returns a hash of headers to be
+      # applied to the object which comprises its signature.
+      def signed_headers(object, attributes = {})
+        if v2_only_sign_requests?
+          signed_headers_v2(object, attributes)
+        else # by default sign with both the v1 and v2 protocol
+          signed_headers_v1(object, attributes).merge(signed_headers_v2(object, attributes))
+        end
+      end
+
+      def signed_headers_v1(object, attributes = {})
+        attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
+        string_to_sign = object.string_to_sign_v1(attributes)
+        signature = self.signature_v1(string_to_sign)
+        { 'X-MWS-Authentication' => "#{MWS_TOKEN} #{client_app_uuid}:#{signature}", 'X-MWS-Time' => attributes[:time] }
+      end
+
+      def signed_headers_v2(object, attributes = {})
+        attributes = { time: Time.now.to_i.to_s, app_uuid: client_app_uuid }.merge(attributes)
+        string_to_sign = object.string_to_sign_v2(attributes)
+        signature = self.signature_v2(string_to_sign)
+        {
+          'MCC-Authentication' => "#{MWSV2_TOKEN} #{client_app_uuid}:#{signature}#{AUTH_HEADER_DELIMITER}",
+          'MCC-Time' => attributes[:time]
+        }
+      end
+
+      def signature_v1(string_to_sign)
+        assert_private_key(UNABLE_TO_SIGN_ERR)
+        hashed_string_to_sign = Digest::SHA512.hexdigest(string_to_sign)
+        Base64.encode64(private_key.private_encrypt(hashed_string_to_sign)).delete("\n")
+      end
+
+      def signature_v2(string_to_sign)
+        assert_private_key(UNABLE_TO_SIGN_ERR)
+        Base64.encode64(private_key.sign(SIGNING_DIGEST, string_to_sign)).delete("\n")
+      end
+    end
+  end
+end