mauth-client 6.1.0 → 6.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: efbde48109b1d067f8901ca07cd13181a3564ef6ed0bce1b3741c8c956765341
-  data.tar.gz: a28441224938890a0e4538063273705cdda2b7b9efec79149db3929cceb2f6df
+  metadata.gz: 3d26cf42f3bc98d5ce98981ee710c52d2b87a9360b6ae54391288182c95fa09a
+  data.tar.gz: 03c4a9d0e96187d57232d5a1923935ad5db9c190a891fda410595010bbf1d946
 SHA512:
-  metadata.gz: e4afa642e9235c58371b7d42c2ec7c22f8357ce9379a2cb7045d7f9bda5bfd94c83caf8ba4eaa172926429d383d7956a35cd41bc0a79324eccf1123ed25d5642
-  data.tar.gz: d238221c9a124d45a33136c930346d6999bf2e0d8492f16ab4bf94090b67b6e149a4dde8388af1f479f3a21f5b723374b6b95b571add51f179b93cc6a8590b91
+  metadata.gz: 58751eb9040426589a0274390307abfc518c1465372c6b26329debb25a12c06fb63e96fccd4093fd45e90bd24fefd6c64966160b6520513515cd5dc9ac96f804
+  data.tar.gz: 0febdd455262d240d5f456acc00785d8a0941627ca352ffa559526ddadbaab726213b87e24eaa8f576c430b0a856725224ed48909cdc64cf9ce6b3a77b8c4acf

data/.gitmodules

@@ -0,0 +1,3 @@
+[submodule "spec/fixtures/mauth-protocol-test-suite"]
+	path = spec/fixtures/mauth-protocol-test-suite
+	url = https://github.com/mdsol/mauth-protocol-test-suite.git

data/.rspec

@@ -1,2 +1 @@
 --color
---tag ~protocol_suite

data/.travis.yml

@@ -1,12 +1,17 @@
+dist: focal
 language: ruby
 cache: bundler
 
 rvm:
-  - 2.3
-  - 2.4
   - 2.5
   - 2.6
   - 2.7
+  - 3.0
+
+jobs:
+  exclude:
+    - rvm: 3.0
+      gemfile: gemfiles/faraday_0.x.gemfile # Faraday v0.x does not officially support Ruby 3.0 (see: https://github.com/lostisland/faraday/releases/tag/v1.3.0)
 
 gemfile:
   - gemfiles/faraday_0.x.gemfile
@@ -14,28 +19,29 @@ gemfile:
 
 before_install:
   - gem update --system --force -N > /dev/null && echo "Rubygems version $(gem --version)"
-  - gem install bundler --force -N -v=2.1.4 && bundle --version
+  - gem install bundler --force -N && bundle --version
 
 install:
   - bundle install --jobs=3 --retry=3
   - >-
     curl -H 'Cache-Control: no-cache'
-    https://raw.githubusercontent.com/mdsol/fossa_ci_scripts/master/travis_ci/fossa_install.sh |
+    https://raw.githubusercontent.com/mdsol/fossa_ci_scripts/main/travis_ci/fossa_install.sh |
     bash -s -- -b $TRAVIS_BUILD_DIR
 
 script:
   - bundle exec rspec
+  - bundle exec rake benchmark
   - >-
     curl -H 'Cache-Control: no-cache'
-    https://raw.githubusercontent.com/mdsol/fossa_ci_scripts/master/travis_ci/fossa_run.sh |
+    https://raw.githubusercontent.com/mdsol/fossa_ci_scripts/main/travis_ci/fossa_run.sh |
     bash -s -- -b $TRAVIS_BUILD_DIR
 
 deploy:
   provider: rubygems
   gem: mauth-client
   api_key:
-    secure: J0aPDp4+Ev2L+ZDcgpF+hAG95S4IsD6pCiDRxDWnrk79P5hq1rXoD3S39ANyqtQEQqkoVjsgoSP5JLi420aL2lYj7mhvaEOty9fK+flwUhI4nw+Gztm7EKNDNX8WKvk4fl4Zc7noIeI0uyes867hDjRQfyYvUuma7aK5H9NWzNUV9Q+KrVAoneVDGnNydxwkuuIpOFdjbVQgNpxVhVBV7Q4OLsB1KtWB9lptMwhqnyqZKex7JZ+37sojaj3oVT5ijrnAm+bR1QO1hGIOwuBako2iz+MBZHPccM4BEFsZme/7olypxv0JfeCuhqDnH1VWIFh6IZRDeLnZuX3qOhkdx4HLwxB//5O5+iapK0wh1zbnLvXqkE1dalUHyaZzStKH9xchIWl5I77Ica232OJYrpj9hhroae0p3VARF0IoZceKaH8NnMpq+nBAW4REcWrqPpe9xkRLDTNibkpaAy08vGOF2kPZkWw4lfkVBM1+wjY2xDn6wJ7VgQ1BeosbeTXbmny2TUeI22beihn894tzpCPPHiTRvKu0lV3jBfeoOAXzE333PrGm3zF9MDhg+1/iBwXVhdoOwEwBPQ/3Hu37xJn0AfRneni4StYnIkZ1Ur9Vub03J/3C3Aw6it99rQSWvC+2PzHqQhsG22VprvxlozFe1jFzdqKgvDkbkn44ltI=
+    secure: QDp0P/lMGLYc4+A3M6VD9y551X6GrGwOSBE6xSG4lE6mPXoSISK5Yj18vNWQRQuQ4BsE6CdfZ/xsPjSRDda6b+yUQbgisjJ+Ry6jUVE1v9UKTZ0VHgHyXcsaJFC29tBKBeuGCj0AD5qhbTO1+ybeZSUfdSeVVoidD4W/bSnvzlT1Lht7IE8jbHbR57LsJKoEaDxKu33dg4CYV96xrlYGxHAS2UgEgi5Ve3ohzBWkX9RWF/wWoGCzIYhJBzXgCEEFw8iWkspjTePgv9yjD2HIMtF44aiSTHM5iqBBsYJ7A8+kUwoq7+srsashHZ1wZz1YulsCSkjwM9AXZ4E0f9AnERw/RQ5gG7bCuHZtSG9g/0SWBQeNfkAF3An6eTSS24KVfnarGdH2bk0G28k2oP26MWiDKz8nlQxNAY4rH+dITael18bgf45H4KccQqiooBEGnuYpUAuIPB+1l+BsIcRQnrU3LDtmtZn0KrCHHJ7EHOdogOG+/Pxof8ht1xF7V+HYhhzSRJs2JkvmZsp4q2T7W6b6kfi59Cz3LpqA1HHYcL5/OFZeLA/TlCNke0CRMxG8k3udDKj50jqFATXEa8lNyGLjmWh7tL9Bb/uy+CU47qUdx+V4K+kheAvNFtHfpxmyUGJSY0FH02H1VBPWm10DZ7kH+6jgCKyXuql+yWDw62s=
   on:
     tags: true
     repo: mdsol/mauth-client-ruby
-    condition: $TRAVIS_RUBY_VERSION == 2.7 && $BUNDLE_GEMFILE == $TRAVIS_BUILD_DIR/gemfiles/faraday_1.x.gemfile
+    condition: $TRAVIS_RUBY_VERSION == 3.0 && $BUNDLE_GEMFILE == $TRAVIS_BUILD_DIR/gemfiles/faraday_1.x.gemfile

data/CHANGELOG.md

@@ -1,5 +1,18 @@
+## v6.3.0
+- Support Ruby 3.0.
+- Drop support for Ruby < 2.5.0.
+
+## v6.2.1
+- Fix SecurityTokenCacher to not cache tokens forever.
+
+## v6.2.0
+- Drop legacy security token expiry in favor of honoring server cache headers via Faraday HTTP Cache Middleware.
+
+## v6.1.1
+- Replace `URI.escape` with `CGI.escape` in SecurityTokenCacher to suppress "URI.escape is obsolete" warning.
+
 ## v6.1.0
-* Allow Faraday 1.x.
+- Allow Faraday 1.x.
 
 ## v6.0.0
 - Added parsing code to test with mauth-protocol-test-suite.

data/CONTRIBUTING.md

@@ -1,5 +1,22 @@
 # Contributing
 
+## Cloning the Repo
+
+This repo contains the submodule `mauth-protocol-test-suite` so requires a flag when initially cloning in order to clone and init submodules.
+
+```
+git clone --recurse-submodules git@github.com:mdsol/mauth-client-ruby.git
+```
+
+If you have already cloned a version of this repo before the submodule was introduced in version 6.1.2 then run
+
+```
+cd spec/fixtures/mauth-protocol-test-suite
+git submodule update --init
+```
+
+to init the submodule.
+
 ## General Information
 
 * Check out the latest develop to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
@@ -19,14 +36,6 @@ Next, run the tests:
 bundle exec rspec
 ```
 
-# Running mauth-protocol-test-suite
-
-To run the mauth-protocol-test-suite clone the latest test suite onto your machine and place it in the same parent directory as this repo (or supply the ENV var `TEST_SUITE_RELATIVE_PATH` with the path to the test suite relative to this repo). Then run:
-
-```
-bundle exec rspec --tag protocol_suite
-```
-
 ## Running Benchmark
 
 If you make changes which could affect performance, please run the benchmark before and after the change as a sanity check.

data/doc/implementations.md

@@ -4,8 +4,7 @@
 - Clojure: [clojure-mauth-client](https://github.com/mdsol/clojure-mauth-client)
 - Go: [go-mauth-client](https://github.com/mdsol/go-mauth-client)
 - Java: [mauth-jvm-clients](https://github.com/mdsol/mauth-jvm-clients)
-- Python:
-  - [requests-mauth](https://github.com/mdsol/requests-mauth)
-  - [flask-mauth](https://github.com/mdsol/flask-mauth)
+- Python: [mauth-client-python](https://github.com/mdsol/mauth-client-python)
 - R: [RMauthClient](https://github.com/mdsol/RMauthClient)
 - Ruby: [mauth-client-ruby](https://github.com/mdsol/mauth-client-ruby)
+- Rust: [mauth-client-rust](https://github.com/mdsol/mauth-client-rust)

data/examples/Gemfile.lock

@@ -1,11 +1,12 @@
 PATH
   remote: ..
   specs:
-    mauth-client (6.1.0)
+    mauth-client (6.3.0)
       addressable (~> 2.0)
       coderay (~> 1.0)
       dice_bag (>= 0.9, < 2.0)
       faraday (>= 0.9, < 2.0)
+      faraday-http-cache (>= 2.0, < 3.0)
       faraday_middleware (>= 0.9, < 2.0)
       rack
       term-ansicolor (~> 1.0)
@@ -13,27 +14,47 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.7.0)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
     coderay (1.1.3)
-    dice_bag (1.4.1)
+    dice_bag (1.6.0)
       diff-lcs (~> 1.0)
       rake
       thor (< 2.0)
     diff-lcs (1.4.4)
-    faraday (1.0.1)
+    faraday (1.8.0)
+      faraday-em_http (~> 1.0)
+      faraday-em_synchrony (~> 1.0)
+      faraday-excon (~> 1.1)
+      faraday-httpclient (~> 1.0.1)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.1)
+      faraday-patron (~> 1.0)
+      faraday-rack (~> 1.0)
       multipart-post (>= 1.2, < 3)
-    faraday_middleware (1.0.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-em_http (1.0.0)
+    faraday-em_synchrony (1.0.0)
+    faraday-excon (1.1.0)
+    faraday-http-cache (2.2.0)
+      faraday (>= 0.8)
+    faraday-httpclient (1.0.1)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.2.0)
+    faraday-patron (1.0.0)
+    faraday-rack (1.0.0)
+    faraday_middleware (1.2.0)
       faraday (~> 1.0)
     multipart-post (2.1.1)
     public_suffix (4.0.6)
     rack (2.2.3)
-    rake (13.0.1)
+    rake (13.0.6)
+    ruby2_keywords (0.0.5)
     sync (0.5.0)
     term-ansicolor (1.7.1)
       tins (~> 1.0)
-    thor (1.0.1)
-    tins (1.25.0)
+    thor (1.1.0)
+    tins (1.29.1)
       sync
 
 PLATFORMS
@@ -44,4 +65,4 @@ DEPENDENCIES
   mauth-client!
 
 BUNDLED WITH
-   2.1.4
+   2.2.29

data/lib/mauth/client/local_authenticator.rb

@@ -53,7 +53,7 @@ module MAuth
       end
 
       def verify_signature_v1!(actual, expected_str_to_sign)
-        actual == Digest::SHA512.hexdigest(expected_str_to_sign)
+        actual == OpenSSL::Digest::SHA512.hexdigest(expected_str_to_sign)
       end
 
       def signature_valid_v2!(object)

data/lib/mauth/client/security_token_cacher.rb

@@ -1,68 +1,63 @@
+require 'faraday-http-cache'
+require 'mauth/faraday'
+
 module MAuth
   class Client
     module LocalAuthenticator
       class SecurityTokenCacher
 
-        class ExpirableSecurityToken < Struct.new(:security_token, :create_time)
-          CACHE_LIFE = 60
-          def expired?
-            create_time + CACHE_LIFE < Time.now
-          end
-        end
-
         def initialize(mauth_client)
           @mauth_client = mauth_client
           # TODO: should this be UnableToSignError?
-          @mauth_client.assert_private_key(UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!"))
-          @cache = {}
-          require 'thread'
-          @cache_write_lock = Mutex.new
+          @mauth_client.assert_private_key(
+            UnableToAuthenticateError.new("Cannot fetch public keys from mAuth service without a private key!")
+          )
         end
 
         def get(app_uuid)
-          if !@cache[app_uuid] || @cache[app_uuid].expired?
-            # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
-            # app_uuid - probably not exploitable, but this is the right way to do it anyway.
-            # use UNRESERVED instead of UNSAFE (the default) as UNSAFE doesn't include /
-            url_encoded_app_uuid = URI.escape(app_uuid, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
-            begin
-              response = signed_mauth_connection.get("/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json")
-            rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
-              msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
-              @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
-              raise UnableToAuthenticateError, msg
-            end
-            if response.status == 200
-              begin
-                security_token = JSON.parse(response.body)
-              rescue JSON::ParserError => e
-                msg =  "mAuth service responded with unparseable json: #{response.body}\n#{e.class}: #{e.message}"
-                @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
-                raise UnableToAuthenticateError, msg
-              end
-              @cache_write_lock.synchronize do
-                @cache[app_uuid] = ExpirableSecurityToken.new(security_token, Time.now)
-              end
-            elsif response.status == 404
-              # signing with a key mAuth doesn't know about is considered inauthentic
-              raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
-            else
-              @mauth_client.send(:mauth_service_response_error, response)
-            end
+          # url-encode the app_uuid to prevent trickery like escaping upward with ../../ in a malicious
+          # app_uuid - probably not exploitable, but this is the right way to do it anyway.
+          url_encoded_app_uuid = CGI.escape(app_uuid)
+          path = "/mauth/#{@mauth_client.mauth_api_version}/security_tokens/#{url_encoded_app_uuid}.json"
+          response = signed_mauth_connection.get(path)
+
+          case response.status
+          when 200
+            security_token_from(response.body)
+          when 404
+            # signing with a key mAuth doesn't know about is considered inauthentic
+            raise InauthenticError, "mAuth service responded with 404 looking up public key for #{app_uuid}"
+          else
+            @mauth_client.send(:mauth_service_response_error, response)
           end
-          @cache[app_uuid].security_token
+        rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
+          msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
+          @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          raise UnableToAuthenticateError, msg
         end
 
         private
 
+        def security_token_from(response_body)
+          JSON.parse response_body
+        rescue JSON::ParserError => e
+          msg =  "mAuth service responded with unparseable json: #{response_body}\n#{e.class}: #{e.message}"
+          @mauth_client.logger.error("Unable to authenticate with MAuth. Exception #{msg}")
+          raise UnableToAuthenticateError, msg
+        end
+
         def signed_mauth_connection
-          require 'faraday'
-          require 'mauth/faraday'
-          @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path } if @mauth_client.ssl_certs_path
-          @signed_mauth_connection ||= ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
-            builder.use MAuth::Faraday::MAuthClientUserAgent
-            builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
-            builder.adapter ::Faraday.default_adapter
+          @signed_mauth_connection ||= begin
+            if @mauth_client.ssl_certs_path
+              @mauth_client.faraday_options[:ssl] = { ca_path: @mauth_client.ssl_certs_path }
+            end
+
+            ::Faraday.new(@mauth_client.mauth_baseurl, @mauth_client.faraday_options) do |builder|
+              builder.use MAuth::Faraday::MAuthClientUserAgent
+              builder.use MAuth::Faraday::RequestSigner, 'mauth_client' => @mauth_client
+              builder.use :http_cache, logger: MAuth::Client.new.logger, shared_cache: false
+              builder.adapter ::Faraday.default_adapter
+            end
           end
         end
       end

data/lib/mauth/client/signer.rb

@@ -56,7 +56,7 @@ module MAuth
 
       def signature_v1(string_to_sign)
         assert_private_key(UNABLE_TO_SIGN_ERR)
-        hashed_string_to_sign = Digest::SHA512.hexdigest(string_to_sign)
+        hashed_string_to_sign = OpenSSL::Digest::SHA512.hexdigest(string_to_sign)
         Base64.encode64(private_key.private_encrypt(hashed_string_to_sign)).delete("\n")
       end
 

data/lib/mauth/request_and_response.rb

@@ -1,4 +1,4 @@
-require 'digest'
+require 'openssl'
 require 'addressable'
 
 module MAuth
@@ -61,7 +61,7 @@ module MAuth
       # memoization of body_digest to avoid hashing three times when we call
       # string_to_sign_v2 three times in client#signature_valid_v2!
       # note that if :body is nil we hash an empty string ('')
-      attrs_with_overrides[:body_digest] ||= Digest::SHA512.hexdigest(attrs_with_overrides[:body] || '')
+      attrs_with_overrides[:body_digest] ||= OpenSSL::Digest::SHA512.hexdigest(attrs_with_overrides[:body] || '')
       attrs_with_overrides[:encoded_query_params] = unescape_encode_query_string(attrs_with_overrides[:query_string] || '')
       attrs_with_overrides[:request_url] = normalize_path(attrs_with_overrides[:request_url])
 

data/lib/mauth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MAuth
-  VERSION = '6.1.0'
+  VERSION = '6.3.0'
 end

data/mauth-client.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
   spec.description   = 'Client for signing and authentication of requests and responses with mAuth authentication. Includes middleware for Rack and Faraday for incoming and outgoing requests and responses.'
   spec.homepage      = 'https://github.com/mdsol/mauth-client-ruby'
   spec.license       = 'MIT'
-  spec.required_ruby_version = '>= 2.3.0'
+  spec.required_ruby_version = '>= 2.5.0'
 
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'faraday', '>= 0.9', '< 2.0'
   spec.add_dependency 'faraday_middleware', '>= 0.9', '< 2.0'
+  spec.add_dependency 'faraday-http-cache', '>= 2.0', '< 3.0'
   spec.add_dependency 'term-ansicolor', '~> 1.0'
   spec.add_dependency 'coderay', '~> 1.0'
   spec.add_dependency 'rack'
@@ -35,4 +36,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'simplecov', '~> 0.16'
   spec.add_development_dependency 'timecop', '~> 0.9'
   spec.add_development_dependency 'benchmark-ips', '~> 2.7'
+  spec.add_development_dependency 'webmock', '~> 3.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mauth-client
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 6.3.0
 platform: ruby
 authors:
 - Matthew Szenher
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-09-10 00:00:00.000000000 Z
+date: 2021-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -53,6 +53,26 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: faraday-http-cache
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: term-ansicolor
   requirement: !ruby/object:Gem::Requirement
@@ -255,6 +275,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description: Client for signing and authentication of requests and responses with
   mAuth authentication. Includes middleware for Rack and Faraday for incoming and
   outgoing requests and responses.
@@ -268,6 +302,7 @@ extra_rdoc_files: []
 files:
 - ".fossa.yml"
 - ".gitignore"
+- ".gitmodules"
 - ".rspec"
 - ".travis.yml"
 - ".yardopts"
@@ -327,14 +362,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.8
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Sign and authenticate requests and responses with mAuth authentication.