mauth-client 6.4.3 → 7.0.0

data/lib/mauth/client/{local_authenticator.rb → authenticator.rb}

@@ -4,14 +4,135 @@ require 'mauth/client/security_token_cacher'
 require 'mauth/client/signer'
 require 'openssl'
 
-# methods to verify the authenticity of signed requests and responses locally, retrieving
-# public keys from the mAuth service as needed
+# methods to verify the authenticity of signed requests and responses
 
 module MAuth
   class Client
-    module LocalAuthenticator
+    module Authenticator
+      ALLOWED_DRIFT_SECONDS = 300
+
+      # takes an incoming request or response object, and returns whether
+      # the object is authentic according to its signature.
+      def authentic?(object)
+        log_authentication_request(object)
+        begin
+          authenticate!(object)
+          true
+        rescue InauthenticError, MAuthNotPresent, MissingV2Error
+          false
+        end
+      end
+
+      # raises InauthenticError unless the given object is authentic. Will only
+      # authenticate with v2 if the environment variable V2_ONLY_AUTHENTICATE
+      # is set. Otherwise will fall back to v1 when v2 authentication fails
+      def authenticate!(object)
+        case object.protocol_version
+        when 2
+          begin
+            authenticate_v2!(object)
+          rescue InauthenticError => e
+            raise e if v2_only_authenticate?
+            raise e if disable_fallback_to_v1_on_v2_failure?
+
+            object.fall_back_to_mws_signature_info
+            raise e unless object.signature
+
+            log_authentication_request(object)
+            authenticate_v1!(object)
+            logger.warn('Completed successful authentication attempt after fallback to v1')
+          end
+        when 1
+          if v2_only_authenticate?
+            # If v2 is required but not present and v1 is present we raise MissingV2Error
+            msg = 'This service requires mAuth v2 mcc-authentication header but only v1 x-mws-authentication is present'
+            logger.error(msg)
+            raise MissingV2Error, msg
+          end
+
+          authenticate_v1!(object)
+        else
+          sub_str = v2_only_authenticate? ? '' : 'X-MWS-Authentication header is blank, '
+          msg = "Authentication Failed. No mAuth signature present; #{sub_str}MCC-Authentication header is blank."
+          logger.warn("mAuth signature not present on #{object.class}. Exception: #{msg}")
+          raise MAuthNotPresent, msg
+        end
+      end
+
       private
 
+      # NOTE: This log is likely consumed downstream and the contents SHOULD NOT
+      # be changed without a thorough review of downstream consumers.
+      def log_authentication_request(object)
+        object_app_uuid = object.signature_app_uuid || '[none provided]'
+        object_token = object.signature_token || '[none provided]'
+        logger.info(
+          'Mauth-client attempting to authenticate request from app with mauth ' \
+          "app uuid #{object_app_uuid} to app with mauth app uuid #{client_app_uuid} " \
+          "using version #{object_token}."
+        )
+      end
+
+      def log_inauthentic(object, message)
+        logger.error("mAuth signature authentication failed for #{object.class}. Exception: #{message}")
+      end
+
+      def time_within_valid_range!(object, time_signed, now = Time.now)
+        return if (-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - time_signed)
+
+        msg = "Time verification failed. #{time_signed} not within #{ALLOWED_DRIFT_SECONDS} of #{now}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+
+      # V1 helpers
+      def authenticate_v1!(object)
+        time_valid_v1!(object)
+        token_valid_v1!(object)
+        signature_valid_v1!(object)
+      end
+
+      def time_valid_v1!(object)
+        if object.x_mws_time.nil?
+          msg = 'Time verification failed. No x-mws-time present.'
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+        time_within_valid_range!(object, object.x_mws_time.to_i)
+      end
+
+      def token_valid_v1!(object)
+        return if object.signature_token == MWS_TOKEN
+
+        msg = "Token verification failed. Expected #{MWS_TOKEN}; token was #{object.signature_token}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+
+      # V2 helpers
+      def authenticate_v2!(object)
+        time_valid_v2!(object)
+        token_valid_v2!(object)
+        signature_valid_v2!(object)
+      end
+
+      def time_valid_v2!(object)
+        if object.mcc_time.nil?
+          msg = 'Time verification failed. No MCC-Time present.'
+          log_inauthentic(object, msg)
+          raise InauthenticError, msg
+        end
+        time_within_valid_range!(object, object.mcc_time.to_i)
+      end
+
+      def token_valid_v2!(object)
+        return if object.signature_token == MWSV2_TOKEN
+
+        msg = "Token verification failed. Expected #{MWSV2_TOKEN}; token was #{object.signature_token}"
+        log_inauthentic(object, msg)
+        raise InauthenticError, msg
+      end
+
       def signature_valid_v1!(object)
         # We are in an unfortunate situation in which Euresource is percent-encoding parts of paths, but not
         # all of them.  In particular, Euresource is percent-encoding all special characters save for '/'.

data/lib/mauth/client/security_token_cacher.rb

@@ -5,7 +5,7 @@ require 'mauth/faraday'
 
 module MAuth
   class Client
-    module LocalAuthenticator
+    module Authenticator
       class SecurityTokenCacher
         def initialize(mauth_client)
           @mauth_client = mauth_client

data/lib/mauth/client.rb

@@ -7,12 +7,10 @@ require 'json'
 require 'yaml'
 require 'mauth/core_ext'
 require 'mauth/autoload'
-require 'mauth/dice_bag/mauth_templates'
 require 'mauth/version'
-require 'mauth/client/authenticator_base'
-require 'mauth/client/local_authenticator'
-require 'mauth/client/remote_authenticator'
+require 'mauth/client/authenticator'
 require 'mauth/client/signer'
+require 'mauth/config_env'
 require 'mauth/errors'
 
 module MAuth
@@ -31,66 +29,22 @@ module MAuth
     AUTH_HEADER_DELIMITER = ';'
     RACK_ENV_APP_UUID_KEY = 'mauth.app_uuid'
 
-    include AuthenticatorBase
+    include Authenticator
     include Signer
 
     # returns a configuration (to be passed to MAuth::Client.new) which is configured from information stored in
     # standard places. all of which is overridable by options in case some defaults do not apply.
     #
     # options (may be symbols or strings) - any or all may be omitted where your usage conforms to the defaults.
-    # - root: the path relative to which this method looks for configuration yaml files. defaults to Rails.root
-    #   if ::Rails is defined, otherwise ENV['RAILS_ROOT'], ENV['RACK_ROOT'], ENV['APP_ROOT'], or '.'
-    # - environment: the environment, pertaining to top-level keys of the configuration yaml files. by default,
-    #   tries Rails.environment, ENV['RAILS_ENV'], and ENV['RACK_ENV'], and falls back to 'development' if none
-    #   of these are set.
-    # - mauth_config - MAuth configuration. defaults to load this from a yaml file (see mauth_config_yml option)
-    #   which is assumed to be keyed with the environment at the root. if this is specified, no yaml file is
-    #   loaded, and the given config is passed through with any other defaults applied. at the moment, the only
-    #   other default is to set the logger.
-    # - mauth_config_yml - specifies where a mauth configuration yaml file can be found. by default checks
-    #   ENV['MAUTH_CONFIG_YML'] or a file 'config/mauth.yml' relative to the root.
+    # - mauth_config - MAuth configuration. defaults to load this from environment variables. if this is specified,
+    #   no environment variable is loaded, and the given config is passed through with any other defaults applied.
+    #   at the moment, the only other default is to set the logger.
     # - logger - by default checks ::Rails.logger
     def self.default_config(options = {})
       options = options.stringify_symbol_keys
 
-      # find the app_root (relative to which we look for yaml files). note that this
-      # is different than MAuth::Client.root, the root of the mauth-client library.
-      app_root = options['root'] || begin
-        if Object.const_defined?(:Rails) && ::Rails.respond_to?(:root) && ::Rails.root
-          Rails.root
-        else
-          ENV['RAILS_ROOT'] || ENV['RACK_ROOT'] || ENV['APP_ROOT'] || '.'
-        end
-      end
-
-      # find the environment (with which yaml files are keyed)
-      env = options['environment'] || begin
-        if Object.const_defined?(:Rails) && ::Rails.respond_to?(:environment)
-          Rails.environment
-        else
-          ENV['RAILS_ENV'] || ENV['RACK_ENV'] || 'development'
-        end
-      end
-
-      # find mauth config, given on options, or in a file at
-      # ENV['MAUTH_CONFIG_YML'] or config/mauth.yml in the app_root
-      mauth_config = options['mauth_config'] || begin
-        mauth_config_yml = options['mauth_config_yml']
-        mauth_config_yml ||= ENV['MAUTH_CONFIG_YML']
-        default_loc = 'config/mauth.yml'
-        default_yml = File.join(app_root, default_loc)
-        mauth_config_yml ||= default_yml if File.exist?(default_yml)
-        if mauth_config_yml && File.exist?(mauth_config_yml)
-          whole_config = ConfigFile.load(mauth_config_yml)
-          errmessage = "#{mauth_config_yml} config has no key #{env} - it has keys #{whole_config.keys.inspect}"
-          whole_config[env] || raise(MAuth::Client::ConfigurationError, errmessage)
-        else
-          raise MAuth::Client::ConfigurationError,
-            'could not find mauth config yaml file. this file may be ' \
-            "placed in #{default_loc}, specified with the mauth_config_yml option, or specified with the " \
-            'MAUTH_CONFIG_YML environment variable.'
-        end
-      end
+      # find mauth config
+      mauth_config = options['mauth_config'] || ConfigEnv.load
 
       unless mauth_config.key?('logger')
         # the logger. Rails.logger if it exists, otherwise, no logger
@@ -106,18 +60,13 @@ module MAuth
 
     # new client with the given App UUID and public key. config may include the following (all
     # config keys may be strings or symbols):
-    # - private_key - required for signing and for authenticating responses. may be omitted if
-    #   only remote authentication of requests is being performed (with
-    #   MAuth::Rack::RequestAuthenticator). may be given as a string or a OpenSSL::PKey::RSA
-    #   instance.
+    # - private_key - required for signing and for authenticating responses.
+    #   may be given as a string or a OpenSSL::PKey::RSA instance.
     # - app_uuid - required in the same circumstances where a private_key is required
-    # - mauth_baseurl - required. needed for local authentication to retrieve public keys; needed
-    #   for remote authentication for hopefully obvious reasons.
+    # - mauth_baseurl - required. needed to retrieve public keys.
     # - mauth_api_version - required. only 'v1' exists / is supported as of this writing.
     # - logger - a Logger to which any useful information will be written. if this is omitted and
     #   Rails.logger exists, that will be used.
-    # - authenticator - this pretty much never needs to be specified. LocalAuthenticator or
-    #   RemoteRequestAuthenticator will be used as appropriate.
     def initialize(config = {})
       # stringify symbol keys
       given_config = config.stringify_symbol_keys
@@ -159,25 +108,13 @@ module MAuth
       @config['ssl_certs_path'] = given_config['ssl_certs_path'] if given_config['ssl_certs_path']
       @config['v2_only_authenticate'] = given_config['v2_only_authenticate'].to_s.casecmp('true').zero?
       @config['v2_only_sign_requests'] = given_config['v2_only_sign_requests'].to_s.casecmp('true').zero?
-      @config['disable_fallback_to_v1_on_v2_failure'] =
-        given_config['disable_fallback_to_v1_on_v2_failure'].to_s.casecmp('true').zero?
       @config['v1_only_sign_requests'] = given_config['v1_only_sign_requests'].to_s.casecmp('true').zero?
-
       if @config['v2_only_sign_requests'] && @config['v1_only_sign_requests']
         raise MAuth::Client::ConfigurationError, 'v2_only_sign_requests and v1_only_sign_requests may not both be true'
       end
 
-      # if 'authenticator' was given, don't override that - including if it was given as nil / false
-      if given_config.key?('authenticator')
-        @config['authenticator'] = given_config['authenticator']
-      elsif client_app_uuid && private_key
-        @config['authenticator'] = LocalAuthenticator
-      # MAuth::Client can authenticate locally if it's provided a client_app_uuid and private_key
-      else
-        # otherwise, it will authenticate remotely (requests only)
-        @config['authenticator'] = RemoteRequestAuthenticator
-      end
-      extend @config['authenticator'] if @config['authenticator']
+      @config['disable_fallback_to_v1_on_v2_failure'] =
+        given_config['disable_fallback_to_v1_on_v2_failure'].to_s.casecmp('true').zero?
     end
 
     def logger
@@ -246,27 +183,4 @@ module MAuth
       hash
     end
   end
-
-  module ConfigFile
-    GITHUB_URL = 'https://github.com/mdsol/mauth-client-ruby'
-    @config = {}
-
-    def self.load(path)
-      unless File.exist?(path)
-        raise "File #{path} not found. Please visit #{GITHUB_URL} for details."
-      end
-
-      @config[path] ||= yaml_safe_load_file(path)
-      unless @config[path]
-        raise "File #{path} does not contain proper YAML information. Visit #{GITHUB_URL} for details."
-      end
-
-      @config[path]
-    end
-
-    def self.yaml_safe_load_file(path)
-      yml_data = File.read(path)
-      YAML.safe_load(yml_data, aliases: true)
-    end
-  end
 end

data/lib/mauth/config_env.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module MAuth
+  class ConfigEnv
+    GITHUB_URL = 'https://github.com/mdsol/mauth-client-ruby'
+
+    ENV_STUFF = {
+      'MAUTH_URL' => nil,
+      'MAUTH_API_VERSION' => 'v1',
+      'MAUTH_APP_UUID' => nil,
+      'MAUTH_PRIVATE_KEY' => nil,
+      'MAUTH_PRIVATE_KEY_FILE' => 'config/mauth_key',
+      'MAUTH_V2_ONLY_AUTHENTICATE' => false,
+      'MAUTH_V2_ONLY_SIGN_REQUESTS' => false,
+      'MAUTH_DISABLE_FALLBACK_TO_V1_ON_V2_FAILURE' => false,
+      'MAUTH_V1_ONLY_SIGN_REQUESTS' => true
+    }.freeze
+
+    class << self
+      def load
+        validate! if production?
+
+        {
+          'mauth_baseurl' => env[:mauth_url] || 'http://localhost:7000',
+          'mauth_api_version' => env[:mauth_api_version],
+          'app_uuid' => env[:mauth_app_uuid] || 'fb17460e-9868-11e1-8399-0090f5ccb4d3',
+          'private_key' => private_key || generate_private_key,
+          'v2_only_authenticate' => env[:mauth_v2_only_authenticate],
+          'v2_only_sign_requests' => env[:mauth_v2_only_sign_requests],
+          'disable_fallback_to_v1_on_v2_failure' => env[:mauth_disable_fallback_to_v1_on_v2_failure],
+          'v1_only_sign_requests' => env[:mauth_v1_only_sign_requests]
+        }
+      end
+
+      private
+
+      def validate!
+        errors = []
+        errors << 'The MAUTH_URL environment variable must be set' if env[:mauth_url].nil?
+        errors << 'The MAUTH_APP_UUID environment variable must be set' if env[:mauth_app_uuid].nil?
+        errors << 'The MAUTH_PRIVATE_KEY environment variable must be set' if env[:mauth_private_key].nil?
+        return if errors.empty?
+
+        errors.map! { |err| "#{err} => See #{GITHUB_URL}" }
+        errors.unshift('Invalid MAuth Client configuration:')
+        raise errors.join("\n")
+      end
+
+      def env
+        @env ||= ENV_STUFF.each_with_object({}) do |(key, default), hsh|
+          env_key = key.downcase.to_sym
+          hsh[env_key] = ENV.fetch(key, default)
+
+          case default
+          when TrueClass, FalseClass
+            hsh[env_key] = hsh[env_key].to_s.casecmp('true').zero?
+          end
+        end
+      end
+
+      def production?
+        environment.to_s.casecmp('production').zero?
+      end
+
+      def environment
+        return Rails.environment if Object.const_defined?(:Rails) && ::Rails.respond_to?(:environment)
+
+        ENV.fetch('RAILS_ENV') { ENV.fetch('RACK_ENV', 'development') }
+      end
+
+      def private_key
+        return env[:mauth_private_key] if env[:mauth_private_key]
+        return nil unless env[:mauth_private_key_file] && File.readable?(env[:mauth_private_key_file])
+
+        File.read(env[:mauth_private_key_file])
+      end
+
+      def generate_private_key
+        require 'openssl'
+        OpenSSL::PKey::RSA.generate(2048).to_s
+      end
+    end
+  end
+end

data/lib/mauth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MAuth
-  VERSION = '6.4.3'
+  VERSION = '7.0.0'
 end

data/mauth-client.gemspec

@@ -14,7 +14,7 @@ Gem::Specification.new do |spec|
                        'Includes middleware for Rack and Faraday for incoming and outgoing requests and responses.'
   spec.homepage      = 'https://github.com/mdsol/mauth-client-ruby'
   spec.license       = 'MIT'
-  spec.required_ruby_version = '>= 2.6.0'
+  spec.required_ruby_version = '>= 2.7.0'
 
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
@@ -23,23 +23,8 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'addressable', '~> 2.0'
   spec.add_dependency 'coderay', '~> 1.0'
-  spec.add_dependency 'dice_bag', '>= 0.9', '< 2.0'
   spec.add_dependency 'faraday', '>= 0.9', '< 3.0'
   spec.add_dependency 'faraday-http-cache', '>= 2.0', '< 3.0'
   spec.add_dependency 'rack', '> 2.2.3'
   spec.add_dependency 'term-ansicolor', '~> 1.0'
-
-  spec.add_development_dependency 'appraisal'
-  spec.add_development_dependency 'benchmark-ips', '~> 2.7'
-  spec.add_development_dependency 'bundler', '>= 1.17'
-  spec.add_development_dependency 'byebug'
-  spec.add_development_dependency 'rack-test', '~> 1.1.0'
-  spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'rspec', '~> 3.8'
-  spec.add_development_dependency 'rubocop', '= 1.25.1'
-  spec.add_development_dependency 'rubocop-mdsol', '~> 0.1'
-  spec.add_development_dependency 'rubocop-performance', '= 1.13.2'
-  spec.add_development_dependency 'simplecov', '~> 0.16'
-  spec.add_development_dependency 'timecop', '~> 0.9'
-  spec.add_development_dependency 'webmock', '~> 3.0'
 end