mauth-client 6.4.3 → 7.0.0

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mauth-client
 version: !ruby/object:Gem::Version
-  version: 6.4.3
+  version: 7.0.0
 platform: ruby
 authors:
 - Matthew Szenher
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-10-07 00:00:00.000000000 Z
+date: 2023-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -41,26 +41,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: dice_bag
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0.9'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '2.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0.9'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -129,188 +109,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: appraisal
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: benchmark-ips
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.7'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.17'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.17'
-- !ruby/object:Gem::Dependency
-  name: byebug
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rack-test
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '12.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '12.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.8'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.8'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.25.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.25.1
-- !ruby/object:Gem::Dependency
-  name: rubocop-mdsol
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.1'
-- !ruby/object:Gem::Dependency
-  name: rubocop-performance
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.13.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 1.13.2
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.16'
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.9'
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 description: Client for signing and authentication of requests and responses with
   mAuth authentication. Includes middleware for Rack and Faraday for incoming and
   outgoing requests and responses.
@@ -337,15 +135,13 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- UPGRADE_GUIDE.md
 - doc/implementations.md
 - doc/mauth-client_CLI.md
 - doc/mauth-proxy.md
-- doc/mauth.yml.md
 - examples/Gemfile
-- examples/Gemfile.lock
 - examples/README.md
-- examples/config.yml
-- examples/get_user_info.rb
+- examples/get_country_info.rb
 - examples/mauth_key
 - exe/mauth-client
 - exe/mauth-proxy
@@ -355,16 +151,11 @@ files:
 - lib/mauth-client.rb
 - lib/mauth/autoload.rb
 - lib/mauth/client.rb
-- lib/mauth/client/authenticator_base.rb
-- lib/mauth/client/local_authenticator.rb
-- lib/mauth/client/remote_authenticator.rb
+- lib/mauth/client/authenticator.rb
 - lib/mauth/client/security_token_cacher.rb
 - lib/mauth/client/signer.rb
+- lib/mauth/config_env.rb
 - lib/mauth/core_ext.rb
-- lib/mauth/dice_bag/mauth.rb.dice
-- lib/mauth/dice_bag/mauth.yml.dice
-- lib/mauth/dice_bag/mauth_key.dice
-- lib/mauth/dice_bag/mauth_templates.rb
 - lib/mauth/errors.rb
 - lib/mauth/fake/rack.rb
 - lib/mauth/faraday.rb
@@ -388,7 +179,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/doc/mauth.yml.md

@@ -1,84 +0,0 @@
-# mauth.yml
-
-The conventional way to configure MAuth-Client for your project is through a YAML file which lives in your project at `config/mauth.yml`.
-It is keyed on environment, and for the most part its contents are passed directly to instantiate an MAuth::Client.
-See the documentation for [MAuth::Client#initialize](../lib/mauth/client.rb) for more details of what it accepts.
-
-## Generating keys
-
-To generate a private key (`mauth_key`) and its public counterpart (`mauth_key.pub`) run:
-
-```
-openssl genrsa -out mauth_key 2048
-openssl rsa -in mauth_key -pubout -out mauth_key.pub
-```
-
-## Format
-
-```yaml
-common: &common
-  mauth_baseurl: https://mauth-innovate.imedidata.com
-  mauth_api_version: v1
-  app_uuid: 123we997-0333-44d8-8fCf-5dd555c5bd51
-  private_key: |
-    -----BEGIN RSA PRIVATE KEY-----
-    AIIEowIBAAKCAQEAwLYWYcKrCAl7uWVlkwzBcBXRiRREqGYLXEnRGgDrlqbY+lDg
-    gwMNga3ylckui/rTUZhtefx1MLtxgnTGiil45eleoJgjdfsOO5yXzUA46KW0cuL4
-    ...
-    oEKe4QKBgFNbVJp3Zut83MzpN4Zu7/wZ/+q9ds9WMMxWb4hUugKQTPjsgj+8tCqa
-    SIY2exfsy7Y8NoOnBPlGiXKhgaF21T8kqV9C7R6OAuP0U6CgMJnINx/UjozvBENH
-    Ux45QdvRd6vai8nHp7AgV7rr55SxXAZVgATll84uBUpfpmC6YK/j
-    -----END RSA PRIVATE KEY-----
-  v2_only_authenticate: false
-  v2_only_sign_requests: false
-  disable_fallback_to_v1_on_v2_failure: true
-
-production:
-  <<: *common
-development:
-  <<: *common
-test:
-  <<: *common
-```
-
-Optionally you can load the private key from a file:
-
-```yaml
-common: &common
-  mauth_baseurl: https://mauth-innovate.imedidata.com
-  mauth_api_version: v1
-  app_uuid: 123we997-0333-44d8-8fCf-5dd555c5bd51
-  private_key_file: config/my_mauth_private.key
-  v2_only_authenticate: false
-  v2_only_sign_requests: false
-  disable_fallback_to_v1_on_v2_failure: true
-  v1_only_sign_requests: false
-
-production:
-  <<: *common
-development:
-  <<: *common
-test:
-  <<: *common
-```
-
-## Configuration options
-
-- `private_key` - Required for signing and for authenticating responses. May be omitted if only remote authentication of requests is being performed.
-- `private_key_file` - May be used instead of `private_key`, mauth-client will load the file instead.
-- `app_uuid` - Required in the same circumstances where a `private_key` is required.
-- `mauth_baseurl` - Required for authentication but not for signing. Needed for local authentication to retrieve public keys and for remote authentication. Usually this is `https://mauth.imedidata.com` for production.
-- `mauth_api_version` - Required for authentication but not for signing. only `v1` exists as of this writing.
-- `v2_only_sign_requests` - If true, all outgoing requests will be signed with only the V2 protocol. Defaults to false.
-- `v2_only_authenticate` - If true, any incoming request or incoming response that does not use the V2 protocol will be rejected. Defaults to false.
-- `disable_fallback_to_v1_on_v2_failure` - If true, any incoming V2 requests that fail authentication will not fall back to V1 authentication. Defaults to false.
-- `v1_only_sign_requests` - If true, all outgoing requests will be signed with only the V1 protocol. Defaults to true. Note, cannot be `true` if `v2_only_sign_requests` is also `true`.
-
-## Usage in your application
-
-Load mauth.yml, merge in any other configuration that is needed for your usage, and pass the config along to instantiate a `MAuth::Client` or a middleware.
-See the [README](../README.md) for more detail.
-
-## Usage in MAuth-Client executables (mauth-client, mauth-proxy)
-
-See the [MAuth-Client CLI Tool doc](./mauth-client_CLI.md#configuration).

data/examples/Gemfile.lock

@@ -1,69 +0,0 @@
-PATH
-  remote: ..
-  specs:
-    mauth-client (6.4.3)
-      addressable (~> 2.0)
-      coderay (~> 1.0)
-      dice_bag (>= 0.9, < 2.0)
-      faraday (>= 0.9, < 3.0)
-      faraday-http-cache (>= 2.0, < 3.0)
-      rack (> 2.2.3)
-      term-ansicolor (~> 1.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
-    coderay (1.1.3)
-    dice_bag (1.6.1)
-      diff-lcs (~> 1.0)
-      rake
-      thor (< 2.0)
-    diff-lcs (1.5.0)
-    faraday (1.10.2)
-      faraday-em_http (~> 1.0)
-      faraday-em_synchrony (~> 1.0)
-      faraday-excon (~> 1.1)
-      faraday-httpclient (~> 1.0)
-      faraday-multipart (~> 1.0)
-      faraday-net_http (~> 1.0)
-      faraday-net_http_persistent (~> 1.0)
-      faraday-patron (~> 1.0)
-      faraday-rack (~> 1.0)
-      faraday-retry (~> 1.0)
-      ruby2_keywords (>= 0.0.4)
-    faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
-    faraday-excon (1.1.0)
-    faraday-http-cache (2.4.1)
-      faraday (>= 0.8)
-    faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
-    faraday-net_http (1.0.1)
-    faraday-net_http_persistent (1.2.0)
-    faraday-patron (1.0.0)
-    faraday-rack (1.0.0)
-    faraday-retry (1.0.3)
-    multipart-post (2.2.3)
-    public_suffix (5.0.0)
-    rack (3.0.0)
-    rake (13.0.6)
-    ruby2_keywords (0.0.5)
-    sync (0.5.0)
-    term-ansicolor (1.7.1)
-      tins (~> 1.0)
-    thor (1.2.1)
-    tins (1.31.1)
-      sync
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  faraday (~> 1.0)
-  mauth-client!
-
-BUNDLED WITH
-   2.2.29

data/examples/config.yml

@@ -1,12 +0,0 @@
-imedidata:
-  host: https://innovate.imedidata.com
-
-mauth:
-  mauth_baseurl: https://mauth-innovate.imedidata.com
-  mauth_api_version: v1
-  app_uuid: <APP UUID>
-  private_key_file: ./mauth_key
-  v2_only_authenticate: false
-  v2_only_sign_requests: false
-  disable_fallback_to_v1_on_v2_failure: true
-  v1_only_sign_requests: false

data/examples/get_user_info.rb

@@ -1,58 +0,0 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-
-abort "USAGE: ./#{__FILE__} <USER UUID>" unless ARGV.size == 1
-
-require 'bundler/setup'
-Bundler.require(:default)
-
-def config
-  @config ||= YAML.safe_load(File.open('./config.yml'))
-end
-
-# get user information
-def get_user_info_mauth(user_uuid)
-  get_data_from_imedidata "users/#{user_uuid}.json"
-end
-
-# fetch data from iMedidata
-def get_data_from_imedidata(resource_name)
-  puts "fetching #{resource_name}..."
-  begin
-    connection = Faraday::Connection.new(url: config['imedidata']['host']) do |builder|
-      builder.use MAuth::Faraday::RequestSigner, config['mauth']
-      builder.adapter Faraday.default_adapter
-    end
-
-    # get the data
-    response = connection.get "/api/v2/#{resource_name}"
-    puts "HTTP #{response.status}"
-
-    # return the user info
-    if response.status == 200
-      result = JSON.parse(response.body)
-      puts JSON.pretty_generate(result)
-      result
-    else
-      puts response.body
-      nil
-    end
-  rescue JSON::ParserError => e
-    puts "Error parsing data from imedidata: #{e.inspect}"
-    puts e.backtrace.join("\n")
-  end
-end
-
-get_user_info_mauth(ARGV[0])
-
-### OTHER EXAMPLES
-
-#### get study groups for an user
-def get_study_groups_mauth(user_uuid)
-  get_data_from_imedidata "users/#{user_uuid}/study_groups.json"
-end
-
-#### get roles for a user in an application study
-def get_user_study_roles_mauth(user_uuid, study_uuid)
-  get_data_from_imedidata "users/#{user_uuid}/studies/#{study_uuid}/apps/#{config["mauth"]["app_uuid"]}/roles.json"
-end

data/lib/mauth/client/authenticator_base.rb

@@ -1,133 +0,0 @@
-# frozen_string_literal: true
-
-# methods common to RemoteRequestAuthenticator and LocalAuthenticator
-
-module MAuth
-  class Client
-    module AuthenticatorBase
-      ALLOWED_DRIFT_SECONDS = 300
-
-      # takes an incoming request or response object, and returns whether
-      # the object is authentic according to its signature.
-      def authentic?(object)
-        log_authentication_request(object)
-        begin
-          authenticate!(object)
-          true
-        rescue InauthenticError, MAuthNotPresent, MissingV2Error
-          false
-        end
-      end
-
-      # raises InauthenticError unless the given object is authentic. Will only
-      # authenticate with v2 if the environment variable V2_ONLY_AUTHENTICATE
-      # is set. Otherwise will fall back to v1 when v2 authentication fails
-      def authenticate!(object)
-        case object.protocol_version
-        when 2
-          begin
-            authenticate_v2!(object)
-          rescue InauthenticError => e
-            raise e if v2_only_authenticate?
-            raise e if disable_fallback_to_v1_on_v2_failure?
-
-            object.fall_back_to_mws_signature_info
-            raise e unless object.signature
-
-            log_authentication_request(object)
-            authenticate_v1!(object)
-            logger.warn('Completed successful authentication attempt after fallback to v1')
-          end
-        when 1
-          if v2_only_authenticate?
-            # If v2 is required but not present and v1 is present we raise MissingV2Error
-            msg = 'This service requires mAuth v2 mcc-authentication header but only v1 x-mws-authentication is present'
-            logger.error(msg)
-            raise MissingV2Error, msg
-          end
-
-          authenticate_v1!(object)
-        else
-          sub_str = v2_only_authenticate? ? '' : 'X-MWS-Authentication header is blank, '
-          msg = "Authentication Failed. No mAuth signature present; #{sub_str}MCC-Authentication header is blank."
-          logger.warn("mAuth signature not present on #{object.class}. Exception: #{msg}")
-          raise MAuthNotPresent, msg
-        end
-      end
-
-      private
-
-      # NOTE: This log is likely consumed downstream and the contents SHOULD NOT
-      # be changed without a thorough review of downstream consumers.
-      def log_authentication_request(object)
-        object_app_uuid = object.signature_app_uuid || '[none provided]'
-        object_token = object.signature_token || '[none provided]'
-        logger.info(
-          'Mauth-client attempting to authenticate request from app with mauth' \
-          " app uuid #{object_app_uuid} to app with mauth app uuid #{client_app_uuid}" \
-          " using version #{object_token}."
-        )
-      end
-
-      def log_inauthentic(object, message)
-        logger.error("mAuth signature authentication failed for #{object.class}. Exception: #{message}")
-      end
-
-      def time_within_valid_range!(object, time_signed, now = Time.now)
-        return if (-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - time_signed)
-
-        msg = "Time verification failed. #{time_signed} not within #{ALLOWED_DRIFT_SECONDS} of #{now}"
-        log_inauthentic(object, msg)
-        raise InauthenticError, msg
-      end
-
-      # V1 helpers
-      def authenticate_v1!(object)
-        time_valid_v1!(object)
-        token_valid_v1!(object)
-        signature_valid_v1!(object)
-      end
-
-      def time_valid_v1!(object)
-        if object.x_mws_time.nil?
-          msg = 'Time verification failed. No x-mws-time present.'
-          log_inauthentic(object, msg)
-          raise InauthenticError, msg
-        end
-        time_within_valid_range!(object, object.x_mws_time.to_i)
-      end
-
-      def token_valid_v1!(object)
-        return if object.signature_token == MWS_TOKEN
-
-        msg = "Token verification failed. Expected #{MWS_TOKEN}; token was #{object.signature_token}"
-        log_inauthentic(object, msg)
-        raise InauthenticError, msg
-      end
-
-      # V2 helpers
-      def authenticate_v2!(object)
-        time_valid_v2!(object)
-        token_valid_v2!(object)
-        signature_valid_v2!(object)
-      end
-
-      def time_valid_v2!(object)
-        if object.mcc_time.nil?
-          msg = 'Time verification failed. No MCC-Time present.'
-          log_inauthentic(object, msg)
-          raise InauthenticError, msg
-        end
-        time_within_valid_range!(object, object.mcc_time.to_i)
-      end
-
-      def token_valid_v2!(object)
-        return if object.signature_token == MWSV2_TOKEN
-
-        msg = "Token verification failed. Expected #{MWSV2_TOKEN}; token was #{object.signature_token}"
-        log_inauthentic(object, msg)
-        raise InauthenticError, msg
-      end
-    end
-  end
-end