mauth-client 6.4.3 → 7.1.0

data/lib/mauth/client/authenticator_base.rb

@@ -1,133 +0,0 @@
-# frozen_string_literal: true
-
-# methods common to RemoteRequestAuthenticator and LocalAuthenticator
-
-module MAuth
-  class Client
-    module AuthenticatorBase
-      ALLOWED_DRIFT_SECONDS = 300
-
-      # takes an incoming request or response object, and returns whether
-      # the object is authentic according to its signature.
-      def authentic?(object)
-        log_authentication_request(object)
-        begin
-          authenticate!(object)
-          true
-        rescue InauthenticError, MAuthNotPresent, MissingV2Error
-          false
-        end
-      end
-
-      # raises InauthenticError unless the given object is authentic. Will only
-      # authenticate with v2 if the environment variable V2_ONLY_AUTHENTICATE
-      # is set. Otherwise will fall back to v1 when v2 authentication fails
-      def authenticate!(object)
-        case object.protocol_version
-        when 2
-          begin
-            authenticate_v2!(object)
-          rescue InauthenticError => e
-            raise e if v2_only_authenticate?
-            raise e if disable_fallback_to_v1_on_v2_failure?
-
-            object.fall_back_to_mws_signature_info
-            raise e unless object.signature
-
-            log_authentication_request(object)
-            authenticate_v1!(object)
-            logger.warn('Completed successful authentication attempt after fallback to v1')
-          end
-        when 1
-          if v2_only_authenticate?
-            # If v2 is required but not present and v1 is present we raise MissingV2Error
-            msg = 'This service requires mAuth v2 mcc-authentication header but only v1 x-mws-authentication is present'
-            logger.error(msg)
-            raise MissingV2Error, msg
-          end
-
-          authenticate_v1!(object)
-        else
-          sub_str = v2_only_authenticate? ? '' : 'X-MWS-Authentication header is blank, '
-          msg = "Authentication Failed. No mAuth signature present; #{sub_str}MCC-Authentication header is blank."
-          logger.warn("mAuth signature not present on #{object.class}. Exception: #{msg}")
-          raise MAuthNotPresent, msg
-        end
-      end
-
-      private
-
-      # NOTE: This log is likely consumed downstream and the contents SHOULD NOT
-      # be changed without a thorough review of downstream consumers.
-      def log_authentication_request(object)
-        object_app_uuid = object.signature_app_uuid || '[none provided]'
-        object_token = object.signature_token || '[none provided]'
-        logger.info(
-          'Mauth-client attempting to authenticate request from app with mauth' \
-          " app uuid #{object_app_uuid} to app with mauth app uuid #{client_app_uuid}" \
-          " using version #{object_token}."
-        )
-      end
-
-      def log_inauthentic(object, message)
-        logger.error("mAuth signature authentication failed for #{object.class}. Exception: #{message}")
-      end
-
-      def time_within_valid_range!(object, time_signed, now = Time.now)
-        return if (-ALLOWED_DRIFT_SECONDS..ALLOWED_DRIFT_SECONDS).cover?(now.to_i - time_signed)
-
-        msg = "Time verification failed. #{time_signed} not within #{ALLOWED_DRIFT_SECONDS} of #{now}"
-        log_inauthentic(object, msg)
-        raise InauthenticError, msg
-      end
-
-      # V1 helpers
-      def authenticate_v1!(object)
-        time_valid_v1!(object)
-        token_valid_v1!(object)
-        signature_valid_v1!(object)
-      end
-
-      def time_valid_v1!(object)
-        if object.x_mws_time.nil?
-          msg = 'Time verification failed. No x-mws-time present.'
-          log_inauthentic(object, msg)
-          raise InauthenticError, msg
-        end
-        time_within_valid_range!(object, object.x_mws_time.to_i)
-      end
-
-      def token_valid_v1!(object)
-        return if object.signature_token == MWS_TOKEN
-
-        msg = "Token verification failed. Expected #{MWS_TOKEN}; token was #{object.signature_token}"
-        log_inauthentic(object, msg)
-        raise InauthenticError, msg
-      end
-
-      # V2 helpers
-      def authenticate_v2!(object)
-        time_valid_v2!(object)
-        token_valid_v2!(object)
-        signature_valid_v2!(object)
-      end
-
-      def time_valid_v2!(object)
-        if object.mcc_time.nil?
-          msg = 'Time verification failed. No MCC-Time present.'
-          log_inauthentic(object, msg)
-          raise InauthenticError, msg
-        end
-        time_within_valid_range!(object, object.mcc_time.to_i)
-      end
-
-      def token_valid_v2!(object)
-        return if object.signature_token == MWSV2_TOKEN
-
-        msg = "Token verification failed. Expected #{MWSV2_TOKEN}; token was #{object.signature_token}"
-        log_inauthentic(object, msg)
-        raise InauthenticError, msg
-      end
-    end
-  end
-end

data/lib/mauth/client/remote_authenticator.rb

@@ -1,85 +0,0 @@
-# frozen_string_literal: true
-
-# methods for remotely authenticating a request by sending it to the mauth service
-
-module MAuth
-  class Client
-    module RemoteRequestAuthenticator
-      private
-
-      # takes an incoming request object (no support for responses currently), and errors if the
-      # object is not authentic according to its signature
-      def signature_valid_v1!(object)
-        unless object.is_a?(MAuth::Request)
-          raise ArgumentError,
-            "Remote Authenticator can only authenticate requests; received #{object.inspect}"
-        end
-
-        authentication_ticket = {
-          'verb' => object.attributes_for_signing[:verb],
-          'app_uuid' => object.signature_app_uuid,
-          'client_signature' => object.signature,
-          'request_url' => object.attributes_for_signing[:request_url],
-          'request_time' => object.x_mws_time,
-          'b64encoded_body' => Base64.encode64(object.attributes_for_signing[:body] || '')
-        }
-        make_mauth_request(authentication_ticket)
-      end
-
-      def signature_valid_v2!(object)
-        unless object.is_a?(MAuth::Request)
-          msg = "Remote Authenticator can only authenticate requests; received #{object.inspect}"
-          raise ArgumentError, msg
-        end
-
-        authentication_ticket = {
-          verb: object.attributes_for_signing[:verb],
-          app_uuid: object.signature_app_uuid,
-          client_signature: object.signature,
-          request_url: object.attributes_for_signing[:request_url],
-          request_time: object.mcc_time,
-          b64encoded_body: Base64.encode64(object.attributes_for_signing[:body] || ''),
-          query_string: object.attributes_for_signing[:query_string],
-          token: object.signature_token
-        }
-        make_mauth_request(authentication_ticket)
-      end
-
-      def make_mauth_request(authentication_ticket)
-        begin
-          request_body = JSON.generate(authentication_ticket: authentication_ticket)
-          response = mauth_connection.post("/mauth/#{mauth_api_version}/authentication_tickets.json", request_body)
-        rescue ::Faraday::ConnectionFailed, ::Faraday::TimeoutError => e
-          msg = "mAuth service did not respond; received #{e.class}: #{e.message}"
-          logger.error("Unable to authenticate with MAuth. Exception #{msg}")
-          raise UnableToAuthenticateError, msg
-        end
-        case response.status
-        when 200..299
-          nil
-        when 412, 404
-          # the mAuth service responds with 412 when the given request is not authentically signed.
-          # older versions of the mAuth service respond with 404 when the given app_uuid
-          # does not exist, which is also considered to not be authentically signed. newer
-          # versions of the service respond 412 in all cases, so the 404 check may be removed
-          # when the old version of the mAuth service is out of service.
-          raise InauthenticError, "The mAuth service responded with #{response.status}: #{response.body}"
-        else
-          mauth_service_response_error(response)
-        end
-      end
-
-      def mauth_connection
-        @mauth_connection ||= begin
-          require 'faraday'
-
-          ::Faraday.new(mauth_baseurl,
-            faraday_options.merge(headers: { 'Content-Type' => 'application/json' })) do |builder|
-            builder.use MAuth::Faraday::MAuthClientUserAgent
-            builder.adapter ::Faraday.default_adapter
-          end
-        end
-      end
-    end
-  end
-end

data/lib/mauth/dice_bag/mauth.rb.dice

@@ -1,12 +0,0 @@
-<%= warning.as_yaml_comment %>
-
-MAUTH_CONF = MAuth::Client.default_config
-require 'mauth/rack'
-# ResponseSigner OPTIONAL; only use if you are registered in mauth service
-Rails.application.config.middleware.insert_after Rack::Runtime, MAuth::Rack::ResponseSigner, MAUTH_CONF
-if Rails.env.test? || Rails.env.development?
-  require 'mauth/fake/rack'
-  Rails.application.config.middleware.insert_after MAuth::Rack::ResponseSigner, MAuth::Rack::RequestAuthenticationFaker, MAUTH_CONF
-else
-  Rails.application.config.middleware.insert_after MAuth::Rack::ResponseSigner, MAuth::Rack::RequestAuthenticatorNoAppStatus, MAUTH_CONF
-end

data/lib/mauth/dice_bag/mauth.yml.dice

@@ -1,18 +0,0 @@
-<%= warning.as_yaml_comment %>
-
-common: &common
-  mauth_baseurl: <%= configured.mauth_url! || 'http://localhost:7000' %>
-  mauth_api_version: v1
-  app_uuid: <%= configured.mauth_app_uuid! || 'fb17460e-9868-11e1-8399-0090f5ccb4d3' %>
-  private_key_file: config/mauth_key
-  v2_only_authenticate: <%= configured.v2_only_authenticate || 'false' %>
-  v2_only_sign_requests: <%= configured.v2_only_sign_requests || 'false' %>
-  disable_fallback_to_v1_on_v2_failure: <%= configured.disable_fallback_to_v1_on_v2_failure || 'false' %>
-  v1_only_sign_requests: <%= configured.v1_only_sign_requests || 'true' %>
-
-production:
-  <<: *common
-development:
-  <<: *common
-test:
-  <<: *common

data/lib/mauth/dice_bag/mauth_key.dice

@@ -1 +0,0 @@
-<%= ensure_is_private_key(configured.mauth_private_key! || generate_private_key.to_s) %>

data/lib/mauth/dice_bag/mauth_templates.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-require 'dice_bag'
-
-class MauthTemplate < DiceBag::AvailableTemplates
-  def templates
-    ['mauth.yml.dice', 'mauth_key.dice'].map do |template|
-      File.join(File.dirname(__FILE__), template)
-    end
-  end
-end
-
-class MauthInitializerTemplate < DiceBag::AvailableTemplates
-  def templates_location
-    'config/initializers'
-  end
-
-  def templates
-    [File.join(File.dirname(__FILE__), 'mauth.rb.dice')] if Object.const_defined?(:Rails)
-  end
-end