oauthenticator 1.3.5 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16ab24b09d173ed8caca336faa49d9cc263513b5a1b918f656985dff431caa61
-  data.tar.gz: d3439a11045ed50fb9c72ccb85d137c72ea04b04189d58729b24ca365744937f
+  metadata.gz: 98e9bd15e6f01dd9896f6d499d3141f56614f93fd13fc9ac000c24796e74c5c2
+  data.tar.gz: 5479b9b613a4a0b77758a325a007e258dbeaa9b9aaa430414223737870abb7b3
 SHA512:
-  metadata.gz: bd14158bfbc8c6ff4f998226ae110d5d3c9d251fb011968dd5ddc7d3fd1d131450e5dce683e1590728218527ea2a9f31e82b17f81b674eb4ea391a4d68d0bdb0
-  data.tar.gz: 82aef9ae6b004bcd95b5cf6a96c198089195022b3a131ec1346a62a2c18d3db1b6b2eae54af4ba41e665ef57677dc72bed6a9f886615fdeb53e7351e0a697918
+  metadata.gz: 6920168511a6582d34d4f4201e9c9d2c24adce1968389dc72e8d33878477b2a78d378aa4a140a817790ef41a8983c8ab620c631c83e6790333d7a7a3df41beff
+  data.tar.gz: 4260c1569b7a47d3bc1e9c3e40fb559cda77f5f1e888edeef1cb5943a927afd600f99348d0e6483a0de53005ad14707cd5e307e5509e41a138590c8190f9456f

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 1.4.0
+
+- support signature methods HMAC-SHA256, HMAC-SHA512
+
 # 1.3.5
 
 - relax faraday and rack gem dependency constraints

data/lib/oauthenticator/config_methods.rb

@@ -66,9 +66,10 @@ module OAuthenticator
     end
 
     # the signature methods which the application will accept. this MUST be a subset of the signature methods 
-    # defined in the OAuth 1.0 protocol: `%w(HMAC-SHA1 RSA-SHA1 PLAINTEXT)`. the default value for this is all 
-    # allowed signature methods, and may remain unimplemented if you wish to allow all defined signature 
-    # methods. 
+    # defined in the OAuth 1.0 protocol plus OAuthenticator-defined extensions:
+    # `%w(HMAC-SHA1 RSA-SHA1 PLAINTEXT HMAC-SHA512 HMAC-SHA256)`.
+    # the default value for this is all allowed signature methods, and may remain unimplemented if you wish
+    # to allow all defined signature methods.
     #
     # @return [Array<String>]
     def allowed_signature_methods

data/lib/oauthenticator/rack_test_signer.rb

@@ -33,6 +33,7 @@ end
 
 class Rack::Test::Session
   actual_process_request = instance_method(:process_request)
+  remove_method(:process_request)
   define_method(:process_request) do |uri, env, &block|
     oauth_attrs = Thread.current[:oauthenticator_rack_test_attributes]
     if oauth_attrs

data/lib/oauthenticator/signable_request.rb

@@ -304,9 +304,33 @@ module OAuthenticator
     #
     # @return [String]
     def hmac_sha1_signature
+      hmac_digest_signature(OpenSSL::Digest::SHA1)
+    end
+
+    # signature, with method HMAC-SHA256. OAuthenticator extension, outside of spec. do not use.
+    # unless you want to.
+    #
+    # @return [String]
+    def hmac_sha256_signature
+      hmac_digest_signature(OpenSSL::Digest::SHA256)
+    end
+
+    # signature, with method HMAC-SHA512. OAuthenticator extension, outside of spec. do not use.
+    # unless you want to.
+    #
+    # @return [String]
+    def hmac_sha512_signature
+      hmac_digest_signature(OpenSSL::Digest::SHA512)
+    end
+
+    # signature with a HMAC digest
+    #
+    # @param digest_class [Class] the digest class
+    # @return [String]
+    def hmac_digest_signature(digest_class)
       # hmac secret is same as plaintext signature 
       secret = plaintext_signature
-      Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, secret, signature_base)).gsub(/\n/, '')
+      Base64.encode64(OpenSSL::HMAC.digest(digest_class.new, secret, signature_base)).gsub(/\n/, '')
     end
 
     # signature, with method plaintext. section 3.4.4
@@ -320,13 +344,39 @@ module OAuthenticator
     #
     # @return [String]
     def sha1_body_hash
-      Base64.encode64(OpenSSL::Digest::SHA1.digest(read_body)).gsub(/\n/, '')
+      digest_body_hash(OpenSSL::Digest::SHA1)
+    end
+
+    # body hash, with a signature method which uses SHA256. OAuthenticator extension, outside of spec. 
+    # do not use. unless you want to.
+    #
+    # @return [String]
+    def sha256_body_hash
+      digest_body_hash(OpenSSL::Digest::SHA256)
+    end
+
+    # body hash, with a signature method which uses SHA512. OAuthenticator extension, outside of spec. 
+    # do not use. unless you want to.
+    #
+    # @return [String]
+    def sha512_body_hash
+      digest_body_hash(OpenSSL::Digest::SHA512)
+    end
+
+    # body hash with a given digest
+    #
+    # @param digest_class [Class] the digest class
+    # @return [String]
+    def digest_body_hash(digest_class)
+      Base64.encode64(digest_class.digest(read_body)).gsub(/\n/, '')
     end
 
     # map of oauth signature methods to their signature instance methods on this class 
     SIGNATURE_METHODS = {
       'RSA-SHA1'.freeze => instance_method(:rsa_sha1_signature),
       'HMAC-SHA1'.freeze => instance_method(:hmac_sha1_signature),
+      'HMAC-SHA256'.freeze => instance_method(:hmac_sha256_signature),
+      'HMAC-SHA512'.freeze => instance_method(:hmac_sha512_signature),
       'PLAINTEXT'.freeze => instance_method(:plaintext_signature),
     }.freeze
 
@@ -335,6 +385,8 @@ module OAuthenticator
     BODY_HASH_METHODS = {
       'RSA-SHA1'.freeze => instance_method(:sha1_body_hash),
       'HMAC-SHA1'.freeze => instance_method(:sha1_body_hash),
+      'HMAC-SHA256'.freeze => instance_method(:sha256_body_hash),
+      'HMAC-SHA512'.freeze => instance_method(:sha512_body_hash),
     }.freeze
   end
 end

data/lib/oauthenticator/signed_request.rb

@@ -234,13 +234,13 @@ module OAuthenticator
     require 'oauthenticator/config_methods'
     include ConfigMethods
 
-    private
-
     # hash of header params. keys should be a subset of OAUTH_ATTRIBUTE_KEYS.
     def oauth_header_params
       @oauth_header_params ||= OAuthenticator.parse_authorization(authorization)
     end
 
+    private
+
     # raise a nice error message for a method that needs to be implemented on a module of config methods 
     def config_method_not_implemented
       caller_name = caller[0].match(%r(in `(.*?)'))[1]

data/lib/oauthenticator/version.rb

@@ -1,5 +1,5 @@
 # OAuthenticator 
 module OAuthenticator
   # OAuthenticator::VERSION
-  VERSION = "1.3.5"
+  VERSION = "1.4.0"
 end

data/test/config_methods_test.rb

@@ -8,7 +8,7 @@ describe OAuthenticator::SignedRequest do
       exc = assert_raises(NotImplementedError) do
         OAuthenticator::SignedRequest.new({}).public_send(method_without_default)
       end
-      assert_match /included in a subclass of OAuthenticator::SignedRequest/, exc.message
+      assert_match(/included in a subclass of OAuthenticator::SignedRequest/, exc.message)
     end
     it "uses the method #{method_without_default} when implemented" do
       called = false
@@ -21,7 +21,7 @@ describe OAuthenticator::SignedRequest do
     exc = assert_raises(NotImplementedError) do
       OAuthenticator::RackAuthenticator.new(proc {}, {:config_methods => Module.new}).call({'HTTP_AUTHORIZATION' => %q(OAuth oauth_timestamp="1")})
     end
-    assert_match /passed to OAuthenticator::RackAuthenticator using the option :config_methods./, exc.message
+    assert_match(/passed to OAuthenticator::RackAuthenticator using the option :config_methods./, exc.message)
   end
   it "complains RackAuthenticator is not given config methods" do
     assert_raises(ArgumentError) do
@@ -36,7 +36,7 @@ describe OAuthenticator::SignedRequest do
     assert_equal 2, called
   end
   it 'uses the default value for allowed signature methods' do
-    assert_equal %w(RSA-SHA1 HMAC-SHA1 PLAINTEXT).sort, OAuthenticator::SignedRequest.new({}).allowed_signature_methods.sort
+    assert_equal %w(RSA-SHA1 HMAC-SHA256 HMAC-SHA512 HMAC-SHA1 PLAINTEXT).sort, OAuthenticator::SignedRequest.new({}).allowed_signature_methods.sort
   end
   it 'uses default value for body_hash_required?' do
     assert_equal false, OAuthenticator::SignedRequest.new({}).body_hash_required?

data/test/signable_request_test.rb

@@ -127,7 +127,7 @@ describe OAuthenticator::SignableRequest do
       it 'complains about missing required params' do
         err = assert_raises(ArgumentError) { OAuthenticator::SignableRequest.new({}) }
         %w(request_method uri media_type body consumer_key signature_method).each do |required|
-          assert_match /#{required}/, err.message
+          assert_match(/#{required}/, err.message)
         end
       end
     end
@@ -135,7 +135,7 @@ describe OAuthenticator::SignableRequest do
 
   describe 'the example in 3.1' do
     # a request with attributes from the oauth spec
-    def spec_request(attributes={})
+    def spec_request
       example_request({
         :request_method => 'POST',
         :uri => 'http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b',
@@ -231,6 +231,20 @@ describe OAuthenticator::SignableRequest do
       end
     end
 
+    describe 'HMAC-SHA256' do
+      it 'signs with a HMAC-SHA256 digest of the signature base' do
+        request = example_request(
+          :token => 'a token',
+          :token_secret => 'a token secret',
+          :signature_method => 'HMAC-SHA256',
+          :nonce => 'a nonce',
+          :timestamp => 1397726597,
+          :hash_body? => false
+        )
+        assert_equal('Cb4UAr3l25eqC7p2PSm0l6j7lgXvh5SPnMOhPAJ1jWU=', request.signed_protocol_params['oauth_signature'])
+      end
+    end
+
     describe 'RSA-SHA1' do
       it 'signs with a RSA private key SHA1 signature' do
         request = example_request(
@@ -487,6 +501,10 @@ describe OAuthenticator::SignableRequest do
         request = example_request(:media_type => 'text/plain', :body => 'foo=bar', :signature_method => 'HMAC-SHA1')
         assert_equal('L7j0ARXdHmlcviPU+Xzlsftpfu4=', request.protocol_params['oauth_body_hash'])
       end
+      it 'includes by default with non-form-encoded and HMAC-SHA256' do
+        request = example_request(:media_type => 'text/plain', :body => 'foo=bar', :signature_method => 'HMAC-SHA256')
+        assert_equal('O6iQfnolIydIjfOQ7VF8Rblt6tAzYAIZvcpxB9HT+Io=', request.protocol_params['oauth_body_hash'])
+      end
       it 'includes by default with non-form-encoded and RSA-SHA1' do
         request = example_request(:media_type => 'text/plain', :body => 'foo=bar', :signature_method => 'RSA-SHA1', :consumer_secret => rsa_private_key)
         assert_equal('L7j0ARXdHmlcviPU+Xzlsftpfu4=', request.protocol_params['oauth_body_hash'])
@@ -499,6 +517,10 @@ describe OAuthenticator::SignableRequest do
         request = example_request(:media_type => 'application/x-www-form-urlencoded', :body => 'foo=bar', :signature_method => 'HMAC-SHA1')
         assert(!request.protocol_params.key?('oauth_body_hash'))
       end
+      it 'does not include by default with form-encoded and HMAC-SHA256' do
+        request = example_request(:media_type => 'application/x-www-form-urlencoded', :body => 'foo=bar', :signature_method => 'HMAC-SHA256')
+        assert(!request.protocol_params.key?('oauth_body_hash'))
+      end
       it 'does not include by default with form-encoded and RSA-SHA1' do
         request = example_request(:media_type => 'application/x-www-form-urlencoded', :body => 'foo=bar', :signature_method => 'RSA-SHA1', :consumer_secret => rsa_private_key)
         assert(!request.protocol_params.key?('oauth_body_hash'))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauthenticator
 version: !ruby/object:Gem::Version
-  version: 1.3.5
+  version: 1.4.0
 platform: ruby
 authors:
 - Ethan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-13 00:00:00.000000000 Z
+date: 2021-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack