rack-signature 0.0.6 → 0.0.7
Sign up to get free protection for your applications and to get access to all the features.
- data/lib/rack/signature/test_helpers.rb +40 -0
- data/lib/rack/signature/verify.rb +2 -2
- data/lib/rack/signature/version.rb +1 -1
- data/test/test_helper.rb +2 -0
- data/test/verify_test.rb +35 -33
- metadata +2 -1
@@ -0,0 +1,40 @@
|
|
1
|
+
require_relative 'build_message'
|
2
|
+
require_relative 'hmac_signature'
|
3
|
+
|
4
|
+
module Rack
|
5
|
+
module Signature
|
6
|
+
module TestHelpers
|
7
|
+
include Rack::Test::Methods
|
8
|
+
|
9
|
+
def generate_shared_token; ::SecureRandom.hex(8); end
|
10
|
+
|
11
|
+
def stringify_request_message(env)
|
12
|
+
::Rack::Signature::BuildMessage.new(env).build!
|
13
|
+
end
|
14
|
+
|
15
|
+
def hmac_message(key, message)
|
16
|
+
::Rack::Signature::HmacSignature.new(key, message).sign
|
17
|
+
end
|
18
|
+
|
19
|
+
def expected_signature(shared_key, env)
|
20
|
+
msg = stringify_request_message(env)
|
21
|
+
hmac_message(shared_key, msg)
|
22
|
+
end
|
23
|
+
|
24
|
+
def setup_request(uri, opts, key)
|
25
|
+
env = ::Rack::MockRequest.env_for(uri, opts)
|
26
|
+
sig = sign(env, key)
|
27
|
+
req = Rack::Request.new(env)
|
28
|
+
query_params = req.params
|
29
|
+
|
30
|
+
[uri, sig, opts, query_params, env]
|
31
|
+
end
|
32
|
+
|
33
|
+
def sign(env, key)
|
34
|
+
message = stringify_request_message(env)
|
35
|
+
hmac_message(key, message)
|
36
|
+
end
|
37
|
+
|
38
|
+
end
|
39
|
+
end
|
40
|
+
end
|
@@ -40,7 +40,7 @@ module Rack
|
|
40
40
|
# compares the received Signature against what the Signature should be
|
41
41
|
# (computed signature)
|
42
42
|
def signature_is_valid?(env)
|
43
|
-
received_signature = env["
|
43
|
+
received_signature = env["X-Auth-Sig"]
|
44
44
|
expected_signature = compute_signature(env)
|
45
45
|
|
46
46
|
expected_signature == received_signature
|
@@ -55,7 +55,7 @@ module Rack
|
|
55
55
|
# FIXME: This is here for now for a quick implementation within another
|
56
56
|
# app. This will eventually need to be a rack app itself
|
57
57
|
def shared_key(env)
|
58
|
-
token = env[
|
58
|
+
token = env[options[:header_token]]
|
59
59
|
return '' if token.nil? || token == ''
|
60
60
|
options[:klass].send(options[:method].to_s, token)
|
61
61
|
end
|
data/test/test_helper.rb
CHANGED
data/test/verify_test.rb
CHANGED
@@ -2,20 +2,40 @@ require_relative '../lib/rack/signature'
|
|
2
2
|
require 'test_helper'
|
3
3
|
|
4
4
|
describe "Verifying a signed request" do
|
5
|
-
include Rack::
|
5
|
+
include Rack::Signature::TestHelpers
|
6
6
|
|
7
|
+
TOKEN = ::SecureRandom.hex(8)
|
7
8
|
def setup
|
8
|
-
@
|
9
|
-
@
|
10
|
-
|
9
|
+
@klass_options = {klass: DemoClass, method: :get_shared_token, header_token: 'LOCKER-API-KEY'}
|
10
|
+
@uri, @sig, @headers, @params, @env = setup_request("http://example.com/api/login",
|
11
|
+
{"Content-Type" => "application/json",
|
12
|
+
"REQUEST_METHOD" => "POST",
|
13
|
+
"LOCKER-API-KEY" => '123',
|
14
|
+
input: "password=123456&email=me@home.com&name=me&age=1"
|
15
|
+
}, TOKEN)
|
11
16
|
end
|
12
17
|
|
13
18
|
let(:app) { lambda { |env| [200, {}, ['Hello World']] } }
|
14
|
-
let(:rack_signature) { Rack::Signature.new(app, @
|
19
|
+
let(:rack_signature) { Rack::Signature.new(app, @klass_options) }
|
15
20
|
let(:mock_request) { Rack::MockRequest.new(rack_signature) }
|
16
21
|
|
22
|
+
class DemoClass
|
23
|
+
def self.get_shared_token(token = '')
|
24
|
+
TOKEN if token
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
let(:uri) { @uri }
|
29
|
+
let(:signature) { @sig }
|
30
|
+
let(:headers) { @headers }
|
31
|
+
let(:query_params) { @params }
|
32
|
+
let(:env) { @env }
|
33
|
+
|
17
34
|
describe "when a request is made without a signature" do
|
18
|
-
|
35
|
+
before {
|
36
|
+
@response = mock_request.get '/api/login?password=123456&email=me@home.com'
|
37
|
+
}
|
38
|
+
let(:response) { @response }
|
19
39
|
|
20
40
|
it 'returns a 403 status' do
|
21
41
|
assert_equal 403, response.status
|
@@ -33,11 +53,11 @@ describe "Verifying a signed request" do
|
|
33
53
|
|
34
54
|
describe "when a requests is sent with a valid signature" do
|
35
55
|
let(:response) do
|
36
|
-
mock_request.post(
|
56
|
+
mock_request.post(uri,
|
37
57
|
"Content-Type" => "application/json",
|
38
58
|
"REQUEST_METHOD" => "POST",
|
39
|
-
"
|
40
|
-
"
|
59
|
+
"LOCKER-API-KEY" => '123',
|
60
|
+
"X-Auth-Sig" => signature,
|
41
61
|
input: "password=123456&email=me@home.com&name=me&age=1")
|
42
62
|
end
|
43
63
|
|
@@ -50,14 +70,15 @@ describe "Verifying a signed request" do
|
|
50
70
|
end
|
51
71
|
end
|
52
72
|
|
73
|
+
|
53
74
|
describe "when a requests is sent with a tampered signature" do
|
54
75
|
let(:response) do
|
55
|
-
mock_request.post(
|
56
|
-
"Content-Type"
|
76
|
+
mock_request.post(uri,
|
77
|
+
{"Content-Type" => "application/json",
|
57
78
|
"REQUEST_METHOD" => "POST",
|
58
|
-
"
|
59
|
-
"
|
60
|
-
input: "password=1234567&email=me@home.com&name=me&age=1")
|
79
|
+
"LOCKER-API-KEY" => '123',
|
80
|
+
"X-Auth-Sig" => signature,
|
81
|
+
input: "password=1234567&email=me@home.com&name=me&age=1"})
|
61
82
|
end
|
62
83
|
|
63
84
|
it 'returns a 403 status' do
|
@@ -74,23 +95,4 @@ describe "Verifying a signed request" do
|
|
74
95
|
end
|
75
96
|
end
|
76
97
|
|
77
|
-
# Helper Methods
|
78
|
-
def key
|
79
|
-
::Digest::SHA2.hexdigest("shared-key")
|
80
|
-
end
|
81
|
-
|
82
|
-
def expected_signature
|
83
|
-
"Z0qY8Hy4a/gJkGZI0gklzM6vZztsAVVDjA18vb1BvHg="
|
84
|
-
end
|
85
|
-
|
86
|
-
class DemoClass
|
87
|
-
def self.get_shared_token(token = '')
|
88
|
-
::Digest::SHA2.hexdigest("shared-key") if token == '123'
|
89
|
-
end
|
90
|
-
end
|
91
|
-
|
92
|
-
def get_app_options
|
93
|
-
{ klass: DemoClass, method: :get_shared_token, header_token: 'API_TOKEN' }
|
94
|
-
end
|
95
|
-
|
96
98
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-signature
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.7
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -91,6 +91,7 @@ files:
|
|
91
91
|
- lib/rack/signature.rb
|
92
92
|
- lib/rack/signature/build_message.rb
|
93
93
|
- lib/rack/signature/hmac_signature.rb
|
94
|
+
- lib/rack/signature/test_helpers.rb
|
94
95
|
- lib/rack/signature/verify.rb
|
95
96
|
- lib/rack/signature/version.rb
|
96
97
|
- rack-signature.gemspec
|