rack-signature 0.0.8 → 0.1.2

data/.gitignore

@@ -16,3 +16,4 @@ test/tmp
 test/version_tmp
 tmp
 .DS_Store
+bin/

data/README.md

@@ -1,6 +1,11 @@
 [![Build Status](https://secure.travis-ci.org/revans/rack-signature.png)](https://travis-ci.org/revans/rack-signature)
 [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/revans/rack-signature)
 
+# This is currently still being worked on and does have several known bugs.
+
+This is an alpha release, a pre 1.0 version. If you use this, be aware it's in
+its infancy.
+
 # Rack::Signature
 
 Rack Middleware used to verify signed requests.
@@ -21,9 +26,53 @@ Or install it yourself as:
 
 ## Usage
 
+This is meant to be added to a Rails initializer like so:
+
 ```ruby
-  use Rack::Signature, 'your-shared-key'
+Rails.application.config.middleware.use Rack::Signature,
+  klass: ClassWithSharedKey,
+  method: 'method_within_class',
+  header_token: 'http header used to hold the api key'
 ```
+### Overview
+
+This gem is assumed to be used within a rails application. It computes the HMAC
+Signature internally and only sends a (single) request over the network when
+Signatures fail to match; sending a 401. Otherwise, it makes no requests - only
+accepts incoming JSON Api requests.
+
+
+This gem will build an HMAC Signature based off an incoming request made to its
+JSON Api initiated by some external client. Once it builds the "expected" HMAC
+Signature, it will compare its Signature against the Signature that was sent by
+the external client. If they match, the request is allowed to continue to the
+Rails application. If it fails, this gem will send back a 401 response from its
+own internal Rack application.
+
+
+### Options explained:
+
+#### klass
+
+The name of the class within the rails application that can be used to query for
+a model's shared key.
+
+It is assumed that each consumer has it's own unique shared key; similar to
+Oauth.
+
+#### method
+
+The method within the +klass+ that will be called to request a shared key to
+build the HMAC. This is a class level method.
+
+#### header_token
+
+This is a bad name. It will be changed.
+
+This is the name of the HTTP Header that holds the Api Key that is associated
+with the consumer's account. It is used as the authentication as well as a way
+to get the consumer's account to retreive the +shared key+.
+
 
 ## Contributing
 

data/lib/rack/signature.rb

@@ -1,6 +1,10 @@
+# encoding: UTF-8
+
 require_relative 'signature/version'
+require_relative 'signature/build_post_body'
 require_relative 'signature/build_message'
 require_relative 'signature/hmac_signature'
+require_relative 'signature/sort_query_params'
 require_relative 'signature/verify'
 
 module Rack

data/lib/rack/signature/build_message.rb

@@ -1,4 +1,7 @@
 require 'rack/request'
+require 'json'
+
+require_relative 'build_post_body'
 
 module Rack
   module Signature
@@ -16,24 +19,52 @@ module Rack
       end
 
       def build!
-        create_request_message
+        read_request_and_build_message
+      end
+
+      def query
+        sort_params
       end
 
       private
 
-      def sort_query_params
-        request.params.sort.map { |param| param.join('=') }
+      def read_request_and_build_message
+        params = sort_params
+        build_request_message(params)
+      end
+
+      def sort_params
+        empty_form? ? for_query_string(request.params) : for_post_body(form_vars)
+      end
+
+      def form_vars
+        @form_vars ||= read_rack_input
       end
 
-      def canonicalized_query_params
-        sort_query_params.join('&')
+      def empty_form?
+        form_vars.nil? || form_vars == ''
       end
 
-      def create_request_message
+      def for_query_string(params)
+        @sorted_params ||= params.sort.map { |p| p.join('=') }.join('&')
+      end
+
+      def for_post_body(params)
+        @sorted_json ||= BuildPostBody.new(params).sorted_json
+      end
+
+      def build_request_message(params)
         request.request_method.upcase +
           request.path_info.downcase +
           request.host.downcase +
-          canonicalized_query_params
+          params
+      end
+
+      def read_rack_input
+        form_vars = request.env['rack.input'].read
+        form_vars = JSON.parse(form_vars) rescue form_vars
+        request.env['rack.input'].rewind
+        form_vars
       end
 
     end

data/lib/rack/signature/build_post_body.rb

@@ -0,0 +1,28 @@
+require 'rack/request'
+require 'json'
+require_relative 'sort_query_params'
+
+module Rack
+  module Signature
+    class BuildPostBody
+      attr_reader :hash
+
+      def initialize(hash)
+        @hash = hash
+      end
+
+      def sorted_json
+        JSON.generate(sort_post_body)
+      end
+
+      def sort_post_body
+        SortQueryParams.new(parse_query).order
+      end
+
+      def parse_query
+        ::Rack::Utils.parse_query(hash) rescue hash
+      end
+
+    end
+  end
+end

data/lib/rack/signature/deep_merge.rb

@@ -0,0 +1,57 @@
+module Rack
+  module Signature
+    class DeepMerge
+      attr_reader :hash
+      def initialize(hash)
+        @hash = hash
+      end
+
+      def merge!
+        deep_merge(hash).chomp('&')
+      end
+
+      # merge deep_merge & merge_hash
+      def deep_merge(object, key = nil)
+        object.each_with_object('') do |array, string|
+          string << send_to_method( array, key )
+        end
+      end
+
+      private
+
+      def send_to_method(object, keys)
+        key,values  = bind_variables(object, keys)
+        continue_merge_or_complete(values, key)
+      end
+
+      def bind_variables(object, keys)
+        if object.first.is_a?(String)
+          key, values = build_key(keys, object.first), object.last
+        else
+          key, values = build_key(keys), object
+        end
+        [key,values]
+      end
+
+      def build_key(keys, keychain = nil)
+        key   = keychain                  if keys.nil? || keys.empty? # root node
+        key ||= hash_key(keys)            if keychain.nil?            # nested array
+        key ||= hash_key(keys, keychain)  if keychain.is_a?(String)   # nested hash
+        key
+      end
+
+      def hash_key(orig_key, key = nil)
+        "#{orig_key}[#{key}]"
+      end
+
+      def continue_merge_or_complete(object, key)
+        if object.is_a?(Hash) || object.is_a?(Array)
+          deep_merge(object, key)
+        else
+          [key, object].join('=') << '&'
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/signature/sort_query_params.rb

@@ -0,0 +1,45 @@
+module Rack
+  module Signature
+    class SortQueryParams
+
+      def initialize(object)
+        @object = object
+      end
+
+      def order
+        deep_sort(@object)
+      end
+
+      def deep_sort(object)
+        if object.is_a?(Array)
+
+          deep_array_sort(object)
+        elsif object.is_a?(Hash)
+
+          deep_hash_sort(object)
+        else
+          object
+        end
+      end
+
+      def deep_hash_sort(object)
+        return object unless object.is_a?(Hash)
+        hash = Hash.new
+        object.each         { |k,v| hash[k] = deep_sort(v) }
+        sorted = hash.sort  { |a,b| a[0].to_s <=> b[0].to_s }
+        hash.class[sorted]
+      end
+
+      def deep_array_sort(object)
+        object.map do |value|
+          if value.is_a?(Hash)
+            deep_hash_sort(value)
+          else
+            value
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/signature/test_helpers.rb

@@ -1,13 +1,25 @@
 require_relative 'build_message'
 require_relative 'hmac_signature'
+require_relative 'sort_query_params'
+require 'rack'
+require 'json'
 
 module Rack
   module Signature
     module TestHelpers
-      include Rack::Test::Methods
 
-      # def generate_shared_token; ::SecureRandom.hex(8); end
-      def generate_shared_token; "a8a5ac6e39f1f5cd"; end
+      def convert_hash_to_string(params)
+        params.map { |p| p.join('=')}.join('&')
+      end
+
+      def hash_to_sorted_json(obj)
+        sorted_hash = SortQueryParams.new(obj).order
+        JSON.generate(sorted_hash)
+      end
+
+      def sorted_json_to_hash(obj)
+        JSON.parse(obj)
+      end
 
       def stringify_request_message(env)
         ::Rack::Signature::BuildMessage.new(env).build!
@@ -17,19 +29,12 @@ module Rack
         ::Rack::Signature::HmacSignature.new(key, message).sign
       end
 
-      def expected_signature(shared_key, env)
-        msg = stringify_request_message(env)
-        hmac_message(shared_key, msg)
-      end
-
       def setup_request(uri, opts, key)
-        env  = ::Rack::MockRequest.env_for(uri, opts)
-        msg  = stringify_request_message(env)
-        sig  = hmac_message(key, msg)
-        req  = Rack::Request.new(env)
-        query_params = req.params
+        env = ::Rack::MockRequest.env_for(uri, opts)
+        msg = stringify_request_message(env)
+        sig = hmac_message(key, msg)
 
-        [uri, opts, query_params, env, sig, msg]
+        { signature: sig, message: msg, env: env, key: key }
       end
 
     end

data/lib/rack/signature/verify.rb

@@ -1,3 +1,4 @@
+# encoding: UTF-8
 require_relative 'hmac_signature'
 
 # A Rack app to verify requests based on a computed signature passed within the
@@ -23,27 +24,32 @@ module Rack
       end
 
       def call(env)
+        dup._call(env)
+      end
+
+      def _call(env)
         if signature_is_valid?(env)
           @app.call(env)
         else
-          invalid_signature
+          status, headers, body = @app.call(env)
+          body.close if body.respond_to?(:close)
+          [401, {'CONTENT_TYPE' => 'application/json', :charset => 'utf-8'}, ['Access Denied']]
         end
       end
 
       private
 
-      # if the signature is invalid we send back this Rack app
-      def invalid_signature
-        [403, {'Content-Type' => 'text/html'}, 'Invalid Signature']
-      end
-
       # compares the received Signature against what the Signature should be
       # (computed signature)
       def signature_is_valid?(env)
-        received_signature = env["X-Auth-Sig"]
-        expected_signature = compute_signature(env)
+        return true if html_request?(env)
+
+        # grab and compute the X-AUTH-SIG
+        signature_sent    = env["HTTP_X_AUTH_SIG"]
+        actual_signature  = compute_signature(env)
 
-        expected_signature == received_signature
+        # are they the same?
+        signature_sent.to_s == actual_signature.to_s
       end
 
       # builds the request message and tells HmacSignature to sign the message
@@ -56,8 +62,33 @@ module Rack
       # app. This will eventually need to be a rack app itself
       def shared_key(env)
         token = env[options[:header_token]]
-        return '' if token.nil? || token == ''
-        options[:klass].send(options[:method].to_s, token)
+
+        shared_token = options[:klass].send(options[:method].to_s, token)
+        shared_token.to_s
+      end
+
+      # we only want to use this if the request is an api request
+      def html_request?(env)
+        debug(env) if options[:debug]
+        (env['CONTENT_TYPE'] || "").to_s !~ /json/i
+      end
+
+      def debug(env)
+        builder = BuildMessage.new(env)
+        log "WHAT MODEL WILL BE CALLED:     #{options[:klass]}##{options[:method]} pulling api token from #{options[:header_token]} which is #{env[options[:header_token]]}"
+        log "CALL RAILS MODEL:              #{options[:klass].send(options[:method].to_s, (env[options[:header_token]])).inspect}"
+        log "SHARED_KEY from Rails:         #{shared_key(env).inspect}"
+        log "CONTENT_TYPE of request:       #{env['CONTENT_TYPE'].inspect}"
+        log "QUERY SENT:                    #{builder.query.inspect}"
+        log "MESSAGE built by rails:        #{builder.build!.inspect}"
+        log "HMAC built by rails:           #{HmacSignature.new(shared_key(env), builder.build!).sign.inspect}"
+        log "HMAC received from client      #{env['HTTP_X_AUTH_SIG'].inspect}"
+        log "API KEY received from client   #{env['HTTP_LOCKER_API_KEY'].inspect}"
+        log "RACK ENV:                      #{env.inspect}"
+      end
+
+      def log(msg)
+        options[:logger].info(msg)
       end
 
     end

data/lib/rack/signature/version.rb

@@ -1,8 +1,8 @@
 module Rack
   module Signature
     MAJOR = 0
-    MINOR = 0
-    PATCH = 8
+    MINOR = 1
+    PATCH = 2
 
     def self.version
       [MAJOR, MINOR, PATCH].join('.')

data/rack-signature.gemspec

@@ -22,4 +22,5 @@ Gem::Specification.new do |gem|
   gem.add_development_dependency 'minitest'
   gem.add_development_dependency 'rack-test'
   gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'active_support'
 end

data/test/array_of_hashes.json

@@ -0,0 +1,32 @@
+{"club_swing_data": [
+    {
+      "shot": 1,
+      "club": "driver",
+      "mode": "manual",
+      "ball_speed": "130.0",
+      "launch_angle": "10.0",
+      "deviation_angle": "0.0",
+      "backspin": "3000.0",
+      "slidespin": "0.0"
+    },
+    {
+      "shot": 2,
+      "club": "driver",
+      "mode": "manual",
+      "ball_speed": "130.0",
+      "launch_angle": "10.0",
+      "deviation_angle": "0.0",
+      "backspin": "3000.0",
+      "slidespin": "0.0"
+    },
+    {
+      "shot": 3,
+      "club": "driver",
+      "mode": "manual",
+      "ball_speed": "130.0",
+      "launch_angle": "10.0",
+      "deviation_angle": "0.0",
+      "backspin": "3000.0",
+      "slidespin": "0.0"
+    }
+]}