remit 0.0.5 → 0.0.6

data/lib/amazon/fps/signatureutils.rb

@@ -0,0 +1,143 @@
+###############################################################################
+ #  Copyright 2008-2010 Amazon Technologies, Inc
+ #  Licensed under the Apache License, Version 2.0 (the "License");
+ #
+ #  You may not use this file except in compliance with the License.
+ #  You may obtain a copy of the License at: http://aws.amazon.com/apache2.0
+ #  This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ #  CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ #  specific language governing permissions and limitations under the License.
+ ##############################################################################
+require 'base64'
+require 'cgi'
+require 'openssl'
+
+module Amazon
+module FPS
+
+#
+# Copyright:: Copyright (c) 2009 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+#
+# RFC 2104-compliant HMAC signature for request parameters
+#  Implements AWS Signature, as per following spec:
+#
+# If Signature Version is 1, it performs the following:
+#
+# Sorts all  parameters (including SignatureVersion and excluding Signature,
+# the value of which is being created), ignoring case.
+#
+# Iterate over the sorted list and append the parameter name (in original case)
+# and then its value. It will not URL-encode the parameter values before
+# constructing this string. There are no separators.
+#
+# If Signature Version is 2, string to sign is based on following:
+#
+#    1. The HTTP Request Method followed by an ASCII newline (%0A)
+#    2. The HTTP Host header in the form of lowercase host, followed by an ASCII newline.
+#    3. The URL encoded HTTP absolute path component of the URI
+#       (up to but not including the query string parameters);
+#       if this is empty use a forward '/'. This parameter is followed by an ASCII newline.
+#    4. The concatenation of all query string components (names and values)
+#       as UTF-8 characters which are URL encoded as per RFC 3986
+#       (hex characters MUST be uppercase), sorted using lexicographic byte ordering.
+#       Parameter names are separated from their values by the '=' character
+#       (ASCII character 61), even if the value is empty.
+#       Pairs of parameter and values are separated by the '&' character (ASCII code 38).
+#
+class SignatureUtils
+
+  SIGNATURE_KEYNAME = "Signature"
+  SIGNATURE_METHOD_KEYNAME = "SignatureMethod"
+  SIGNATURE_VERSION_KEYNAME = "SignatureVersion"
+
+  HMAC_SHA256_ALGORITHM = "HmacSHA256"
+  HMAC_SHA1_ALGORITHM = "HmacSHA1"
+
+  def self.sign_parameters(args)
+    signature_version = args[:parameters][SIGNATURE_VERSION_KEYNAME]
+    string_to_sign = "";
+    algorithm = 'sha1';
+    if (signature_version == '1') then
+      string_to_sign = calculate_string_to_sign_v1(args)
+    elsif (signature_version == '2') then
+      algorithm = get_algorithm(args[:parameters][SIGNATURE_METHOD_KEYNAME])
+      string_to_sign = calculate_string_to_sign_v2(args)
+    else
+      raise "Invalid Signature Version specified"
+    end
+    return compute_signature(string_to_sign, args[:aws_secret_key], algorithm)
+  end
+
+  # Convert a string into URL encoded form.
+  def self.urlencode(plaintext)
+    CGI.escape(plaintext.to_s).gsub("+", "%20").gsub("%7E", "~")
+  end
+
+  private # All the methods below are private
+
+  def self.calculate_string_to_sign_v1(args)
+    parameters = args[:parameters]
+
+    # exclude any existing Signature parameter from the canonical string
+    sorted = (parameters.reject { |k, v| k == SIGNATURE_KEYNAME }).sort { |a,b| a[0].downcase <=> b[0].downcase }
+
+    canonical = ''
+    sorted.each do |v|
+      canonical << v[0]
+      canonical << v[1] unless(v[1].nil?)
+    end
+
+    return canonical
+  end
+
+  def self.calculate_string_to_sign_v2(args)
+    parameters = args[:parameters]
+
+    uri = args[:uri]
+    uri = "/" if uri.nil? or uri.empty?
+    uri = urlencode(uri).gsub("%2F", "/")
+
+    verb = args[:verb]
+    host = args[:host].downcase
+
+    # exclude any existing Signature parameter from the canonical string
+    sorted = (parameters.reject { |k, v| k == SIGNATURE_KEYNAME })
+
+    # sort the parameters
+    sorted = sorted.sort{ |a, b| a.to_s <=> b.to_s }
+
+    canonical = "#{verb}\n#{host}\n#{uri}\n"
+    isFirst = true
+
+    sorted.each { |v|
+      if(isFirst) then
+        isFirst = false
+      else
+        canonical << '&'
+      end
+
+      canonical << urlencode(v[0])
+      unless(v[1].nil?) then
+        canonical << '='
+        canonical << urlencode(v[1])
+      end
+    }
+
+    return canonical
+  end
+
+  def self.get_algorithm(signature_method)
+    return 'sha256' if (signature_method == HMAC_SHA256_ALGORITHM);
+    return 'sha1'
+  end
+
+  def self.compute_signature(canonical, aws_secret_key, algorithm = 'sha1')
+    digest = OpenSSL::Digest::Digest.new(algorithm)
+    return Base64.encode64(OpenSSL::HMAC.digest(digest, aws_secret_key, canonical)).chomp
+  end
+
+end
+
+end
+end
+

data/lib/amazon/fps/signatureutilsforoutbound.rb

@@ -0,0 +1,180 @@
+###############################################################################
+ #  Copyright 2008-2010 Amazon Technologies, Inc
+ #  Licensed under the Apache License, Version 2.0 (the "License");
+ #
+ #  You may not use this file except in compliance with the License.
+ #  You may obtain a copy of the License at: http://aws.amazon.com/apache2.0
+ #  This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+ #  CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ #  specific language governing permissions and limitations under the License.
+ ##############################################################################
+
+require 'base64'
+require 'cgi'
+require 'openssl'
+require 'net/http'
+require 'net/https'
+require 'rexml/document'
+
+module Amazon
+module FPS
+
+
+class SignatureUtilsForOutbound
+
+  SIGNATURE_KEYNAME = "signature"
+  SIGNATURE_METHOD_KEYNAME = "signatureMethod"
+  SIGNATURE_VERSION_KEYNAME = "signatureVersion"
+  CERTIFICATE_URL_KEYNAME = "certificateUrl"
+  CERTIFICATE_URL_ROOT = "https://fps.amazonaws.com/"
+  CERTIFICATE_URL_ROOT_SANDBOX = "https://fps.sandbox.amazonaws.com/"
+
+  FPS_PROD_ENDPOINT = CERTIFICATE_URL_ROOT
+  FPS_SANDBOX_ENDPOINT = CERTIFICATE_URL_ROOT_SANDBOX
+  ACTION_PARAM = "?Action=VerifySignature"
+  END_POINT_PARAM = "&UrlEndPoint="
+  HTTP_PARAMS_PARAM = "&HttpParameters="
+  VERSION_PARAM_VALUE = "&Version=2008-09-17"
+
+  USER_AGENT_STRING = "SigV2_MigrationSampleCode_Ruby-2010-09-13"
+
+  SIGNATURE_VERSION_1 = "1"
+  SIGNATURE_VERSION_2 = "2"
+  RSA_SHA1_ALGORITHM = "RSA-SHA1"
+
+  def initialize(aws_access_key, aws_secret_key)
+    @aws_secret_key = aws_secret_key
+    @aws_access_key = aws_access_key
+  end
+
+  def validate_request(args)
+    parameters = args[:parameters]
+    return validate_signature_v2(args) if (parameters[SIGNATURE_VERSION_KEYNAME] == SIGNATURE_VERSION_2)
+    return validate_signature_v1(args)
+  end
+
+  def validate_signature_v1(args)
+    parameters = args[:parameters]
+    signature = "";
+    if(parameters[SIGNATURE_KEYNAME] != nil) then
+      signature = parameters[SIGNATURE_KEYNAME];
+    else
+       raise "Signature is missing from parameters"
+    end
+
+    canonical = SignatureUtilsForOutbound::calculate_string_to_sign_v1(args)
+    digest = OpenSSL::Digest::Digest.new('sha1')
+    return signature == Base64.encode64(OpenSSL::HMAC.digest(digest, @aws_secret_key, canonical)).chomp
+  end
+
+  def validate_signature_v2(args)
+      [:parameters,
+     :http_method,
+     :url_end_point].each do |arg|
+      raise "#{arg.inspect} is missing from the arguments." unless args[arg]
+    end
+
+    url_end_point = args[:url_end_point]
+
+    parameters = args[:parameters]
+    raise ":parameters must be enumerable" unless args[:parameters].kind_of? Enumerable
+
+    signature = parameters[SIGNATURE_KEYNAME];
+    raise "'signature' is missing from the parameters." if (signature.nil? or signature.empty?)
+
+    signature_version = parameters[SIGNATURE_VERSION_KEYNAME];
+    raise "'signatureVersion' is missing from the parameters." if (signature_version.nil? or signature_version.empty?)
+    raise "'signatureVersion' present in parameters is invalid. Valid values are: 2" if (signature_version != SIGNATURE_VERSION_2)
+
+    signature_method = parameters[SIGNATURE_METHOD_KEYNAME]
+    raise "'signatureMethod' is missing from the parameters." if (signature_method.nil? or signature_method.empty?)
+    signature_algorithm = SignatureUtilsForOutbound::get_algorithm(signature_method)
+    raise "'signatureMethod' present in parameters is invalid. Valid values are: RSA-SHA1" if (signature_algorithm.nil?)
+
+    certificate_url = parameters[CERTIFICATE_URL_KEYNAME]
+    raise "'certificate_url' is missing from the parameters." if (certificate_url.nil? or certificate_url.empty?)
+
+    # Construct VerifySignatureAPI request
+    if(SignatureUtilsForOutbound::starts_with(certificate_url, FPS_SANDBOX_ENDPOINT) == true) then
+       verify_signature_request = FPS_SANDBOX_ENDPOINT
+    elsif(SignatureUtilsForOutbound::starts_with(certificate_url, FPS_PROD_ENDPOINT) == true) then
+       verify_signature_request = FPS_PROD_ENDPOINT
+    else
+       raise "'certificateUrl' received is not valid. Valid certificate urls start with " <<
+        CERTIFICATE_URL_ROOT << " or " << CERTIFICATE_URL_ROOT_SANDBOX << "."
+    end
+
+    verify_signature_request = verify_signature_request + ACTION_PARAM +
+    END_POINT_PARAM +
+    SignatureUtilsForOutbound::urlencode(url_end_point) +
+    VERSION_PARAM_VALUE +
+    HTTP_PARAMS_PARAM +
+    SignatureUtilsForOutbound::urlencode(SignatureUtilsForOutbound::get_http_params(parameters))
+
+    verify_signature_response = SignatureUtilsForOutbound::get_http_data(verify_signature_request)
+
+    # parse the response
+    document = REXML::Document.new(verify_signature_response)
+
+    status_el = document.elements['VerifySignatureResponse/VerifySignatureResult/VerificationStatus']
+    return (!status_el.nil? && status_el.text == "Success")
+  end
+
+  def self.calculate_string_to_sign_v1(args)
+    parameters = args[:parameters]
+
+    # exclude any existing Signature parameter from the canonical string
+    sorted = (parameters.reject { |k, v| ((k == SIGNATURE_KEYNAME)) }).sort { |a,b| a[0].downcase <=> b[0].downcase }
+
+    canonical = ''
+    sorted.each do |v|
+      canonical << v[0]
+      canonical << v[1] unless(v[1].nil?)
+    end
+
+    return canonical
+  end
+
+  def self.get_algorithm(signature_method)
+    return OpenSSL::Digest::SHA1.new if (signature_method == RSA_SHA1_ALGORITHM)
+    return nil
+  end
+
+  # Convert a string into URL encoded form.
+  def self.urlencode(plaintext)
+    CGI.escape(plaintext.to_s).gsub("+", "%20").gsub("%7E", "~")
+  end
+
+  def self.get_http_data(url)
+    #2. fetch certificate if not found in cache
+    uri = URI.parse(url)
+    http_session = Net::HTTP.new(uri.host, uri.port)
+    http_session.use_ssl = true
+    http_session.ca_file = File.dirname(__FILE__) + '/ca-bundle.crt'
+    http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    http_session.verify_depth = 5
+
+    res = http_session.start {|http_session|
+      req = Net::HTTP::Get.new(url, {"User-Agent" => USER_AGENT_STRING})
+      http_session.request(req)
+    }
+
+    return res.body
+  end
+
+  def self.starts_with(string, prefix)
+    prefix = prefix.to_s
+    string[0, prefix.length] == prefix
+  end
+
+  def self.get_http_params(params)
+     params.map do |(k, v)|
+        urlencode(k) + "=" + urlencode(v)
+     end.join("&")
+  end
+
+end
+
+end
+end
+

data/lib/remit.rb

@@ -85,7 +85,7 @@ module Remit
     PIPELINE_URL = 'https://authorize.payments.amazon.com/cobranded-ui/actions/start'.freeze
     PIPELINE_SANDBOX_URL = 'https://authorize.payments-sandbox.amazon.com/cobranded-ui/actions/start'.freeze
     API_VERSION = Date.new(2007, 1, 8).to_s.freeze
-    SIGNATURE_VERSION = 1.freeze
+    SIGNATURE_VERSION = 2.freeze
 
     attr_reader :access_key
     attr_reader :secret_key
@@ -108,6 +108,7 @@ module Remit
       new_query({
         :AWSAccessKeyId => @access_key,
         :SignatureVersion => SIGNATURE_VERSION,
+        Amazon::FPS::SignatureUtils::SIGNATURE_METHOD_KEYNAME => Amazon::FPS::SignatureUtils::HMAC_SHA256_ALGORITHM,
         :Version => API_VERSION,
         :Timestamp => Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
       })
@@ -122,13 +123,13 @@ module Remit
     private :query
 
     def sign(values)
-      keys = values.keys.sort { |a, b| a.to_s.downcase <=> b.to_s.downcase }
-
-      signature = keys.inject('') do |signature, key|
-        signature += key.to_s + values[key].to_s
-      end
-
-      Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, @secret_key, signature)).strip
+      signature = Amazon::FPS::SignatureUtils.sign_parameters({
+                                              :parameters => values,
+                                              :aws_secret_key => @secret_key,
+                                              :host => @endpoint.host,
+                                              :verb => "GET",
+                                              :uri  => @endpoint.path })
+      return signature
     end
     private :sign
   end

data/lib/remit/common.rb

@@ -5,6 +5,9 @@ require 'uri'
 require 'rubygems'
 require 'relax'
 
+require File.dirname(__FILE__) + '/../amazon/fps/signatureutils'
+require File.dirname(__FILE__) + '/../amazon/fps/signatureutilsforoutbound'
+
 module Remit
   class Request < Relax::Request
     def self.action(name)
@@ -63,8 +66,17 @@ module Remit
     end
 
     def sign
-      delete(:awsSignature)
-      store(:awsSignature, Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, @secret_key, "#{@uri.path}?#{to_s(false)}".gsub('%20', '+'))).strip)
+      self[Amazon::FPS::SignatureUtils::SIGNATURE_VERSION_KEYNAME] = Remit::API::SIGNATURE_VERSION
+      self[Amazon::FPS::SignatureUtils::SIGNATURE_METHOD_KEYNAME] = Amazon::FPS::SignatureUtils::HMAC_SHA256_ALGORITHM
+
+      signature = Amazon::FPS::SignatureUtils.sign_parameters({
+                                              :parameters => self,
+                                              :aws_secret_key => @secret_key,
+                                              :host => @uri.host,
+                                              :verb => "GET",
+                                              :uri  => @uri.path })
+
+      store(Amazon::FPS::SignatureUtilsForOutbound::SIGNATURE_KEYNAME.to_sym, signature)
     end
 
     def to_s(signed=true)

data/lib/remit/get_pipeline.rb

@@ -7,35 +7,36 @@ module Remit
     class Pipeline
       @parameters = []
       attr_reader :parameters
-      
+
       class << self
         # Create the parameters hash for the subclass.
         def inherited(subclass) #:nodoc:
           subclass.instance_variable_set('@parameters', [])
         end
-        
+
         def parameter(name)
           attr_accessor name
           @parameters << name
         end
-        
+
         def convert_key(key)
           key.to_s.gsub(/_(.)/) { $1.upcase }.to_sym
         end
-        
+
         # Returns a hash of all of the parameters for this request, including
         # those that are inherited.
         def parameters #:nodoc:
           (superclass.respond_to?(:parameters) ? superclass.parameters : []) + @parameters
         end
       end
-      
+
       attr_reader :api
-      
+
       parameter :pipeline_name
       parameter :return_url
       parameter :caller_key
       parameter :version
+      parameter :signature_version
       parameter :address_name
       parameter :address_line_1
       parameter :address_line_2
@@ -47,7 +48,7 @@ module Remit
 
       def initialize(api, options)
         @api = api
-        
+
         options.each do |k,v|
           self.send("#{k}=", v)
         end
@@ -55,14 +56,14 @@ module Remit
 
       def url
         uri = URI.parse(@api.pipeline_url)
-        
+
         query = {}
         self.class.parameters.each do |p|
           val = self.send(p)
-          
+
           # Convert Time values to seconds from Epoch
           val = val.to_i if val.is_a?(Time)
-          
+
           query[self.class.convert_key(p.to_s)] = val
         end
 
@@ -73,19 +74,19 @@ module Remit
         uri.to_s
       end
     end
-    
+
     class SingleUsePipeline < Pipeline
       parameter :caller_reference
       parameter :payment_reason
       parameter :payment_method
       parameter :transaction_amount
       parameter :recipient_token
-      
+
       def pipeline_name
         Remit::PipelineName::SINGLE_USE
       end
     end
-    
+
     class MultiUsePipeline < Pipeline
       parameter :caller_reference
       parameter :payment_reason
@@ -103,12 +104,12 @@ module Remit
       parameter :usage_limit_period_2
       parameter :usage_limit_value_2
       parameter :is_recipient_cobranding
-      
+
       def pipeline_name
         Remit::PipelineName::MULTI_USE
       end
     end
-    
+
     class RecipientPipeline < Pipeline
       parameter :caller_reference
       parameter :validity_start # Time or seconds from Epoch
@@ -118,7 +119,7 @@ module Remit
       parameter :caller_reference_refund
       parameter :max_variable_fee
       parameter :max_fixed_fee
-      
+
       def pipeline_name
         Remit::PipelineName::RECIPIENT
       end
@@ -132,13 +133,13 @@ module Remit
       parameter :validity_start # Time or seconds from Epoch
       parameter :validity_expiry # Time or seconds from Epoch
       parameter :payment_method
-      parameter :recurring_period  
-      
+      parameter :recurring_period
+
       def pipeline_name
         Remit::PipelineName::RECURRING
-      end 
+      end
     end
-    
+
     class PostpaidPipeline < Pipeline
       parameter :caller_reference_sender
       parameter :caller_reference_settlement
@@ -154,12 +155,25 @@ module Remit
       parameter :usage_limit_type2
       parameter :usage_limit_period2
       parameter :usage_limit_value2
-      
+
       def pipeline_name
         Remit::PipelineName::SETUP_POSTPAID
       end
     end
     
+    class PrepaidPipeline < Pipeline
+      parameter :caller_reference_sender
+      parameter :caller_reference_funding
+      parameter :payment_reason
+      parameter :payment_method
+      parameter :validity_start # Time or seconds from Epoch
+      parameter :validity_expiry # Time or seconds from Epoch
+      parameter :funding_amount
+      def pipeline_name
+        Remit::PipelineName::SETUP_PREPAID
+      end
+    end
+    
     def get_single_use_pipeline(options)
       self.get_pipeline(SingleUsePipeline, options)
     end
@@ -171,14 +185,18 @@ module Remit
     def get_recipient_pipeline(options)
       self.get_pipeline(RecipientPipeline, options)
     end
-    
+
     def get_recurring_use_pipeline(options)
       self.get_pipeline(RecurringUsePipeline, options)
     end
-    
+
     def get_postpaid_pipeline(options)
       self.get_pipeline(PostpaidPipeline, options)
     end
+
+    def get_prepaid_pipeline(options)
+      self.get_pipeline(PrepaidPipeline, options)
+    end
     
     def get_pipeline(pipeline_subclass, options)
       pipeline = pipeline_subclass.new(self, {