request_signing 0.1.0.pre1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5befd0a9f3eb4b066c72fa1eb6a6cd630850bd52
+  data.tar.gz: 9aca1d909e3c7371023bc921d85267de50473a0f
+SHA512:
+  metadata.gz: 1c73007fc3990490803b997d85624ddd7bc402ede54cf49a8e81ba33ab876890249e075c6ad0985698951456596a9b828c8b81e8eef0ddcb9c588cf229b77d17
+  data.tar.gz: 67dcd66bcf0266f5f82328fedbb3d523459b1ba4f2f6c0e3ac47457beaef0aa00521cc0427e1e18def9463475f8c3df4c10f50e00806bce676cfd0ed8d5e70e2

data/.circleci/config.yml

@@ -0,0 +1,20 @@
+version: 2
+jobs:
+  build:
+    docker:
+       - image: circleci/ruby:2.4.1
+
+    working_directory: ~/repo
+
+    steps:
+      - checkout
+
+      - run:
+          name: install dependencies
+          command: |
+            bundle install --jobs=4 --retry=3 --path vendor/bundle
+
+      - run:
+          name: run tests
+          command: |
+            bundle exec rake test

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.vimrc

data/Gemfile

@@ -0,0 +1,15 @@
+source 'https://rubygems.org'
+
+gemspec name: "request_signing"
+
+Dir["request_signing-*.gemspec"].each do |gemspec|
+  plugin = gemspec.scan(/request_signing-(.*)\.gemspec/).flatten.first
+  gemspec(name: "request_signing-#{plugin}", development_group: plugin)
+end
+
+group :test do
+  gem "rake", "~> 10.0"
+  gem "minitest", "~> 5.0"
+  gem "rack", "~> 2.0"
+  gem "yard", "~> 0.9"
+end

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Vlad Yarotsky
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,62 @@
+# RequestSigning
+
+[![Build Status](https://circleci.com/gh/remind101/request_signing.png?style=shield&circle-token=b945a7d85dbfbd7ef5a1257a985dee1ff3b47015)](https://circleci.com/gh/remind101/request_signing)
+
+
+An extensible implementation of [http request signing spec draft](https://tools.ietf.org/html/draft-cavage-http-signatures-08)
+for Ruby HTTP clients and servers.
+
+Supports the following algorithms:
+
+* rsa-sha1
+* rsa-sha256
+* rsa-sha512
+* dsa-sha1
+* hmac-sha1
+* hmac-sha256
+* hmac-sha512
+
+Integrates with the following libraries:
+
+* rack
+* net/http
+* faraday
+
+## Installation
+
+Add these lines to your application's Gemfile:
+
+```ruby
+gem 'request_signing'
+gem 'request_signing-rack'    # for rack integration
+gem 'request_signing-faraday' # for faraday integration
+gem 'request_signing-ssm'     # for AWS SSM integration
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install request_signing request_signing-rack request_signing-faraday request_signing-ssm
+
+## Usage
+
+See [examples](./examples)
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/remind101/request_signing.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+

data/Rakefile

@@ -0,0 +1,35 @@
+require "rake/testtask"
+require "yard"
+
+require "bundler/gem_helper"
+
+gems = [
+  :request_signing,
+  :"request_signing-rack",
+  :"request_signing-faraday",
+  :"request_signing-ssm",
+]
+
+gems.each do |g|
+  namespace g do
+    Bundler::GemHelper.install_tasks :name => g.to_s
+  end
+end
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+YARD::Rake::YardocTask.new(:doc) do |t|
+  t.files = ['lib/**/*.rb']
+end
+
+task :default => :test
+
+desc "Build and install request_signing and it's plugin gems into system gems"
+task :install => gems.map { |g| "#{g}:install" }
+
+desc "Build and install request_signing and it's plugin gems into system gems without network access"
+task :"install:local" => gems.map { |g| "#{g}:install:local" }

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "request_signing"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/examples/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gem "request_signing",         "~> 0.1.0"
+gem "request_signing-rack",    "~> 0.1.0"
+gem "request_signing-faraday", "~> 0.1.0"
+gem "sinatra",                 "~> 2.0"
+gem "faraday",                 "~> 0.11"

data/examples/Gemfile.lock

@@ -0,0 +1,36 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    faraday (0.11.0)
+      multipart-post (>= 1.2, < 3)
+    multipart-post (2.0.0)
+    mustermann (1.0.1)
+    rack (2.0.3)
+    rack-protection (2.0.0)
+      rack
+    request_signing (0.1.0)
+    request_signing-faraday (0.1.0)
+      faraday (~> 0.9)
+      request_signing (= 0.1.0)
+    request_signing-rack (0.1.0)
+      rack (~> 2.0)
+      request_signing (= 0.1.0)
+    sinatra (2.0.0)
+      mustermann (~> 1.0)
+      rack (~> 2.0)
+      rack-protection (= 2.0.0)
+      tilt (~> 2.0)
+    tilt (2.0.8)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  faraday (~> 0.11)
+  request_signing (~> 0.1.0)
+  request_signing-faraday (~> 0.1.0)
+  request_signing-rack (~> 0.1.0)
+  sinatra (~> 2.0)
+
+BUNDLED WITH
+   1.15.1

data/examples/client.rb

@@ -0,0 +1,64 @@
+require 'bundler/setup'
+require 'request_signing'
+require 'faraday'
+require 'request_signing/faraday'
+
+require 'net/http'
+require 'optparse'
+require 'time'
+require 'uri'
+
+options = {
+  host:   "localhost",
+  port:   4567,
+  sign:   true,
+  client: :net_http
+}
+
+SUPPORTED_CLIENTS = [:net_http, :faraday]
+
+OptionParser.new do |opts|
+  opts.banner = "example HTTP client"
+
+  opts.on("-h", "--host HOST", "Example server host (default: localhost)") { |v| options[:host] = v }
+  opts.on("-p", "--port PORT", Integer, "Example server port (default: 4567)") { |v| options[:port] = v }
+  opts.on("-s", "--[no-]sign", "Whether the request should be signed (default: true)") { |v| options[:sign] = v }
+  opts.on("-c", "--client CLIENT", SUPPORTED_CLIENTS, "which client should be used (net_http, faraday) (default: net_http)") { |v| options[:client] = v }
+end.parse!
+
+key_store = RequestSigning::KeyStores::Static.new(
+  "client1.v1" => "uTj1izUmomtpECEhDfFb9lVDf54luNlH"
+)
+
+case options[:client]
+when :net_http
+  req = Net::HTTP::Get.new(URI("http://#{options[:host]}:#{options[:port]}/"))
+  req["Date"] = Time.now.httpdate
+
+  if options[:sign]
+    signer = RequestSigning::Signer.new(adapter: :net_http, key_store: key_store)
+    req["Signature"] =
+      signer.create_signature!(req, key_id: "client1.v1", algorithm: "hmac-sha256", headers: %w[(request-target) host date])
+  end
+
+  http = Net::HTTP.new(options[:host], options[:port])
+  http.set_debug_output(STDERR)
+  http.start do
+    response = http.request req
+    puts response.body
+  end
+when :faraday
+  conn = Faraday.new(url: "http://#{options[:host]}:#{options[:port]}") do |builder|
+    if options[:sign]
+      # note Faraday does not set the Host header, it is set downstream in in Net::HTTP::GenericRequest, but we can't use it in faraday itself.
+      builder.request :request_signing, key_store: key_store, key_id: "client1.v1", algorithm: "hmac-sha256", headers: %w[(request-target) date]
+    end
+    builder.adapter :net_http
+  end
+
+  response = conn.get("/")
+  puts response.body
+else
+  raise "Unsupported client: #{options[:client]}"
+end
+

data/examples/server.rb

@@ -0,0 +1,30 @@
+require 'bundler/setup'
+require 'sinatra'
+require 'request_signing/rack'
+
+class ExceptionHandling
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    begin
+      @app.call env
+    rescue RequestSigning::Error => e
+      [401, { "Content-Type" => "text/plain" }, ["request signature verification error: #{e.message}"]]
+    rescue => e
+      [500, { "Content-Type" => "text/plain" }, ["unknown server error: #{e.message}"]]
+    end
+  end
+end
+
+key_store = RequestSigning::KeyStores::Static.new(
+  "client1.v1" => "uTj1izUmomtpECEhDfFb9lVDf54luNlH"
+)
+
+use ExceptionHandling
+use RequestSigning::Rack::Middleware, key_store: key_store
+
+get "/" do
+  "Request signature verified successfully!"
+end

data/lib/request_signing/adapters/net_http.rb

@@ -0,0 +1,23 @@
+require "request_signing/generic_http_request"
+
+module RequestSigning
+  module Adapters
+
+    # Registers `:net_http` adapter for user with {RequestSigning::Signer}
+    #
+    # @example
+    #   s = RequestSigning::Signer.new(adapter: :net_http, key_store: key_store)
+    class NetHTTP
+      def call(r)
+        GenericHTTPRequest.new(
+          r.method.downcase,
+          r.path,
+          r.each_header.map do |h, v|
+            [h, Array(v)]
+          end.to_h
+        )
+      end
+    end
+
+  end
+end

data/lib/request_signing/adapters/plaintext.rb

@@ -0,0 +1,26 @@
+require "webrick/httprequest"
+require "webrick/config"
+require "stringio"
+
+require "request_signing/generic_http_request"
+
+module RequestSigning
+  module Adapters
+
+    # @api private
+    class Plaintext
+      def call(plaintext_http)
+        webrick_req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
+        webrick_req.parse(StringIO.new(plaintext_http))
+
+        GenericHTTPRequest.new(
+          webrick_req.request_method.downcase,
+          webrick_req.request_uri.request_uri,
+          webrick_req.header
+        )
+      end
+    end
+
+  end
+end
+

data/lib/request_signing/adapters.rb

@@ -0,0 +1,56 @@
+module RequestSigning
+
+  ##
+  # Contains adapters for various http libraries.
+  # Adapters are used by {RequestSigning::Signer} and {RequestSigning::Verifier} to
+  # convert library specific http request objects to a common format.
+  #
+  # @example Adding new adapter
+  #
+  #   require 'request_signing'
+  #
+  #   class MyAdapter
+  #     def call(my_http_library_req)
+  #       RequestSigning::GenericHTTPRequest.new(
+  #         my_http_library_req.request_method.downcase,
+  #         my_http_library_req.request_full_path,
+  #         my_http_library_req.headers.map do |h, v|
+  #           [h, Array(v)]
+  #         end.to_h
+  #       )
+  #     end
+  #   end
+  #
+  #   RequestSigning.register_adapter :my_http_library, ->() { MyAdapter.new }
+  #
+  #   # ...
+  #
+  #   req = MyHTTPLibrary::Post("/foo?bar=baz", "Date" => "Mon, 23 Oct 2017 00:00:00 GMT")
+  #   signer = RequestSigning::Signer.new(adapter: :my_http_library, key_store: key_store)
+  #   req.set_header "Signature", signer.create_signature!(req, key_id: "my_key", algorithm: "rsa-sha256", headers: %w[(request-target) date])
+  #
+  #   # ...
+  #
+  # @see RequestSigning::GenericHTTPRequest#initialize
+  ##
+  module Adapters
+    require "request_signing/adapters/plaintext"
+    require "request_signing/adapters/net_http"
+  end
+
+  @adapters = {}
+
+  def self.get_adapter(name)
+    @adapters.fetch(name).call
+  rescue KeyError
+    raise UnsupportedAdapter, name
+  end
+
+  def self.register_adapter(name, adapter_factory)
+    @adapters[name] = adapter_factory
+  end
+
+  register_adapter :plaintext, ->() { Adapters::Plaintext.new }
+  register_adapter :net_http,  ->() { Adapters::NetHTTP.new }
+
+end

data/lib/request_signing/algorithms/dsa.rb

@@ -0,0 +1,39 @@
+require "openssl"
+
+module RequestSigning
+  module Algorithms
+
+    class DSA
+      # @param digester [OpenSSL::Digest]
+      def initialize(digester)
+        @digester = digester
+      end
+
+      # @param raw_private_key [String] DSA private key
+      # @param str [String] string to sign
+      # @raise [InvalidKey] when invalid DSA private key is supplied
+      def create_signature(raw_private_key, str)
+        key = OpenSSL::PKey::DSA.new(raw_private_key)
+        key.sign(@digester, str)
+      rescue OpenSSL::PKey::DSAError => e
+        raise InvalidKey, e
+      end
+
+      # @param raw_public_key [String] DSA public key
+      # @param signature [String] signature to verify
+      # @param str [String] signed string
+      # @raise [InvalidKey] when invalid DSA public key is supplied
+      # @return true if signature is valid
+      # @return false if signature is invalid
+      def verify_signature(raw_public_key, signature, str)
+        key = OpenSSL::PKey::DSA.new(raw_public_key)
+        key.verify(@digester, signature, str)
+      rescue OpenSSL::PKey::DSAError => e
+        raise InvalidKey, e
+      rescue OpenSSL::PKey::PKeyError
+        false
+      end
+    end
+
+  end
+end

data/lib/request_signing/algorithms/hmac.rb

@@ -0,0 +1,37 @@
+require "openssl"
+
+module RequestSigning
+  module Algorithms
+
+    class HMAC
+      # @param digester [OpenSSL::Digest]
+      def initialize(digester)
+        @digester = digester
+      end
+
+      # @param hmac_secret [String] HMAC signing secret; 32-byte secret is recommended
+      # @param str [String] string to sign
+      # @raise [InvalidKey] when invalid HMAC signing secret is supplied
+      def create_signature(hmac_secret, str)
+        raise InvalidKey, "HMAC secret cannot be empty" if String(hmac_secret).empty?
+
+        OpenSSL::HMAC.digest(@digester, hmac_secret, str)
+      end
+
+      # @param hmac_secret [String] HMAC signing secret; 32-byte secret is recommended
+      # @param signature [String] signature to verify
+      # @param str [String] signed string
+      # @raise [InvalidKey] when invalid HMAC signing secret is supplied
+      # @return true if signature is valid
+      # @return false if signature is invalid
+      def verify_signature(hmac_secret, signature, str)
+        raise InvalidKey, "HMAC secret cannot be empty" if String(hmac_secret).empty?
+
+        recreated_signature = OpenSSL::HMAC.digest(@digester, hmac_secret, str)
+        signature == recreated_signature
+      end
+    end
+
+  end
+end
+

data/lib/request_signing/algorithms/rsa.rb

@@ -0,0 +1,38 @@
+require "openssl"
+
+module RequestSigning
+  module Algorithms
+
+    class RSA
+      # @param digester [OpenSSL::Digest]
+      def initialize(digester)
+        @digester = digester
+      end
+
+      # @param raw_private_key [String] RSA private key
+      # @param str [String] string to sign
+      # @raise [InvalidKey] when invalid RSA private key is supplied
+      def create_signature(raw_private_key, str)
+        key = OpenSSL::PKey::RSA.new(raw_private_key)
+        key.sign(@digester, str)
+      rescue OpenSSL::PKey::RSAError => e
+        raise InvalidKey, e
+      end
+
+      # @param raw_public_key [String] RSA public key
+      # @param signature [String] signature to verify
+      # @param str [String] signed string
+      # @raise [InvalidKey] when invalid RSA public key is supplied
+      # @return true if signature is valid
+      # @return false if signature is invalid
+      def verify_signature(raw_public_key, signature, str)
+        key = OpenSSL::PKey::RSA.new(raw_public_key)
+        key.verify(@digester, signature, str)
+      rescue OpenSSL::PKey::RSAError => e
+        raise InvalidKey, e
+      end
+    end
+
+  end
+end
+

data/lib/request_signing/algorithms.rb

@@ -0,0 +1,30 @@
+module RequestSigning
+
+  module Algorithms
+    require "request_signing/algorithms/rsa"
+    require "request_signing/algorithms/dsa"
+    require "request_signing/algorithms/hmac"
+  end
+
+  @algorithms = {}
+
+  def self.get_algorithm(name)
+    @algorithms.fetch(name).call
+  rescue KeyError
+    raise UnsupportedAlgorithm, name
+  end
+
+  def self.register_algorithm(name, algorithm_factory)
+    @algorithms[name] = algorithm_factory
+  end
+
+  register_algorithm "rsa-sha1",    ->() { Algorithms::RSA.new(OpenSSL::Digest::SHA1.new) }
+  register_algorithm "rsa-sha256",  ->() { Algorithms::RSA.new(OpenSSL::Digest::SHA256.new) }
+  register_algorithm "rsa-sha512",  ->() { Algorithms::RSA.new(OpenSSL::Digest::SHA512.new ) }
+  register_algorithm "dsa-sha1",    ->() { Algorithms::DSA.new(OpenSSL::Digest::SHA1.new) }
+  register_algorithm "hmac-sha1",   ->() { Algorithms::HMAC.new(OpenSSL::Digest::SHA1.new) }
+  register_algorithm "hmac-sha256", ->() { Algorithms::HMAC.new(OpenSSL::Digest::SHA256.new) }
+  register_algorithm "hmac-sha512", ->() { Algorithms::HMAC.new(OpenSSL::Digest::SHA512.new) }
+
+end
+

data/lib/request_signing/errors.rb

@@ -0,0 +1,37 @@
+module RequestSigning
+
+  # Base class for all errors
+  class Error < StandardError; end
+
+  # Key with specified keyId could not be found
+  class KeyNotFound < Error; end
+
+  # Provided signature does not match the request
+  class SignatureMismatch < Error; end
+
+  # Signature/Authorization header is malformed
+  class BadSignatureParameters < Error; end
+
+  # Signing algorithm is not supported
+  class UnsupportedAlgorithm < Error; end
+
+  # Library is not supported
+  class UnsupportedAdapter < Error; end
+
+  # Key can not be used to create/verify the signature by the given algorithm
+  class InvalidKey < Error; end
+
+  # Header specified in `headers` parameter for signature is
+  # not present in the request
+  class HeaderNotInRequest < Error; end
+
+  # Signature/Authorization header are missing from the request
+  class MissingSignatureHeader < Error; end
+
+  # Authorization header scheme is incorrect. It must be "Signature"
+  class UnsupportedAuthorizationScheme < Error; end
+
+  # Keys string provided to {RequestSigning::KeyStores::Static#from_string} is not valid
+  class MalformedKeysString < Error; end
+
+end

data/lib/request_signing/generic_http_request.rb

@@ -0,0 +1,47 @@
+module RequestSigning
+
+  # @api private
+  class GenericHTTPRequest
+    attr_reader :method, :headers
+
+    # HTTP/1.1 request methods
+    # @see https://tools.ietf.org/html/rfc7231#section-4.1
+    HTTP_METHODS = %w(get head post put delete connect options trace).freeze
+
+    # @api public
+    # @param method [String] HTTP request method
+    # @param request_uri [URI] part of request url after host and port, e.g. "/foo?bar=baz"
+    # @param headers [Hash{String=>Array<String>}] hash of lowercased request headers,
+    #   e.g. { "date" => ["Mon, 23 Oct 2017 00:00:00 GMT"] }
+    def initialize(method, request_uri, headers)
+      method = method.downcase
+
+      unless HTTP_METHODS.include?(method)
+        raise ArgumentError, "Invalid HTTP method"
+      end
+
+      @method = method
+      @request_uri = URI(request_uri)
+      @headers = Hash[headers].freeze
+    end
+
+
+    # :path pseudo-header
+    # @see https://tools.ietf.org/html/rfc7540#section-8.1.2.3
+    def path
+      @request_uri.to_s
+    end
+
+    def header?(name)
+      @headers.key?(name)
+    end
+
+    def ==(other)
+      return false unless self.class === other
+      method == other.method &&
+        path == other.path &&
+        headers == other.headers
+    end
+  end
+
+end

data/lib/request_signing/key_stores/static.rb

@@ -0,0 +1,54 @@
+require "request_signing/errors"
+
+module RequestSigning
+  module KeyStores
+
+    # Simple static key store implementation.
+    # @see RequestSigning::Signer
+    # @see RequestSigning::Verifier
+    class Static
+
+      ##
+      # Makes a new instance of {RequestSigning::KeyStores::Static} from `keys_str`
+      #
+      # @param keys_str [String] a list of keys in the form of
+      #   `keyId:keySecret,keyId2:keySecret2`
+      # @raise [RequestSigning::MalformedKeysString] when the `keys_str` is malformed
+      #
+      # @note not recommended for use with anything other than HMAC secrets.
+      ##
+      def self.from_string(keys_str)
+        keys = keys_str.split(",").each_with_object({}) do |id_key, r|
+          id, key = id_key.split(":", 2).map(&:strip)
+          raise MalformedKeysString unless id && key
+          r[id] = key
+        end
+        new(keys)
+      end
+
+      # @param keys [Hash{String=>String}] a map from keyId to key value
+      # @example
+      #   RequestSigning::KeyStores::Static.new("my_key" => "key secret")
+      def initialize(keys)
+        @keys = keys
+      end
+
+      # @param key_id [String] id of the key to retrieve
+      # @return [String] key contents
+      # @raise [RequestSigning::KeyNotFound] when requested key is not found
+      def fetch(key_id)
+        @keys.fetch(key_id)
+      rescue KeyError
+        raise KeyNotFound, key_id
+      end
+
+      # @param key_id [String] id of the key
+      # @return true if store knows this key
+      # @return false if store does not recognize the key
+      def key?(key_id)
+        @keys.key?(key_id)
+      end
+    end
+
+  end
+end

data/lib/request_signing/key_stores.rb

@@ -0,0 +1,5 @@
+module RequestSigning
+  module KeyStores
+    require "request_signing/key_stores/static"
+  end
+end

data/lib/request_signing/parameter_parser.rb

@@ -0,0 +1,41 @@
+require "webrick/httputils"
+require "request_signing/errors"
+require "request_signing/signature_parameters"
+
+module RequestSigning
+
+  # @api private
+  class ParameterParser
+    def parse(signature_parameters_str)
+      values = values_hash(signature_parameters_str)
+      raise BadSignatureParameters, "keyId is required"     if String(values["keyId"]).empty?
+      raise BadSignatureParameters, "algorithm is required" if String(values["algorithm"]).empty?
+      raise BadSignatureParameters, "signature is required" if String(values["signature"]).empty?
+
+      headers = String(values["headers"]).split(" ").map(&:downcase)
+      headers = ["date"] if headers.empty?
+
+      SignatureParameters.new(
+        key_id:    values["keyId"],
+        algorithm: values["algorithm"],
+        headers:   headers,
+        signature: values["signature"]
+      )
+    end
+
+    private
+
+    def values_hash(signature_parameters_str)
+      fields = WEBrick::HTTPUtils.split_header_value(signature_parameters_str)
+      fields.each_with_object({}) do |f, r|
+        fname, quoted_value = f.split("=", 2).map { |t| String(t).strip }
+        unless quoted_value =~ /\A".*\"\Z/
+          raise BadSignatureParameters, "malformed field value"
+        end
+        value = WEBrick::HTTPUtils.dequote(quoted_value)
+        r[fname] = value
+      end
+    end
+  end
+
+end

data/lib/request_signing/signature_parameters.rb

@@ -0,0 +1,31 @@
+require "webrick/httputils"
+
+module RequestSigning
+
+  # @api private
+  class SignatureParameters
+    attr_reader :key_id, :algorithm, :headers, :signature
+
+    def initialize(key_id:, algorithm:, headers:, signature:)
+      @key_id = key_id
+      @algorithm = algorithm
+      @headers = headers
+      @signature = signature
+    end
+
+    def to_s
+      "keyId=#{quote(key_id)},algorithm=#{quote(algorithm)},headers=#{quote(headers_str)},signature=#{quote(signature)}"
+    end
+
+    private
+
+    def quote(str)
+      WEBrick::HTTPUtils.quote(str)
+    end
+
+    def headers_str
+      headers.join(" ")
+    end
+  end
+
+end

data/lib/request_signing/version.rb

@@ -0,0 +1,3 @@
+module RequestSigning
+  VERSION = "0.1.0.pre1"
+end

data/lib/request_signing.rb

@@ -0,0 +1,213 @@
+require "request_signing/version"
+require "uri"
+require "base64"
+require "request_signing/generic_http_request"
+require "request_signing/parameter_parser"
+require "request_signing/adapters"
+require "request_signing/algorithms"
+require "request_signing/errors"
+require "request_signing/key_stores"
+require "request_signing/signature_parameters"
+
+# @see RequestSigning::Signer
+# @see RequestSigning::Verifier
+module RequestSigning
+
+  # Verifies the request signature
+  #
+  # @see RequestSigning::Rack
+  class Verifier
+
+    ##
+    # @param adapter [Symbol] name of the library adapter.
+    # @param key_store [#fetch, #key?] signature verification key store
+    #
+    # @raise [RequestSigning::UnsupportedAdapter] when the adapter is not registered
+    #
+    # @see RequestSigning::Adapters
+    # @see RequestSigning::KeyStores::Static
+    ##
+    def initialize(adapter:, key_store:)
+      @adapter = RequestSigning.get_adapter(adapter)
+      @key_store = key_store
+    end
+
+    ##
+    # Verifies request signature
+    #
+    # @param req - an http request object from the library specified via :adapter
+    #
+    # @raise [RequestSigning::SignatureMismatch] when the signature is invalid
+    # @raise [RequestSigning::KeyNotFound] when the key store does not contain the key
+    #   referenced in the request
+    # @raise [RequestSigning::BadSignatureParameters] when the signature is malformed
+    # @raise [RequestSigning::UnsupportedAlgorithm] when the algorithm referenced
+    #   in the request is not supported
+    # @raise [RequestSigning::InvalidKey] when the key in key store can not be used
+    #   to verify the signature
+    # @raise [RequestSigning::HeaderNotInRequest] when one of the headers specified
+    #   in `headers` signature component is not present in the request
+    # @raise [RequestSigning::MissingSignatureHeader] when neither `Signature` nor
+    #   `Authorization` headers are present
+    # @raise [RequestSigning::UnsupportedAuthorizationScheme] when the scheme
+    #   specified in the `Authorization` header is not `Signature` and the `Signature`
+    #   header is absent
+    ##
+    def verify!(req)
+      verifiable_req = @adapter.call(req)
+      signature_parameters = get_signature_parameters(verifiable_req)
+
+      key = get_key(signature_parameters.key_id)
+      alg = get_algorithm(signature_parameters.algorithm)
+      string_for_signing = RequestSigning.make_string_for_signing(signature_parameters.headers, verifiable_req)
+      signature = decode_signature(signature_parameters.signature)
+      unless alg.verify_signature(key, signature, string_for_signing)
+        raise SignatureMismatch
+      end
+    end
+
+    private
+
+    def get_signature_parameters(req)
+      if req.header?("signature")
+        parameters_str = req.headers["signature"].first
+        ParameterParser.new.parse(parameters_str)
+      elsif req.header?("authorization")
+        auth_header = req.headers["authorization"].first
+        auth_scheme, parameters_str = auth_header.split(" ", 2).map(&:strip)
+        unless auth_scheme == "Signature"
+          raise UnsupportedAuthorizationScheme, "Authorization header scheme must be 'Signature'"
+        end
+        ParameterParser.new.parse(parameters_str)
+      else
+        raise MissingSignatureHeader, "request must contain either Authorization or Signature header"
+      end
+    end
+
+    def get_algorithm(name)
+      RequestSigning.get_algorithm(name)
+    end
+
+    def get_key(id)
+      @key_store.fetch(id)
+    end
+
+    def decode_signature(signature_base64)
+      Base64.strict_decode64(signature_base64)
+    rescue ArgumentError
+      raise BadSignatureParameters, "malformed signature"
+    end
+  end
+
+  ##
+  # Creates request signature string
+  #
+  # @example
+  #   key_store = RequestSigning::KeyStores::Static.new(
+  #     "app_1.v1" => ENV["APP_1_PRIVATE_KEY"],
+  #     "app_2.v1" => ENV["APP_2_PRIVATE_KEY"],
+  #   )
+  #   req = Net::HTTP::Get.new("/foo?bar=baz")
+  #   req["Date"] = "Thu, 05 Jan 2014 21:31:40 GMT"
+  #   req["Signature"] =
+  #     @signer.create_signature!(req, key_id: "app_1.v1", algorithm: "rsa-sha256", headers: %w[(request-target) date host])
+  #   Net::HTTP.start("http://example.com", 80) do |http|
+  #     response = http.request(req)
+  #   end
+  ##
+  class Signer
+    ##
+    # @param adapter [Symbol] name of the library adapter.
+    # @param key_store [#fetch, #key?] signature verification key store
+    #
+    # @raise [RequestSigning::UnsupportedAdapter] when the adapter is not registered
+    #
+    # @see RequestSigning::Adapters
+    # @see RequestSigning::KeyStores::Static
+    ##
+    def initialize(adapter:, key_store:)
+      @adapter = RequestSigning.get_adapter(adapter)
+      @key_store = key_store
+    end
+
+    ##
+    # Creates a signature string
+    #
+    # @example
+    #   keyId="hmac",algorithm="hmac-sha256",headers="date",signature="id0KmonZJTY53n+fk27Q5CtroeQ5UyRY/tbotiuhob4="
+    #
+    # @param req an http request object from the library specified via :adapter; see {RequestSigning::Adapters}
+    # @param key_id [String] key id to use for signing
+    # @param algorithm [String] algorithm to use for signing, e.g. `"rsa-sha256"`
+    # @param headers [Array<String>] headers to sign
+    #
+    #   May include special `(request-target)` header.
+    #
+    #   The recommendation is to sign:
+    #   - for HTTPS requests - `["(request-target"), "host", "date"]`
+    #   - for HTTP requests - all headers
+    #
+    #   See {https://tools.ietf.org/html/draft-cavage-http-signatures-08#section-2.3}
+    #
+    # @return [String] signature components string. See example above.
+    #
+    # @raise [RequestSigning::KeyNotFound] when the key store does not contain the key
+    #   referenced in the :key_id parameter
+    # @raise [RequestSigning::UnsupportedAlgorithm] when the algorithm referenced
+    #   in :algorithm parameter is not supported
+    # @raise [RequestSigning::InvalidKey] when the key in key store can not be used
+    #   to create the signature
+    # @raise [RequestSigning::HeaderNotInRequest] when one of the headers specified
+    #   in `headers` signature component is not present in the request
+    ##
+    def create_signature!(req, key_id:, algorithm:, headers: %w[date])
+      signable_req = @adapter.call(req)
+
+      headers = normalize_headers(headers)
+      key = get_key(key_id)
+      alg = get_algorithm(algorithm)
+      string_for_signing = RequestSigning.make_string_for_signing(headers, signable_req)
+      signature = alg.create_signature(key, string_for_signing)
+      SignatureParameters.new(
+        key_id:    key_id,
+        algorithm: algorithm,
+        headers:   headers,
+        signature: encode_signature(signature)
+      )
+    end
+
+    private
+
+    def get_algorithm(name)
+      RequestSigning.get_algorithm(name)
+    end
+
+    def get_key(id)
+      @key_store.fetch(id)
+    end
+
+    def encode_signature(signature)
+      Base64.strict_encode64(signature).chomp
+    end
+
+    def normalize_headers(headers)
+      headers.map(&:downcase)
+    end
+  end
+
+  # @api private
+  def self.make_string_for_signing(headers_list, verifiable_req)
+    headers_list.each_with_object([]) do |h, a|
+      case h
+      when "(request-target)"
+        a << "(request-target): #{verifiable_req.method.downcase} #{verifiable_req.path}"
+      else
+        vs = Array(verifiable_req.headers[h])
+        if vs.empty?
+          raise HeaderNotInRequest, h
+        end
+        a << "#{h}: #{vs.join(", ").strip}"
+      end
+    end.join("\n")
+  end
+end

data/request_signing-faraday.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'request_signing/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "request_signing-faraday"
+  spec.version       = "0.1.0.pre1"
+  spec.authors       = ["Vlad Yarotsky"]
+  spec.email         = ["vlad@remind101.com"]
+
+  spec.summary       = %q{Faraday middleware for request signing}
+  spec.description   = %q{Faraday middleware for request signing}
+  spec.homepage      = "https://github.com/remind101/request_signing"
+  spec.license       = "MIT"
+
+  spec.files         = ["lib/request_signing/faraday.rb"]
+
+  spec.require_paths = ["lib"]
+  spec.metadata["yard.run"] = "yri"
+
+  spec.add_dependency "request_signing", RequestSigning::VERSION
+  spec.add_dependency "faraday", "~> 0.9"
+end

data/request_signing-rack.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'request_signing/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "request_signing-rack"
+  spec.version       = "0.1.0.pre1"
+  spec.authors       = ["Vlad Yarotsky"]
+  spec.email         = ["vlad@remind101.com"]
+
+  spec.summary       = %q{Rack middleware for request signature verification}
+  spec.description   = %q{Rack middleware for request signature verification based on request_signing}
+  spec.homepage      = "https://github.com/remind101/request_signing"
+  spec.license       = "MIT"
+
+  spec.files         = ["lib/request_signing/rack.rb"]
+
+  spec.require_paths = ["lib"]
+  spec.metadata["yard.run"] = "yri"
+
+  spec.add_dependency "request_signing", RequestSigning::VERSION
+  spec.add_dependency "rack", "~> 2.0"
+end

data/request_signing-ssm.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'request_signing/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "request_signing-ssm"
+  spec.version       = "0.1.0.pre1"
+  spec.authors       = ["Vlad Yarotsky"]
+  spec.email         = ["vlad@remind101.com"]
+
+  spec.summary       = %q{AWS SSM key store for request_signing gem}
+  spec.description   = %q{AWS SSM key store for request_signing gem}
+  spec.homepage      = "https://github.com/remind101/request_signing"
+  spec.license       = "MIT"
+
+  spec.files         = ["lib/request_signing/ssm.rb"]
+
+  spec.require_paths = ["lib"]
+  spec.metadata["yard.run"] = "yri"
+
+  spec.add_dependency "request_signing", RequestSigning::VERSION
+  spec.add_dependency "aws-sdk-ssm", "~> 1"
+end

data/request_signing.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'request_signing/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "request_signing"
+  spec.version       = RequestSigning::VERSION
+  spec.authors       = ["Vlad Yarotsky"]
+  spec.email         = ["vlad@remind101.com"]
+
+  spec.summary       = %q{Implementation of http request signing draft https://tools.ietf.org/html/draft-cavage-http-signatures-08}
+  spec.description   = %q{Implementation of http request signing draft https://tools.ietf.org/html/draft-cavage-http-signatures-08}
+  spec.homepage      = "https://github.com/remind101/request_signing"
+  spec.license       = "MIT"
+
+  plugin_files = Dir["request_signing-*.gemspec"].map { |gemspec|
+    eval(File.read(gemspec)).files
+  }.flatten.uniq
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end - plugin_files
+
+  spec.require_paths = ["lib"]
+  spec.metadata["yard.run"] = "yri"
+end

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: request_signing
+version: !ruby/object:Gem::Version
+  version: 0.1.0.pre1
+platform: ruby
+authors:
+- Vlad Yarotsky
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-10-27 00:00:00.000000000 Z
+dependencies: []
+description: Implementation of http request signing draft https://tools.ietf.org/html/draft-cavage-http-signatures-08
+email:
+- vlad@remind101.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".circleci/config.yml"
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- examples/Gemfile
+- examples/Gemfile.lock
+- examples/client.rb
+- examples/server.rb
+- lib/request_signing.rb
+- lib/request_signing/adapters.rb
+- lib/request_signing/adapters/net_http.rb
+- lib/request_signing/adapters/plaintext.rb
+- lib/request_signing/algorithms.rb
+- lib/request_signing/algorithms/dsa.rb
+- lib/request_signing/algorithms/hmac.rb
+- lib/request_signing/algorithms/rsa.rb
+- lib/request_signing/errors.rb
+- lib/request_signing/generic_http_request.rb
+- lib/request_signing/key_stores.rb
+- lib/request_signing/key_stores/static.rb
+- lib/request_signing/parameter_parser.rb
+- lib/request_signing/signature_parameters.rb
+- lib/request_signing/version.rb
+- request_signing-faraday.gemspec
+- request_signing-rack.gemspec
+- request_signing-ssm.gemspec
+- request_signing.gemspec
+homepage: https://github.com/remind101/request_signing
+licenses:
+- MIT
+metadata:
+  yard.run: yri
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: Implementation of http request signing draft https://tools.ietf.org/html/draft-cavage-http-signatures-08
+test_files: []