scout 5.7.1 → 5.7.2.pre

data/vendor/{pusher-gem → pusher}/spec/spec_helper.rb

@@ -11,3 +11,15 @@ require 'webmock/rspec'
 
 require 'pusher'
 require 'eventmachine'
+
+RSpec.configure do |config|
+  config.before(:each) do
+    WebMock.reset!
+    WebMock.disable_net_connect!
+  end
+end
+
+def hmac(key, data)
+  digest = OpenSSL::Digest::SHA256.new
+  OpenSSL::HMAC.hexdigest(digest, key, data)
+end

data/vendor/pusher/spec/web_hook_spec.rb

@@ -0,0 +1,117 @@
+require 'spec_helper'
+
+require 'rack'
+require 'stringio'
+
+describe Pusher::WebHook do
+  before :each do
+    @hook_data = {
+      "time_ms" => 123456,
+      "events" => [
+        {"name" => 'foo'}
+      ]
+    }
+  end
+
+  describe "initialization" do
+    it "can be initialized with Rack::Request" do
+      request = Rack::Request.new({
+        'HTTP_X_PUSHER_KEY' => '1234',
+        'HTTP_X_PUSHER_SIGNATURE' => 'asdf',
+        'CONTENT_TYPE' => 'application/json',
+        'rack.input' => StringIO.new(MultiJson.encode(@hook_data))
+      })
+      wh = Pusher::WebHook.new(request)
+      wh.key.should == '1234'
+      wh.signature.should == 'asdf'
+      wh.data.should == @hook_data
+    end
+
+    it "can be initialized with a hash" do
+      request = {
+        :key => '1234',
+        :signature => 'asdf',
+        :content_type => 'application/json',
+        :body => MultiJson.encode(@hook_data),
+      }
+      wh = Pusher::WebHook.new(request)
+      wh.key.should == '1234'
+      wh.signature.should == 'asdf'
+      wh.data.should == @hook_data
+    end
+  end
+
+  describe "after initialization" do
+    before :each do
+      @body = MultiJson.encode(@hook_data)
+      request = {
+        :key => '1234',
+        :signature => hmac('asdf', @body),
+        :content_type => 'application/json',
+        :body => @body
+      }
+
+      @client = Pusher::Client.new
+      @wh = Pusher::WebHook.new(request, @client)
+    end
+
+    it "should validate" do
+      @client.key = '1234'
+      @client.secret = 'asdf'
+      @wh.should be_valid
+    end
+
+    it "should not validate if key is wrong" do
+      @client.key = '12345'
+      @client.secret = 'asdf'
+      Pusher.logger.should_receive(:warn).with("Received webhook with unknown key: 1234")
+      @wh.should_not be_valid
+    end
+
+    it "should not validate if secret is wrong" do
+      @client.key = '1234'
+      @client.secret = 'asdfxxx'
+      digest = OpenSSL::Digest::SHA256.new
+      expected = OpenSSL::HMAC.hexdigest(digest, @client.secret, @body)
+      Pusher.logger.should_receive(:warn).with("Received WebHook with invalid signature: got #{@wh.signature}, expected #{expected}")
+      @wh.should_not be_valid
+    end
+
+    it "should validate with an extra token" do
+      @client.key = '12345'
+      @client.secret = 'xxx'
+      @wh.valid?({:key => '1234', :secret => 'asdf'}).should be_true
+    end
+
+    it "should validate with an array of extra tokens" do
+      @client.key = '123456'
+      @client.secret = 'xxx'
+      @wh.valid?([
+        {:key => '12345', :secret => 'wtf'},
+        {:key => '1234', :secret => 'asdf'}
+      ]).should be_true
+    end
+
+    it "should not validate if all keys are wrong with extra tokens" do
+      @client.key = '123456'
+      @client.secret = 'asdf'
+      Pusher.logger.should_receive(:warn).with("Received webhook with unknown key: 1234")
+      @wh.valid?({:key => '12345', :secret => 'asdf'}).should be_false
+    end
+
+    it "should not validate if secret is wrong with extra tokens" do
+      @client.key = '123456'
+      @client.secret = 'asdfxxx'
+      Pusher.logger.should_receive(:warn).with(/Received WebHook with invalid signature/)
+      @wh.valid?({:key => '1234', :secret => 'wtf'}).should be_false
+    end
+
+    it "should expose events" do
+      @wh.events.should == @hook_data["events"]
+    end
+
+    it "should expose time" do
+      @wh.time.should == Time.at(123.456)
+    end
+  end
+end

data/vendor/signature/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - jruby-18mode # JRuby in 1.8 mode
+  - jruby-19mode # JRuby in 1.9 mode
+  - rbx-18mode
+  - rbx-19mode
+matrix:
+  allow_failures:
+    - rvm: rbx-18mode
+    - rvm: rbx-19mode
+
+script: bundle exec rspec spec

data/vendor/signature/Gemfile

@@ -1,3 +1,3 @@
-source :rubygems
+source 'https://rubygems.org'
 
 gemspec

data/vendor/signature/README.md

@@ -1,47 +1,55 @@
 signature
 =========
 
+[![Build Status](https://secure.travis-ci.org/mloughran/signature.png?branch=master)](http://travis-ci.org/mloughran/signature)
+
 Examples
 --------
 
 Client example
 
-    params = {:some => 'parameters'}
-    token = Signature::Token.new('my_key', 'my_secret')
-    request = Signature::Request.new('POST', '/api/thing', params)
-    auth_hash = request.sign(token)
-    query_params = params.merge(auth_hash)
-    
-    HTTParty.post('http://myservice/api/thing', {
-      :query => query_params
-    })
+```ruby
+params       = {:some => 'parameters'}
+token        = Signature::Token.new('my_key', 'my_secret')
+request      = Signature::Request.new('POST', '/api/thing', params)
+auth_hash    = request.sign(token)
+query_params = params.merge(auth_hash)
+
+HTTParty.post('http://myservice/api/thing', {
+  :query => query_params
+})
+```
 
 `query_params` looks like:
 
-    {
-      :some => "parameters",
-      :auth_timestamp => 1273231888,
-      :auth_signature => "28b6bb0f242f71064916fad6ae463fe91f5adc302222dfc02c348ae1941eaf80",
-      :auth_version => "1.0",
-      :auth_key => "my_key"
-    }
+```ruby
+{
+  :some           => "parameters",
+  :auth_timestamp => 1273231888,
+  :auth_signature => "28b6bb0f242f71064916fad6ae463fe91f5adc302222dfc02c348ae1941eaf80",
+  :auth_version   => "1.0",
+  :auth_key       => "my_key"
+}
 
+```
 Server example (sinatra)
 
-    error Signature::AuthenticationError do |controller|
-      error = controller.env["sinatra.error"]
-      halt 401, "401 UNAUTHORIZED: #{error.message}\n"
-    end
+```ruby
+error Signature::AuthenticationError do |controller|
+  error = controller.env["sinatra.error"]
+  halt 401, "401 UNAUTHORIZED: #{error.message}\n"
+end
 
-    post '/api/thing' do
-      request = Signature::Request.new('POST', env["REQUEST_PATH"], params)
-      # This will raise a Signature::AuthenticationError if request does not authenticate
-      token = request.authenticate do |key|
-        Signature::Token.new(key, lookup_secret(key))
-      end
+post '/api/thing' do
+  request = Signature::Request.new('POST', env["REQUEST_PATH"], params)
+  # This will raise a Signature::AuthenticationError if request does not authenticate
+  token = request.authenticate do |key|
+    Signature::Token.new(key, lookup_secret(key))
+  end
 
-      # Do whatever you need to do
-    end
+  # Do whatever you need to do
+end
+```
 
 Developing
 ----------
@@ -49,6 +57,8 @@ Developing
     bundle
     bundle exec rspec spec/*_spec.rb
 
+Please see the travis status for a list of rubies tested against
+
 Copyright
 ---------
 

data/vendor/signature/lib/signature.rb

@@ -1,4 +1,6 @@
-require 'hmac-sha2'
+require 'openssl'
+
+require 'signature/query_encoder'
 
 module Signature
   class AuthenticationError < RuntimeError; end
@@ -18,6 +20,8 @@ module Signature
   class Request
     attr_accessor :path, :query_hash
 
+    include QueryEncoder
+
     # http://www.w3.org/TR/NOTE-datetime
     ISO8601 = "%Y-%m-%dT%H:%M:%SZ"
 
@@ -34,63 +38,139 @@ module Signature
 
       @method = method.upcase
       @path, @query_hash, @auth_hash = path, query_hash, auth_hash
+      @signed = false
     end
 
+    # Sign the request with the given token, and return the computed
+    # authentication parameters
+    #
     def sign(token)
       @auth_hash = {
         :auth_version => "1.0",
         :auth_key => token.key,
         :auth_timestamp => Time.now.to_i.to_s
       }
-
       @auth_hash[:auth_signature] = signature(token)
 
+      @signed = true
+
       return @auth_hash
     end
 
     # Authenticates the request with a token
     #
-    # Timestamp check: Unless timestamp_grace is set to nil (which will skip
-    # the timestamp check), an exception will be raised if timestamp is not
-    # supplied or if the timestamp provided is not within timestamp_grace of
-    # the real time (defaults to 10 minutes)
+    # Raises an AuthenticationError if the request is invalid.
+    # AuthenticationError exception messages are designed to be exposed to API
+    # consumers, and should help them correct errors generating signatures
+    #
+    # Timestamp: Unless timestamp_grace is set to nil (which allows this check
+    # to be skipped), AuthenticationError will be raised if the timestamp is
+    # missing or further than timestamp_grace period away from the real time
+    # (defaults to 10 minutes)
     #
-    # Signature check: Raises an exception if the signature does not match the
-    # computed value
+    # Signature: Raises AuthenticationError if the signature does not match
+    # the computed HMAC. The error contains a hint for how to sign.
     #
     def authenticate_by_token!(token, timestamp_grace = 600)
+      # Validate that your code has provided a valid token. This does not
+      # raise an AuthenticationError since passing tokens with empty secret is
+      # a code error which should be fixed, not reported to the API's consumer
+      if token.secret.nil? || token.secret.empty?
+        raise "Provided token is missing secret"
+      end
+
       validate_version!
       validate_timestamp!(timestamp_grace)
       validate_signature!(token)
       true
     end
 
+    # Authenticate the request with a token, but rather than raising an
+    # exception if the request is invalid, simply returns false
+    #
     def authenticate_by_token(token, timestamp_grace = 600)
       authenticate_by_token!(token, timestamp_grace)
     rescue AuthenticationError
       false
     end
 
-    def authenticate(timestamp_grace = 600, &block)
+    # Authenticate a request
+    #
+    # Takes a block which will be called with the auth_key from the request,
+    # and which should return a Signature::Token (or nil if no token can be
+    # found for the key)
+    #
+    # Raises errors in the same way as authenticate_by_token!
+    #
+    def authenticate(timestamp_grace = 600)
+      raise ArgumentError, "Block required" unless block_given?
       key = @auth_hash['auth_key']
-      raise AuthenticationError, "Authentication key required" unless key
+      raise AuthenticationError, "Missing parameter: auth_key" unless key
       token = yield key
-      unless token && token.secret
-        raise AuthenticationError, "Invalid authentication key"
+      unless token
+        raise AuthenticationError, "Unknown auth_key"
       end
       authenticate_by_token!(token, timestamp_grace)
       return token
     end
 
+    # Authenticate a request asynchronously
+    #
+    # This method is useful it you're running a server inside eventmachine and
+    # need to lookup the token asynchronously.
+    #
+    # The block is passed an auth key and a deferrable which should succeed
+    # with the token, or fail if the token cannot be found
+    #
+    # This method returns a deferrable which succeeds with the valid token, or
+    # fails with an AuthenticationError which can be used to pass the error
+    # back to the user
+    #
+    def authenticate_async(timestamp_grace = 600)
+      raise ArgumentError, "Block required" unless block_given?
+      df = EM::DefaultDeferrable.new
+
+      key = @auth_hash['auth_key']
+
+      unless key
+        df.fail(AuthenticationError.new("Missing parameter: auth_key"))
+        return
+      end
+
+      token_df = yield key
+      token_df.callback { |token|
+        begin
+          authenticate_by_token!(token, timestamp_grace)
+          df.succeed(token)
+        rescue AuthenticationError => e
+          df.fail(e)
+        end
+      }
+      token_df.errback {
+        df.fail(AuthenticationError.new("Unknown auth_key"))
+      }
+    ensure
+      return df
+    end
+
+    # Expose the authentication parameters for a signed request
+    #
     def auth_hash
-      raise "Request not signed" unless @auth_hash && @auth_hash[:auth_signature]
+      raise "Request not signed" unless @signed
       @auth_hash
     end
 
+    # Query parameters merged with the computed authentication parameters
+    #
+    def signed_params
+      @query_hash.merge(auth_hash)
+    end
+
     private
 
       def signature(token)
-        HMAC::SHA256.hexdigest(token.secret, string_to_sign)
+        digest = OpenSSL::Digest::SHA256.new
+        OpenSSL::HMAC.hexdigest(digest, token.secret, string_to_sign)
       end
 
       def string_to_sign
@@ -106,7 +186,9 @@ module Signature
         # Exclude signature from signature generation!
         hash.delete("auth_signature")
 
-        hash.keys.sort.map { |k| "#{k}=#{hash[k]}" }.join("&")
+        hash.sort.map do |k, v|
+          QueryEncoder.encode_param_without_escaping(k, v)
+        end.join('&')
       end
 
       def validate_version!

data/vendor/signature/lib/signature/query_encoder.rb

@@ -0,0 +1,47 @@
+module Signature
+  # Query string encoding extracted with thanks from em-http-request
+  module QueryEncoder
+    class << self
+      # URL encodes query parameters:
+      # single k=v, or a URL encoded array, if v is an array of values
+      def encode_param(k, v)
+        if v.is_a?(Array)
+          v.map { |e| escape(k) + "[]=" + escape(e) }.join("&")
+        else
+          escape(k) + "=" + escape(v)
+        end
+      end
+      
+      # Like encode_param, but doesn't url escape keys or values
+      def encode_param_without_escaping(k, v)
+        if v.is_a?(Array)
+          v.map { |e| k + "[]=" + e }.join("&")
+        else
+          "#{k}=#{v}"
+        end
+      end
+
+      private
+
+      def escape(s)
+        if defined?(EscapeUtils)
+          EscapeUtils.escape_url(s.to_s)
+        else
+          s.to_s.gsub(/([^a-zA-Z0-9_.-]+)/n) {
+            '%'+$1.unpack('H2'*bytesize($1)).join('%').upcase
+          }
+        end
+      end
+
+      if ''.respond_to?(:bytesize)
+        def bytesize(string)
+          string.bytesize
+        end
+      else
+        def bytesize(string)
+          string.size
+        end
+      end
+    end
+  end
+end