sendgrid-ruby 6.2.1 → 6.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ea1b4cb0cc31dd8e381e79b4c9f4912ddb1410bad86520d16f1ce10a379966f6
-  data.tar.gz: 3833bb588763748d2528f0a6df78de36f787b1077f82f2274144bc2ae0b4626c
+  metadata.gz: 34e9f9d2222a7a622d3a92b44006854f282296230b5e08958bdc0c3983ce1bf0
+  data.tar.gz: d2d1daecf34261120b150a4c3d64fb48b90816e18dd3b053478751365e0ae426
 SHA512:
-  metadata.gz: 36a1a916671b8a473dcba3ddcde48a6cfb1d4d5dba78aebfe7e776424ed9b15acf662ed2cbd6f905b871a48921795af128eac84a5f3a18022558f8c963d3f4af
-  data.tar.gz: 80702d4af42f97acee0c4b8c61a8adf1543d98e726174d5a2df63829970bb23a658bb415bb45b52e22d7b570cf8c6b023c2674d918155307f1824c8dd3621ca2
+  metadata.gz: ce14fa4b6341a6dac4c09aa83f999463f1c07849b05e47e5c9a596c009ba39a6ca733193c6f8543adc5aa1c989d6651a48f21223c608bda1a95d61b6e0af42a0
+  data.tar.gz: 77b872b63c84354a2f01d4a1b2717e23212f5a59a1ef8b6ae427491aabd43bc165cbbf1657383786187751b6db372ac1358e818c2f4ebe7a29e3cb17fbebce48

data/.gitignore

@@ -40,4 +40,4 @@ Gemfile.lock
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
 
-prism
+prism*

data/.travis.yml

@@ -19,7 +19,7 @@ deploy:
   gem: sendgrid-ruby
   on:
     tags: true
-    condition: $version=ruby:2.4 AND '$BUNDLE_GEMFILE == *"gemfiles/Sinatra_1.gemfile"'
+    condition: $version = ruby:2.4 && $BUNDLE_GEMFILE = *"gemfiles/Sinatra_1.gemfile"
 
 notifications:
   slack:

data/CHANGELOG.md

@@ -1,6 +1,20 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+[2020-06-25] Version 6.3.1
+--------------------------
+
+
+[2020-06-24] Version 6.3.0
+--------------------------
+**Library - Feature**
+- [PR #428](https://github.com/sendgrid/sendgrid-ruby/pull/428): adds rack middleware to make request verification easier in rack apps. Thanks to [@philnash](https://github.com/philnash)!
+- [PR #425](https://github.com/sendgrid/sendgrid-ruby/pull/425): verify signature from event webhook. Thanks to [@eshanholtz](https://github.com/eshanholtz)!
+
+**Library - Fix**
+- [PR #427](https://github.com/sendgrid/sendgrid-ruby/pull/427): drop the starkbank dependency. Thanks to [@childish-sambino](https://github.com/childish-sambino)!
+
+
 [2020-05-13] Version 6.2.1
 --------------------------
 **Library - Fix**

data/CONTRIBUTING.md

@@ -47,7 +47,7 @@ Before you decide to create a new issue, please try the following:
 
 ### Please use our Bug Report Template
 
-In order to make the process easier, we've included a [sample bug report template](https://github.com/sendgrid/sendgrid-ruby/blob/master/ISSUE_TEMPLATE.md) (borrowed from [Ghost](https://github.com/TryGhost/Ghost/)). The template uses [GitHub flavored markdown](https://help.github.com/articles/github-flavored-markdown/) for formatting.
+In order to make the process easier, we've included a [sample bug report template](ISSUE_TEMPLATE.md).
 
 <a name="improvements-to-the-codebase"></a>
 ## Improvements to the Codebase

data/Gemfile

@@ -3,4 +3,3 @@ source 'http://rubygems.org'
 gemspec
 
 gem 'ruby_http_client'
-

data/Makefile

@@ -10,4 +10,5 @@ test-integ: test
 
 version ?= ruby:latest
 test-docker:
-	curl -s https://raw.githubusercontent.com/sendgrid/sendgrid-oai/master/prism/prism.sh | version=$(version) bash
+	curl -s https://raw.githubusercontent.com/sendgrid/sendgrid-oai/master/prism/prism.sh -o prism.sh
+	version=$(version) bash ./prism.sh

data/examples/helpers/eventwebhook/example.rb

@@ -0,0 +1,16 @@
+require 'sengrid-ruby'
+include SendGrid
+
+def is_valid_signature(request)
+  public_key = 'base64-encoded public key'
+
+  event_webhook = SendGrid::EventWebhook.new
+  ec_public_key = event_webhook.convert_public_key_to_ecdsa(public_key)
+
+  event_webhook.verify_signature(
+      ec_public_key,
+      request.body.read,
+      request.env[SendGrid::EventWebhookHeader::SIGNATURE],
+      request.env[SendGrid::EventWebhookHeader::TIMESTAMP]
+  )
+end

data/lib/rack/sendgrid_webhook_verification.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Rack
+  # Middleware that verifies webhooks from SendGrid using the EventWebhook
+  # verifier.
+  #
+  # The middleware takes a public key with which to set up the request
+  # validator and any number of paths. When a path matches the incoming request
+  # path, the request will be verified using the signature and timestamp of the
+  # request.
+  #
+  # Example:
+  #
+  # require 'rack'
+  # use Rack::SendGridWebhookVerification, ENV['PUBLIC_KEY'], /\/emails/
+  #
+  # The above appends this middleware to the stack, using a public key saved in
+  # the ENV and only against paths that match /\/emails/. If the request
+  # validates then it gets passed on to the action as normal. If the request
+  # doesn't validate then the middleware responds immediately with a 403 status.
+  class SendGridWebhookVerification
+    def initialize(app, public_key, *paths)
+      @app = app
+      @public_key = public_key
+      @path_regex = Regexp.union(paths)
+    end
+
+    def call(env)
+      return @app.call(env) unless env['PATH_INFO'].match(@path_regex)
+      request = Rack::Request.new(env)
+
+      event_webhook = SendGrid::EventWebhook.new
+      ec_public_key = event_webhook.convert_public_key_to_ecdsa(@public_key)
+      verified = event_webhook.verify_signature(
+        ec_public_key,
+        request.body.read,
+        request.env[SendGrid::EventWebhookHeader::SIGNATURE],
+        request.env[SendGrid::EventWebhookHeader::TIMESTAMP]
+      )
+
+      if verified
+        return @app.call(env)
+      else
+        return [
+          403,
+          { 'Content-Type' => 'text/plain' },
+          ['SendGrid Request Verification Failed.']
+        ]
+      end
+    end
+  end
+end

data/lib/sendgrid-ruby.rb

@@ -2,6 +2,7 @@ require_relative 'sendgrid/base_interface'
 require_relative 'sendgrid/sendgrid'
 require_relative 'sendgrid/twilio_email'
 require_relative 'sendgrid/version'
+require_relative 'sendgrid/helpers/eventwebhook/eventwebhook'
 require_relative 'sendgrid/helpers/ip_management/ip_management'
 require_relative 'sendgrid/helpers/mail/asm'
 require_relative 'sendgrid/helpers/mail/attachment'
@@ -29,3 +30,4 @@ require_relative 'sendgrid/helpers/stats/email_stats'
 require_relative 'sendgrid/helpers/stats/stats_response'
 require_relative 'sendgrid/helpers/stats/metrics'
 require_relative 'sendgrid/helpers/permissions/scope'
+require_relative 'rack/sendgrid_webhook_verification'

data/lib/sendgrid/helpers/eventwebhook/eventwebhook.rb

@@ -0,0 +1,52 @@
+require 'base64'
+require 'digest'
+require 'openssl'
+
+module SendGrid
+  # This class allows you to use the Event Webhook feature. Read the docs for
+  # more details: https://sendgrid.com/docs/for-developers/tracking-events/event
+  class EventWebhook
+    # * *Args* :
+    #   - +public_key+ -> verification key under Mail Settings
+    #
+    def convert_public_key_to_ecdsa(public_key)
+      verify_engine
+      OpenSSL::PKey::EC.new(Base64.decode64(public_key))
+    end
+
+    # * *Args* :
+    #   - +public_key+ -> elliptic curve public key
+    #   - +payload+ -> event payload in the request body
+    #   - +signature+ -> signature value obtained from the 'X-Twilio-Email-Event-Webhook-Signature' header
+    #   - +timestamp+ -> timestamp value obtained from the 'X-Twilio-Email-Event-Webhook-Timestamp' header
+    def verify_signature(public_key, payload, signature, timestamp)
+      verify_engine
+      timestamped_playload = "#{timestamp}#{payload}"
+      payload_digest = Digest::SHA256.digest(timestamped_playload)
+      decoded_signature = Base64.decode64(signature)
+      public_key.dsa_verify_asn1(payload_digest, decoded_signature)
+    rescue
+      false
+    end
+
+    def verify_engine
+      # JRuby does not fully support ECDSA: https://github.com/jruby/jruby-openssl/issues/193
+      if RUBY_PLATFORM == "java"
+        raise NotSupportedError, "Event Webhook verification is not supported by JRuby"
+      end
+    end
+
+    class Error < ::RuntimeError
+    end
+
+    class NotSupportedError < Error
+    end
+  end
+
+  # This class lists headers that get posted to the webhook. Read the docs for
+  # more details: https://sendgrid.com/docs/for-developers/tracking-events/event
+  class EventWebhookHeader
+    SIGNATURE = "HTTP_X_TWILIO_EMAIL_EVENT_WEBHOOK_SIGNATURE"
+    TIMESTAMP = "HTTP_X_TWILIO_EMAIL_EVENT_WEBHOOK_TIMESTAMP"
+  end
+end

data/lib/sendgrid/version.rb

@@ -1,3 +1,3 @@
 module SendGrid
-  VERSION = '6.2.1'
+  VERSION = '6.3.1'
 end

data/sendgrid-ruby.gemspec

@@ -27,4 +27,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'faker'
   spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'minitest', '~> 5.9'
+  spec.add_development_dependency 'rack'
 end

data/spec/fixtures/event_webhook.rb

@@ -0,0 +1,16 @@
+require "json" 
+
+module Fixtures
+  module EventWebhook
+    PUBLIC_KEY = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEDr2LjtURuePQzplybdC+u4CwrqDqBaWjcMMsTbhdbcwHBcepxo7yAQGhHPTnlvFYPAZFceEu/1FwCM/QmGUhA=='
+    FAILING_PUBLIC_KEY = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEqTxd43gyp8IOEto2LdIfjRQrIbsd4SXZkLW6jDutdhXSJCWHw8REntlo7aNDthvj+y7GjUuFDb/R1NGe1OPzpA=='
+    SIGNATURE = 'MEUCIQCtIHJeH93Y+qpYeWrySphQgpNGNr/U+UyUlBkU6n7RAwIgJTz2C+8a8xonZGi6BpSzoQsbVRamr2nlxFDWYNH2j/0='
+    FAILING_SIGNATURE = 'MEUCIQCtIHJeH93Y+qpYeWrySphQgpNGNr/U+UyUlBkU6n7RAwIgJTz2C+8a8xonZGi6BpSzoQsbVRamr2nlxFDWYNH3j/0='
+    TIMESTAMP = '1588788367'
+    PAYLOAD = {
+        'category'=>'example_payload',
+        'event'=>'test_event',
+        'message_id'=>'message_id',
+    }.to_json
+  end
+end

data/spec/rack/sendgrid_webhook_verification_spec.rb

@@ -0,0 +1,116 @@
+require 'spec_helper'
+require 'rack/mock'
+require './spec/fixtures/event_webhook'
+
+unless RUBY_PLATFORM == 'java'
+  describe Rack::SendGridWebhookVerification do
+    let(:public_key) { Fixtures::EventWebhook::PUBLIC_KEY }
+    before do
+      @app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['Hello']] }
+    end
+
+    describe 'new' do
+      it 'should initialize with an app, public key and a path' do
+        expect do
+          Rack::SendGridWebhookVerification.new(@app, 'ABC', /\/email/)
+        end.not_to raise_error
+      end
+
+      it 'should initialize with an app, public key and paths' do
+        expect do
+          Rack::SendGridWebhookVerification.new(@app, 'ABC', /\/email/, /\/event/)
+        end.not_to raise_error
+      end
+    end
+
+    describe 'calling against one path' do
+      let(:middleware) { Rack::SendGridWebhookVerification.new(@app, public_key, /\/email/) }
+
+      it "should not intercept when the path doesn't match" do
+        expect(SendGrid::EventWebhook).to_not receive(:new)
+        request = Rack::MockRequest.env_for('/login')
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(200)
+      end
+
+      it 'should allow a request through if it is verified' do
+        options = {
+          :input => Fixtures::EventWebhook::PAYLOAD,
+          'Content-Type' => "application/json"
+        }
+        options[SendGrid::EventWebhookHeader::SIGNATURE] = Fixtures::EventWebhook::SIGNATURE
+        options[SendGrid::EventWebhookHeader::TIMESTAMP] = Fixtures::EventWebhook::TIMESTAMP
+        request = Rack::MockRequest.env_for('/email', options)
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(200)
+      end
+
+      it 'should short circuit a request to 403 if there is no signature or timestamp' do
+        options = {
+          :input => Fixtures::EventWebhook::PAYLOAD,
+          'Content-Type' => "application/json"
+        }
+        request = Rack::MockRequest.env_for('/email', options)
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(403)
+      end
+
+      it 'should short circuit a request to 403 if the signature is incorrect' do
+        options = {
+          :input => Fixtures::EventWebhook::PAYLOAD,
+          'Content-Type' => "application/json"
+        }
+        options[SendGrid::EventWebhookHeader::SIGNATURE] = Fixtures::EventWebhook::FAILING_SIGNATURE
+        options[SendGrid::EventWebhookHeader::TIMESTAMP] = Fixtures::EventWebhook::TIMESTAMP
+        request = Rack::MockRequest.env_for('/email', options)
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(403)
+      end
+
+      it 'should short circuit a request to 403 if the payload is incorrect' do
+        options = {
+          :input => 'payload',
+          'Content-Type' => "application/json"
+        }
+        options[SendGrid::EventWebhookHeader::SIGNATURE] = Fixtures::EventWebhook::SIGNATURE
+        options[SendGrid::EventWebhookHeader::TIMESTAMP] = Fixtures::EventWebhook::TIMESTAMP
+        request = Rack::MockRequest.env_for('/email', options)
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(403)
+      end
+    end
+
+    describe 'calling with multiple paths' do
+      let(:middleware) { Rack::SendGridWebhookVerification.new(@app, public_key, /\/email/, /\/events/) }
+
+      it "should not intercept when the path doesn't match" do
+        expect(SendGrid::EventWebhook).to_not receive(:new)
+        request = Rack::MockRequest.env_for('/sms_events')
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(200)
+      end
+
+      it 'should allow a request through if it is verified' do
+        options = {
+          :input => Fixtures::EventWebhook::PAYLOAD,
+          'Content-Type' => "application/json"
+        }
+        options[SendGrid::EventWebhookHeader::SIGNATURE] = Fixtures::EventWebhook::SIGNATURE
+        options[SendGrid::EventWebhookHeader::TIMESTAMP] = Fixtures::EventWebhook::TIMESTAMP
+        request = Rack::MockRequest.env_for('/events', options)
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(200)
+      end
+
+      it 'should short circuit a request to 403 if there is no signature or timestamp' do
+        options = {
+          :input => Fixtures::EventWebhook::PAYLOAD,
+          'Content-Type' => "application/json"
+        }
+        request = Rack::MockRequest.env_for('/events', options)
+        status, headers, body = middleware.call(request)
+        expect(status).to eq(403)
+      end
+    end
+  end
+end

data/spec/sendgrid/helpers/eventwebhook/eventwebhook_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+require './spec/fixtures/event_webhook'
+
+describe SendGrid::EventWebhook do
+  describe '.verify_signature' do
+    it 'verifies a valid signature' do
+      unless skip_jruby
+        expect(verify(
+          Fixtures::EventWebhook::PUBLIC_KEY,
+          Fixtures::EventWebhook::PAYLOAD,
+          Fixtures::EventWebhook::SIGNATURE,
+          Fixtures::EventWebhook::TIMESTAMP
+        )).to be true
+      end
+    end
+
+    it 'rejects a bad key' do
+      unless skip_jruby
+        expect(verify(
+          Fixtures::EventWebhook::FAILING_PUBLIC_KEY,
+          Fixtures::EventWebhook::PAYLOAD,
+          Fixtures::EventWebhook::SIGNATURE,
+          Fixtures::EventWebhook::TIMESTAMP
+        )).to be false
+      end
+    end
+
+    it 'rejects a bad payload' do
+      unless skip_jruby
+        expect(verify(
+          Fixtures::EventWebhook::PUBLIC_KEY,
+          'payload',
+          Fixtures::EventWebhook::SIGNATURE,
+          Fixtures::EventWebhook::TIMESTAMP
+        )).to be false
+      end
+    end
+
+    it 'rejects a bad signature' do
+      unless skip_jruby
+        expect(verify(
+          Fixtures::EventWebhook::PUBLIC_KEY,
+          Fixtures::EventWebhook::PAYLOAD,
+          Fixtures::EventWebhook::FAILING_SIGNATURE,
+          Fixtures::EventWebhook::TIMESTAMP
+        )).to be false
+      end
+    end
+
+    it 'rejects a bad timestamp' do
+      unless skip_jruby
+        expect(verify(
+          Fixtures::EventWebhook::PUBLIC_KEY,
+          Fixtures::EventWebhook::PAYLOAD,
+          Fixtures::EventWebhook::SIGNATURE,
+          'timestamp'
+        )).to be false
+      end
+    end
+
+    it 'rejects a missing signature' do
+      unless skip_jruby
+        expect(verify(
+          Fixtures::EventWebhook::PUBLIC_KEY,
+          Fixtures::EventWebhook::PAYLOAD,
+          nil,
+          Fixtures::EventWebhook::TIMESTAMP
+        )).to be false
+      end
+    end
+
+    it 'throws an error when using jruby' do
+      if skip_jruby
+        expect{ verify(
+          Fixtures::EventWebhook::PUBLIC_KEY,
+          Fixtures::EventWebhook::PAYLOAD,
+          Fixtures::EventWebhook::SIGNATURE, 
+          Fixtures::EventWebhook::TIMESTAMP
+        )}.to raise_error(SendGrid::EventWebhook::NotSupportedError)
+      end
+    end
+  end
+end
+
+describe SendGrid::EventWebhookHeader do
+  it 'sets the signature header constant' do
+    expect(SendGrid::EventWebhookHeader::SIGNATURE).to eq("HTTP_X_TWILIO_EMAIL_EVENT_WEBHOOK_SIGNATURE")
+  end
+
+  it 'sets the timestamp header constant' do
+    expect(SendGrid::EventWebhookHeader::TIMESTAMP).to eq("HTTP_X_TWILIO_EMAIL_EVENT_WEBHOOK_TIMESTAMP")
+  end
+end
+
+def verify(public_key, payload, signature, timestamp)
+  ew = SendGrid::EventWebhook.new
+  ec_public_key = ew.convert_public_key_to_ecdsa(public_key)
+  ew.verify_signature(ec_public_key, payload, signature, timestamp)
+end
+
+def skip_jruby
+  RUBY_PLATFORM == 'java'
+end

data/test/sendgrid/test_sendgrid-ruby.rb

@@ -32,7 +32,7 @@ class TestAPI < MiniTest::Test
         assert_equal(test_headers, sg.request_headers)
         assert_equal("v3", sg.version)
         assert_equal(subuser, sg.impersonate_subuser)
-        assert_equal("6.2.1", SendGrid::VERSION)
+        assert_equal("6.3.1", SendGrid::VERSION)
         assert_instance_of(SendGrid::Client, sg.client)
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sendgrid-ruby
 version: !ruby/object:Gem::Version
-  version: 6.2.1
+  version: 6.3.1
 platform: ruby
 authors:
 - Elmer Thomas
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-14 00:00:00.000000000 Z
+date: 2020-06-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby_http_client
@@ -130,6 +130,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.9'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Official Twilio SendGrid Gem to Interact with Twilio SendGrids API in
   native Ruby
 email: help@twilio.com
@@ -170,6 +184,7 @@ files:
 - examples/contactdb/contactdb.rb
 - examples/devices/devices.rb
 - examples/geo/geo.rb
+- examples/helpers/eventwebhook/example.rb
 - examples/helpers/mail/example.rb
 - examples/helpers/settings/example.rb
 - examples/helpers/stats/example.rb
@@ -189,8 +204,10 @@ files:
 - examples/user/user.rb
 - gemfiles/Sinatra_1.gemfile
 - gemfiles/Sinatra_2.gemfile
+- lib/rack/sendgrid_webhook_verification.rb
 - lib/sendgrid-ruby.rb
 - lib/sendgrid/base_interface.rb
+- lib/sendgrid/helpers/eventwebhook/eventwebhook.rb
 - lib/sendgrid/helpers/inbound/README.md
 - lib/sendgrid/helpers/inbound/app.rb
 - lib/sendgrid/helpers/inbound/config.yml
@@ -238,6 +255,9 @@ files:
 - lib/sendgrid/version.rb
 - mail_helper_v3.md
 - sendgrid-ruby.gemspec
+- spec/fixtures/event_webhook.rb
+- spec/rack/sendgrid_webhook_verification_spec.rb
+- spec/sendgrid/helpers/eventwebhook/eventwebhook_spec.rb
 - spec/sendgrid/helpers/ip_management/ip_management_spec.rb
 - spec/sendgrid/helpers/settings/mail_settings_dto_spec.rb
 - spec/sendgrid/helpers/settings/partner_settings_dto_spec.rb
@@ -276,11 +296,15 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubyforge_project: 
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Official Twilio SendGrid Gem
 test_files:
+- spec/fixtures/event_webhook.rb
+- spec/rack/sendgrid_webhook_verification_spec.rb
+- spec/sendgrid/helpers/eventwebhook/eventwebhook_spec.rb
 - spec/sendgrid/helpers/ip_management/ip_management_spec.rb
 - spec/sendgrid/helpers/settings/mail_settings_dto_spec.rb
 - spec/sendgrid/helpers/settings/partner_settings_dto_spec.rb