RubyGems - shmac - Versions diffs - 0.1.0 → 0.2.0 - Mend

shmac 0.1.0 → 0.2.0

Files changed (13) hide show

checksums.yaml +4 -4
data/.ruby-version +1 -0
data/.travis.yml +3 -0
data/Gemfile +1 -0
data/README.md +4 -0
data/lib/shmac.rb +8 -6
data/lib/shmac/authentication.rb +26 -5
data/lib/shmac/authorization_header.rb +5 -1
data/lib/shmac/request.rb +12 -5
data/lib/shmac/security.rb +16 -0
data/lib/shmac/signature_calculator.rb +5 -5
data/lib/shmac/version.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 134e0f7871345b0f56699849f2fcbb27da1b33b6
-  data.tar.gz: 3fa782727eea6bdcd2b7a5dea3ea0de352add1e5
+  metadata.gz: 34daa52fbfddb3e27abe5cd0c80da5cbfbb99fcd
+  data.tar.gz: 7b45ab0eff281a6385baa7c6a9911f87b9211148
 SHA512:
-  metadata.gz: fe1a5876c513ac6d943be35ad2ff21b8c4280a02f3b9c769d9cb422c5fc8efa0b348a70c1754324385f2fcbfc65f960d7174c8e71479c43ef0aafa2e275388e4
-  data.tar.gz: 436a767db4e95c9594a6f18ded0a9e489ed422f808e4f1a1c6b19afec603a537fb6f00b77e029c574d8717ed52c17e6dc6b3bf1e3722745023085d5acc82347a
+  metadata.gz: 0eb6cb29738a08567fd3f5a394f9a1d48d8dabd522202d8c8355861764e9442a046d8304b512e8e00c8a66fea0ecaea3d23ca473cd768e7a31c254ec73d4ad77
+  data.tar.gz: e3b7c7edee5a3e11c71b146b8860e5ed39778f1cfbba0441f94a08c091b576bf70a49c914b43a87e78580a00ba914d4347c624936e0789228adbc51d9729fc7c

data/.ruby-version ADDED

	@@ -0,0 +1 @@
1	+ 2.3.1

data/.travis.yml CHANGED

@@ -3,3 +3,6 @@ language: ruby
 rvm:
   - 2.3.1
 before_install: gem install bundler -v 1.12.5
+addons:
+  code_climate:
+    repo_token: 0675be7b5a92ad9afe8e8a4143f00626067a1fe4355684273b436f41932f6cf4

data/Gemfile CHANGED

@@ -2,3 +2,4 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in shmac.gemspec
 gemspec
+gem "codeclimate-test-reporter", group: :test, require: nil

data/README.md CHANGED

@@ -2,6 +2,10 @@
 Simple HMAC authentication in a semi-usable state.
+[![Build Status](https://travis-ci.org/Oktavilla/shmac.svg?branch=master)](https://travis-ci.org/Oktavilla/shmac)
+[![Code issues](https://codeclimate.com/github/Oktavilla/shmac/badges/gpa.svg)](https://codeclimate.com/github/Oktavilla/shmac)
+[![Coverage](https://codeclimate.com/github/Oktavilla/shmac/badges/coverage.svg)](https://codeclimate.com/github/Oktavilla/shmac/coverage)
 ## Installation
 Add this line to your application's Gemfile:

data/lib/shmac.rb CHANGED

@@ -1,22 +1,24 @@
 require "shmac/version"
+require "shmac/security"
 require "shmac/authentication"
 require "shmac/request_adapters"
 module Shmac
-  def self.rails secret, request, namespace: nil
-    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::Rails)
+  def self.rails secret, request, namespace: nil, options: {}
+    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::Rails, options: options)
   end
-  def self.net_http secret, request, namespace: nil
-    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::NetHttp)
+  def self.net_http secret, request, namespace: nil, options: {}
+    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::NetHttp, options: options)
   end
-  def self.authentication secret, request, namespace: nil, request_adapter: nil
+  def self.authentication secret, request, namespace: nil, request_adapter: nil, options: {}
     Authentication.new(
       secret,
       request,
       header_namespace: namespace,
-      request_adapter: request_adapter
+      request_adapter: request_adapter,
+      options: options
     )
   end
 end

data/lib/shmac/authentication.rb CHANGED

@@ -1,11 +1,12 @@
 require "shmac/signature_calculator"
 require "shmac/authorization_header"
+require "shmac/security"
 module Shmac
   class Authentication
     include Comparable
-    attr_reader :secret, :header_namespace
+    attr_reader :secret, :header_namespace, :options
     def self.generate_authorization_header request, secret:, access_key:, organization:, header_namespace: nil
       AuthorizationHeader.generate(
@@ -19,29 +20,36 @@ module Shmac
       new(secret, request, header_namespace: header_namespace).signature
     end
-    def initialize secret, request, header_namespace: nil, request_adapter: nil
+    def initialize secret, request, header_namespace: nil, request_adapter: nil, options: {}
       @secret = secret
       @request = request
       @request_adapter = request_adapter
       @header_namespace = header_namespace
+      self.options = options
     end
     def == other
-      other.is_a?(self.class) && self.signature == other.signature
+      return false unless other.is_a?(self.class)
+      Security.secure_compare self.signature, other.signature
     end
     def signature
       SignatureCalculator.new(
         secret: self.secret,
         request: self.request,
-        header_namespace: self.header_namespace
+        header_namespace: self.header_namespace,
+        options: { skip_path: self.options[:skip_path] }
       ).to_s
     end
     def authentic?
       return false if request.authorization.to_s.strip.empty?
+      return false if request.tampered_body?
+      given_signature = AuthorizationHeader.new(request.authorization).signature
-      AuthorizationHeader.new(request.authorization).signature == self.signature
+      Security.secure_compare given_signature, self.signature
     end
     def request
@@ -51,5 +59,18 @@ module Shmac
     def request_adapter
       @request_adapter ||= ->(r) { r }
     end
+    private
+    def options= opts = {}
+      unknown_keys = opts.keys - default_options.keys
+      raise ArgumentError.new("Unknown options: #{unknown_keys.join(", ")}") if unknown_keys.any?
+      @options = default_options.merge(opts)
+    end
+    def default_options
+      { skip_path: false, validate_body_contents: true }
+    end
   end
 end

data/lib/shmac/authorization_header.rb CHANGED

@@ -1,3 +1,5 @@
+require "shmac/security"
 module Shmac
   class AuthorizationHeader
     include Comparable
@@ -17,7 +19,9 @@ module Shmac
     end
     def == other
-      other.is_a?(self.class) && self.to_s == other.to_s
+      return false unless other.is_a?(self.class)
+      Security.secure_compare self.to_s, other.to_s
     end
     def to_s

data/lib/shmac/request.rb CHANGED

@@ -1,4 +1,5 @@
 require "shmac/normalized_http_headers"
+require "shmac/security"
 module Shmac
   class Request
@@ -24,6 +25,17 @@ module Shmac
       headers.fetch("content-md5") { headers["x-content-md5"] }
     end
+    def tampered_body?
+      return false unless body
+      return false if content_md5.to_s.strip.empty?
+      !content_md5_matches_body?
+    end
+    def content_md5_matches_body?
+      Security.secure_compare content_md5, Digest::MD5.base64digest(body)
+    end
     def authorization
       # Test for x-authorization for clients that have issues with standard headers
       headers.fetch("x-authorization") { headers["authorization"] }
@@ -32,10 +44,5 @@ module Shmac
     def headers= headers
       @headers = NormalizedHttpHeaders.new(headers).to_h
     end
-    def api_version
-      headers.fetch("x-authorization-version", 0).to_i
-    end
   end
 end

data/lib/shmac/security.rb ADDED

@@ -0,0 +1,16 @@
+module Shmac
+  module Security
+    # Constant time comparison of strings
+    # Borrowed from ActiveSupport::SecurityUtils
+    def self.secure_compare a, b
+      return false if a.empty? || b.empty?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+  end
+end

data/lib/shmac/signature_calculator.rb CHANGED

@@ -3,12 +3,13 @@ require "base64"
 module Shmac
   class SignatureCalculator
-    attr_reader :secret, :request, :header_namespace
+    attr_reader :secret, :request, :header_namespace, :options
-    def initialize secret:, request:, header_namespace: nil
+    def initialize secret:, request:, header_namespace: nil, options: {}
       @secret = secret
       @request = request
       @header_namespace = header_namespace.downcase if header_namespace
+      @options = options
     end
     def to_s
@@ -32,9 +33,8 @@ module Shmac
       platform_headers = canonicalized_platform_headers.to_s.strip
       parts << platform_headers unless platform_headers.empty?
-      # The path is expected by spec but the DPO sends the same message (including headers) to several endpoints
-      # We introduce an api version so we do not lose messages
-      parts << request.path unless request.api_version > 0
+      # Some clients do not know to which endpoint a message is sent
+      parts << request.path unless options[:skip_path]
       parts.join("\n")
     end

data/lib/shmac/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Shmac
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shmac
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Joel Junström
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-08-31 00:00:00.000000000 Z
+date: 2016-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -75,6 +75,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".ruby-version"
 - ".travis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -90,6 +91,7 @@ files:
 - lib/shmac/normalized_http_headers.rb
 - lib/shmac/request.rb
 - lib/shmac/request_adapters.rb
+- lib/shmac/security.rb
 - lib/shmac/signature_calculator.rb
 - lib/shmac/version.rb
 - shmac.gemspec