RubyGems - shmac - Versions diffs - 0.1.0 → 0.2.0 - Mend

shmac 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/.ruby-version +1 -0
data/.travis.yml +3 -0
data/Gemfile +1 -0
data/README.md +4 -0
data/lib/shmac.rb +8 -6
data/lib/shmac/authentication.rb +26 -5
data/lib/shmac/authorization_header.rb +5 -1
data/lib/shmac/request.rb +12 -5
data/lib/shmac/security.rb +16 -0
data/lib/shmac/signature_calculator.rb +5 -5
data/lib/shmac/version.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 134e0f7871345b0f56699849f2fcbb27da1b33b6
-  data.tar.gz: 3fa782727eea6bdcd2b7a5dea3ea0de352add1e5
+  metadata.gz: 34daa52fbfddb3e27abe5cd0c80da5cbfbb99fcd
+  data.tar.gz: 7b45ab0eff281a6385baa7c6a9911f87b9211148
 SHA512:
-  metadata.gz: fe1a5876c513ac6d943be35ad2ff21b8c4280a02f3b9c769d9cb422c5fc8efa0b348a70c1754324385f2fcbfc65f960d7174c8e71479c43ef0aafa2e275388e4
-  data.tar.gz: 436a767db4e95c9594a6f18ded0a9e489ed422f808e4f1a1c6b19afec603a537fb6f00b77e029c574d8717ed52c17e6dc6b3bf1e3722745023085d5acc82347a
+  metadata.gz: 0eb6cb29738a08567fd3f5a394f9a1d48d8dabd522202d8c8355861764e9442a046d8304b512e8e00c8a66fea0ecaea3d23ca473cd768e7a31c254ec73d4ad77
+  data.tar.gz: e3b7c7edee5a3e11c71b146b8860e5ed39778f1cfbba0441f94a08c091b576bf70a49c914b43a87e78580a00ba914d4347c624936e0789228adbc51d9729fc7c

data/.ruby-version ADDED

	@@ -0,0 +1 @@
1	+ 2.3.1

data/.travis.yml CHANGED

@@ -3,3 +3,6 @@ language: ruby
 rvm:
   - 2.3.1
 before_install: gem install bundler -v 1.12.5
+addons:
+  code_climate:
+    repo_token: 0675be7b5a92ad9afe8e8a4143f00626067a1fe4355684273b436f41932f6cf4

data/Gemfile CHANGED

@@ -2,3 +2,4 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in shmac.gemspec
 gemspec
+gem "codeclimate-test-reporter", group: :test, require: nil

data/README.md CHANGED

@@ -2,6 +2,10 @@
 Simple HMAC authentication in a semi-usable state.
+[![Build Status](https://travis-ci.org/Oktavilla/shmac.svg?branch=master)](https://travis-ci.org/Oktavilla/shmac)
+[![Code issues](https://codeclimate.com/github/Oktavilla/shmac/badges/gpa.svg)](https://codeclimate.com/github/Oktavilla/shmac)
+[![Coverage](https://codeclimate.com/github/Oktavilla/shmac/badges/coverage.svg)](https://codeclimate.com/github/Oktavilla/shmac/coverage)
 ## Installation
 Add this line to your application's Gemfile:

data/lib/shmac.rb CHANGED

@@ -1,22 +1,24 @@
 require "shmac/version"
+require "shmac/security"
 require "shmac/authentication"
 require "shmac/request_adapters"
 module Shmac
-  def self.rails secret, request, namespace: nil
-    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::Rails)
+  def self.rails secret, request, namespace: nil, options: {}
+    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::Rails, options: options)
   end
-  def self.net_http secret, request, namespace: nil
-    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::NetHttp)
+  def self.net_http secret, request, namespace: nil, options: {}
+    authentication(secret, request, namespace: namespace, request_adapter: RequestAdapters::NetHttp, options: options)
   end
-  def self.authentication secret, request, namespace: nil, request_adapter: nil
+  def self.authentication secret, request, namespace: nil, request_adapter: nil, options: {}
     Authentication.new(
       secret,
       request,
       header_namespace: namespace,
-      request_adapter: request_adapter
+      request_adapter: request_adapter,
+      options: options
     )
   end
 end

data/lib/shmac/authentication.rb CHANGED

@@ -1,11 +1,12 @@
 require "shmac/signature_calculator"
 require "shmac/authorization_header"
+require "shmac/security"
 module Shmac
   class Authentication
     include Comparable
-    attr_reader :secret, :header_namespace
+    attr_reader :secret, :header_namespace, :options
     def self.generate_authorization_header request, secret:, access_key:, organization:, header_namespace: nil
       AuthorizationHeader.generate(
@@ -19,29 +20,36 @@ module Shmac
       new(secret, request, header_namespace: header_namespace).signature
     end
-    def initialize secret, request, header_namespace: nil, request_adapter: nil
+    def initialize secret, request, header_namespace: nil, request_adapter: nil, options: {}
       @secret = secret
       @request = request
       @request_adapter = request_adapter
       @header_namespace = header_namespace
+      self.options = options
     end
     def == other
-      other.is_a?(self.class) && self.signature == other.signature
+      return false unless other.is_a?(self.class)
+      Security.secure_compare self.signature, other.signature
     end
     def signature
       SignatureCalculator.new(
         secret: self.secret,
         request: self.request,
-        header_namespace: self.header_namespace
+        header_namespace: self.header_namespace,
+        options: { skip_path: self.options[:skip_path] }
       ).to_s
     end
     def authentic?
       return false if request.authorization.to_s.strip.empty?
+      return false if request.tampered_body?
+      given_signature = AuthorizationHeader.new(request.authorization).signature
-      AuthorizationHeader.new(request.authorization).signature == self.signature
+      Security.secure_compare given_signature, self.signature
     end
     def request
@@ -51,5 +59,18 @@ module Shmac
     def request_adapter
       @request_adapter ||= ->(r) { r }
     end
+    private
+    def options= opts = {}
+      unknown_keys = opts.keys - default_options.keys
+      raise ArgumentError.new("Unknown options: #{unknown_keys.join(", ")}") if unknown_keys.any?
+      @options = default_options.merge(opts)
+    end
+    def default_options
+      { skip_path: false, validate_body_contents: true }
+    end
   end
 end

data/lib/shmac/authorization_header.rb CHANGED

@@ -1,3 +1,5 @@
+require "shmac/security"
 module Shmac
   class AuthorizationHeader
     include Comparable
@@ -17,7 +19,9 @@ module Shmac
     end
     def == other
-      other.is_a?(self.class) && self.to_s == other.to_s
+      return false unless other.is_a?(self.class)
+      Security.secure_compare self.to_s, other.to_s
     end
     def to_s

data/lib/shmac/request.rb CHANGED

@@ -1,4 +1,5 @@
 require "shmac/normalized_http_headers"
+require "shmac/security"
 module Shmac
   class Request
@@ -24,6 +25,17 @@ module Shmac
       headers.fetch("content-md5") { headers["x-content-md5"] }
     end
+    def tampered_body?
+      return false unless body
+      return false if content_md5.to_s.strip.empty?
+      !content_md5_matches_body?
+    end
+    def content_md5_matches_body?
+      Security.secure_compare content_md5, Digest::MD5.base64digest(body)
+    end
     def authorization
       # Test for x-authorization for clients that have issues with standard headers
       headers.fetch("x-authorization") { headers["authorization"] }
@@ -32,10 +44,5 @@ module Shmac
     def headers= headers
       @headers = NormalizedHttpHeaders.new(headers).to_h
     end
-    def api_version
-      headers.fetch("x-authorization-version", 0).to_i
-    end
   end
 end

data/lib/shmac/security.rb ADDED

@@ -0,0 +1,16 @@
+module Shmac
+  module Security
+    # Constant time comparison of strings
+    # Borrowed from ActiveSupport::SecurityUtils
+    def self.secure_compare a, b
+      return false if a.empty? || b.empty?
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+  end
+end

data/lib/shmac/signature_calculator.rb CHANGED

@@ -3,12 +3,13 @@ require "base64"
 module Shmac
   class SignatureCalculator
-    attr_reader :secret, :request, :header_namespace
+    attr_reader :secret, :request, :header_namespace, :options
-    def initialize secret:, request:, header_namespace: nil
+    def initialize secret:, request:, header_namespace: nil, options: {}
       @secret = secret
       @request = request
       @header_namespace = header_namespace.downcase if header_namespace
+      @options = options
     end
     def to_s
@@ -32,9 +33,8 @@ module Shmac
       platform_headers = canonicalized_platform_headers.to_s.strip
       parts << platform_headers unless platform_headers.empty?
-      # The path is expected by spec but the DPO sends the same message (including headers) to several endpoints
-      # We introduce an api version so we do not lose messages
-      parts << request.path unless request.api_version > 0
+      # Some clients do not know to which endpoint a message is sent
+      parts << request.path unless options[:skip_path]
       parts.join("\n")
     end

data/lib/shmac/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Shmac
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shmac
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Joel Junström
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-08-31 00:00:00.000000000 Z
+date: 2016-09-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -75,6 +75,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".ruby-version"
 - ".travis.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -90,6 +91,7 @@ files:
 - lib/shmac/normalized_http_headers.rb
 - lib/shmac/request.rb
 - lib/shmac/request_adapters.rb
+- lib/shmac/security.rb
 - lib/shmac/signature_calculator.rb
 - lib/shmac/version.rb
 - shmac.gemspec