signature-acd 0.1.9

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: bb3d0b4d61f9b917ea4ff7b3767ee3b3fabd276b
+  data.tar.gz: 94b38fe0aca3221961c9919dd57e6cda345ac5fd
+SHA512:
+  metadata.gz: fc32e214764d82a4e18266a0ec90831c64587507d57fc0c49332449f7dbeb0b4bef74db5be0f7d5b17175c66e0ef6b6a844a5571cdceb2f62c428d7ac3aeee1d
+  data.tar.gz: 68f96770675a1ec5ff91e57c09a72b79438ec9f1111e11468a90bc6146496bea6af2f3fc6e0f7420bf4ec3f068a39a4058ef6f4b12bcc8bb756158b23e5fb7e6

data/.gitignore

@@ -0,0 +1,23 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC
+.rbx
+.rspec

data/.travis.yml

@@ -0,0 +1,18 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - jruby-18mode
+  - jruby-19mode
+  - rbx-18mode
+  - rbx-19mode
+matrix:
+  allow_failures:
+    - rvm: jruby-18mode
+    - rvm: jruby-19mode
+    - rvm: rbx-18mode
+    - rvm: rbx-19mode
+
+script: bundle exec rspec spec

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,41 @@
+PATH
+  remote: .
+  specs:
+    signature (0.1.9)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    bacon (1.2.0)
+    coderay (1.1.0)
+    diff-lcs (1.2.5)
+    em-spec (0.2.6)
+      bacon
+      eventmachine
+      rspec (> 2.6.0)
+      test-unit
+    eventmachine (1.0.3)
+    method_source (0.8.2)
+    pry (0.9.12.6)
+      coderay (~> 1.0)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.8)
+    rspec-expectations (2.14.5)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.6)
+    slop (3.5.0)
+    test-unit (2.5.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  em-spec
+  pry
+  rspec
+  signature!

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Martyn Loughran
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,65 @@
+signature
+=========
+
+[![Build Status](https://secure.travis-ci.org/mloughran/signature.png?branch=master)](http://travis-ci.org/mloughran/signature)
+
+Examples
+--------
+
+Client example
+
+```ruby
+params       = {:some => 'parameters'}
+token        = Signature::Token.new('my_key', 'my_secret')
+request      = Signature::Request.new('POST', '/api/thing', params)
+auth_hash    = request.sign(token)
+query_params = params.merge(auth_hash)
+
+HTTParty.post('http://myservice/api/thing', {
+  :query => query_params
+})
+```
+
+`query_params` looks like:
+
+```ruby
+{
+  :some           => "parameters",
+  :auth_timestamp => 1273231888,
+  :auth_signature => "28b6bb0f242f71064916fad6ae463fe91f5adc302222dfc02c348ae1941eaf80",
+  :auth_version   => "1.0",
+  :auth_key       => "my_key"
+}
+
+```
+Server example (sinatra)
+
+```ruby
+error Signature::AuthenticationError do |controller|
+  error = controller.env["sinatra.error"]
+  halt 401, "401 UNAUTHORIZED: #{error.message}\n"
+end
+
+post '/api/thing' do
+  request = Signature::Request.new('POST', env["REQUEST_PATH"], params)
+  # This will raise a Signature::AuthenticationError if request does not authenticate
+  token = request.authenticate do |key|
+    Signature::Token.new(key, lookup_secret(key))
+  end
+
+  # Do whatever you need to do
+end
+```
+
+Developing
+----------
+
+    bundle
+    bundle exec rspec spec/*_spec.rb
+
+Please see the travis status for a list of rubies tested against
+
+Copyright
+---------
+
+Copyright (c) 2010 Martyn Loughran. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/lib/signature.rb

@@ -0,0 +1,4 @@
+require 'signature/exceptions'
+require 'signature/token'
+require 'signature/query_encoder'
+require 'signature/request'

data/lib/signature/exceptions.rb

@@ -0,0 +1,3 @@
+module Signature
+  class AuthenticationError < RuntimeError; end
+end

data/lib/signature/header.rb

@@ -0,0 +1,31 @@
+module Signature
+  module Header
+    class Request < ::Signature::Request
+      AUTH_HEADER_PREFIX = "X-API-"
+      AUTH_HEADER_PREFIX_REGEX = /^X\-API\-(AUTH\-.+)$/
+
+      def self.parse_headers headers={}
+        hh = {}
+        headers.each do |k,v|
+          if match = k.upcase.match(AUTH_HEADER_PREFIX_REGEX)
+            hh[match[1].downcase.gsub!('-', '_')] = v
+          end
+        end
+        hh
+      end
+
+      def initialize method, path, query={}, headers={}
+        auth_hash = self.class.parse_headers(headers)
+        super(method, path, query.merge(auth_hash))
+      end
+
+      def sign token
+        auth_hash = super(token)
+        auth_hash.inject({}) do |memo, (k,v)|
+          memo["#{AUTH_HEADER_PREFIX}#{k.to_s.upcase.gsub('_', '-')}"] = v
+          memo
+        end
+      end
+    end
+  end
+end

data/lib/signature/query_encoder.rb

@@ -0,0 +1,47 @@
+module Signature
+  # Query string encoding extracted with thanks from em-http-request
+  module QueryEncoder
+    class << self
+      # URL encodes query parameters:
+      # single k=v, or a URL encoded array, if v is an array of values
+      def encode_param(k, v)
+        if v.is_a?(Array)
+          v.map { |e| escape(k) + "[]=" + escape(e) }.join("&")
+        else
+          escape(k) + "=" + escape(v)
+        end
+      end
+      
+      # Like encode_param, but doesn't url escape keys or values
+      def encode_param_without_escaping(k, v)
+        if v.is_a?(Array)
+          v.map { |e| k + "[]=" + e }.join("&")
+        else
+          "#{k}=#{v}"
+        end
+      end
+
+      private
+
+      def escape(s)
+        if defined?(EscapeUtils)
+          EscapeUtils.escape_url(s.to_s)
+        else
+          s.to_s.gsub(/([^a-zA-Z0-9_.-]+)/n) {
+            '%'+$1.unpack('H2'*bytesize($1)).join('%').upcase
+          }
+        end
+      end
+
+      if ''.respond_to?(:bytesize)
+        def bytesize(string)
+          string.bytesize
+        end
+      else
+        def bytesize(string)
+          string.size
+        end
+      end
+    end
+  end
+end

data/lib/signature/request.rb

@@ -0,0 +1,242 @@
+require 'openssl'
+require 'json'
+
+module Signature
+  class Request
+    AUTH_HEADER_PREFIX = "X-API-"
+    AUTH_HEADER_PREFIX_REGEX = /^X\-API\-(AUTH\-.+)$/
+
+    attr_accessor :path, :query_hash
+
+    include QueryEncoder
+
+    # http://www.w3.org/TR/NOTE-datetime
+    ISO8601 = "%Y-%m-%dT%H:%M:%SZ"
+
+    def initialize(method, path, query, headers=nil)
+      raise ArgumentError, "Expected string" unless path.kind_of?(String)
+      raise ArgumentError, "Expected hash" unless query.kind_of?(Hash)
+
+      query_hash = {}
+
+      auth_hash = self.class.parse_headers(headers) if headers
+      auth_hash ||= {}
+
+      query.each do |key, v|
+        k = key.to_s.downcase
+        k[0..4] == 'auth_' ? auth_hash[k] = v : query_hash[k] = v
+      end
+
+      @method = method.upcase
+      @path, @query_hash, @auth_hash = path, query_hash, auth_hash
+      @signed = false
+    end
+
+    def self.parse_headers headers={}
+      hh = {}
+      headers.each do |k,v|
+        if match = k.upcase.match(AUTH_HEADER_PREFIX_REGEX)
+          hh[match[1].downcase.gsub!('-', '_')] = v
+        end
+      end
+      hh
+    end
+
+    # Sign the request with the given token, and return the computed
+    # authentication parameters
+    #
+    def sign(token)
+      @auth_hash = {
+        :auth_version => "1.0",
+        :auth_key => token.key,
+        :auth_timestamp => Time.now.to_i.to_s
+      }
+      @auth_hash[:auth_signature] = signature(token)
+
+      @signed = true
+
+      return @auth_hash
+    end
+
+    # Authenticates the request with a token
+    #
+    # Raises an AuthenticationError if the request is invalid.
+    # AuthenticationError exception messages are designed to be exposed to API
+    # consumers, and should help them correct errors generating signatures
+    #
+    # Timestamp: Unless timestamp_grace is set to nil (which allows this check
+    # to be skipped), AuthenticationError will be raised if the timestamp is
+    # missing or further than timestamp_grace period away from the real time
+    # (defaults to 10 minutes)
+    #
+    # Signature: Raises AuthenticationError if the signature does not match
+    # the computed HMAC. The error contains a hint for how to sign.
+    #
+    def authenticate_by_token!(token, timestamp_grace = 600)
+      # Validate that your code has provided a valid token. This does not
+      # raise an AuthenticationError since passing tokens with empty secret is
+      # a code error which should be fixed, not reported to the API's consumer
+      if token.secret.nil? || token.secret.empty?
+        raise "Provided token is missing secret"
+      end
+
+      validate_version!
+      validate_timestamp!(timestamp_grace)
+      validate_signature!(token)
+      true
+    end
+
+    # Authenticate the request with a token, but rather than raising an
+    # exception if the request is invalid, simply returns false
+    #
+    def authenticate_by_token(token, timestamp_grace = 600)
+      authenticate_by_token!(token, timestamp_grace)
+    rescue AuthenticationError
+      false
+    end
+
+    # Authenticate a request
+    #
+    # Takes a block which will be called with the auth_key from the request,
+    # and which should return a Signature::Token (or nil if no token can be
+    # found for the key)
+    #
+    # Raises errors in the same way as authenticate_by_token!
+    #
+    def authenticate(timestamp_grace = 600)
+      raise ArgumentError, "Block required" unless block_given?
+      key = @auth_hash['auth_key']
+      raise AuthenticationError, "Missing parameter: auth_key" unless key
+      token = yield key
+      unless token
+        raise AuthenticationError, "Unknown auth_key"
+      end
+      authenticate_by_token!(token, timestamp_grace)
+      return token
+    end
+
+    # Authenticate a request asynchronously
+    #
+    # This method is useful it you're running a server inside eventmachine and
+    # need to lookup the token asynchronously.
+    #
+    # The block is passed an auth key and a deferrable which should succeed
+    # with the token, or fail if the token cannot be found
+    #
+    # This method returns a deferrable which succeeds with the valid token, or
+    # fails with an AuthenticationError which can be used to pass the error
+    # back to the user
+    #
+    def authenticate_async(timestamp_grace = 600)
+      raise ArgumentError, "Block required" unless block_given?
+      df = EM::DefaultDeferrable.new
+
+      key = @auth_hash['auth_key']
+
+      unless key
+        df.fail(AuthenticationError.new("Missing parameter: auth_key"))
+        return
+      end
+
+      token_df = yield key
+      token_df.callback { |token|
+        begin
+          authenticate_by_token!(token, timestamp_grace)
+          df.succeed(token)
+        rescue AuthenticationError => e
+          df.fail(e)
+        end
+      }
+      token_df.errback {
+        df.fail(AuthenticationError.new("Unknown auth_key"))
+      }
+    ensure
+      return df
+    end
+
+    # Expose the authentication parameters for a signed request
+    #
+    def auth_hash
+      raise "Request not signed" unless @signed
+      @auth_hash
+    end
+
+    # Query parameters merged with the computed authentication parameters
+    #
+    def signed_params
+      @query_hash.merge(auth_hash)
+    end
+
+    private
+
+      def signature(token)
+        digest = OpenSSL::Digest::SHA256.new
+        OpenSSL::HMAC.hexdigest(digest, token.secret, string_to_sign)
+      end
+
+      def string_to_sign
+        auth_hash = @auth_hash || {}
+        {
+          api: {
+            method: @method,
+            path: @path,
+            timestamp: auth_hash[:auth_timestamp] || auth_hash["auth_timestamp"],
+            version: auth_hash[:auth_version] || auth_hash["auth_version"]
+          },
+          params: parameters_sorted
+        }.to_json
+      end
+
+      def parameters_sorted
+        shash = {}
+        @query_hash.sort.map do |k, v|
+            shash[k.to_s.downcase] = v
+        end
+        shash
+      end
+
+      # def parameter_string
+      #   param_hash = @query_hash.merge(@auth_hash || {})
+      #
+      #   # Convert keys to lowercase strings
+      #   hash = {}; param_hash.each { |k,v| hash[k.to_s.downcase] = v }
+      #
+      #   # Exclude signature from signature generation!
+      #   hash.delete("auth_signature")
+      #
+      #   hash.sort.map do |k, v|
+      #     QueryEncoder.encode_param_without_escaping(k, v)
+      #   end.join('&')
+      # end
+
+      def validate_version!
+        version = @auth_hash["auth_version"]
+        raise AuthenticationError, "Version required" unless version
+        raise AuthenticationError, "Version not supported" unless version == '1.0'
+      end
+
+      def validate_timestamp!(grace)
+        return true if grace.nil?
+
+        timestamp = @auth_hash["auth_timestamp"]
+        error = (timestamp.to_i - Time.now.to_i).abs
+        raise AuthenticationError, "Timestamp required" unless timestamp
+        if error >= grace
+          raise AuthenticationError, "Timestamp expired: Given timestamp "\
+            "(#{Time.at(timestamp.to_i).utc.strftime(ISO8601)}) "\
+            "not within #{grace}s of server time "\
+            "(#{Time.now.utc.strftime(ISO8601)})"
+        end
+        return true
+      end
+
+      def validate_signature!(token)
+        unless @auth_hash["auth_signature"] == signature(token)
+          raise AuthenticationError, "Invalid signature: you should have "\
+            "sent HmacSHA256Hex(#{string_to_sign.inspect}, your_secret_key)"\
+            ", but you sent #{@auth_hash["auth_signature"].inspect}"
+        end
+        return true
+      end
+  end
+end

data/lib/signature/token.rb

@@ -0,0 +1,13 @@
+module Signature
+  class Token
+    attr_reader :key, :secret
+
+    def initialize(key, secret)
+      @key, @secret = key, secret
+    end
+
+    def sign(request)
+      request.sign(self)
+    end
+  end
+end

data/lib/signature/version.rb

@@ -0,0 +1,3 @@
+module Signature
+  VERSION = "0.1.9"
+end

data/signature.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "signature/version"
+
+Gem::Specification.new do |s|
+  s.name        = "signature-acd"
+  s.version     = Signature::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Thomas Hanson", "CJ Lazell", "Thomas Hanson"]
+  s.email       = ["thanson@acdcorp.com"]
+  s.homepage    = "http://github.com/acdcorp/signature"
+  s.summary     = %q{Simple key/secret based authentication for apis}
+  s.description = %q{Simple key/secret based authentication for apis}
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_dependency "jruby-openssl" if defined?(JRUBY_VERSION)
+  s.add_development_dependency "rspec"
+  s.add_development_dependency "em-spec"
+  s.add_development_dependency "pry"
+end

data/spec/signature_spec.rb

@@ -0,0 +1,332 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe Signature do
+  before :each do
+    Time.stub!(:now).and_return(Time.at(1234))
+
+    @token = Signature::Token.new('key', 'secret')
+
+    @request = Signature::Request.new('POST', '/some/path', {
+      "query" => "params",
+      "go" => "here"
+    })
+
+    @headers = {
+      "X-API-AUTH-VERSION" => "1.0",
+      "X-API-AUTH-KEY" => "key",
+      "X-API-AUTH-SIGNATURE" => "9a86683edaf7db6782ac2d78d1958f3d53fa6aeb4c80542335ac64ee5e926411",
+      "X-API-AUTH-TIMESTAMP" => "3456"
+    }
+  end
+
+  describe "generating signatures" do
+    before :each do
+      @signature = "9a86683edaf7db6782ac2d78d1958f3d53fa6aeb4c80542335ac64ee5e926411"
+    end
+
+    it "should generate signature correctly" do
+      @request.sign(@token)
+      string = @request.send(:string_to_sign)
+      # string.should == "POST\n/some/path\nauth_key=key&auth_timestamp=1234&auth_version=1.0&go=here&query=params"
+      string.should ==  {
+                          api: {
+                            method: "POST",
+                            path: "/some/path",
+                            timestamp: "1234",
+                            version: "1.0"
+                          },
+                          params: {
+                            go: "here",
+                            query: "params"
+                          }
+                        }.to_json
+
+      # "{\"api\":{\"method\":\"POST\",\"path\":\"/some/path\",\"timestamp\":null,\"version\":null},\"params\":{\"query\":\"params\",\"go\":\"here\"}}"
+
+      digest = OpenSSL::Digest::SHA256.new
+      signature = OpenSSL::HMAC.hexdigest(digest, @token.secret, string)
+      signature.should == @signature
+    end
+
+    it "should make auth_hash available after request is signed" do
+      @request.query_hash = {
+        "query" => "params"
+      }
+      lambda {
+        @request.auth_hash
+      }.should raise_error('Request not signed')
+
+      @request.sign(@token)
+      @request.auth_hash.should == {
+        :auth_signature => "e4b1eee7fbe9beb5aebcd918b45d53c76a69157e8e3575d636a370b5afb3c662",
+        :auth_version => "1.0",
+        :auth_key => "key",
+        :auth_timestamp => '1234'
+      }
+    end
+
+    it "should cope with symbol keys" do
+      @request.query_hash = {
+        :query => "params",
+        :go => "here"
+      }
+      @request.sign(@token)[:auth_signature].should == @signature
+    end
+
+    it "should cope with upcase keys (keys are lowercased before signing)" do
+      @request.query_hash = {
+        "Query" => "params",
+        "GO" => "here"
+      }
+      @request.sign(@token)[:auth_signature].should == @signature
+    end
+
+    it "should generate correct string when query hash contains array" do
+      @request.query_hash = {
+        "things" => ["thing1", "thing2"]
+      }
+      @request.send(:string_to_sign).should == "{\"api\":{\"method\":\"POST\",\"path\":\"/some/path\",\"timestamp\":null,\"version\":null},\"params\":{\"things\":[\"thing1\",\"thing2\"]}}"
+    end
+
+    # This may well change in auth version 2
+    it "should not escape keys or values in the query string" do
+      @request.query_hash = {
+        "key;" => "value@"
+      }
+      @request.send(:string_to_sign).should == "{\"api\":{\"method\":\"POST\",\"path\":\"/some/path\",\"timestamp\":null,\"version\":null},\"params\":{\"key;\":\"value@\"}}"
+    end
+
+    it "should cope with requests where the value is nil (antiregression)" do
+      @request.query_hash = {
+        "key" => nil
+      }
+      @request.send(:string_to_sign).should == "{\"api\":{\"method\":\"POST\",\"path\":\"/some/path\",\"timestamp\":null,\"version\":null},\"params\":{\"key\":null}}"
+    end
+
+    it "should use the path to generate signature" do
+      @request.path = '/some/other/path'
+      @request.sign(@token)[:auth_signature].should_not == @signature
+    end
+
+    it "should use the query string keys to generate signature" do
+      @request.query_hash = {
+        "other" => "query"
+      }
+      @request.sign(@token)[:auth_signature].should_not == @signature
+    end
+
+    it "should use the query string values to generate signature" do
+      @request.query_hash = {
+        "key" => "notfoo",
+        "other" => 'bar'
+      }
+      @request.sign(@token)[:signature].should_not == @signature
+    end
+
+    it "should accept authentication parameters via HTTP headers" do
+      request = Signature::Request.new('POST', '/some/path/with/headers', {
+        "query" => "params",
+        "go" => "here"
+      }, @headers)
+
+      string = request.send(:string_to_sign)
+      string.should ==  {
+                          api: {
+                            method: "POST",
+                            path: "/some/path/with/headers",
+                            timestamp: "3456",
+                            version: "1.0"
+                          },
+                          params: {
+                            go: "here",
+                            query: "params"
+                          }
+                        }.to_json
+
+      digest = OpenSSL::Digest::SHA256.new
+      signature = OpenSSL::HMAC.hexdigest(digest, @token.secret, string)
+      signature.should == "002b9f68b311a172995cb2f9c8ce3954b5adb37c721d501afae55a150f2f608d"
+    end
+  end
+
+  describe "verification" do
+    before :each do
+      @request.sign(@token)
+      @params = @request.signed_params
+    end
+
+    it "should verify requests" do
+      request = Signature::Request.new('POST', '/some/path', @params)
+      request.authenticate_by_token(@token).should == true
+    end
+
+    it "should raise error if signature is not correct" do
+      @params[:auth_signature] =  'asdf'
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Invalid signature: you should have sent HmacSHA256Hex("{\"api\":{\"method\":\"POST\",\"path\":\"/some/path\",\"timestamp\":\"1234\",\"version\":\"1.0\"},\"params\":{\"go\":\"here\",\"query\":\"params\"}}", your_secret_key), but you sent "asdf"')
+    end
+
+    it "should raise error if timestamp not available" do
+      @params.delete(:auth_timestamp)
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Timestamp required')
+    end
+
+    it "should raise error if timestamp has expired (default of 600s)" do
+      request = Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + 599))
+      request.authenticate_by_token!(@token).should == true
+      Time.stub!(:now).and_return(Time.at(1234 - 599))
+      request.authenticate_by_token!(@token).should == true
+      Time.stub!(:now).and_return(Time.at(1234 + 600))
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 600s of server time (1970-01-01T00:30:34Z)")
+      Time.stub!(:now).and_return(Time.at(1234 - 600))
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 600s of server time (1970-01-01T00:10:34Z)")
+    end
+
+    it "should be possible to customize the timeout grace period" do
+      grace = 10
+      request = Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + grace - 1))
+      request.authenticate_by_token!(@token, grace).should == true
+      Time.stub!(:now).and_return(Time.at(1234 + grace))
+      lambda {
+        request.authenticate_by_token!(@token, grace)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 10s of server time (1970-01-01T00:20:44Z)")
+    end
+
+    it "should be possible to skip timestamp check by passing nil" do
+      request = Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + 1000))
+      request.authenticate_by_token!(@token, nil).should == true
+    end
+
+    it "should check that auth_version is supplied" do
+      @params.delete(:auth_version)
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Version required')
+    end
+
+    it "should check that auth_version equals 1.0" do
+      @params[:auth_version] = '1.1'
+      request = Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Version not supported')
+    end
+
+    it "should validate that the provided token has a non-empty secret" do
+      token = Signature::Token.new('key', '')
+      request = Signature::Request.new('POST', '/some/path', @params)
+
+      lambda {
+        request.authenticate_by_token!(token)
+      }.should raise_error('Provided token is missing secret')
+    end
+
+    describe "when used with optional block" do
+      it "should optionally take a block which yields the signature" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        request.authenticate do |key|
+          key.should == @token.key
+          @token
+        end.should == @token
+      end
+
+      it "should raise error if no auth_key supplied to request" do
+        @params.delete(:auth_key)
+        request = Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate { |key| nil }
+        }.should raise_error('Missing parameter: auth_key')
+      end
+
+      it "should raise error if block returns nil (i.e. key doesn't exist)" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate { |key| nil }
+        }.should raise_error('Unknown auth_key')
+      end
+
+      it "should raise unless block given" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate
+        }.should raise_error(ArgumentError, "Block required")
+      end
+    end
+
+    describe "authenticate_async" do
+      include EM::SpecHelper
+      default_timeout 1
+
+      it "returns a deferrable which succeeds if authentication passes" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        em {
+          df = EM::DefaultDeferrable.new
+
+          request_df = request.authenticate_async do |key|
+            df
+          end
+
+          df.succeed(@token)
+
+          request_df.callback { |token|
+            token.should == @token
+            done
+          }
+        }
+      end
+
+      it "returns a deferrable which fails if block df fails" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        em {
+          df = EM::DefaultDeferrable.new
+
+          request_df = request.authenticate_async do |key|
+            df
+          end
+
+          df.fail()
+
+          request_df.errback { |e|
+            e.class.should == Signature::AuthenticationError
+            e.message.should == 'Unknown auth_key'
+            done
+          }
+        }
+      end
+
+      it "returns a deferrable which fails if request does not validate" do
+        request = Signature::Request.new('POST', '/some/path', @params)
+        em {
+          df = EM::DefaultDeferrable.new
+
+          request_df = request.authenticate_async do |key|
+            df
+          end
+
+          token = Signature::Token.new('key', 'wrong_secret')
+          df.succeed(token)
+
+          request_df.errback { |e|
+            e.class.should == Signature::AuthenticationError
+            e.message.should =~ /Invalid signature/
+            done
+          }
+        }
+      end
+    end
+
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'signature'
+
+require 'rspec'
+require 'em-spec/rspec'
+require 'pry'
+
+RSpec.configure do |config|
+
+end

metadata

@@ -0,0 +1,105 @@
+--- !ruby/object:Gem::Specification
+name: signature-acd
+version: !ruby/object:Gem::Version
+  version: 0.1.9
+platform: ruby
+authors:
+- Thomas Hanson
+- CJ Lazell
+- Thomas Hanson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-05-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: em-spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Simple key/secret based authentication for apis
+email:
+- thanson@acdcorp.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- lib/signature.rb
+- lib/signature/exceptions.rb
+- lib/signature/header.rb
+- lib/signature/query_encoder.rb
+- lib/signature/request.rb
+- lib/signature/token.rb
+- lib/signature/version.rb
+- signature.gemspec
+- spec/signature_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/acdcorp/signature
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Simple key/secret based authentication for apis
+test_files: []
+has_rdoc: