signed_api 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 417c51a567e81d9aa1947d5b449390fb8485954b
+  data.tar.gz: ac5806bd0571ec2fcab13a968f4c4917ee347dff
+SHA512:
+  metadata.gz: 7a8abf9335e3adf9e102e0ca505c9643962318f76abfa4d920f84b182c18ce98c44f241235943c79968af787cbb02b15285f7ee3a5fb574ea6dd7674addf014a
+  data.tar.gz: 67a134983ee25e04458927b0ffb6c0c373df4607cca18c90de2fbd8f5ea92b960a1cc1a2223ca3eadb840d1f22996608db03c2bc1dd9d70ffd48887799fca1f6

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in signed_api.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 ykmr1224
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,48 @@
+# SignedApi
+
+SignedApi gem offers easy way to make your web APIs secure by using secret key based signature authentication.
+This uses the similar way as AWS's signed URLs.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'signed_api'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install signed_api
+
+## Usage
+
+### Client side
+You can easily sign your params by sign_params method
+```ruby
+  signed_params = SignedApi::sign_params('GET', '/api/search', {a: 'param_a', b: 'param_b', c: 'param_c'}, 'SOME_KEY', 'SOME_SECRET_STRING', 60)
+```
+or you can directly make a signed URL like this.
+```ruby
+  signed_url = SignedApi::get_signed_url('https://example.com', 'GET', '/api/search', {a: 'param_a', b: 'param_b', c: 'param_c'}, 'SOME_KEY', 'SOME_SECRET_STRING', 60)
+```
+
+### Server side
+You can verify the request easily.
+```ruby
+  begin
+    SignedApi::verify_signature!(method, path, params) {|key| secrets[key]}
+  rescue
+    # log error and return error to the client
+  end
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/signed_api.rb

@@ -0,0 +1,110 @@
+require "signed_api/version"
+require 'openssl'
+require 'uri'
+require 'cgi'
+require 'base64'
+
+module SignedApi
+  extend self
+
+  class MissingParameterError < RuntimeError; end
+  class AuthSecretNotFoundError < RuntimeError; end
+  class SignatureExpiredError < RuntimeError; end
+  class SignatureUnmatchError < RuntimeError; end
+
+  # Returns url signed by the key, secret, and expiry
+  #
+  # Parameter examples
+  # root_url : "http://example.com"
+  # method : "GET"/"POST"/etc
+  # path : "/some/useful/api"
+  # params : {:param1 => "value1", :param2 => "value2"}
+  # key : "SomeKeyStringForYourSecretKey"
+  # secret : "anysecretstring"
+  # expiry_limit : 60 #the signature will be expired in 60 sec
+  def get_signed_url(root_url, method, path, params, key, secret, expiry_limit=60)
+    params = ApiHelper::sign_params(method, path, params, key, secret, expiry_limit)
+    root_url + path + '?' + ApiHelper::normalize_params(params)
+  end
+
+  def get_signed_path(method, path, params, key, secret, expiry_limit=60)
+    params = ApiHelper::sign_params(method, path, params, key, secret, expiry_limit)
+    path + '?' + ApiHelper::normalize_params(params)
+  end
+
+  # Returns signature added parameter hash
+  #
+  # method: HTTP METHOD ('GET', 'POST', etc)
+  # path: invoked path ('/api/search', '/api/get', etc)
+  # params: http params ({param1: value1, param2: value2}, etc)
+  # key: authentication key (any string)
+  # secret: authentication secret (any string)
+  # expiry_limit: the request will expire in expiry_limit seconds (integer)
+  def sign_params(method, path, params, key, secret, expiry_limit=60)
+    raise ArgumentError, "Expected string for method parameter" unless method.kind_of?(String)
+    raise ArgumentError, "Expected string for path parameter" unless path.kind_of?(String)
+    raise ArgumentError, "Expected hash for params parameter" unless params.kind_of?(Hash)
+    raise ArgumentError, "Expected string for key parameter" unless key.kind_of?(String)
+    raise ArgumentError, "Expected string for secret parameter" unless secret.kind_of?(String)
+    raise ArgumentError, "Expected integer for expiry_limit parameter" unless expiry_limit.kind_of?(Integer)
+    raise ArgumentError, "Expected params not contain auth_key/auth_hash/expiry" unless params[:auth_key].nil? && params[:auth_hash].nil? && params[:expiry].nil?
+    res_params = params.merge(auth_key: key, expiry: (Time.now.utc.to_i + expiry_limit).to_s)
+    string_to_sign = signed_string(method, path, res_params)
+    res_params[:auth_hash] = sha256_hmac_base64(secret, string_to_sign)
+    return res_params
+  end
+
+  # Verify input params contains valid signature
+  #
+  # This method will raise an error if the verification failed.
+  def verify_signature!(method, path, params, &get_secret)
+    auth_hash = params[:auth_hash]
+
+    # duplicate params without :auth_hash
+    params = params.reject{|key| key==:auth_hash}
+    auth_key = params[:auth_key]
+    expiry = params[:expiry]
+    raise MissingParameterError, "auth_key, auth_hash, or expiry is missing" if auth_key.nil? || auth_hash.nil? || expiry.nil?
+
+    secret = get_secret.call(auth_key)
+    raise AuthSecretNotFoundError, "auth_secret for the auth_key is not found" if secret.nil?
+
+    now = Time.now.utc.to_i.to_s
+    raise SignatureExpiredError if now > expiry
+
+    raise SignatureUnmatchError, "auth_hash did not match" if auth_hash != gen_authhash(method, path, params, auth_key, secret)
+
+    return true
+  end
+
+  # Verify input params contain valid signature
+  #
+  # This method merely returns the result of verification by true or false.
+  def verify_signature(method, path, params, &get_secret)
+    begin
+      return true if verify_signature!(method, path, params, &get_secret)
+    rescue MissingParameterError, AuthSecretNotFoundError, SignatureExpiredError, SignatureUnmatchError
+      return false
+    end
+  end
+
+  def normalize_params(params)
+    params.collect{|key, value| "#{CGI.escape(key.to_s)}=#{CGI.escape(value.to_s)}"}.compact.sort! * "&"
+  end
+
+protected
+
+  def signed_string(method, path, params)
+    "#{method}\n#{path}\n#{normalize_params(params)}"
+  end
+
+  def sha256_hmac_base64(secret, string_to_sign)
+    digest = OpenSSL::Digest::SHA256.new
+    Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, string_to_sign))
+  end
+
+  def gen_authhash(method, path, params, key, secret)
+    string_to_sign = signed_string(method, path, params)
+    sha256_hmac_base64(secret, string_to_sign)
+  end
+end

data/lib/signed_api/version.rb

@@ -0,0 +1,3 @@
+module SignedApi
+  VERSION = "0.0.1"
+end

data/signed_api.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'signed_api/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "signed_api"
+  spec.version       = SignedApi::VERSION
+  spec.authors       = ["ykmr1224"]
+  spec.email         = ["ykmr1224@gmail.com"]
+  spec.description   = %q{SignedApi gem offers easy way to make your web APIs secure by using secret key based signature authentication.}
+  spec.summary       = %q{SignedApi gem offers easy way to make your web APIs secure by using secret key based signature authentication.}
+  spec.homepage      = "https://github.com/ykmr1224"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

data/spec/signed_api_spec.rb

@@ -0,0 +1,105 @@
+require 'spec_helper'
+require 'signed_api'
+
+describe SignedApi do
+  it 'should have a version number' do
+    expect(SignedApi::VERSION).not_to be_nil
+  end
+
+  describe "#sign_params" do
+    it "signs parameter properly" do
+      params = SignedApi::sign_params("GET", "/api/search", {a: "param_a", b: "param_b", c: "param_c"}, "key", "secret", 10)
+      expect(params[:auth_key]).to eql("key")
+      expect(params[:auth_hash]).not_to be_nil
+      expect(params[:expiry]).not_to be_nil
+      expect(params[:expiry].to_i).to be > Time.now.utc.to_i
+      expect(params[:expiry].to_i).to be < Time.now.utc.to_i+20
+      expect(params[:a]).to eql("param_a")
+      expect(params[:b]).to eql("param_b")
+      expect(params[:c]).to eql("param_c")
+    end
+
+    it "handle exceptional case properly" do
+      expect {
+        SignedApi::sign_params(nil, "/api/search", {a: "param_a"}, "key", "secret", 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', nil, {a: "param_a"}, "key", "secret", 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", nil, "key", "secret", 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", {a: "param_a"}, nil, "secret", 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", {a: "param_a"}, "key", nil, 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", {a: "param_a"}, "key", "secret", "10")
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", {a: "param_a", auth_key: "hoge"}, "key", "secret", 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", {a: "param_a", auth_hash: "hoge"}, "key", "secret", 10)
+      }.to raise_error
+
+      expect {
+        SignedApi::sign_params('GET', "/api/search", {a: "param_a", expiry: "hoge"}, "key", "secret", 10)
+      }.to raise_error
+    end
+  end
+
+  describe "#verify_signature!" do
+    it "verify properly" do
+      params = SignedApi::sign_params("POST", "/api/find", {a: "param_a", b: "param_b", c: "param_c"}, "key", "secret", 10)
+      expect(SignedApi::verify_signature!("POST", "/api/find", params){|key| "secret"}).to be true
+
+      key = "123456789ABCDEF"
+      secret = "123456789ABCDEF0123456789ABCDEF0"
+      params = SignedApi::sign_params("GET", "/", {a: "param_a", b: "param_b", c: "param_c"}, key, secret, 10)
+      expect(SignedApi::verify_signature!("GET", "/", params){|key| secret}).to be true
+
+      params = SignedApi::sign_params("GET", "/", {}, key, secret, 10)
+      expect(SignedApi::verify_signature!("GET", "/", params){|key| secret}).to be true
+    end
+
+    it "reject properly" do
+      params = SignedApi::sign_params("POST", "/api/find", {a: "param_a", b: "param_b", c: "param_c"}, "key", "secret", 30)
+      expect{ SignedApi::verify_signature!("GET", "/api/find", params){|key| "secret"} }.to raise_error(SignedApi::SignatureUnmatchError)
+      expect{ SignedApi::verify_signature!("POST", "/api/finds", params){|key| "secret"} }.to raise_error(SignedApi::SignatureUnmatchError)
+      expect{ SignedApi::verify_signature!("POST", "api/find", params){|key| "secret"} }.to raise_error(SignedApi::SignatureUnmatchError)
+      expect{ SignedApi::verify_signature!("POST", "/api/find", params){|key| "wrongsecret"} }.to raise_error(SignedApi::SignatureUnmatchError)
+      expect{ SignedApi::verify_signature!("POST", "/api/find", params){|key| ""} }.to raise_error(SignedApi::SignatureUnmatchError)
+      params[:a] = "param_"
+      expect{ SignedApi::verify_signature!("POST", "/api/find", params){|key| ""} }.to raise_error(SignedApi::SignatureUnmatchError)
+      params[:a] = "param_a"
+      params[:x] = "param_x"
+      expect{ SignedApi::verify_signature!("POST", "/api/find", params){|key| ""} }.to raise_error(SignedApi::SignatureUnmatchError)
+    end
+
+    it "handle exceptional case properly" do
+      params = SignedApi::sign_params("POST", "/api/find", {a: "param_a", b: "param_b", c: "param_c"}, "key", "secret", 10)
+      expect{ SignedApi::verify_signature!("POST", "", params){|key| nil} }.to raise_error(SignedApi::AuthSecretNotFoundError)
+
+      expect{ SignedApi::verify_signature!("POST", "", params.reject{|k| k==:auth_key}){|key| "secret"} }.to raise_error(SignedApi::MissingParameterError)
+      expect{ SignedApi::verify_signature!("POST", "", params.reject{|k| k==:auth_hash}){|key| "secret"} }.to raise_error(SignedApi::MissingParameterError)
+      expect{ SignedApi::verify_signature!("POST", "", params.reject{|k| k==:expiry}){|key| "secret"} }.to raise_error(SignedApi::MissingParameterError)
+    end
+
+    it "reject expired signature" do
+      params = SignedApi::sign_params("POST", "/api/find", {a: "param_a", b: "param_b", c: "param_c"}, "key", "secret", 0)
+      sleep 1
+      expect{ SignedApi::verify_signature!("POST", "/api/find", params){|key| "secret"} }.to raise_error(SignedApi::SignatureExpiredError)
+    end
+
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'rubygems'

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: signed_api
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- ykmr1224
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-06-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: SignedApi gem offers easy way to make your web APIs secure by using secret
+  key based signature authentication.
+email:
+- ykmr1224@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/signed_api.rb
+- lib/signed_api/version.rb
+- signed_api.gemspec
+- spec/signed_api_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/ykmr1224
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: SignedApi gem offers easy way to make your web APIs secure by using secret
+  key based signature authentication.
+test_files:
+- spec/signed_api_spec.rb
+- spec/spec_helper.rb
+has_rdoc: