simple-api-auth 0.1.0

data/simple-api-auth.gemspec

@@ -0,0 +1,25 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'simple-api-auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'simple-api-auth'
+  spec.version       = SimpleApiAuth::VERSION
+  spec.authors       = ['Daniel Perez']
+  spec.email         = ['daniel@claudetech.com']
+  spec.summary       = 'Basic token based authentication for APIs'
+  spec.homepage      = 'https://github.com/claude-tech/ruby-simple-api-auth'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.test_files    = Dir['specs/**/*']
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec-its'
+  spec.add_development_dependency 'coveralls', '~> 0.7'
+  spec.add_development_dependency 'activerecord', ['>= 3', '< 5']
+  spec.add_development_dependency 'database_cleaner'
+  spec.add_development_dependency 'sqlite3'
+end

data/spec/extensions/string_spec.rb

@@ -0,0 +1,13 @@
+describe String do
+  describe '#hexdecode' do
+    it 'should decode text' do
+      expect(Digest.hexencode('foo').hexdecode).to eq('foo')
+    end
+
+    it 'should decode binary' do
+      digest = OpenSSL::Digest.new('sha1')
+      binary_data = OpenSSL::HMAC.digest(digest, 'foo', 'bar')
+      expect(Digest.hexencode(binary_data).hexdecode).to eq(binary_data)
+    end
+  end
+end

data/spec/internal/app/models/models.rb

@@ -0,0 +1,13 @@
+class AuthenticableModel < ActiveRecord::Base
+  acts_as_api_authenticable
+end
+
+class OverriddenAuthenticableModel < ActiveRecord::Base
+  acts_as_api_authenticable ssa_key: :ssa_key, ssa_secret: :ssa_secret
+  acts_as_api_authenticable ssa_key: :ssa_key, ssa_secret: :overriden_secret
+end
+
+class AuthenticableModelWithHooks < ActiveRecord::Base
+  self.table_name = 'authenticable_models'
+  acts_as_api_authenticable auto_generate: true
+end

data/spec/internal/config/database.yml

@@ -0,0 +1,4 @@
+test:
+  adapter: sqlite3
+  database: ':memory:'
+  timeout: 500

data/spec/internal/db/schema.rb

@@ -0,0 +1,7 @@
+ActiveRecord::Schema.define version: 0 do
+  create_table :authenticable_models do |t|
+    t.string :ssa_key
+    t.string :ssa_secret
+  end
+  add_index :authenticable_models, :ssa_key, unique: true
+end

data/spec/lib/simple-api-auth/authenticable_spec.rb

@@ -0,0 +1,106 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Authenticable do
+
+    describe 'class extensions' do
+      subject(:clazz) { AuthenticableModel }
+
+      it { should respond_to(:ssa_options) }
+      it { should respond_to(:ssa_authenticate) }
+      it { should respond_to(:ssa_find) }
+
+      it 'should set options' do
+        expect(clazz.ssa_options[:ssa_key]).to eq(:ssa_key)
+        expect(clazz.ssa_options[:ssa_secret]).to eq(:ssa_secret)
+      end
+
+      context 'when included several times' do
+        subject(:clazz) { OverriddenAuthenticableModel }
+
+        it { should respond_to(:ssa_options) }
+        it 'should have overriden attributes' do
+          expect(clazz.ssa_options[:ssa_secret]).to eq(:overriden_secret)
+        end
+      end
+
+      describe '#ssa_find' do
+        let(:request) { mock_request }
+
+        subject { clazz.ssa_find(request) }
+
+        it 'should return nil when not found' do
+          expect(subject).to be_nil
+        end
+
+        it 'should return entity when present' do
+          entity = AuthenticableModel.create(ssa_key: 'user_personal_key')
+          expect(subject.id).to eq(entity.id)
+        end
+      end
+
+      describe '#ssa_authenticate' do
+        let(:request) { mock_request }
+        before(:each) do
+          request.headers[:authorization] = "Signature: #{mock_signature}"
+        end
+
+        subject { clazz.ssa_authenticate(request) }
+
+        it 'should return false when the entity does not exists' do
+          expect(subject).to be false
+        end
+
+        it 'should return false when the secret key does not match' do
+          clazz.create(ssa_key: 'user_personal_key', ssa_secret: 'something else')
+          expect(subject).to be false
+        end
+
+        it 'should return the resource when signature matches' do
+          entity = clazz.create(
+            ssa_key: 'user_personal_key', ssa_secret: 'ultra_secret_key')
+          expect(subject.id).to eq(entity.id)
+        end
+      end
+
+      { 'generate_ssa_key' => 5, 'generate_ssa_secret' => 64 }.each do |method, value|
+        describe "##{method}" do
+          let(:options) { {} }
+          let(:key) { clazz.send(method.to_sym, options) }
+          it 'should generate a long enough key' do
+            expect(key.length).to be > value
+          end
+
+          it 'should use options length' do
+            options[:length] = 1
+            expect(key.length).to be < 3
+          end
+        end
+      end
+
+      describe 'hooks' do
+        subject { AuthenticableModelWithHooks.new }
+        its(:ssa_key) { should_not be_nil }
+        its(:ssa_secret) { should_not be_nil }
+      end
+    end
+
+    describe 'instance extension' do
+      subject(:model) { AuthenticableModel.new }
+
+      it { should respond_to(:assign_ssa_key) }
+      it { should respond_to(:assign_ssa_secret) }
+      its(:ssa_key) { should be_nil }
+      its(:ssa_secret) { should be_nil }
+
+      [:assign_ssa_key, :assign_ssa_secret].each do |method|
+        field_name = method.to_s.gsub('assign_', '')
+        describe "##{method}" do
+          it "should assign #{field_name}" do
+            expect(model.send(field_name)).to be_nil
+            model.send(method)
+            expect(model.send(field_name)).not_to be_nil
+          end
+        end
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth/authenticator_spec.rb

@@ -0,0 +1,35 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Authenticator do
+    include SimpleApiAuth::Helpers::Request
+
+    let(:dummy_headers) { mock_headers }
+
+    let(:authenticator) { SimpleApiAuth::Authenticator.new(dummy_request, mock_secret_key) }
+
+    requests.each do |name, request|
+      context "with #{name}" do
+        before(:each) do
+          request.configure
+          setup_dummy_signer
+        end
+        let(:dummy_request) { request.new(headers: dummy_headers, method: 'GET') }
+
+        describe '#valid_signature?' do
+          it 'should fail on missing header' do
+            dummy_headers.delete 'X-Saa-Key'
+            expect(authenticator.valid_signature?).to be_falsy
+          end
+
+          it 'should fail on outdated request' do
+            dummy_headers[:x_saa_auth_time] = outdated_time.iso8601
+            expect(authenticator.valid_signature?).to be_falsy
+          end
+
+          it 'should compare signature otherwise' do
+            expect(authenticator.valid_signature?).to be_truthy
+          end
+        end
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth/config_spec.rb

@@ -0,0 +1,48 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Config do
+    let(:config) { SimpleApiAuth::Config.new }
+
+    it 'should have default values' do
+      expect(config.request_fields[:headers]).to eq(:headers)
+      expect(config.request_fields[:http_verb]).to eq(:method)
+    end
+
+    it 'should be mutable' do
+      config.request_fields[:headers] = :env
+      expect(config.request_fields[:headers]).to eq(:env)
+    end
+
+    describe 'make_model_options' do
+      let(:model_options) { { ssa_key: :foobar } }
+      subject(:options) { config.make_model_options(model_options) }
+
+      it 'should merge options' do
+        expect(options[:ssa_key]).to eq(:foobar)
+        expect(options[:ssa_secret]).to eq(:ssa_secret)
+        expect(options[:auto_generate]).to eq([])
+      end
+
+      describe 'auto_generate configuration' do
+        it 'should handle symbol' do
+          model_options[:auto_generate] = :ssa_key
+          expect(options[:auto_generate]).to eq([:ssa_key])
+        end
+
+        it 'should handle true' do
+          model_options[:auto_generate] = true
+          expect(options[:auto_generate]).to eq([:ssa_key, :ssa_secret])
+        end
+
+        it 'should handle false' do
+          model_options[:auto_generate] = false
+          expect(options[:auto_generate]).to eq([])
+        end
+
+        it 'should handle arrays' do
+          model_options[:auto_generate] = [:ssa_secret]
+          expect(options[:auto_generate]).to eq([:ssa_secret])
+        end
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth/helpers/auth_helpers_spec.rb

@@ -0,0 +1,61 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Helpers::Auth do
+    include SimpleApiAuth::Helpers::Request
+    include SimpleApiAuth::Helpers::Auth
+
+    let(:headers) { normalize_headers(mock_headers) }
+    let(:request) { SimpleApiAuth::Request.create(rails_request) }
+
+    describe '#extract_signature' do
+      it 'should return signature when present' do
+        expect(extract_signature(headers)).to eq('dummy_signature')
+      end
+
+      it 'should return nil otherwise' do
+        headers[:authorization] = 'Signatur: foobar'
+        expect(extract_signature(headers)).to be_nil
+      end
+    end
+
+    describe '#check_data' do
+      it 'should return true when headers are present and http verb is valid' do
+        expect(check_data(request)).to be_truthy
+        request.http_verb = :post
+        expect(check_data(request)).to be_truthy
+      end
+
+      it 'should fail when http verb is not valid' do
+        request.http_verb = nil
+        expect(check_data(request)).to be_falsy
+        request.http_verb = :forbidden_verb
+        expect(check_data(request)).to be_falsy
+      end
+
+      it 'should fail when header is missing' do
+        request.headers.delete :authorization
+        expect(check_data(request)).to be_falsy
+      end
+    end
+
+    describe '#too_old?' do
+      it 'should allow recent enough requests' do
+        expect(too_old?(request)).to be_falsy
+      end
+
+      it 'should reject old requests' do
+        request.headers[:x_saa_auth_time] = Time.new(2014, 11, 8).iso8601
+        expect(too_old?(request)).to be_truthy
+      end
+    end
+
+    describe '#secure_equals?' do
+      it 'should succeed on equal values' do
+        expect(secure_equals?('foo', 'foo', 'secret_key')).to be_truthy
+      end
+
+      it 'should fail on different values' do
+        expect(secure_equals?('foo', 'bar', 'secret_key')).to be_falsy
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth/helpers/request_helpers_spec.rb

@@ -0,0 +1,39 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Helpers::Request do
+    include SimpleApiAuth::Helpers::Request
+
+    describe '#normalize_headers' do
+      let(:raw_headers) { mock_headers }
+      let(:headers) { normalize_headers(raw_headers) }
+
+      it 'should normalize headers keys' do
+        [:authorization, :x_saa_auth_time, :x_saa_key].each do |key|
+          expect(headers).to include(key)
+        end
+        expect(headers.values).to eq(raw_headers.values)
+      end
+    end
+
+    describe '#normalize' do
+      it 'should symbolize keys' do
+        expect(normalize('foo')).to eq(:foo)
+      end
+
+      it 'should work with symbols' do
+        expect(normalize(:foo)).to eq(:foo)
+      end
+
+      it 'should downcase' do
+        expect(normalize('FOO')).to eq(:foo)
+      end
+
+      it 'should replace hyphens' do
+        expect(normalize('foo-bar')).to eq(:foo_bar)
+      end
+
+      it 'should work with more complex keys' do
+        expect(normalize('FOO-BAR-BAZ')).to eq(:foo_bar_baz)
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth/request_spec.rb

@@ -0,0 +1,49 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Request do
+    include SimpleApiAuth::Helpers::Request
+
+    let(:base_request) { SimpleApiAuth::Request.create(rails_request) }
+
+    def check_request(request)
+      expect(request.headers).to eq(normalize_headers(mock_headers))
+      expect(request.http_verb).to eq(:get)
+    end
+
+    describe '#initialize' do
+      let(:request) { SimpleApiAuth::Request.create(rails_request) }
+
+      it 'should set headers and http verb' do
+        check_request(request)
+      end
+    end
+
+    describe '#create' do
+      context 'with third party requests' do
+        requests.each do |name, request|
+          before(:each) { request.configure }
+          let(:dummy_request) { request.new(headers: mock_headers, method: 'GET') }
+
+          it "should create normalized request from #{name}" do
+            normalized_request = SimpleApiAuth::Request.create(dummy_request)
+            check_request(normalized_request)
+          end
+        end
+      end
+
+      it 'should not modify already normalized requests' do
+        expect(SimpleApiAuth::Request.create(base_request).object_id).to eq(base_request.object_id)
+      end
+    end
+
+    describe '#time' do
+      it 'should return request time' do
+        expect(base_request.time).to eq(request_time)
+      end
+
+      it 'should return nil on wrong time' do
+        base_request.headers[:x_saa_auth_time] = 'foobar'
+        expect(base_request.time).to be_nil
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth/signer_spec.rb

@@ -0,0 +1,37 @@
+describe SimpleApiAuth do
+  describe SimpleApiAuth::Signer do
+
+    let(:signer) { SimpleApiAuth::Signer.new }
+    let(:request) { mock_request }
+
+    describe '#make_hashed_request' do
+      it 'should make a hased canonical request' do
+        expect(signer.make_hashed_request(request)).to eq(mock_hashed_request)
+      end
+
+      it 'should encode payload' do
+        request.body = StringIO.new('abc')
+        expected = <<-EOF.unindent[0..-2]
+          hashed:get
+          /foobar
+          foo=bar&baz=qux
+          #{Digest.hexencode('hashed:abc')}
+        EOF
+        expect(signer.make_hashed_request(request)).to eq(Digest.hexencode(expected))
+      end
+    end
+
+    describe '#make_string_to_sign' do
+      it 'should generate correct string to sign' do
+        expect(signer.make_string_to_sign(request)).to eq(mock_string_to_sign)
+      end
+    end
+
+    describe '#sign' do
+      let(:secret_key) { 'ultra_secret_key' }
+      it 'should generate correct signature' do
+        expect(signer.sign(request, secret_key)).to eq(mock_signature)
+      end
+    end
+  end
+end

data/spec/lib/simple-api-auth_spec.rb

@@ -0,0 +1,110 @@
+describe SimpleApiAuth do
+  it 'should be configurable' do
+    expect(SimpleApiAuth.config.request_fields[:headers]).to eq(:headers)
+    SimpleApiAuth.configure do |config|
+      config.request_fields[:headers] = :env
+    end
+    expect(SimpleApiAuth.config.request_fields[:headers]).to eq(:env)
+  end
+
+  describe '#log' do
+    it 'should not fail on nil' do
+      SimpleApiAuth.log('foobar')
+    end
+
+    it 'should log when logger is present' do
+      s = StringIO.new('', 'a')
+      SimpleApiAuth.config.logger = Logger.new(s)
+      expect(s.string).not_to include('foobar')
+      SimpleApiAuth.log(Logger::WARN, 'foobar')
+      expect(s.string).to include('foobar')
+    end
+  end
+
+  describe '#extract_key' do
+    let(:request) { mock_request }
+    subject { SimpleApiAuth.extract_key(request) }
+
+    it 'should extract correct key' do
+      expect(subject).to eq('user_personal_key')
+    end
+
+    it 'should work with custom headers' do
+      SimpleApiAuth.config.header_keys[:key] = :key
+      request.headers[:key] = request.headers.delete(:x_saa_key)
+      expect(subject).to eq('user_personal_key')
+    end
+  end
+
+  describe '#valid_signature?' do
+    let(:request) { mock_request }
+    let(:result) { SimpleApiAuth.valid_signature?(request, mock_secret_key) }
+
+    it 'should fail with wrong request' do
+      expect(result).to be_falsy
+    end
+
+    it 'should succeed with correct signature' do
+      request.headers[:authorization] = "Signature: #{mock_signature}"
+      expect(result).to be_truthy
+    end
+
+    context 'with real world example' do
+      before(:each) do
+        SimpleApiAuth.config.hasher = SimpleApiAuth::Hasher::SHA1
+      end
+      let(:request) do
+        SimpleApiAuth::Request.new(
+          http_verb: 'GET',
+          uri: '/foo/bar',
+          query_string: 'foo=bar&bar=qux',
+          body: StringIO.new('somerandombody'),
+          headers: {
+            authorization: 'Signature: 7c171d095fd65b7078afd13a6b3bd4ecfe596552',
+            x_saa_auth_time: request_time.iso8601,
+            x_saa_key: 'wedontreallycarehere'
+          }
+        )
+      end
+
+      it 'should succeed with correct key' do
+        expect(SimpleApiAuth.valid_signature?(request, mock_secret_key)).to be_truthy
+      end
+
+      it 'should fail with wrong key' do
+        expect(SimpleApiAuth.valid_signature?(request, 'somerandomkey')).to be_falsy
+      end
+    end
+  end
+
+  describe 'signing methods' do
+    let(:request) { mock_request }
+    let(:base_secret) { 'a_very_secret_key' }
+    let(:secret_key) { base_secret }
+    subject { SimpleApiAuth.valid_signature?(request, secret_key) }
+
+    describe '#compute_signature' do
+      let(:signature) { SimpleApiAuth.compute_signature(request, secret_key) }
+
+      it 'should return correct signature' do
+        request.headers[:authorization] = "Signature: #{signature}"
+        expect(subject).to be_truthy
+      end
+
+      context 'with a different key' do
+        let(:secret_key) { 'another cool key' }
+        it 'should not return the same signature' do
+          request.headers[:authorization] = "Signature: #{signature}"
+          expect(SimpleApiAuth.valid_signature?(request, base_secret)).to be_falsy
+        end
+      end
+    end
+
+    describe '#sign!' do
+      before(:each) { SimpleApiAuth.sign!(request, secret_key) }
+      it 'should sign the current request' do
+        expect(subject).to be_truthy
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,31 @@
+require 'coveralls'
+require 'codeclimate-test-reporter'
+Coveralls.wear!
+CodeClimate::TestReporter.start
+
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
+  Coveralls::SimpleCov::Formatter,
+  SimpleCov::Formatter::HTMLFormatter,
+  CodeClimate::TestReporter::Formatter
+]
+
+$LOAD_PATH.unshift(File.dirname(__FILE__) + '/../lib')
+
+require 'active_record'
+require 'database_cleaner'
+require 'simple-api-auth'
+require 'rspec/its'
+
+support_glob = File.expand_path('support/**/*.rb', File.dirname(__FILE__))
+Dir[support_glob].each { |f| require f }
+
+RSpec.configure do |config|
+  config.include SpecHelpers::Dummy
+  config.extend SpecHelpers::Requests
+
+  config.before(:each) do
+    allow(Time).to receive(:now) { Time.utc(2014, 11, 8, 0, 7) }
+    SimpleApiAuth.config.reset!
+    SimpleApiAuth.config.hasher = SpecHelpers::Auth::DummyHasher
+  end
+end

data/spec/support/auth.rb

@@ -0,0 +1,13 @@
+module SpecHelpers
+  module Auth
+    class DummyHasher
+      def hash(value)
+        "hashed:#{value}"
+      end
+
+      def hmac(key, message)
+        "#{key}:#{message}"
+      end
+    end
+  end
+end

data/spec/support/database.rb

@@ -0,0 +1,14 @@
+database_yml = File.expand_path('../../internal/config/database.yml', __FILE__)
+ActiveRecord::Base.default_timezone = :utc
+ActiveRecord::Base.logger = Logger.new(File.join(File.dirname(__FILE__), '../debug.log'))
+ActiveRecord::Base.logger.level = ENV['TRAVIS'] ? ::Logger::ERROR : ::Logger::DEBUG
+ActiveRecord::Base.configurations = YAML.load_file(database_yml)
+
+begin
+  ActiveRecord::Base.establish_connection(:test)
+rescue
+  ActiveRecord::Base.establish_connection('test')
+end
+
+load(File.dirname(__FILE__) + '/../internal/db/schema.rb')
+load(File.dirname(__FILE__) + '/../internal/app/models/models.rb')

data/spec/support/database_cleaner.rb

@@ -0,0 +1,19 @@
+RSpec.configure do |config|
+  config.before(:suite) do
+    DatabaseCleaner.clean_with(:truncation)
+    DatabaseCleaner.strategy = :transaction
+    DatabaseCleaner.clean
+  end
+
+  config.after(:suite) do
+    DatabaseCleaner.clean
+  end
+
+  config.before(:each) do
+    DatabaseCleaner.start
+  end
+
+  config.after(:each) do
+    DatabaseCleaner.clean
+  end
+end

data/spec/support/extensions.rb

@@ -0,0 +1,10 @@
+class String
+  def unindent
+    first_line_spaces = self[/\A\s*/]
+    gsub(/^#{first_line_spaces}/, '')
+  end
+
+  def hexdecode
+    scan(/../).map(&:hex).map(&:chr).join
+  end
+end