stripe 2.0.3 → 5.55.0

data/lib/stripe/webhook.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+module Stripe
+  module Webhook
+    DEFAULT_TOLERANCE = 300
+
+    # Initializes an Event object from a JSON payload.
+    #
+    # This may raise JSON::ParserError if the payload is not valid JSON, or
+    # SignatureVerificationError if the signature verification fails.
+    def self.construct_event(payload, sig_header, secret,
+                             tolerance: DEFAULT_TOLERANCE)
+      Signature.verify_header(payload, sig_header, secret, tolerance: tolerance)
+
+      # It's a good idea to parse the payload only after verifying it. We use
+      # `symbolize_names` so it would otherwise be technically possible to
+      # flood a target's memory if they were on an older version of Ruby that
+      # doesn't GC symbols. It also decreases the likelihood that we receive a
+      # bad payload that fails to parse and throws an exception.
+      data = JSON.parse(payload, symbolize_names: true)
+      Event.construct_from(data)
+    end
+
+    module Signature
+      EXPECTED_SCHEME = "v1"
+
+      # Computes a webhook signature given a time (probably the current time),
+      # a payload, and a signing secret.
+      def self.compute_signature(timestamp, payload, secret)
+        raise ArgumentError, "timestamp should be an instance of Time" \
+          unless timestamp.is_a?(Time)
+        raise ArgumentError, "payload should be a string" \
+          unless payload.is_a?(String)
+        raise ArgumentError, "secret should be a string" \
+          unless secret.is_a?(String)
+
+        timestamped_payload = "#{timestamp.to_i}.#{payload}"
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret,
+                                timestamped_payload)
+      end
+
+      # Generates a value that would be added to a `Stripe-Signature` for a
+      # given webhook payload.
+      #
+      # Note that this isn't needed to verify webhooks in any way, and is
+      # mainly here for use in test cases (those that are both within this
+      # project and without).
+      def self.generate_header(timestamp, signature, scheme: EXPECTED_SCHEME)
+        raise ArgumentError, "timestamp should be an instance of Time" \
+          unless timestamp.is_a?(Time)
+        raise ArgumentError, "signature should be a string" \
+          unless signature.is_a?(String)
+        raise ArgumentError, "scheme should be a string" \
+          unless scheme.is_a?(String)
+
+        "t=#{timestamp.to_i},#{scheme}=#{signature}"
+      end
+
+      # Extracts the timestamp and the signature(s) with the desired scheme
+      # from the header
+      def self.get_timestamp_and_signatures(header, scheme)
+        list_items = header.split(/,\s*/).map { |i| i.split("=", 2) }
+        timestamp = Integer(list_items.select { |i| i[0] == "t" }[0][1])
+        signatures = list_items.select { |i| i[0] == scheme }.map { |i| i[1] }
+        [Time.at(timestamp), signatures]
+      end
+      private_class_method :get_timestamp_and_signatures
+
+      # Verifies the signature header for a given payload.
+      #
+      # Raises a SignatureVerificationError in the following cases:
+      # - the header does not match the expected format
+      # - no signatures found with the expected scheme
+      # - no signatures matching the expected signature
+      # - a tolerance is provided and the timestamp is not within the
+      #   tolerance
+      #
+      # Returns true otherwise
+      def self.verify_header(payload, header, secret, tolerance: nil)
+        begin
+          timestamp, signatures =
+            get_timestamp_and_signatures(header, EXPECTED_SCHEME)
+
+        # TODO: Try to knock over this blanket rescue as it can unintentionally
+        # swallow many valid errors. Instead, try to validate an incoming
+        # header one piece at a time, and error with a known exception class if
+        # any part is found to be invalid. Rescue that class here.
+        rescue StandardError
+          raise SignatureVerificationError.new(
+            "Unable to extract timestamp and signatures from header",
+            header, http_body: payload
+          )
+        end
+
+        if signatures.empty?
+          raise SignatureVerificationError.new(
+            "No signatures found with expected scheme #{EXPECTED_SCHEME}",
+            header, http_body: payload
+          )
+        end
+
+        expected_sig = compute_signature(timestamp, payload, secret)
+        unless signatures.any? { |s| Util.secure_compare(expected_sig, s) }
+          raise SignatureVerificationError.new(
+            "No signatures found matching the expected signature for payload",
+            header, http_body: payload
+          )
+        end
+
+        if tolerance && timestamp < Time.now - tolerance
+          raise SignatureVerificationError.new(
+            "Timestamp outside the tolerance zone (#{Time.at(timestamp)})",
+            header, http_body: payload
+          )
+        end
+
+        true
+      end
+    end
+  end
+end

data/lib/stripe.rb

@@ -1,142 +1,120 @@
+# frozen_string_literal: true
+
 # Stripe Ruby bindings
 # API spec at https://stripe.com/docs/api
-require 'cgi'
-require 'openssl'
-require 'rbconfig'
-require 'set'
-require 'socket'
-
-require 'faraday'
-require 'json'
+require "cgi"
+require "json"
+require "logger"
+require "net/http"
+require "openssl"
+require "rbconfig"
+require "securerandom"
+require "set"
+require "socket"
+require "uri"
+require "forwardable"
 
 # Version
-require 'stripe/version'
+require "stripe/version"
 
 # API operations
-require 'stripe/api_operations/create'
-require 'stripe/api_operations/save'
-require 'stripe/api_operations/delete'
-require 'stripe/api_operations/list'
-require 'stripe/api_operations/request'
+require "stripe/api_operations/create"
+require "stripe/api_operations/delete"
+require "stripe/api_operations/list"
+require "stripe/api_operations/nested_resource"
+require "stripe/api_operations/request"
+require "stripe/api_operations/save"
+require "stripe/api_operations/search"
 
 # API resource support classes
-require 'stripe/errors'
-require 'stripe/util'
-require 'stripe/stripe_client'
-require 'stripe/stripe_object'
-require 'stripe/stripe_response'
-require 'stripe/list_object'
-require 'stripe/api_resource'
-require 'stripe/singleton_api_resource'
+require "stripe/errors"
+require "stripe/object_types"
+require "stripe/util"
+require "stripe/connection_manager"
+require "stripe/multipart_encoder"
+require "stripe/stripe_client"
+require "stripe/stripe_object"
+require "stripe/stripe_response"
+require "stripe/list_object"
+require "stripe/search_result_object"
+require "stripe/error_object"
+require "stripe/api_resource"
+require "stripe/api_resource_test_helpers"
+require "stripe/singleton_api_resource"
+require "stripe/webhook"
+require "stripe/stripe_configuration"
 
 # Named API resources
-require 'stripe/account'
-require 'stripe/alipay_account'
-require 'stripe/apple_pay_domain'
-require 'stripe/application_fee'
-require 'stripe/application_fee_refund'
-require 'stripe/balance'
-require 'stripe/balance_transaction'
-require 'stripe/bank_account'
-require 'stripe/bitcoin_receiver'
-require 'stripe/bitcoin_transaction'
-require 'stripe/card'
-require 'stripe/charge'
-require 'stripe/country_spec'
-require 'stripe/coupon'
-require 'stripe/customer'
-require 'stripe/dispute'
-require 'stripe/event'
-require 'stripe/file_upload'
-require 'stripe/invoice'
-require 'stripe/invoice_item'
-require 'stripe/order'
-require 'stripe/order_return'
-require 'stripe/plan'
-require 'stripe/product'
-require 'stripe/recipient'
-require 'stripe/refund'
-require 'stripe/reversal'
-require 'stripe/sku'
-require 'stripe/source'
-require 'stripe/subscription'
-require 'stripe/subscription_item'
-require 'stripe/three_d_secure'
-require 'stripe/token'
-require 'stripe/transfer'
+require "stripe/resources"
 
-module Stripe
-  DEFAULT_CA_BUNDLE_PATH = File.dirname(__FILE__) + '/data/ca-certificates.crt'
+# OAuth
+require "stripe/oauth"
 
-  @api_base = 'https://api.stripe.com'
-  @connect_base = 'https://connect.stripe.com'
-  @uploads_base = 'https://uploads.stripe.com'
+module Stripe
+  DEFAULT_CA_BUNDLE_PATH = __dir__ + "/data/ca-certificates.crt"
 
-  @max_network_retries = 0
-  @max_network_retry_delay = 2
-  @initial_network_retry_delay = 0.5
+  # map to the same values as the standard library's logger
+  LEVEL_DEBUG = Logger::DEBUG
+  LEVEL_ERROR = Logger::ERROR
+  LEVEL_INFO = Logger::INFO
 
-  @ca_bundle_path = DEFAULT_CA_BUNDLE_PATH
-  @ca_store = nil
-  @verify_ssl_certs = true
+  @app_info = nil
 
-  @open_timeout = 30
-  @read_timeout = 80
+  @config = Stripe::StripeConfiguration.setup
 
   class << self
-    attr_accessor :stripe_account, :api_key, :api_base, :verify_ssl_certs, :api_version, :connect_base, :uploads_base,
-                  :open_timeout, :read_timeout
-
-    attr_reader :max_network_retry_delay, :initial_network_retry_delay
+    extend Forwardable
+
+    attr_reader :config
+
+    # User configurable options
+    def_delegators :@config, :api_key, :api_key=
+    def_delegators :@config, :api_version, :api_version=
+    def_delegators :@config, :stripe_account, :stripe_account=
+    def_delegators :@config, :api_base, :api_base=
+    def_delegators :@config, :uploads_base, :uploads_base=
+    def_delegators :@config, :connect_base, :connect_base=
+    def_delegators :@config, :open_timeout, :open_timeout=
+    def_delegators :@config, :read_timeout, :read_timeout=
+    def_delegators :@config, :write_timeout, :write_timeout=
+    def_delegators :@config, :proxy, :proxy=
+    def_delegators :@config, :verify_ssl_certs, :verify_ssl_certs=
+    def_delegators :@config, :ca_bundle_path, :ca_bundle_path=
+    def_delegators :@config, :log_level, :log_level=
+    def_delegators :@config, :logger, :logger=
+    def_delegators :@config, :max_network_retries, :max_network_retries=
+    def_delegators :@config, :enable_telemetry=, :enable_telemetry?
+    def_delegators :@config, :client_id=, :client_id
+
+    # Internal configurations
+    def_delegators :@config, :max_network_retry_delay
+    def_delegators :@config, :initial_network_retry_delay
+    def_delegators :@config, :ca_store
   end
 
-  # The location of a file containing a bundle of CA certificates. By default
-  # the library will use an included bundle that can successfully validate
-  # Stripe certificates.
-  def self.ca_bundle_path
-    @ca_bundle_path
+  # Gets the application for a plugin that's identified some. See
+  # #set_app_info.
+  def self.app_info
+    @app_info
   end
 
-  def self.ca_bundle_path=(path)
-    @ca_bundle_path = path
-
-    # empty this field so a new store is initialized
-    @ca_store = nil
+  def self.app_info=(info)
+    @app_info = info
   end
 
-  # A certificate store initialized from the the bundle in #ca_bundle_path and
-  # which is used to validate TLS on every request.
+  # Sets some basic information about the running application that's sent along
+  # with API requests. Useful for plugin authors to identify their plugin when
+  # communicating with Stripe.
   #
-  # This was added to the give the gem "pseudo thread safety" in that it seems
-  # when initiating many parallel requests marshaling the certificate store is
-  # the most likely point of failure (see issue #382). Any program attempting
-  # to leverage this pseudo safety should make a call to this method (i.e.
-  # `Stripe.ca_store`) in their initialization code because it marshals lazily
-  # and is itself not thread safe.
-  def self.ca_store
-    @ca_store ||= begin
-      store = OpenSSL::X509::Store.new
-      store.add_file(ca_bundle_path)
-      store
-    end
-  end
-
-  def self.max_network_retries
-    @max_network_retries
-  end
-
-  def self.max_network_retries=(val)
-    @max_network_retries = val.to_i
-  end
-
-  private
-
-  # DEPRECATED. Use `Util#encode_parameters` instead.
-  def self.uri_encode(params)
-    Util.encode_parameters(params)
-  end
-  class << self
-    extend Gem::Deprecate
-    deprecate :uri_encode, "Stripe::Util#encode_parameters", 2016, 01
+  # Takes a name and optional partner program ID, plugin URL, and version.
+  def self.set_app_info(name, partner_id: nil, url: nil, version: nil)
+    @app_info = {
+      name: name,
+      partner_id: partner_id,
+      url: url,
+      version: version,
+    }
   end
 end
+
+Stripe.log_level = ENV["STRIPE_LOG"] unless ENV["STRIPE_LOG"].nil?

data/stripe.gemspec

@@ -1,22 +1,41 @@
-$:.unshift(File.join(File.dirname(__FILE__), 'lib'))
+# frozen_string_literal: true
 
-require 'stripe/version'
+$LOAD_PATH.unshift(::File.join(::File.dirname(__FILE__), "lib"))
 
-spec = Gem::Specification.new do |s|
-  s.name = 'stripe'
+require "stripe/version"
+
+Gem::Specification.new do |s|
+  s.name = "stripe"
   s.version = Stripe::VERSION
-  s.required_ruby_version = '>= 1.9.3'
-  s.summary = 'Ruby bindings for the Stripe API'
-  s.description = 'Stripe is the easiest way to accept payments online.  See https://stripe.com for details.'
-  s.author = 'Stripe'
-  s.email = 'support@stripe.com'
-  s.homepage = 'https://stripe.com/docs/api/ruby'
-  s.license = 'MIT'
+  s.required_ruby_version = ">= 2.3.0"
+  s.summary = "Ruby bindings for the Stripe API"
+  s.description = "Stripe is the easiest way to accept payments online.  " \
+                  "See https://stripe.com for details."
+  s.author = "Stripe"
+  s.email = "support@stripe.com"
+  s.homepage = "https://stripe.com/docs/api?lang=ruby"
+  s.license = "MIT"
 
-  s.add_dependency('faraday', '~> 0')
+  s.metadata = {
+    "bug_tracker_uri" => "https://github.com/stripe/stripe-ruby/issues",
+    "changelog_uri" =>
+      "https://github.com/stripe/stripe-ruby/blob/master/CHANGELOG.md",
+    "documentation_uri" => "https://stripe.com/docs/api?lang=ruby",
+    "github_repo" => "ssh://github.com/stripe/stripe-ruby",
+    "homepage_uri" => "https://stripe.com/docs/api?lang=ruby",
+    "source_code_uri" => "https://github.com/stripe/stripe-ruby",
+  }
 
-  s.files = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- test/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
-  s.require_paths = ['lib']
+  ignored = Regexp.union(
+    /\A\.editorconfig/,
+    /\A\.git/,
+    /\A\.rubocop/,
+    /\A\.travis.yml/,
+    /\A\.vscode/,
+    /\Atest/
+  )
+  s.files = `git ls-files`.split("\n").reject { |f| ignored.match(f) }
+  s.executables   = `git ls-files -- bin/*`.split("\n")
+                                           .map { |f| ::File.basename(f) }
+  s.require_paths = ["lib"]
 end