stripe 8.6.0.pre.beta.2 → 8.6.0.pre.beta.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b51765f7e0a00e3c7e757a9e7959af0511cd8a3b08b4514f6dd0cf465206f4a
-  data.tar.gz: a735dda919d79edda717051b862bb6dd0767efc5ddf2293284be9e865c71d0d9
+  metadata.gz: b8329baf2324481281bac8a14057e933252bcc1fccbde79f4303fb1e84d113c9
+  data.tar.gz: bce0345d4c34fb1b25278e55a5ca31db6303d7b5b69037d05e55b3aa8f68537e
 SHA512:
-  metadata.gz: 19a6751739586398a67de1384983910cf0c9ed6615264d409cbc3ef1ad729a799f4a1be5a6c3b1c20b3bd473150b2cedd7cca2786d2709c31b524b66e185cfbc
-  data.tar.gz: 18ded4cf0d4466e896d1b8844949e8b3a6c7e03b4594cead22405604ca59afcdf027d1f72385745723ca49a261babdbf4eeef5859ac62cc6c00cc585aad60fa2
+  metadata.gz: 7055e66eae45c2a9e3cf0d3dd6f65c1da2e7ef6a0189feb9a7cbf04de25b857a37e7888c7cfe8f391004192c9cbce4f3f30ee25236fa2f94bd4b7d4263ae696a
+  data.tar.gz: 47077ba02bc7c0c73071d92500333e84bce73cae25ea88ec0ff5c47b378bc5b2e0473cb5bc8cdc9d65d9151b6f74f5361df674685af2ce194d452ae0fe6d5df7

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 8.6.0-beta.3 - 2023-04-17
+* [#1211](https://github.com/stripe/stripe-ruby/pull/1211) Update generated code for beta
+* [#1210](https://github.com/stripe/stripe-ruby/pull/1210), [#1212](https://github.com/stripe/stripe-ruby/pull/1212), [#1213](https://github.com/stripe/stripe-ruby/pull/1213) Add support for request signing
+
 ## 8.6.0-beta.2 - 2023-04-13
 * [#1206](https://github.com/stripe/stripe-ruby/pull/1206) Update generated code for beta
   * Add support for `collect_payment_method` and `confirm_payment_intent` methods on resource `Terminal.Reader`
@@ -12,7 +16,7 @@
 
 ## 8.5.0 - 2023-03-30
 * [#1203](https://github.com/stripe/stripe-ruby/pull/1203) Update generated code
-  * Remove support for `create` method on resource `Tax.Transaction`
+  * Remove support for `create` method on resource `Tax.Transaction`
     * This is not a breaking change, as this method was deprecated before the Tax Transactions API was released in favor of the `create_from_calculation` method.
 * [#1201](https://github.com/stripe/stripe-ruby/pull/1201) Update save deprecation message
 

data/Gemfile

@@ -10,8 +10,7 @@ group :development do
   gem "rack", ">= 2.0.6"
   gem "rake"
 
-  # Update to 2.0.0 once it ships.
-  gem "shoulda-context", "2.0.0.rc4"
+  gem "shoulda-context", "2.0.0"
 
   gem "test-unit"
 

data/OPENAPI_VERSION

@@ -1 +1 @@
-v296
+v299

data/VERSION

@@ -1 +1 @@
-8.6.0-beta.2
+8.6.0-beta.3

data/lib/stripe/request_signing_authenticator.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Stripe
+  class RequestSigningAuthenticator
+    AUTHORIZATION_HEADER_NAME = "Authorization"
+    CONTENT_TYPE_HEADER_NAME = "Content-Type"
+    STRIPE_CONTEXT_HEADER_NAME = "Stripe-Context"
+    STRIPE_ACCOUNT_HEADER_NAME = "Stripe-Account"
+    CONTENT_DIGEST_HEADER_NAME = "Content-Digest"
+    SIGNATURE_INPUT_HEADER_NAME = "Signature-Input"
+    SIGNATURE_HEADER_NAME = "Signature"
+
+    attr_reader :auth_token, :sign_lambda
+
+    def initialize(auth_token, sign_lambda)
+      unless auth_token.is_a?(String)
+        raise ArgumentError, "auth_token must be a string"
+      end
+      unless sign_lambda.is_a?(Proc)
+        raise ArgumentError, "sign_lambda must be a lambda"
+      end
+
+      @auth_token = auth_token
+      @sign_lambda = sign_lambda
+    end
+
+    def authenticate(method, headers, body)
+      covered_headers = [CONTENT_TYPE_HEADER_NAME,
+                         CONTENT_DIGEST_HEADER_NAME,
+                         STRIPE_CONTEXT_HEADER_NAME,
+                         STRIPE_ACCOUNT_HEADER_NAME,
+                         AUTHORIZATION_HEADER_NAME,]
+
+      headers[AUTHORIZATION_HEADER_NAME] = "STRIPE-V2-SIG #{auth_token}"
+
+      if method == :get
+        covered_headers -= [CONTENT_TYPE_HEADER_NAME,
+                            CONTENT_DIGEST_HEADER_NAME,]
+      else
+        content = body || ""
+        headers[CONTENT_DIGEST_HEADER_NAME] =
+          %(sha-256=:#{content_digest(content)}:)
+      end
+
+      covered_headers_formatted = covered_headers
+                                  .map { |string| %("#{string.downcase}") }
+                                  .join(" ")
+
+      signature_input = "(#{covered_headers_formatted});created=#{created_time}"
+
+      inputs = covered_headers
+               .map { |header| %("#{header.downcase}": #{headers[header]}) }
+               .join("\n")
+
+      signature_base = %(#{inputs}\n"@signature-params": #{signature_input})
+                       .encode(Encoding::UTF_8)
+
+      headers[SIGNATURE_INPUT_HEADER_NAME] = "sig1=#{signature_input}"
+
+      headers[SIGNATURE_HEADER_NAME] =
+        "sig1=:#{encoded_signature(signature_base)}:"
+    end
+
+    private def sign(signature_base)
+      @sign_lambda.call(signature_base)
+    end
+
+    private def encoded_signature(signature_base)
+      Base64.strict_encode64(sign(signature_base))
+    rescue StandardError
+      raise AuthenticationError, "Encountered '#{e.message} (#{e.class})' "\
+       "when calculating request signature."
+    end
+
+    private def content_digest(content)
+      Base64.strict_encode64(OpenSSL::Digest.new("SHA256").digest(content))
+    end
+
+    private def created_time
+      Time.now.to_i
+    end
+  end
+end

data/lib/stripe/stripe_client.rb

@@ -440,9 +440,10 @@ module Stripe
 
       api_base ||= config.api_base
       api_key ||= config.api_key
+      authenticator ||= config.authenticator
       params = Util.objects_to_ids(params)
 
-      check_api_key!(api_key)
+      check_keys!(api_key, authenticator)
 
       body_params = nil
       query_params = nil
@@ -469,11 +470,14 @@ module Stripe
       body, body_log =
         body_params ? encode_body(body_params, headers) : [nil, nil]
 
+      authenticator.authenticate(method, headers, body) unless api_key
+
       # stores information on the request we're about to make so that we don't
       # have to pass as many parameters around for logging.
       context = RequestLogContext.new
       context.account         = headers["Stripe-Account"]
       context.api_key         = api_key
+      context.authenticator   = authenticator
       context.api_version     = headers["Stripe-Version"]
       context.body            = body_log
       context.idempotency_key = headers["Idempotency-Key"]
@@ -512,8 +516,16 @@ module Stripe
       (api_base || config.api_base) + url
     end
 
-    private def check_api_key!(api_key)
-      unless api_key
+    private def check_keys!(api_key, authenticator)
+      if api_key && authenticator
+        raise AuthenticationError, "Can't specify both API key " \
+          "and authenticator. Either set your API key" \
+          'using "Stripe.api_key = <API-KEY>", or set your authenticator ' \
+          'using "Stripe.authenticator = <AUTHENTICATOR>"' \
+      end
+
+      unless api_key || authenticator
+        # Default to missing API key error message for general users.
         raise AuthenticationError, "No API key provided. " \
           'Set your API key using "Stripe.api_key = <API-KEY>". ' \
           "You can generate API keys from the Stripe web interface. " \
@@ -966,6 +978,7 @@ module Stripe
       attr_accessor :body
       attr_accessor :account
       attr_accessor :api_key
+      attr_accessor :authenticator
       attr_accessor :api_version
       attr_accessor :idempotency_key
       attr_accessor :method

data/lib/stripe/stripe_configuration.rb

@@ -27,6 +27,7 @@ module Stripe
   class StripeConfiguration
     attr_accessor :api_key
     attr_accessor :api_version
+    attr_accessor :authenticator
     attr_accessor :client_id
     attr_accessor :enable_telemetry
     attr_accessor :logger

data/lib/stripe/util.rb

@@ -7,6 +7,7 @@ module Stripe
     # Options that a user is allowed to specify.
     OPTS_USER_SPECIFIED = Set[
       :api_key,
+      :authenticator,
       :idempotency_key,
       :stripe_account,
       :stripe_version
@@ -281,7 +282,13 @@ module Stripe
       when String
         { api_key: opts }
       when Hash
-        check_api_key!(opts.fetch(:api_key)) if opts.key?(:api_key)
+        # If the user is using request signing for authentication,
+        # no need to check the api_key per request.
+        if !(opts.key?(:client) &&
+           opts.fetch(:client).config.authenticator) &&
+           opts.key?(:api_key)
+          check_api_key!(opts.fetch(:api_key))
+        end
         # Explicitly use dup here instead of clone to avoid preserving freeze
         # state on input params.
         opts.dup

data/lib/stripe/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stripe
-  VERSION = "8.6.0-beta.2"
+  VERSION = "8.6.0-beta.3"
 end

data/lib/stripe.rb

@@ -13,6 +13,7 @@ require "set"
 require "socket"
 require "uri"
 require "forwardable"
+require "base64"
 
 # Version
 require "stripe/api_version"
@@ -44,6 +45,7 @@ require "stripe/api_resource_test_helpers"
 require "stripe/singleton_api_resource"
 require "stripe/webhook"
 require "stripe/stripe_configuration"
+require "stripe/request_signing_authenticator"
 
 # Named API resources
 require "stripe/resources"
@@ -70,6 +72,7 @@ module Stripe
 
     # User configurable options
     def_delegators :@config, :api_key, :api_key=
+    def_delegators :@config, :authenticator, :authenticator=
     def_delegators :@config, :api_version, :api_version=
     def_delegators :@config, :stripe_account, :stripe_account=
     def_delegators :@config, :api_base, :api_base=

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stripe
 version: !ruby/object:Gem::Version
-  version: 8.6.0.pre.beta.2
+  version: 8.6.0.pre.beta.3
 platform: ruby
 authors:
 - Stripe
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-13 00:00:00.000000000 Z
+date: 2023-04-17 00:00:00.000000000 Z
 dependencies: []
 description: Stripe is the easiest way to accept payments online.  See https://stripe.com
   for details.
@@ -50,6 +50,7 @@ files:
 - lib/stripe/multipart_encoder.rb
 - lib/stripe/oauth.rb
 - lib/stripe/object_types.rb
+- lib/stripe/request_signing_authenticator.rb
 - lib/stripe/resources.rb
 - lib/stripe/resources/account.rb
 - lib/stripe/resources/account_link.rb