train-rest 0.4.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bdaed9296e5756a522d6fbaf9fd8d5aca6ed8f2e74250387a97f65fbf58c51b2
-  data.tar.gz: 0bd7dd4791ea737ff122343445bb58a974c0e01e03431a31ab57616e548805aa
+  metadata.gz: 73a28c27d6e8385d3d8356c363847ddae1380ff0d0e75d6f919f64cefb315637
+  data.tar.gz: 1b0140ce7079d48ac070b05607acc1b142c987cd598a7f60fdc28ff3025dc3f6
 SHA512:
-  metadata.gz: dc8d624d5b44cf12e3fb1810cc0f3e84acd53230e503a4a46dee3d04335aef445d21178959b35a712e3b9d2e98eb6328eb45c6e8dc55684cecd1322f3a8be128
-  data.tar.gz: cd8d93fc0e5b0926ce86c6d1ab826f0a84c1996b0c15586e46cd7d78096e851127a4f82fac49998a34e57e3b04d626ef274b5870c771eb824450cf8179b7d2ce
+  metadata.gz: 293e8e03b838b888108eb25ac164080f76aa0291420bcd04feb8503245c3149ff3d03257ad01df3ea3d2fae018094a0ec85c1e4a3b052b1a07c3cc0db69b0244
+  data.tar.gz: a816054a1e6db4bd24134249adaedd933b16b9796c3cfde7afa90f4e66ea70d9cdf744bea124ee2e93b383d6ad4b666e4bdd2a4ae363fa09056bad3eb85ada6f

data/lib/train-rest/auth_handler/awsv4.rb

@@ -0,0 +1,119 @@
+require 'aws-sigv4'
+require 'json'
+
+require_relative "../auth_handler"
+
+module TrainPlugins
+  module Rest
+    class AWSV4 < AuthHandler
+      VALID_CREDENTIALS = %w[
+        access_keys
+      ].freeze
+
+      SIGNED_HEADERS = %w[
+        content-type host x-amz-date x-amz-target
+      ].freeze
+
+      def check_options
+        options[:credentials] ||= "access_keys"
+
+        unless VALID_CREDENTIALS.include? credentials
+          raise ArgumentError.new("Invalid type of credentials: #{credentials}")
+        end
+
+        if access_keys?
+          raise ArgumentError.new('Missing `access_key` credential') unless access_key
+          raise ArgumentError.new('Missing `secret_access_key` credential') unless secret_access_key
+        end
+      end
+
+      def signature_based?
+        true
+      end
+
+      def process(payload: "", headers: {}, url: "", method: nil)
+        headers.merge! ({
+          'Accept-Encoding' => 'identity',
+          'User-Agent' => "train-rest/#{TrainPlugins::Rest::VERSION}",
+          'Content-Type' => 'application/x-amz-json-1.0'
+        })
+
+        signed_headers = headers.select do |name, _value|
+          SIGNED_HEADERS.include? name.downcase
+        end
+
+	@url = url
+
+        signature = signer(url).sign_request(
+          http_method: method.to_s.upcase,
+          url: url,
+          headers: signed_headers,
+          body: payload.to_json
+        )
+
+        {
+          headers: headers.merge(signature.headers)
+        }
+      end
+
+      def process_error(error)
+        raise AuthenticationError.new("Authentication failed: #{error.response.to_s.chop}") if error.response.code == 401
+        raise BadRequest.new("Bad request: #{error.response.to_s.chop}") if error.response.code == 400
+
+        message = JSON.parse(error.response.to_s)
+
+        raise AuthenticationError.new(message["message"] || message["__type"])
+      rescue JSON::ParserError => e
+        raise AuthenticationError.new(error.response.to_s)
+      end
+
+      def access_key
+        options[:access_key] || ENV['AWS_ACCESS_KEY_ID']
+      end
+
+      def region(url = default_url)
+        url.delete_prefix('https://').split('.').at(1)
+      end
+
+      private
+
+      def credentials
+        options[:credentials]
+      end
+
+      def default_url
+        options[:endpoint]
+      end
+
+      def access_keys?
+        credentials == 'access_keys'
+      end
+
+      def secret_access_key
+        options[:secret_access_key] || ENV['AWS_SECRET_ACCESS_KEY']
+      end
+
+      def service(url)
+        url.delete_prefix('https://').split('.').at(0)
+      end
+
+      def signer(url)
+        Aws::Sigv4::Signer.new(
+          service: service(url),
+          region:  region(url),
+
+          **signer_credentials
+        )
+      end
+
+      def signer_credentials
+        if access_keys?
+          {
+            access_key_id: access_key,
+            secret_access_key: secret_access_key
+          }
+        end
+      end
+    end
+  end
+end

data/lib/train-rest/auth_handler/hmac-signature.rb

@@ -0,0 +1,39 @@
+require_relative "../auth_handler"
+
+module TrainPlugins
+  module Rest
+    # Authentication via HMAC Signature.
+    class HmacSignature < AuthHandler
+      def check_options
+        raise ArgumentError.new("Need :hmac_secret for HMAC signatures") unless options[:hmac_secret]
+
+        options[:header] ||= "X-Signature"
+        options[:digest] ||= "SHA256"
+      end
+
+      def hmac_secret
+        options[:hmac_secret]
+      end
+
+      def digest
+        options[:digest]
+      end
+
+      def header
+        options[:header]
+      end
+
+      def signature_based?
+        true
+      end
+
+      def process(payload: "", headers: {}, url: "", method: nil)
+        {
+          headers: {
+            header => OpenSSL::HMAC.hexdigest(digest, hmac_secret, payload)
+          }
+        }
+      end
+    end
+  end
+end

data/lib/train-rest/auth_handler.rb

@@ -67,6 +67,30 @@ module TrainPlugins
         { headers: auth_headers }
       end
 
+      # This Auth Handler will need payload, URI and headers, e.g. for signatures.
+      #
+      # @return  [Boolean]
+      def signature_based?
+        false
+      end
+
+      # Return headers based on payload signing.
+      #
+      # @param [Hash] data different types of data for processing
+      # @option data [String] :payload contents of the message body
+      # @option data [Hash] :headers existing headers to the request
+      # @option data [String] :url URL which will be requested
+      # @option data [Symbol] :method Method to execute
+      # @returns [Hash]
+      def process(payload: "", headers: {}, url: "", method: nil)
+        {}
+      end
+
+      # Allow processing errors related to authentication.
+      #
+      # @param [RestClient::Exception] error raw error data
+      def process_error(_error); end
+
       class << self
         private
 
@@ -77,7 +101,8 @@ module TrainPlugins
         # @see https://github.com/chef/chef/blob/main/lib/chef/mixin/convert_to_class_name.rb
         def convert_to_snake_case(str)
           str = str.dup
-          str.gsub!(/[A-Z]/) { |s| "_" + s }
+          str.gsub!(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+          str.gsub!(/([a-z\d])([A-Z])/, '\1_\2')
           str.downcase!
           str.sub!(/^\_/, "")
           str

data/lib/train-rest/connection.rb

@@ -114,6 +114,21 @@ module TrainPlugins
         # Merge override headers + request specific headers
         parameters[:headers].merge!(override_headers || {})
         parameters[:headers].merge!(headers)
+
+        # Merge payload based headers (e.g. signature-based auth)
+        if auth_handler.signature_based?
+          auth_signature = auth_handler.process(
+                                payload: data,
+                                headers: parameters[:headers],
+                                url: parameters[:url],
+                                method: method
+                              )
+
+          parameters[:headers].merge! auth_signature[:headers]
+        else
+          parameters[:headers].merge! auth_parameters[:headers]
+        end
+
         parameters.compact!
 
         logger.info format("[REST] => %s", parameters.to_s) if options[:debug_rest]
@@ -121,6 +136,9 @@ module TrainPlugins
 
         logger.info format("[REST] <= %s", response.to_s) if options[:debug_rest]
         transform_response(response, json_processing)
+
+      rescue RestClient::Exception => error
+        auth_handler.process_error(error)
       end
 
       # Allow switching generic handlers for an API-specific one.
@@ -144,12 +162,21 @@ module TrainPlugins
         options[:auth_type]
       end
 
+      attr_writer :auth_handler
+
       # Auth Handlers-faced API
 
       def auth_parameters
         auth_handler.auth_parameters
       end
 
+      def auth_handler
+        desired_handler = auth_handler_classes.detect { |handler| handler.name == auth_type.to_s }
+        raise NameError.new(format("Authentication handler %s not found", auth_type.to_s)) unless desired_handler
+
+        @auth_handler ||= desired_handler.new(self)
+      end
+
       private
 
       def global_parameters
@@ -160,8 +187,6 @@ module TrainPlugins
           headers: options[:headers],
         }
 
-        params.merge!(auth_parameters)
-
         params
       end
 
@@ -184,23 +209,14 @@ module TrainPlugins
         :basic if options[:username] && options[:password]
       end
 
-      attr_writer :auth_handler
-
       def auth_handler_classes
-        AuthHandler.descendants
+        ::TrainPlugins::Rest::AuthHandler.descendants
       end
 
       def auth_handlers
         auth_handler_classes.map { |handler| handler.name.to_sym }
       end
 
-      def auth_handler
-        desired_handler = auth_handler_classes.detect { |handler| handler.name == auth_type.to_s }
-        raise NameError.new(format("Authentication handler %s not found", auth_type.to_s)) unless desired_handler
-
-        @auth_handler ||= desired_handler.new(self)
-      end
-
       def login
         logger.info format("REST Login via %s authentication handler", auth_type.to_s) unless %i{anonymous basic}.include? auth_type
 

data/lib/train-rest/errors.rb

@@ -0,0 +1,6 @@
+module TrainPlugins
+  module Rest
+    class AuthenticationError < RuntimeError; end
+    class BadRequest < RuntimeError; end
+  end
+end

data/lib/train-rest/version.rb

@@ -1,5 +1,5 @@
 module TrainPlugins
   module Rest
-    VERSION = "0.4.2".freeze
+    VERSION = "0.5.0".freeze
   end
 end

data/lib/train-rest.rb

@@ -1,14 +1,18 @@
 libdir = File.dirname(__FILE__)
 $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
 
+require "train-rest/errors"
 require "train-rest/version"
 
 require "train-rest/transport"
 require "train-rest/connection"
 
+require "train-rest/auth_handler"
+require "train-rest/auth_handler/awsv4"
 require "train-rest/auth_handler/anonymous"
 require "train-rest/auth_handler/authtype-apikey"
-require "train-rest/auth_handler/header"
 require "train-rest/auth_handler/basic"
 require "train-rest/auth_handler/bearer"
+require "train-rest/auth_handler/header"
+require "train-rest/auth_handler/hmac-signature"
 require "train-rest/auth_handler/redfish"

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: train-rest
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Thomas Heinen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-01 00:00:00.000000000 Z
+date: 2022-09-06 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sigv4
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: train-core
   requirement: !ruby/object:Gem::Requirement
@@ -120,11 +134,14 @@ files:
 - lib/train-rest/auth_handler.rb
 - lib/train-rest/auth_handler/anonymous.rb
 - lib/train-rest/auth_handler/authtype-apikey.rb
+- lib/train-rest/auth_handler/awsv4.rb
 - lib/train-rest/auth_handler/basic.rb
 - lib/train-rest/auth_handler/bearer.rb
 - lib/train-rest/auth_handler/header.rb
+- lib/train-rest/auth_handler/hmac-signature.rb
 - lib/train-rest/auth_handler/redfish.rb
 - lib/train-rest/connection.rb
+- lib/train-rest/errors.rb
 - lib/train-rest/transport.rb
 - lib/train-rest/version.rb
 homepage: https://github.com/tecracer-chef/train-rest