veracode_api_signing 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 81116e99b04c7860e24ea32f2f2aaee4d8c84f8b45d094acfbeb89b668198a06
+  data.tar.gz: 85540edb0fe3b0e723bc2260f70bc980e135845a2fe8d561c8677926b0b92f62
+SHA512:
+  metadata.gz: e101221d2ef7f19af442c2a7e2c47e4fae6af13d40b8ada771b08554db6cf4d6ccbd9efe550ac1adbdf7ee796408c0bd90ccedeed77bd324437e46ffc63e026f
+  data.tar.gz: ee9f009356caa2b78ed466cefedccc50974ee70ed4f0de0f5a7e69255e670b2c121648a1ae879183a1a496fba4eb9b867739adef215e8f83030ef1af537b37a2

data/.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '29 8 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'ruby' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

data/.github/workflows/tests.yml

@@ -0,0 +1,53 @@
+name: VeracodeApiSigning
+on:
+  pull_request:
+    branches-ignore:
+      - 'gh-pages'
+  push:
+    branches-ignore:
+      - 'gh-pages'
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        # Due to https://github.com/actions/runner/issues/849, we have to use quotes for '3.0'
+        ruby: [2.7, '3.0', truffleruby, truffleruby-head]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - run: bundle exec rake
+
+  deploy:
+    needs: test
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.0'
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+      - name: Yard documents
+        run: |
+          bundle exec rake yard
+
+      - name: Deploy pages
+        if: github.event_name == 'push'
+        uses: JamesIves/github-pages-deploy-action@4.1.5
+        with:
+          SSH: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: gh-pages
+          FOLDER: doc
+          CLEAN: true
+          CLEAN_EXCLUDE: '[".gitattributes", ".gitignore", "CNAME", "LICENSE"]'

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,27 @@
+inherit_from: .rubocop_todo.yml
+
+require:
+  - rubocop-performance
+  - rubocop-rake
+  - rubocop-rspec
+
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 2.7
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+RSpec/ExampleLength:
+  Max: 50
+
+RSpec/NestedGroups:
+  Max: 4
+
+Metrics/BlockLength:
+  Max: 100

data/.rubocop_todo.yml

@@ -0,0 +1,87 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2021-10-29 23:02:10 UTC using RuboCop version 1.22.3.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: Include.
+# Include: **/*.gemspec
+Gemspec/RequiredRubyVersion:
+  Exclude:
+    - 'veracode_api_signing.gemspec'
+
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: runtime_error, standard_error
+Lint/InheritException:
+  Exclude:
+    - 'lib/veracode_api_signing/exception.rb'
+
+# Offense count: 1
+# Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
+Metrics/AbcSize:
+  Max: 38
+
+# Offense count: 5
+# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
+Metrics/MethodLength:
+  Max: 15
+
+# Offense count: 1
+# Configuration parameters: CountKeywordArgs, MaxOptionalParameters.
+Metrics/ParameterLists:
+  Max: 6
+
+# Offense count: 3
+Naming/AccessorMethodName:
+  Exclude:
+    - 'lib/veracode_api_signing/credentials.rb'
+    - 'lib/veracode_api_signing/utils.rb'
+
+# Offense count: 3
+# Configuration parameters: ForbiddenDelimiters.
+# ForbiddenDelimiters: (?-mix:(^|\s)(EO[A-Z]{1}|END)(\s|$))
+Naming/HeredocDelimiterNaming:
+  Exclude:
+    - 'spec/veracode_api_signing/credentials_spec.rb'
+
+# Offense count: 2
+# Configuration parameters: Include, CustomTransform, IgnoreMethods, SpecSuffixOnly.
+# Include: **/*_spec*rb*, **/spec/**/*
+RSpec/FilePath:
+  Exclude:
+    - 'spec/veracode_api_signing/exception_spec.rb'
+    - 'spec/veracode_api_signing/version_spec.rb'
+
+# Offense count: 8
+# Configuration parameters: AllowedConstants.
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/veracode_api_signing.rb'
+    - 'lib/veracode_api_signing/credentials.rb'
+    - 'lib/veracode_api_signing/formatters.rb'
+    - 'lib/veracode_api_signing/hmac_auth.rb'
+    - 'lib/veracode_api_signing/plugins/faraday_middleware.rb'
+    - 'lib/veracode_api_signing/regions.rb'
+    - 'lib/veracode_api_signing/utils.rb'
+    - 'lib/veracode_api_signing/validation.rb'
+
+# Offense count: 4
+# Configuration parameters: MinBodyLength.
+Style/GuardClause:
+  Exclude:
+    - 'lib/veracode_api_signing/hmac_auth.rb'
+    - 'lib/veracode_api_signing/validation.rb'
+
+# Offense count: 14
+# Cop supports --auto-correct.
+# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
+# URISchemes: http, https
+Layout/LineLength:
+  Max: 312

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2021-10-12
+
+- Initial release

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,78 @@
+PATH
+  remote: .
+  specs:
+    veracode_api_signing (0.1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    brakeman (5.1.2)
+    diff-lcs (1.4.4)
+    docile (1.4.0)
+    parallel (1.21.0)
+    parser (3.0.2.0)
+      ast (~> 2.4.1)
+    rainbow (3.0.0)
+    rake (13.0.6)
+    regexp_parser (2.1.1)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-support (3.10.2)
+    rubocop (1.22.3)
+      parallel (~> 1.10)
+      parser (>= 3.0.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.12.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.12.0)
+      parser (>= 3.0.1.1)
+    rubocop-performance (1.11.5)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    rubocop-rake (0.6.0)
+      rubocop (~> 1.0)
+    rubocop-rspec (2.5.0)
+      rubocop (~> 1.19)
+    ruby-progressbar (1.11.0)
+    simplecov (0.21.2)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.3)
+    unicode-display_width (2.1.0)
+    yard (0.9.26)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  brakeman (~> 5.1)
+  bundler (~> 2.0)
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rubocop (~> 1.2)
+  rubocop-performance (~> 1.1)
+  rubocop-rake (~> 0.6)
+  rubocop-rspec (~> 2.5)
+  simplecov (~> 0.21.2)
+  veracode_api_signing!
+  yard (~> 0.9.26)
+
+BUNDLED WITH
+   2.2.30

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Corban Raun
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,52 @@
+# VeracodeApiSigning
+
+![tests](https://github.com/CorbanR/veracode_api_signing/actions/workflows/tests.yml/badge.svg)
+
+Library which uses HMAC to generate signed requests for Veracode API
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'veracode_api_signing'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install veracode_api_signing
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+### Nix development
+If you have [nix](https://nixos.org/download.html) installed, you can run
+- `nix-shell`
+- `gem install bundler`
+- `bundle install`
+- `bundle exec rspec`
+
+Optional tools
+- [direnv](https://direnv.net/)
+- [lorri](https://github.com/target/lorri)
+
+**NOTE:** At some point [nix flakes](https://nixos.wiki/wiki/Flakes) will become stable, and, if you choose to use something like `lorri`, you can just use `nix` with `direnv`!
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/veracode_api_signing.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+require "yard"
+
+YARD::Rake::YardocTask.new
+
+namespace :brakeman do
+  desc "Run Brakeman"
+  task :run, :output_files do |_t, args|
+    require "brakeman"
+
+    files = args[:output_files].split if args[:output_files]
+    Brakeman.run app_path: ".", output_files: files, print_report: true, run_all_checks: true, force_scan: true
+  end
+end
+
+multitask mytasks: %i[spec rubocop yard brakeman:run]
+
+task default: %i[mytasks]

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "veracode_api_signing"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/veracode_api_signing/credentials.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "veracode_api_signing/exception"
+
+module VeracodeApiSigning
+  class Credentials
+    PROFILE_DEFAULT = "default"
+
+    ENV_API_KEY_NAME = "VERACODE_API_KEY_ID"
+    ENV_API_SECRET_KEY_NAME = "VERACODE_API_KEY_SECRET"
+    ENV_PROFILE = "VERACODE_API_PROFILE"
+
+    FIX_INSTRUCTIONS = "Please consult the documentation to get your Veracode credentials set up."
+
+    # Get credentials from supported sources. Precedence is 1) env vars, 2) file.
+    def get_credentials(auth_file = "#{Dir.home}/.veracode/credentials")
+      credentials_from_environment = get_credentials_from_environment_variables
+      return credentials_from_environment if credentials_from_environment.compact.length == 2
+
+      credentials_from_filesystem = get_credentials_from_filesystem(auth_file)
+      if credentials_from_filesystem.compact.length == 2
+        credentials_from_filesystem
+      else
+        raise VeracodeApiSigning::CredentialsError,
+              "Unable to determine credentials. Set environment variables #{ENV_API_KEY_NAME}, and #{ENV_API_SECRET_KEY_NAME} or create credentials file #{Dir.home}/.veracode/credentials"
+      end
+    end
+
+    private
+
+    def get_credentials_from_environment_variables
+      [ENV[ENV_API_KEY_NAME], ENV[ENV_API_SECRET_KEY_NAME]]
+    end
+
+    def get_credentials_from_filesystem(auth_file)
+      unless File.exist?(auth_file)
+        raise VeracodeApiSigning::CredentialsError,
+              "Could not read credentials file #{auth_file}"
+      end
+
+      credentials_section_name = get_credentials_profile
+      raw_creds = File.read(auth_file)
+      api_key_id = raw_creds.match(/(\[#{credentials_section_name}\].*\n)(.*#{ENV_API_KEY_NAME.downcase}.*=)(.*\S)/) do |g|
+                     g[3]
+                   end&.strip&.tr('"', "")
+      api_secret_key = raw_creds.match(/(\[#{credentials_section_name}\].*\n)(.*\n#{ENV_API_SECRET_KEY_NAME.downcase}.*=)(.*\S)/) do |g|
+                         g[3]
+                       end&.strip&.tr('"', "")
+
+      [api_key_id, api_secret_key]
+    end
+
+    def get_credentials_profile
+      ENV.fetch(ENV_PROFILE, PROFILE_DEFAULT)
+    end
+  end
+end

data/lib/veracode_api_signing/exception.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module VeracodeApiSigning
+  # Generic error thrown when anything goes wrong
+  class Exception < StandardError; end
+
+  # Thrown if there is anything Veracode credentials, such as not found, improper format ... etc
+  class CredentialsError < Exception; end
+
+  # Thrown if there is anything Veracode credentials, such as not found, improper format ... etc
+  class UnsupportedAuthSchemeException < CredentialsError; end
+end

data/lib/veracode_api_signing/formatters.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "veracode_api_signing/regions"
+
+module VeracodeApiSigning
+  module Formatters
+    include Regions
+    # @param api_key_id [String] the veracode api key
+    # @param host [String] the url host
+    # @param url [String] the url path
+    # @param method [String] method to use [get, post, put, patch, delete]
+    # @example
+    #     format_signing_data("0123456789abcdef", "veracode.com", "/home", "GET") #=> "id=0123456789abcdef&host=veracode.com&url=/home&method=GET"
+    # @example
+    #     format_signing_data("0123456789abcdef", "VERACODE.com", "/home", "get") #=> "id=0123456789abcdef&host=veracode.com&url=/home&method=GET"
+    # @return [String] the formatted signing data
+    def format_signing_data(api_key_id, host, url, method)
+      # Ensure some things are in the right case.
+      # Note: that path (url) is allowed to be case-sensitive (because path is sent along verbatim)
+      api_key_id = remove_prefix_from_api_credential(api_key_id).downcase
+      host = host.downcase
+      method = method.upcase
+
+      "id=#{api_key_id}&host=#{host}&url=#{url}&method=#{method}"
+    end
+
+    # @param auth_scheme [String] the veracode auth scheme
+    # @param api_key_id [String] the veracode api key
+    # @param timestamp [String] the epoch timestamp
+    # @param nonce [String] the random nonce
+    # @param signature [String] the veracode signature
+    # @example
+    #     format_veracode_hmac_header(auth_scheme="VERACODE-HMAC-SHA-256", api_key_id="702a1650", timestamp="1445452792746", nonce="3b1974fbaa7c97cc", signature="b81c0315b8df360778083d1b408916f8") => "VERACODE-HMAC-SHA-256 id=702a1650,ts=1445452792746,nonce=3b1974fbaa7c97cc,sig=b81c0315b8df360778083d1b408916f8"
+    # @return [String] the formatted hmac header
+    def format_veracode_hmac_header(auth_scheme, api_key_id, timestamp, nonce, signature)
+      # NOTE: This should _NOT_ manipulate case and so-on, that would likely break things.
+      api_key_id = remove_prefix_from_api_credential(api_key_id)
+      "#{auth_scheme} id=#{api_key_id},ts=#{timestamp},nonce=#{nonce},sig=#{signature}"
+    end
+  end
+end

data/lib/veracode_api_signing/hmac_auth.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "veracode_api_signing/exception"
+require "veracode_api_signing/formatters"
+require "veracode_api_signing/regions"
+require "veracode_api_signing/utils"
+require "veracode_api_signing/validation"
+
+module VeracodeApiSigning
+  class HMACAuth
+    include Validation
+    include Utils
+    include Formatters
+    include Regions
+
+    DEFAULT_AUTH_SCHEME = "VERACODE-HMAC-SHA-256"
+
+    # @param host [String] The host of the request("api.veracode.com")
+    # @param path [String] The path of the request("/v1/results")
+    # @param method [String] The method of the request("GET", "POST")
+    # @param api_key_id [String] The user's API key
+    # @param api_key_secret [String] The user's API secret key
+    # @param auth_scheme [String] What authentication algorithm will be used to create the signature of the request
+    # @return [String] The value of Veracode compliant HMAC header
+    def generate_veracode_hmac_header(host, path, method, api_key_id, api_key_secret, auth_scheme = DEFAULT_AUTH_SCHEME)
+      signing_data = format_signing_data(api_key_id, host, path, method)
+      timestamp = get_current_timestamp
+      nonce = generate_nonce
+      signature = create_signature(auth_scheme, api_key_secret, signing_data, timestamp, nonce)
+      format_veracode_hmac_header(auth_scheme, api_key_id, timestamp, nonce, signature)
+    end
+
+    private
+
+    # @param auth_scheme [String] Used to describe what algorithm to use when creating the signature
+    # @param api_key_secret [String] The user's API secret key
+    # @param signing_data [String] The data to be signed (usually consists of host, path, request method and other data)
+    # @param timestamp [String] A unix timestamp to millisecond precision
+    # @param nonce [String] A random value to prevent replay attacks
+    # @return [String] The signature according to algorithm specified
+    # @raise [VeracodeApiSigning::UnsupportedAuthSchemeException] if auth scheme is not supported
+    def create_signature(auth_scheme, api_key_secret, signing_data, timestamp, nonce)
+      if auth_scheme == "VERACODE-HMAC-SHA-256"
+        create_hmac_sha_256_signature(api_key_secret, signing_data, timestamp, nonce)
+      else
+        raise VeracodeApiSigning::UnsupportedAuthSchemeException, "Auth scheme #{auth_scheme} not supported"
+      end
+    end
+
+    # @param api_key_secret [String] The user's API secret key
+    # @param signing_data [String] The data to be signed (usually consists of host, path, request method and other data)
+    # @param timestamp [String] A unix timestamp to millisecond precision
+    # @param nonce [String] A random value to prevent replay attacks
+    # @return [String] An HMAC-SHA-256 signature
+    def create_hmac_sha_256_signature(api_key_secret, signing_data, timestamp, nonce)
+      api_key_secret = remove_prefix_from_api_credential(api_key_secret)
+      key_nonce = generate_digest(hex_to_bin(api_key_secret), hex_to_bin(nonce))
+      key_date = generate_digest(key_nonce, timestamp.to_s.encode)
+      signature_key = generate_digest(key_date, "vcode_request_version_1".encode)
+
+      OpenSSL::HMAC.hexdigest("sha256", signature_key, signing_data.encode)
+    end
+
+    # @param hex_string [String] the hex string
+    # @return [String] The hex string converted to binary
+    # @raise [VeracodeApiSigning::Exception] if string is NOT valid hex
+    def hex_to_bin(hex_string)
+      raise VeracodeApiSigning::Exception, "String is not valid hex: #{hex_string}" unless valid_hex?(hex_string)
+
+      hex_string.scan(/../).map { |x| x.hex.chr }.join
+    end
+
+    def generate_digest(key, data)
+      OpenSSL::HMAC.digest("sha256", key, data)
+    end
+  end
+end

data/lib/veracode_api_signing/plugins/faraday_middleware.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "faraday/request"
+require "veracode_api_signing/credentials"
+require "veracode_api_signing/utils"
+require "veracode_api_signing/hmac_auth"
+require "veracode_api_signing/validation"
+
+module VeracodeApiSigning
+  module Plugins
+    class FaradayMiddleware < Faraday::Middleware
+      include Utils
+      include Validation
+
+      KEY = "Authorization"
+
+      attr_reader :api_key_id, :api_secret_key
+
+      # @param app [#call]
+      # @param api_key_id [String] the veracode api key
+      # @param api_secret_key [String] The user's API secret key
+      def initialize(app, api_key_id = nil, api_secret_key = nil)
+        if api_key_id && api_secret_key
+          validate_credentials(api_key_id, api_secret_key)
+          @api_key_id = api_key_id
+          @api_secret_key = api_secret_key
+        else
+          api_key_id, api_secret_key = Credentials.new.get_credentials
+          validate_credentials(api_key_id, api_secret_key)
+          @api_key_id = api_key_id
+          @api_secret_key = api_secret_key
+        end
+
+        super(app)
+      end
+
+      # @param env [Faraday::Env]
+      def on_request(env)
+        return if env.request_headers[KEY]
+
+        url = env.url
+        host = get_host_from_url(url)
+        path = get_path_and_params_from_url(url)
+        method = env.method.to_s.upcase
+        auth = HMACAuth.new.generate_veracode_hmac_header(host, path, method, api_key_id, api_secret_key)
+        env.request_headers[KEY] = auth
+      end
+
+      def validate_credentials(key, secret)
+        validate_api_key_id(key)
+        validate_api_key_secret(secret)
+      end
+    end
+  end
+end
+Faraday::Request.register_middleware(veracode_api_signing: VeracodeApiSigning::Plugins::FaradayMiddleware)

data/lib/veracode_api_signing/regions.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require "veracode_api_signing/exception"
+
+module VeracodeApiSigning
+  module Regions
+    REGIONS = { "e" => "eu", "f" => "fedramp", "g" => "global" }.freeze
+
+    def get_region_for_api_credential(api_credential)
+      if api_credential.include?("-")
+        prefix = api_credential.split("-").first
+        raise VeracodeApiSigning::CredentialsError, "Credential starts with an invalid prefix" if prefix.length != 8
+
+        region_character = prefix[6].downcase
+      else
+        region_character = "g"
+      end
+
+      if REGIONS.key?(region_character)
+        REGIONS.fetch(region_character)
+      else
+        (raise VeracodeApiSigning::CredentialsError,
+               "Credential does not map to a known region")
+      end
+    end
+
+    def remove_prefix_from_api_credential(api_credential)
+      api_credential.split("-").last
+    end
+  end
+end

data/lib/veracode_api_signing/utils.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "uri"
+
+module VeracodeApiSigning
+  module Utils
+    # @return [Integer] current epoch time * 1000 rounded
+    def get_current_timestamp
+      Time.now.utc.to_i * 1000.round
+    end
+
+    # @return [String] nonce string
+    def generate_nonce
+      SecureRandom.hex(16)
+    end
+
+    # @param url [String] the url to parse
+    # @example
+    #     get_host_from_url("https://api.example.com/foo/bar") #=> "api.example.com"
+    # @return [String] just returns the host
+    def get_host_from_url(url)
+      parsed_url(url).host
+    end
+
+    # @param url [String] the url to parse
+    # @example
+    #     get_path_and_params_from_url("https://api.example.com/foo/bar") #=> "/foo/bar"
+    # @example
+    #     get_path_and_params_from_url("https://api.example.com") #=> ""
+    # @example
+    #     get_path_and_params_from_url("https://api.example.com/apm/v1/assets?page=2") #=> "/apm/v1/assets?page=2"
+    # @return [String] returns the the path and params formatted, or an empty String
+    def get_path_and_params_from_url(url)
+      uri = parsed_url(url)
+      path = uri.path
+      params = uri.query
+      return "" if (path.nil? || path.empty?) && params.nil?
+
+      built_url = URI::HTTPS.build(path: path, query: params)
+      built_url.request_uri
+    end
+
+    # @param url [String] the url to parse
+    # @example
+    #     get_scheme_from_url("https://api.example.com/foo/bar") #=> "https"
+    # @example
+    #     get_scheme_from_url("api.example.com") #=> ""
+    def get_scheme_from_url(url)
+      parsed_url(url).scheme.to_s
+    end
+
+    def parsed_url(url)
+      URI(url)
+    end
+  end
+end

data/lib/veracode_api_signing/validation.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require "veracode_api_signing/exception"
+require "veracode_api_signing/regions"
+
+module VeracodeApiSigning
+  module Validation
+    include Regions
+
+    # @param api_key_id [String] the api key id to validate
+    # @example
+    #     validate_api_key_id("3ddaeeb10ca690df3fee5e3bd1c329fa") #=> nil
+    # @example
+    #     validate_api_key_id("3ddaeeb10ca690df3f") #=> VeracodeApiSigning::CredentialsError
+    # @raise [VeracodeApiSigning::CredentialsError] if api key id is not valid
+    def validate_api_key_id(api_key_id)
+      api_key_id_minimum_length = 32
+      api_key_id_maximum_length = 128 + 9
+      api_key_id_hex = remove_prefix_from_api_credential(api_key_id)
+
+      if api_key_id.length < api_key_id_minimum_length
+        raise VeracodeApiSigning::CredentialsError,
+              "API key #{api_key_id} is #{api_key_id.length} characters, which is not long enough. The API key should be at least #{api_key_id_minimum_length} characters"
+      end
+      if api_key_id.length > api_key_id_maximum_length
+        raise VeracodeApiSigning::CredentialsError,
+              "API key #{api_key_id} is #{api_key_id.length} characters, which is too long. The API key should not be more than #{api_key_id_maximum_length} characters"
+      end
+      unless valid_hex?(api_key_id_hex)
+        raise VeracodeApiSigning::CredentialsError,
+              "API key #{api_key_id} does not seem to be hexadecimal"
+      end
+    end
+
+    # @param api_key_secret [String] the api key secret to validate
+    # @example
+    #     validate_api_key_secret("0123456789abcdef"*8) #=> nil
+    # @example
+    #     validate_api_key_secret("0123456789abcdef") #=> Veracode::ApiSigning::CredentialsError
+    # @raise [VeracodeApiSigning::CredentialsError] if api secret key is not valid
+    def validate_api_key_secret(api_key_secret)
+      secret_key_minimum_length = 128
+      secret_key_maximum_length = 1024 + 9
+      api_key_secret_hex = remove_prefix_from_api_credential(api_key_secret)
+
+      if api_key_secret.length < secret_key_minimum_length
+        raise VeracodeApiSigning::CredentialsError,
+              "API secret key #{api_key_secret} is #{api_key_secret.length} characters, which is not long enough. The API secret key should be at least #{secret_key_minimum_length} characters"
+      end
+      if api_key_secret.length > secret_key_maximum_length
+        raise VeracodeApiSigning::CredentialsError,
+              "API secret key #{api_key_secret} is #{api_key_secret.length} characters, which is too long. The API secret key should not be more than #{secret_key_maximum_length} characters"
+      end
+      unless valid_hex?(api_key_secret_hex)
+        raise VeracodeApiSigning::CredentialsError,
+              "API secret key #{api_key_secret} does not seem to be hexadecimal"
+      end
+    end
+
+    # @param scheme [String] the scheme to validate
+    # @example
+    #     validate_scheme("https") #=> true
+    # @example
+    #     validate_scheme("httpss") #=> VeracodeApiSigning::Exception
+    # @return [Boolean] true if valid scheme, otherwise raise error
+    # @raise [VeracodeApiSigning::Exception] if scheme is not valid
+    def validate_scheme(scheme)
+      if scheme.casecmp("https").zero?
+        true
+      else
+        raise VeracodeApiSigning::Exception, "Only HTTPS APIs are supported by Veracode."
+      end
+    end
+
+    # @param hex_string [String] the hex string to validate
+    # @example
+    #     valid_hex?("af") #=> true
+    # @example
+    #     valid_hex?("zh") #=> false
+    # @return [Boolean] true if valid hex, otherwise false
+    # @raise [VeracodeApiSigning::CredentialsError] if api secret key is not valid
+    def valid_hex?(hex_string)
+      hex_string = hex_string.to_s
+      hex = true
+      hex_string.chars.each do |digit|
+        hex = false unless /[0-9A-Fa-f]/.match?(digit)
+      end
+      hex
+    end
+  end
+end

data/lib/veracode_api_signing/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module VeracodeApiSigning
+  VERSION = "0.1.0"
+end

data/lib/veracode_api_signing.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require "veracode_api_signing/hmac_auth"
+require "veracode_api_signing/version"
+
+module VeracodeApiSigning
+end

data/shell.nix

@@ -0,0 +1,84 @@
+{ pkgs ? import <nixpkgs> {}, ...}:
+
+with pkgs;
+
+let
+  darwin_packages = lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [
+    CoreServices
+    ApplicationServices
+    Security
+  ]);
+  ruby = ruby_3_0;
+
+  # Issue with using gemspec files
+  #
+  #gems = bundlerEnv {
+    #name = "veracodeRubyEnv";
+    #inherit ruby;
+    #gemdir  = ./.;
+    #gemConfig = defaultGemConfig;
+  #};
+
+in mkShell rec {
+  name = "veracode_api_signing";
+
+  buildInputs = [
+    libressl
+    #(lowPrio gems.wrappedRuby)
+    autoconf
+    automake
+    bash-completion
+    bison
+    cairo
+    coreutils
+    gdbm
+    #gems
+    git
+    gnumake
+    groff
+    libffi
+    libiconv
+    libtool
+    libunwind
+    libxml2
+    libxslt
+    libyaml
+    msgpack
+    ncurses
+    netcat
+    openssl
+    pkg-config
+    pkgconfig
+    postgresql
+    postgresql_13
+    readline
+    ruby
+    shared-mime-info # Required for the mime gem
+    sqlcipher
+    sqlite
+    swagger-codegen3
+    zlib
+  ] ++ (lib.optionals stdenv.isDarwin darwin_packages);
+
+  shellHook = ''
+    export FREEDESKTOP_MIME_TYPES_PATH=${shared-mime-info}/share/mime/packages/freedesktop.org.xml
+
+    mkdir -p .gems
+    export GEM_HOME=$PWD/.gems
+    export GEM_PATH=$GEM_HOME
+    export PATH=$GEM_HOME/bin:$PATH
+
+    # Add additional folders to to XDG_DATA_DIRS if they exists, which will get sourced by bash-completion
+    for p in ''${buildInputs}; do
+      if [ -d "$p/share/bash-completion" ]; then
+        if [ -z ''${XDG_DATA_DIRS} ]; then
+          XDG_DATA_DIRS="$p/share"
+        else
+          XDG_DATA_DIRS="$XDG_DATA_DIRS:$p/share"
+        fi
+      fi
+    done
+
+    source ${bash-completion}/etc/profile.d/bash_completion.sh
+  '';
+}

data/veracode_api_signing.gemspec

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require "veracode_api_signing/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "veracode_api_signing"
+  spec.version       = VeracodeApiSigning::VERSION
+  spec.authors       = ["Corban Raun"]
+  spec.email         = ["corban@raunco.co"]
+
+  spec.summary       = "Veracode hmac signing library used with Veracode API"
+  spec.homepage      = "https://CorbanR.github.io/veracode_api_signing"
+  spec.license       = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+  spec.metadata["allowed_push_host"] = "https://rubygems.org/"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["documentation_uri"] = "https://www.raunco.co/veracode_api_signing/"
+  spec.metadata["source_code_uri"] = "https://github.com/CorbanR/veracode_api_signing"
+  spec.metadata["changelog_uri"] = "https://github.com/CorbanR/veracode_api_signing/blob/main/CHANGELOG.md"
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features|examples|docs|coverage)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "brakeman", "~> 5.1"
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rubocop", "~> 1.2"
+  spec.add_development_dependency "rubocop-performance", "~> 1.1"
+  spec.add_development_dependency "rubocop-rake", "~> 0.6"
+  spec.add_development_dependency "rubocop-rspec", "~> 2.5"
+  spec.add_development_dependency "simplecov", "~> 0.21.2"
+  spec.add_development_dependency "yard", "~> 0.9.26"
+end

metadata

@@ -0,0 +1,214 @@
+--- !ruby/object:Gem::Specification
+name: veracode_api_signing
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Corban Raun
+autorequire:
+bindir: exe
+cert_chain: []
+date: 1980-01-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: brakeman
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.5'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.21.2
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.26
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.26
+description:
+email:
+- corban@raunco.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/codeql-analysis.yml"
+- ".github/workflows/tests.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/veracode_api_signing.rb
+- lib/veracode_api_signing/credentials.rb
+- lib/veracode_api_signing/exception.rb
+- lib/veracode_api_signing/formatters.rb
+- lib/veracode_api_signing/hmac_auth.rb
+- lib/veracode_api_signing/plugins/faraday_middleware.rb
+- lib/veracode_api_signing/regions.rb
+- lib/veracode_api_signing/utils.rb
+- lib/veracode_api_signing/validation.rb
+- lib/veracode_api_signing/version.rb
+- shell.nix
+- veracode_api_signing.gemspec
+homepage: https://CorbanR.github.io/veracode_api_signing
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org/
+  homepage_uri: https://CorbanR.github.io/veracode_api_signing
+  documentation_uri: https://www.raunco.co/veracode_api_signing/
+  source_code_uri: https://github.com/CorbanR/veracode_api_signing
+  changelog_uri: https://github.com/CorbanR/veracode_api_signing/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.26
+signing_key:
+specification_version: 4
+summary: Veracode hmac signing library used with Veracode API
+test_files: []