warden-hmac-authentication 0.6.1 → 0.6.2

data/README.md

@@ -11,7 +11,7 @@ The gem also provides a small helper class that can be used to generate request
 ## Header-Based authentication
 
 The header-based authentication transports the authentication information in the (misnamed) `Authorization` HTTP-Header. The primary 
-advantage of header-based authentication is that request urls are stable even if authentication information changes. The improves
+advantage of header-based authentication is that request urls are stable even if authentication information changes. This improves
 cacheability of the resource.
 
 Header-based authentication is supported by the `:hmac_header` strategy.
@@ -138,9 +138,9 @@ No authentication attempt is made if the scheme name in the `Authorization` head
 ## Authentication Header Format
 
 The format of the Authentication Header can be controlled using the `:auth_header_format` directive. The given format string will be interpolated
-with all given options and the signature. The default value is `%{scheme} %{signature}` which will result in an auth header with a format such as `HMAC 539263f4f83878a4917d2f9c1521320c28b926a9`. The format string must contain at least the `scheme` and `signature` components.
+with all given options and the signature. The default value is `%{auth_scheme} %{signature}` which will result in an auth header with a format such as `HMAC 539263f4f83878a4917d2f9c1521320c28b926a9`. The format string must contain at least the `scheme` and `signature` components.
 
-The `:auth_header_format` directive has a companion directive, `:auth_header_parse` which must be a regular expression. Any given regular expression will be evaluated against the authorization header. The results can be retrieved using the `parsed_auth_header` method. The regular expression must at least contain a pattern named `scheme` and pattern named `signature`. The default value for this directive is a regular expression that is auto-generated by translating the `:auth_header_format` setting to a regular expression that contains a named capture group for each named part of the format string. Each capture allows for word characters, plus, dash, underscore and dot. The default :auth_header_format `%{scheme} %{signature}` will be translated to `/(?<autschemeh_scheme>[-_+.\w]+) (?<signature>[-_+.\w]+)/`.
+The `:auth_header_format` directive has a companion directive, `:auth_header_parse` which must be a regular expression. Any given regular expression will be evaluated against the authorization header. The results can be retrieved using the `parsed_auth_header` method. The regular expression must at least contain a pattern named `scheme` and pattern named `signature`. The default value for this directive is a regular expression that is auto-generated by translating the `:auth_header_format` setting to a regular expression that contains a named capture group for each named part of the format string. Each capture allows for word characters, plus, dash, underscore and dot. The default :auth_header_format `%{auth_scheme} %{signature}` will be translated to `/(?<auth_scheme>[-_+.\w]+) (?<signature>[-_+.\w]+)/`.
 	
 See the section about multiple authentication secrets for a use-case and a comprehensive example.	
 
@@ -326,7 +326,7 @@ secrets allows us to implement multiple signing keys:
 							             access_key_id = strategy.parsed_auth_header["access_key_id"]
 							             keys[access_key_id]
 							           },
-							           :auth_header_format => '%{scheme} %{access_key_id} %{signature}'							         }
+							           :auth_header_format => '%{auth_scheme} %{access_key_id} %{signature}'							         }
     end
 
 This combination of settings uses a slightly different Format for the authorization header and transports the secret keys ID in the header of the form `HMAC KEY2 a59456da1f61f86e96622e283780f58b7428c892`
@@ -365,8 +365,18 @@ To simplify the generation of such urls, the `HMAC::Signer` accepts an `:extra_a
 
 The library includes a faraday middleware that can be used to sign requests made with the faraday http lib. The middleware accepts the same list of options as the HMAC::Signer class.
 
+### Example (query based)
+
+    Faraday.new(:url => "http://example.com") do |builder|
+      builder.use      Faraday::Request::Hmac, secret, {:query_based => true, :extra_auth_params => {"access_key_id" => "KEY2"}}
+      builder.response :raise_error
+      builder.adapter  :net_http
+    end
+
+### Example (header based with custom scheme name)
+
     Faraday.new(:url => "http://example.com") do |builder|
-      builder.use      Faraday::Request::Hmac, secret, {:extra_auth_params => {"access_key_id" => "KEY2"}}
+      builder.use      Faraday::Request::Hmac, secret, {:auth_scheme => 'MYSCHEME', :auth_key => 'TESTKEYID', :auth_header_format => '%{auth_scheme} %{auth_key} %{signature}'}}
       builder.response :raise_error
       builder.adapter  :net_http
     end

data/bin/warden-hmac-authentication

@@ -1,68 +1,16 @@
 #!/usr/bin/env ruby
+#
+# This file was generated by Bundler.
+#
+# The application 'warden-hmac-authentication' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
 
-begin
-  require 'trollop'
-rescue LoadError => e
-  puts ""
-  puts ""
-  puts "============= ERROR ================"
-  puts ""
-  puts "You need trollop installed or in your gemfile to use the signer"
-  puts ""
-  puts "============= ERROR ================"
-  puts ""
-  puts ""
-  exit(-1)
-end
+require 'pathname'
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path("../../Gemfile",
+  Pathname.new(__FILE__).realpath)
 
-require 'hmac/signer'
+require 'rubygems'
+require 'bundler/setup'
 
-opts = Trollop::options do
-  
-  version "warden-hmac-sign 0.3.0 (c) 2011 Felix Gilcher, Florian Gilcher"
-    banner <<-EOS
-  warden-hmac-authentication is used to create and validate signed urls for
-  usage with the HMAC authentication scheme used by 
-  https://github.com/Asquera/warden-hmac-authentication
-
-  Usage:
-         warden-hmac-authentication [options] <command> url
-  
-  where command is one of
-  
-    sign: signs the given url 
-    validate: validates the given url
-    
-  and where [options] are:
-  
-  EOS
-  
-  opt :algorithm, "The hashing algorithm to use for the HMAC", :type => :string, :default => "sha1"
-  opt :secret, "The shared secret for the HMAC", :type => :string, :required => true
-  opt :"auth-param", "The name for the auth param in the url", :default => "auth"
-  opt :"date", "The date to use for the signature (defaults to now)"
-end
-
-cmd = ARGV.shift
-Trollop::die "You must give a command" if cmd.nil?
-Trollop::die "You command must be one of [sign, validate]" unless ["sign", "validate"].include? cmd
-Trollop::die "You must provide a URL" if ARGV.empty?
-url = ARGV.shift
-
-secret = opts.delete(:secret)
-algorithm = opts.delete(:algorithm)
-
-signer = HMAC::Signer.new(algorithm)
-
-if "sign" == cmd
-  puts signer.sign_url(url, secret, opts)
-else
-  success = signer.validate_url_signature(url, secret, opts)
-  if success
-    puts "URL #{url} is valid"
-    exit 0
-  else
-    puts "URL #{url} does not contain a valid signature"
-    exit 1
-  end
-end
+load Gem.bin_path('warden-hmac-authentication', 'warden-hmac-authentication')

data/lib/faraday/request/hmac.rb

@@ -16,7 +16,7 @@ module Faraday
     #                       
     # @option options [String]             :auth_scheme ('HMAC')   The name of the authorization scheme used in the Authorization header and to construct various header-names
     # @option options [String]             :auth_param ('auth')   The name of the authentication param to use for query based authentication
-    # @option options [Hash]               :extra_auth_params ({}) Additional parameters to inject in the auth parameter
+    # @option options [Hash]               :extra_auth_params ({}) Additional parameters to inject in the auth parameter. This parameter is ignored unless :query_based evaluates to true.
     # @option options [String]             :auth_header ('Authorization') The name of the authorization header to use
     # @option options [String]             :auth_header_format ('%{auth_scheme} %{signature}') The format of the authorization header. Will be interpolated with the given options and the signature.
     # @option options [String]             :nonce_header ('X-#{auth_scheme}-Nonce') The header name for the request nonce

data/lib/hmac/signer.rb

@@ -105,7 +105,7 @@ module HMAC
     #
     # @return [Bool] true if the signature matches
     def validate_signature(signature, params)
-      signature == generate_signature(params)
+      compare_hashes(signature, generate_signature(params))
     end
 
     # convienience method to check the signature of a url with query-based authentication
@@ -268,5 +268,18 @@ module HMAC
       url
     end
 
+    private
+    
+    # compares two hashes in a manner that's invulnerable to timing sidechannel attacks (see issue #16)
+    # by comparing them characterwise up to the end in all cases, no matter where the mismatch happens
+    # short circuits if the length does not match since this does not allow timing sidechannel attacks.
+    def compare_hashes(presented, computed)
+      if computed.length == presented.length then
+        computed.chars.zip(presented.chars).map {|x,y| x == y}.all?
+      else
+        false
+      end
+    end
+
   end
 end

data/lib/hmac/strategies/base.rb

@@ -188,15 +188,15 @@ module Warden
           end
     
           def ttl
-            config[:ttl].to_i
+            (config[:ttl] || 900).to_i
           end
     
           def check_ttl?
-            !config[:ttl].nil?
+            !config.has_key?(:ttl) || !config[:ttl].nil?
           end
 
           def timestamp
-            Time.strptime(request_timestamp, '%a, %e %b %Y %T %z') unless request_timestamp.nil?
+            Time.strptime(request_timestamp, '%a, %e %b %Y %T %z') unless request_timestamp.nil? || request_timestamp.empty?
           end
     
           def has_timestamp?

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: warden-hmac-authentication
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.2
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-04-13 00:00:00.000000000Z
+date: 2012-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
-  requirement: &2163603720 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,10 +22,15 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2163603720
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
-  requirement: &2163603260 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,10 +38,15 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2163603260
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: warden
-  requirement: &2163602820 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,10 +54,15 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *2163602820
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &2163602340 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -55,10 +70,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163602340
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &2163601920 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -66,10 +86,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163601920
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: riot
-  requirement: &2163601480 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -77,10 +102,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163601480
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: timecop
-  requirement: &2163601060 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -88,10 +118,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163601060
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
-  requirement: &2163593440 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -99,10 +134,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163593440
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov-html
-  requirement: &2163593000 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -110,10 +150,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163593000
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: trollop
-  requirement: &2163592540 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -121,7 +166,12 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *2163592540
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: ! "This gem provides request authentication via [HMAC](http://en.wikipedia.org/wiki/Hmac).
   The main usage is request based, noninteractive\n  authentication for API implementations.
   Two strategies are supported that differ mainly in how the authentication information
@@ -147,7 +197,8 @@ files:
 - lib/hmac/strategies/header.rb
 - lib/hmac/strategies/query.rb
 - lib/hmac/string/jruby.rb
-- bin/warden-hmac-authentication
+- !binary |-
+  YmluL3dhcmRlbi1obWFjLWF1dGhlbnRpY2F0aW9u
 homepage: https://github.com/Asquera/warden-hmac-authentication
 licenses: []
 post_install_message: 
@@ -168,7 +219,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.7
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Provides request based, non-interactive authentication for APIs