ai 1.1.0 → 2.0.1

package/node_modules/request/node_modules/http-signature/http_signing.md

@@ -1,296 +0,0 @@
-# Abstract
-
-This document describes a way to add origin authentication, message integrity,
-and replay resistance to HTTP REST requests.  It is intended to be used over
-the HTTPS protocol.
-
-# Copyright Notice
-
-Copyright (c) 2011 Joyent, Inc. and the persons identified as document authors.
-All rights reserved.
-
-Code Components extracted from this document must include MIT License text.
-
-# Introduction
-
-This protocol is intended to provide a standard way for clients to sign HTTP
-requests.  RFC2617 (HTTP Authentication) defines Basic and Digest authentication
-mechanisms, and RFC5246 (TLS 1.2) defines client-auth, both of which are widely
-employed on the Internet today.  However, it is common place that the burdens of
-PKI prevent web service operators from deploying that methodoloy, and so many
-fall back to Basic authentication, which has poor security characteristics.
-
-Additionally, OAuth provides a fully-specified alternative for authorization
-of web service requests, but is not (always) ideal for machine to machine
-communication, as the key acquisition steps (generally) imply a fixed
-infrastructure that may not make sense to a service provider (e.g., symmetric
-keys).
-
-Several web service providers have invented their own schemes for signing
-HTTP requests, but to date, none have been placed in the public domain as a
-standard.  This document serves that purpose.  There are no techniques in this
-proposal that are novel beyond previous art, however, this aims to be a simple
-mechanism for signing these requests.
-
-# Signature Authentication Scheme
-
-The "signature" authentication scheme is based on the model that the client must
-authenticate itself with a digital signature produced by either a private
-asymmetric key (e.g., RSA) or a shared symmetric key (e.g., HMAC).  The scheme
-is parameterized enough such that it is not bound to any particular key type or
-signing algorithm.  However, it does explicitly assume that clients can send an
-HTTP `Date` header.
-
-## Authorization Header
-
-The client is expected to send an Authorization header (as defined in RFC 2617)
-with the following parameterization:
-
-    credentials := "Signature" params
-    params := 1#(keyId | algorithm | [headers] | [ext] | signature)
-    digitalSignature := plain-string
-
-    keyId := "keyId" "=" <"> plain-string <">
-    algorithm := "algorithm" "=" <"> plain-string <">
-    headers := "headers" "=" <"> 1#headers-value <">
-    ext := "ext" "=" <"> plain-string <">
-    signature := "signature" "=" <"> plain-string <">
-
-    headers-value := plain-string
-    plain-string   = 1*( %x20-21 / %x23-5B / %x5D-7E )
-
-### Signature Parameters
-
-#### keyId
-
-REQUIRED.  The `keyId` field is an opaque string that the server can use to look
-up the component they need to validate the signature.  It could be an SSH key
-fingerprint, an LDAP DN, etc.  Management of keys and assignment of `keyId` is
-out of scope for this document.
-
-#### algorithm
-
-REQUIRED. The `algorithm` parameter is used if the client and server agree on a
-non-standard digital signature algorithm.  The full list of supported signature
-mechanisms is listed below.
-
-#### headers
-
-OPTIONAL.  The `headers` parameter is used to specify the list of HTTP headers
-used to sign the request.  If specified, it should be a quoted list of HTTP
-header names, separated by a single space character.  By default, only one
-HTTP header is signed, which is the `Date` header.  Note that the list MUST be
-specified in the order the values are concatenated together during signing. To
-include the HTTP request line in the signature calculation, use the special
-`request-line` value.  While this is overloading the definition of `headers` in
-HTTP linguism, the request-line is defined in RFC 2616, and as the outlier from
-headers in useful signature calculation, it is deemed simpler to simply use
-`request-line` than to add a separate parameter for it.
-
-#### extensions
-
-OPTIONAL.  The `extensions` parameter is used to include additional information
-which is covered by the request.  The content and format of the string is out of
-scope for this document, and expected to be specified by implementors.
-
-#### signature
-
-REQUIRED.  The `signature` parameter is a `Base64` encoded digital signature
-generated by the client. The client uses the `algorithm` and `headers` request
-parameters to form a canonicalized `signing string`.  This `signing string` is
-then signed with the key associated with `keyId` and the algorithm
-corresponding to `algorithm`.  The `signature` parameter is then set to the
-`Base64` encoding of the signature.
-
-### Signing String Composition
-
-In order to generate the string that is signed with a key, the client MUST take
-the values of each HTTP header specified by `headers` in the order they appear.
-
-1. If the header name is not `request-line` then append the lowercased header
-   name followed with an ASCII colon `:` and an ASCII space ` `.
-2. If the header name is `request-line` then appened the HTTP request line,
-   otherwise append the header value.
-3. If value is not the last value then append an ASCII newline `\n`. The string
-   MUST NOT include a trailing ASCII newline.
-
-# Example Requests
-
-All requests refer to the following request (body ommitted):
-
-    POST /foo HTTP/1.1
-    Host: example.org
-    Date: Tue, 07 Jun 2011 20:51:35 GMT
-    Content-Type: application/json
-    Content-MD5: h0auK8hnYJKmHTLhKtMTkQ==
-    Content-Length: 123
-
-The "rsa-key-1" keyId refers to a private key known to the client and a public
-key known to the server. The "hmac-key-1" keyId refers to key known to the
-client and server.
-
-## Default parameterization
-
-The authorization header and signature would be generated as:
-
-    Authorization: Signature keyId="rsa-key-1",algorithm="rsa-sha256",signature="Base64(RSA-SHA256(signing string))"
-
-The client would compose the signing string as:
-
-    date: Tue, 07 Jun 2011 20:51:35 GMT
-
-## Header List
-
-The authorization header and signature would be generated as:
-
-    Authorization: Signature keyId="rsa-key-1",algorithm="rsa-sha256",headers="request-line date content-type content-md5",signature="Base64(RSA-SHA256(signing string))"
-
-The client would compose the signing string as (`+ "\n"` inserted for
-readability):
-
-    POST /foo HTTP/1.1 + "\n"
-    date: Tue, 07 Jun 2011 20:51:35 GMT + "\n"
-    content-type: application/json + "\n"
-    content-md5: h0auK8hnYJKmHTLhKtMTkQ==
-
-## Algorithm
-
-The authorization header and signature would be generated as:
-
-    Authorization: Signature keyId="hmac-key-1",algorithm="hmac-sha1",signature="Base64(HMAC-SHA1(signing string))"
-
-The client would compose the signing string as:
-
-    date: Tue, 07 Jun 2011 20:51:35 GMT
-
-# Signing Algorithms
-
-Currently supported algorithm names are:
-
-* rsa-sha1
-* rsa-sha256
-* rsa-sha512
-* dsa-sha1
-* hmac-sha1
-* hmac-sha256
-* hmac-sha512
-
-# Security Considerations
-
-## Default Parameters
-
-Note the default parameterization of the `Signature` scheme is only safe if all
-requests are carried over a secure transport (i.e., TLS).  Sending the default
-scheme over a non-secure transport will leave the request vulnerable to
-spoofing, tampering, replay/repudiaton, and integrity violations (if using the
-STRIDE threat-modeling methodology).
-
-## Insecure Transports
-
-If sending the request over plain HTTP, service providers SHOULD require clients
-to sign ALL HTTP headers, and the `request-line`.  Additionally, service
-providers SHOULD require `Content-MD5` calculations to be performed to ensure
-against any tampering from clients.
-
-## Nonces
-
-Nonces are out of scope for this document simply because many service providers
-fail to implement them correctly, or do not adopt security specfiications
-because of the infrastructure complexity.  Given the `header` parameterization,
-a service provider is fully enabled to add nonce semantics into this scheme by
-using something like an `x-request-nonce` header, and ensuring it is signed
-with the `Date` header.
-
-## Clock Skew
-
-As the default scheme is to sign the `Date` header, service providers SHOULD
-protect against logged replay attacks by enforcing a clock skew.  The server
-SHOULD be synchronized with NTP, and the recommendation in this specification
-is to allow 300s of clock skew (in either direction).
-
-## Required Headers to Sign
-
-It is out of scope for this document to dictate what headers a service provider
-will want to enforce, but service providers SHOULD at minimum include the
-`Date` header.
-
-# References
-
-## Normative References
-
-* [RFC2616] Hypertext Transfer Protocol -- HTTP/1.1
-* [RFC2617] HTTP Authentication: Basic and Digest Access Authentication
-* [RFC5246] The Transport Layer Security (TLS) Protocol Version 1.2
-
-## Informative References
-
-    Name: Mark Cavage (editor)
-    Company: Joyent, Inc.
-    Email: mark.cavage@joyent.com
-    URI: http://www.joyent.com
-
-# Appendix A - Test Values
-
-The following test data uses the RSA (2048b) keys, which we will refer
-to as `keyId=Test` in the following samples:
-
-   -----BEGIN PUBLIC KEY-----
-   MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCFENGw33yGihy92pDjZQhl0C3
-   6rPJj+CvfSC8+q28hxA161QFNUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6
-   Z4UMR7EOcpfdUE9Hf3m/hs+FUR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJw
-   oYi+1hqp1fIekaxsyQIDAQAB
-   -----END PUBLIC KEY-----
-
-    -----BEGIN RSA PRIVATE KEY-----
-    MIICXgIBAAKBgQDCFENGw33yGihy92pDjZQhl0C36rPJj+CvfSC8+q28hxA161QF
-    NUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6Z4UMR7EOcpfdUE9Hf3m/hs+F
-    UR45uBJeDK1HSFHD8bHKD6kv8FPGfJTotc+2xjJwoYi+1hqp1fIekaxsyQIDAQAB
-    AoGBAJR8ZkCUvx5kzv+utdl7T5MnordT1TvoXXJGXK7ZZ+UuvMNUCdN2QPc4sBiA
-    QWvLw1cSKt5DsKZ8UETpYPy8pPYnnDEz2dDYiaew9+xEpubyeW2oH4Zx71wqBtOK
-    kqwrXa/pzdpiucRRjk6vE6YY7EBBs/g7uanVpGibOVAEsqH1AkEA7DkjVH28WDUg
-    f1nqvfn2Kj6CT7nIcE3jGJsZZ7zlZmBmHFDONMLUrXR/Zm3pR5m0tCmBqa5RK95u
-    412jt1dPIwJBANJT3v8pnkth48bQo/fKel6uEYyboRtA5/uHuHkZ6FQF7OUkGogc
-    mSJluOdc5t6hI1VsLn0QZEjQZMEOWr+wKSMCQQCC4kXJEsHAve77oP6HtG/IiEn7
-    kpyUXRNvFsDE0czpJJBvL/aRFUJxuRK91jhjC68sA7NsKMGg5OXb5I5Jj36xAkEA
-    gIT7aFOYBFwGgQAQkWNKLvySgKbAZRTeLBacpHMuQdl1DfdntvAyqpAZ0lY0RKmW
-    G6aFKaqQfOXKCyWoUiVknQJAXrlgySFci/2ueKlIE1QqIiLSZ8V8OlpFLRnb1pzI
-    7U1yQXnTAEFYM560yJlzUpOb1V4cScGd365tiSMvxLOvTA==
-    -----END RSA PRIVATE KEY-----
-
-And all examples use this request:
-
-    POST /foo?param=value&pet=dog HTTP/1.1
-    Host: example.com
-    Date: Thu, 05 Jan 2012 21:31:40 GMT
-    Content-Type: application/json
-    Content-MD5: Sd/dVLAcvNLSq16eXua5uQ==
-    Content-Length: 18
-
-    {"hello": "world"}
-
-### Default
-
-The string to sign would be:
-
-    date: Thu, 05 Jan 2012 21:31:40 GMT
-
-The Authorization header would be:
-
-    Authorization: Signature keyId="Test",algorithm="rsa-sha256",signature="JldXnt8W9t643M2Sce10gqCh/+E7QIYLiI+bSjnFBGCti7s+mPPvOjVb72sbd1FjeOUwPTDpKbrQQORrm+xBYfAwCxF3LBSSzORvyJ5nRFCFxfJ3nlQD6Kdxhw8wrVZX5nSem4A/W3C8qH5uhFTRwF4ruRjh+ENHWuovPgO/HGQ="
-
-### All Headers
-
-Parameterized to include all headers, the string to sign would be (`+ "\n"`
-inserted for readability):
-
-    POST /foo?param=value&pet=dog HTTP/1.1 + "\n"
-    host: example.com + "\n"
-    date: Thu, 05 Jan 2012 21:31:40 GMT + "\n"
-    content-type: application/json + "\n"
-    content-md5: Sd/dVLAcvNLSq16eXua5uQ== + "\n"
-    content-length: 18
-
-The Authorization header would be:
-
-    Authorization: Signature keyId="Test",algorithm="rsa-sha256",headers="request-line host date content-type content-md5 content-length",signature="Gm7W/r+e90REDpWytALMrft4MqZxCmslOTOvwJX17ViEBA5E65QqvWI0vIH3l/vSsGiaMVmuUgzYsJLYMLcm5dGrv1+a+0fCoUdVKPZWHyImQEqpLkopVwqEH67LVECFBqFTAKlQgBn676zrfXQbb+b/VebAsNUtvQMe6cTjnDY="
-

package/node_modules/request/node_modules/http-signature/lib/index.js

@@ -1,25 +0,0 @@
-// Copyright 2011 Joyent, Inc.  All rights reserved.
-
-var parser = require('./parser');
-var signer = require('./signer');
-var verify = require('./verify');
-var util = require('./util');
-
-
-
-///--- API
-
-module.exports = {
-
-  parse: parser.parseRequest,
-  parseRequest: parser.parseRequest,
-
-  sign: signer.signRequest,
-  signRequest: signer.signRequest,
-
-  sshKeyToPEM: util.sshKeyToPEM,
-  sshKeyFingerprint: util.fingerprint,
-
-  verify: verify.verifySignature,
-  verifySignature: verify.verifySignature
-};

package/node_modules/request/node_modules/http-signature/lib/parser.js

@@ -1,304 +0,0 @@
-// Copyright 2012 Joyent, Inc.  All rights reserved.
-
-var assert = require('assert-plus');
-var util = require('util');
-
-
-
-///--- Globals
-
-var Algorithms = {
-  'rsa-sha1': true,
-  'rsa-sha256': true,
-  'rsa-sha512': true,
-  'dsa-sha1': true,
-  'hmac-sha1': true,
-  'hmac-sha256': true,
-  'hmac-sha512': true
-};
-
-var State = {
-  New: 0,
-  Params: 1
-};
-
-var ParamsState = {
-  Name: 0,
-  Quote: 1,
-  Value: 2,
-  Comma: 3
-};
-
-
-
-///--- Specific Errors
-
-function HttpSignatureError(message, caller) {
-  if (Error.captureStackTrace)
-    Error.captureStackTrace(this, caller || HttpSignatureError);
-
-  this.message = message;
-  this.name = caller.name;
-}
-util.inherits(HttpSignatureError, Error);
-
-function ExpiredRequestError(message) {
-  HttpSignatureError.call(this, message, ExpiredRequestError);
-}
-util.inherits(ExpiredRequestError, HttpSignatureError);
-
-
-function InvalidHeaderError(message) {
-  HttpSignatureError.call(this, message, InvalidHeaderError);
-}
-util.inherits(InvalidHeaderError, HttpSignatureError);
-
-
-function InvalidParamsError(message) {
-  HttpSignatureError.call(this, message, InvalidParamsError);
-}
-util.inherits(InvalidParamsError, HttpSignatureError);
-
-
-function MissingHeaderError(message) {
-  HttpSignatureError.call(this, message, MissingHeaderError);
-}
-util.inherits(MissingHeaderError, HttpSignatureError);
-
-
-
-///--- Exported API
-
-module.exports = {
-
-  /**
-   * Parses the 'Authorization' header out of an http.ServerRequest object.
-   *
-   * Note that this API will fully validate the Authorization header, and throw
-   * on any error.  It will not however check the signature, or the keyId format
-   * as those are specific to your environment.  You can use the options object
-   * to pass in extra constraints.
-   *
-   * As a response object you can expect this:
-   *
-   *     {
-   *       "scheme": "Signature",
-   *       "params": {
-   *         "keyId": "foo",
-   *         "algorithm": "rsa-sha256",
-   *         "headers": [
-   *           "date" or "x-date",
-   *           "content-md5"
-   *         ],
-   *         "signature": "base64"
-   *       },
-   *       "signingString": "ready to be passed to crypto.verify()"
-   *     }
-   *
-   * @param {Object} request an http.ServerRequest.
-   * @param {Object} options an optional options object with:
-   *                   - clockSkew: allowed clock skew in seconds (default 300).
-   *                   - headers: required header names (def: date or x-date)
-   *                   - algorithms: algorithms to support (default: all).
-   * @return {Object} parsed out object (see above).
-   * @throws {TypeError} on invalid input.
-   * @throws {InvalidHeaderError} on an invalid Authorization header error.
-   * @throws {InvalidParamsError} if the params in the scheme are invalid.
-   * @throws {MissingHeaderError} if the params indicate a header not present,
-   *                              either in the request headers from the params,
-   *                              or not in the params from a required header
-   *                              in options.
-   * @throws {ExpiredRequestError} if the value of date or x-date exceeds skew.
-   */
-  parseRequest: function parseRequest(request, options) {
-    assert.object(request, 'request');
-    assert.object(request.headers, 'request.headers');
-    if (options === undefined) {
-      options = {};
-    }
-    if (options.headers === undefined) {
-      options.headers = [request.headers['x-date'] ? 'x-date' : 'date'];
-    }
-    assert.object(options, 'options');
-    assert.arrayOfString(options.headers, 'options.headers');
-    assert.optionalNumber(options.clockSkew, 'options.clockSkew');
-
-    if (!request.headers.authorization)
-      throw new MissingHeaderError('no authorization header present in ' +
-                                   'the request');
-
-    options.clockSkew = options.clockSkew || 300;
-
-
-    var i = 0;
-    var state = State.New;
-    var substate = ParamsState.Name;
-    var tmpName = '';
-    var tmpValue = '';
-
-    var parsed = {
-      scheme: '',
-      params: {},
-      signingString: '',
-
-      get algorithm() {
-        return this.params.algorithm.toUpperCase();
-      },
-
-      get keyId() {
-        return this.params.keyId;
-      }
-
-    };
-
-    var authz = request.headers.authorization;
-    for (i = 0; i < authz.length; i++) {
-      var c = authz.charAt(i);
-
-      switch (Number(state)) {
-
-      case State.New:
-        if (c !== ' ') parsed.scheme += c;
-        else state = State.Params;
-        break;
-
-      case State.Params:
-        switch (Number(substate)) {
-
-        case ParamsState.Name:
-          var code = c.charCodeAt(0);
-          // restricted name of A-Z / a-z
-          if ((code >= 0x41 && code <= 0x5a) || // A-Z
-              (code >= 0x61 && code <= 0x7a)) { // a-z
-            tmpName += c;
-          } else if (c === '=') {
-            if (tmpName.length === 0)
-              throw new InvalidHeaderError('bad param format');
-            substate = ParamsState.Quote;
-          } else {
-            throw new InvalidHeaderError('bad param format');
-          }
-          break;
-
-        case ParamsState.Quote:
-          if (c === '"') {
-            tmpValue = '';
-            substate = ParamsState.Value;
-          } else {
-            throw new InvalidHeaderError('bad param format');
-          }
-          break;
-
-        case ParamsState.Value:
-          if (c === '"') {
-            parsed.params[tmpName] = tmpValue;
-            substate = ParamsState.Comma;
-          } else {
-            tmpValue += c;
-          }
-          break;
-
-        case ParamsState.Comma:
-          if (c === ',') {
-            tmpName = '';
-            substate = ParamsState.Name;
-          } else {
-            throw new InvalidHeaderError('bad param format');
-          }
-          break;
-
-        default:
-          throw new Error('Invalid substate');
-        }
-        break;
-
-      default:
-        throw new Error('Invalid substate');
-      }
-
-    }
-
-    if (!parsed.params.headers || parsed.params.headers === '') {
-      if (request.headers['x-date']) {
-        parsed.params.headers = ['x-date'];
-      } else {
-        parsed.params.headers = ['date'];
-      }
-    } else {
-      parsed.params.headers = parsed.params.headers.split(' ');
-    }
-
-    // Minimally validate the parsed object
-    if (!parsed.scheme || parsed.scheme !== 'Signature')
-      throw new InvalidHeaderError('scheme was not "Signature"');
-
-    if (!parsed.params.keyId)
-      throw new InvalidHeaderError('keyId was not specified');
-
-    if (!parsed.params.algorithm)
-      throw new InvalidHeaderError('algorithm was not specified');
-
-    if (!parsed.params.signature)
-      throw new InvalidHeaderError('signature was not specified');
-
-    // Check the algorithm against the official list
-    parsed.params.algorithm = parsed.params.algorithm.toLowerCase();
-    if (!Algorithms[parsed.params.algorithm])
-      throw new InvalidParamsError(parsed.params.algorithm +
-                                   ' is not supported');
-
-    // Build the signingString
-    for (i = 0; i < parsed.params.headers.length; i++) {
-      var h = parsed.params.headers[i].toLowerCase();
-      parsed.params.headers[i] = h;
-
-      if (h !== 'request-line') {
-        var value = request.headers[h];
-        if (!value)
-          throw new MissingHeaderError(h + ' was not in the request');
-        parsed.signingString += h + ': ' + value;
-      } else {
-        parsed.signingString +=
-          request.method + ' ' + request.url + ' HTTP/' + request.httpVersion;
-      }
-
-      if ((i + 1) < parsed.params.headers.length)
-        parsed.signingString += '\n';
-    }
-
-    // Check against the constraints
-    var date;
-    if (request.headers.date || request.headers['x-date']) {
-        if (request.headers['x-date']) {
-          date = new Date(request.headers['x-date']);
-        } else {
-          date = new Date(request.headers.date);
-        }
-      var now = new Date();
-      var skew = Math.abs(now.getTime() - date.getTime());
-
-      if (skew > options.clockSkew * 1000) {
-        throw new ExpiredRequestError('clock skew of ' +
-                                      (skew / 1000) +
-                                      's was greater than ' +
-                                      options.clockSkew + 's');
-      }
-    }
-
-    options.headers.forEach(function (hdr) {
-      // Remember that we already checked any headers in the params
-      // were in the request, so if this passes we're good.
-      if (parsed.params.headers.indexOf(hdr) < 0)
-        throw new MissingHeaderError(hdr + ' was not a signed header');
-    });
-
-    if (options.algorithms) {
-      if (options.algorithms.indexOf(parsed.params.algorithm) === -1)
-        throw new InvalidParamsError(parsed.params.algorithm +
-                                     ' is not a supported algorithm');
-    }
-
-    return parsed;
-  }
-
-};