@@ -78,34 +78,34 @@ module Contacts # (default: false) def self.authentication_url(target, options = {}) params = authentication_url_options.merge(options) - key = params.delete(:key) - params[:secure] = true if !params[:secure] && key + if key = params.delete(:key) + params[:secure] = true + set_private_key(key) + end params[:next] = target query = query_string(params) - url = "https://#{DOMAIN}#{AuthSubPath}Request?#{query}" - sig = generate_sig(url, key) if key - key ? "#{url}&#{query_string(:sig => sig)}" : url + "https://#{DOMAIN}#{AuthSubPath}Request?#{query}" end - # Generates the signature for a secure AuthSub request. +key+ may be an IO, String or + # Sets the private key for a secure AuthSub request. +key+ may be an IO, String or # OpenSSL::PKey::RSA. # Stolen from http://github.com/stuart/google-authsub/lib/googleauthsub.rb - def self.generate_sig(url, key) - pkey = case key + def self.set_private_key(key) + case key when OpenSSL::PKey::RSA - key + @@pkey = key when File - OpenSSL::PKey::RSA.new(key.read) + @@pkey = OpenSSL::PKey::RSA.new(key.read) when String - OpenSSL::PKey::RSA.new(key) + @@pkey = OpenSSL::PKey::RSA.new(key) else raise "Private Key in wrong format. Require IO, String or OpenSSL::PKey::RSA, you gave me #{key.class}" end - timestamp = Time.now.to_i - nonce = OpenSSL::BN.rand_range(2**64) - data = "GET #{url} #{timestamp} #{nonce}" - digest = OpenSSL::Digest::SHA1.new(data).hexdigest - sig = [pkey.private_encrypt(digest)].pack("m") #Base64 encode + end + + # Unsets the private key. Only used for test teardowns. + def self.unset_private_key + @@pkey = nil end # Makes an HTTPS request to exchange the given token with a session one. Session @@ -115,13 +115,14 @@ module Contacts # body. def self.session_token(token) response = http_start do |google| - google.get(AuthSubPath + 'SessionToken', authorization_header(token)) + uri = AuthSubPath + 'SessionToken' + google.get(uri, authorization_header(token, false, uri)) end pair = response.body.split(/\n/).detect { |p| p.index('Token=') == 0 } pair.split('=').last if pair end - + # Alternative to AuthSub: using email and password. def self.client_login(email, password) response = http_start do |google| @@ -142,6 +143,7 @@ module Contacts def initialize(token, user_id = 'default', client = false) @user = user_id.to_s @token = token.to_s + @client = client @headers = { 'Accept-Encoding' => 'gzip', 'User-Agent' => Identifier + ' (gzip)' @@ -154,7 +156,9 @@ module Contacts path = FeedsPath + CGI.escape(@user) google_params = translate_parameters(params) query = self.class.query_string(google_params) - google.get("#{path}/#{@projection}?#{query}", @headers) + uri = "#{path}/#{@projection}?#{query}" + headers = @headers.update(self.class.authorization_header(@token, @client, uri)) + google.get(uri, headers) end end @@ -284,9 +288,23 @@ module Contacts end end - def self.authorization_header(token, client = false) - type = client ? 'GoogleLogin auth' : 'AuthSub token' - { 'Authorization' => %(#{type}="#{token}") } + def self.secure? + defined?(@@pkey) && !@@pkey.nil? + end + + def self.authorization_header(token, client = false, uri = nil) + if client + { 'Authorization' => %(GoogleLogin auth="#{token}") } + elsif secure? + timestamp = Time.now.to_i + nonce = OpenSSL::BN.rand_range(2**64) + data = "GET http://#{DOMAIN}#{uri} #{timestamp} #{nonce}" + sig = @@pkey.sign(OpenSSL::Digest::SHA1.new, data) + sig = [sig].pack("m").gsub(/\n/, "") #Base64 encode + { 'Authorization' => %(AuthSub token="#{token}" sigalg="rsa-sha1" data="#{data}" sig="#{sig}") } + else + { 'Authorization' => %(AuthSub token="#{token}") } + end end def self.http_start(ssl = true) lib/contacts/google.rb @@ -29,40 +29,29 @@ describe Contacts::Google, '.authentication_url' do end it 'should imply secure=true when the key parameter is set' do - rsa = mock('OpenSSL::PKey::RSA', :private_encrypt => 'signature') - digest = mock('OpenSSL::Digest::SHA1', :hexdigest => 'digest') - OpenSSL::Digest::SHA1.expects(:new).returns(digest).at_least_once - OpenSSL::PKey::RSA.expects(:new).with('secret-key').returns(rsa).at_least_once + pairs = parse_authentication_url(nil, :key => File.open(File.join(File.dirname(__FILE__), 'myrsakey.pem'))).query.split('&') + + pairs.should include('secure=1') + end - pairs = parse_authentication_url(nil, :key => 'secret-key').query.split('&') + it 'should accept String key parameter' do + key = File.open(File.join(File.dirname(__FILE__), 'myrsakey.pem')).read + pairs = parse_authentication_url(nil, :key => key).query.split('&') pairs.should include('secure=1') - pairs.should include('sig=c2lnbmF0dXJl%0A') # ['signature'].pack('m') - pairs.should_not include('key=secret-key') + pairs.should_not include("key=#{key}") end it 'should accept File or IO key parameter' do - rsa = mock('OpenSSL::PKey::RSA', :private_encrypt => 'signature') - digest = mock('OpenSSL::Digest::SHA1', :hexdigest => 'digest') - OpenSSL::Digest::SHA1.expects(:new).returns(digest).at_least_once - OpenSSL::PKey::RSA.expects(:new).with(File.open(File.join(File.dirname(__FILE__), 'myrsakey.pem')).read).returns(rsa).at_least_once - pairs = parse_authentication_url(nil, :key => File.open(File.join(File.dirname(__FILE__), 'myrsakey.pem'))).query.split('&') pairs.should include('secure=1') - pairs.should include('sig=c2lnbmF0dXJl%0A') # ['signature'].pack('m') - pairs.should_not include('key=secret-key') end it 'should accept OpenSSL::Pkey::RSA key parameter' do - digest = mock('OpenSSL::Digest::SHA1', :hexdigest => 'digest') - OpenSSL::Digest::SHA1.expects(:new).returns(digest).at_least_once - pairs = parse_authentication_url(nil, :key => OpenSSL::PKey::RSA.new(File.open(File.join(File.dirname(__FILE__), 'myrsakey.pem')).read)).query.split('&') pairs.should include('secure=1') - pairs.should include('sig=nhzzbfqHUOhN6iE%2BkyHQabRvtfc3pbxKQt4hHqlNtBZVliswTFfVIISFPo5Z%0Ads6YVeAKdqAAZuVFUwMDihA83ihIf8spWN%2BrKpeLxAhrUCM69oihD7csdedG%0AbN9TCToIp4q9tJj2o4SsAgxs3dK55Nc1vhCOlVB7mIbxM%2B8YGL4%3D%0A') # based on 'digest' data - pairs.should_not include('key=secret-key') end it 'skips parameters that have nil value' do spec/gmail/auth_spec.rb @@ -13,6 +13,7 @@ describe Contacts::Google do after :each do FakeWeb.clean_registry + Contacts::Google.unset_private_key end describe 'fetches contacts feed via HTTP GET' do @@ -41,6 +42,29 @@ describe Contacts::Google do response = @gmail.get({}) response.body.should == 'full results' end + + it 'with signed requests' do + # freeze time and nonce for consistent results + time = mock('Time.now') + time.expects(:to_i).with().returns(1237384927).at_least_once + Time.expects(:now).returns(time).at_least_once + OpenSSL::BN.expects(:rand_range).with(2**64).returns(11138977546881557915).at_least_once + + Contacts::Google.set_private_key(File.open(File.join(File.dirname(__FILE__), 'myrsakey.pem'))) + @gmail = Contacts::Google.new('dummytoken') + + FakeWeb::register_uri(:get, 'www.google.com/m8/feeds/contacts/default/thin', + :string => 'thin results', + :verify => lambda { |req| + req['Authorization'].should == %(AuthSub token="dummytoken" sigalg="rsa-sha1" data="GET http://www.google.com/m8/feeds/contacts/default/thin? 1237384927 11138977546881557915" sig="EAO7okp0W+0kAOOFxaAfexym0tWEgKogHpjSs7AX8GZYBWJvyJg6+SFHMAeGUEpAXIyAxCoF+RYzvEt2ONVXEJKaMw4zo/qAFc/RC4dLkFbzwe4r5srFMAGrgbWgqQEeUBeY2koc0vfs2dfOP19rJgACtksm3HLMKpl8M9sUF8c=") + req['Accept-Encoding'].should == 'gzip' + req['User-Agent'].should == "Ruby Contacts v#{Contacts::VERSION::STRING} (gzip)" + } + ) + + response = @gmail.get({}) + response.body.should == 'thin results' + end end it 'handles a normal response body' do spec/gmail/fetching_spec.rb 2ceaadbcc8e18cd94759399c357ef0db051ba513 Kamal Fariz Mahyuddin kamal kamal.fariz@gmail.com http://github.com/kamal/contacts/commit/b3e9585fe1688f946eeb5fb8fe028bd2f63e374b b3e9585fe1688f946eeb5fb8fe028bd2f63e374b 2009-03-18T07:12:06-07:00 2009-03-18T06:53:33-07:00 Fix signing the AuthSub request. It's set in the headers, instead of in the params. 5df43083bf88819a084e93ee915856c30c1c96fe Kamal Fariz Mahyuddin kamal kamal.fariz@gmail.com