
support signatures for requests with no body coming from older versions of ey_api_hmac
1 parent 45465e2 commit 8f2a3f1b23b9ffc9d8ff08cf829f2650fc700c31 @jacobo jacobo committed Dec 19, 2011
Showing with 23 additions and 6 deletions.
  1. +13 −5 lib/ey_api_hmac.rb
  2. +10 −1 spec/api_auth_spec.rb
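--- a/lib/ey_api_hmac.rb
+++ b/lib/ey_api_hmac.rb
@@ -10,7 +10,7 @@ def self.sign!(env, key_id, secret)
 env["HTTP_AUTHORIZATION"] = auth_string(key_id, signature(env, secret))
 end
- def self.canonical_string(env)
+ def self.canonical_string(env, legacy = false)
 parts = []
 expect = Proc.new do |var|
 unless env[var]
@@ -20,7 +20,7 @@ def self.canonical_string(env)
 end
 parts << expect["REQUEST_METHOD"]
 parts << env["CONTENT_TYPE"]
- parts << generated_md5(env)
+ parts << generated_md5(env, legacy)
 parts << expect["HTTP_DATE"]
 if env["REQUEST_URI"]
 parts << URI.parse(env["REQUEST_URI"]).path
@@ -38,6 +38,10 @@ def self.signature(env, secret)
 base64digest(canonical_string(env), secret)
 end
+ def self.signature_legacy(env, secret)
+ base64digest(canonical_string(env, true), secret)
+ end
+
 def self.base64digest(data,secret)
 digest = OpenSSL::Digest::Digest.new('sha1')
 [OpenSSL::HMAC.digest(digest, secret, data)].pack('m').strip
@@ -54,7 +58,7 @@ def self.authenticate!(env, &lookup)
 unless secret
 raise HmacAuthFail, "couldn't find auth for #{access_key_id}"
 end
- unless hmac == signature(env, secret)
+ unless hmac == signature(env, secret) || hmac == signature_legacy(env, secret)
 raise HmacAuthFail, "signature mismatch. Calculated canonical_string: #{canonical_string(env).inspect}"
 end
 else
@@ -73,11 +77,15 @@ def self.authenticated?(env, &lookup)
 private
- def self.generated_md5(env)
+ def self.generated_md5(env, legacy = false)
 env["rack.input"].rewind
 request_body = env["rack.input"].read
 env["rack.input"].rewind
- request_body.empty? ? nil : OpenSSL::Digest::MD5.hexdigest(request_body)
+ if legacy
+ OpenSSL::Digest::MD5.hexdigest(request_body)
+ else
+ request_body.empty? ? nil : OpenSSL::Digest::MD5.hexdigest(request_body)
+ end
 end
 end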
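Review bot: The accept check on the new `unless hmac == signature(env, secret) || hmac == signature_legacy(env, secret)` line compares the client-supplied HMAC with `String#==`, which stops at the first differing byte, and the change now exposes that timing behaviour for two candidate signatures instead of one; a constant-time comparison of each candidate (`Rack::Utils.secure_compare` where the Rack in use provides it, otherwise an XOR-fold over the bytes of equal-length strings) closes that channel for both branches. The legacy fallback also has no off switch and leaves no trace: a brief log line when only `signature_legacy` matched, plus a way to disable the fallback once old clients are gone, keeps the widened acceptance from becoming permanent. `signature_legacy` would benefit from a comment explaining why it exists, e.g. `# Older ey_api_hmac clients hashed an empty body (generated_md5 with legacy = true); newer ones put nothing in the MD5 slot.` `authenticate!` starts and ends outside the hunk.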
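--- a/spec/api_auth_spec.rb
+++ b/spec/api_auth_spec.rb
@@ -109,8 +109,17 @@ def compatible
 end
 describe "authenticated?" do
- describe "request signed by AuthHMAC" do
+ it "verifies the old signing method without body" do
+ @env['rack.input'] = StringIO.new
+ @env.delete('HTTP_CONTENT_MD5')
+ @request = Rack::Request.new(@env)
+ @env["HTTP_AUTHORIZATION"] = "AuthHMAC access key 1:isJ7zHHPrpnSdZ/XbvqxFhVUf0c="
+ @lookup = Proc.new{ |key| 'secret' if key == 'access key 1' }
+ EY::ApiHMAC.authenticated?(@env, &@lookup).should be_true
+ end
+
+ describe "request signed by AuthHMAC" do
 describe do
 before do
 AuthHMAC.sign!(@request, 'access key 1', 'secret')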
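Review bot: The new example only pins the positive case; a companion example that keeps the same empty body and `@lookup` but alters one character of the `HTTP_AUTHORIZATION` value, asserting `authenticated?` returns false, would show that the legacy fallback widens acceptance only to the intended signature. `@request = Rack::Request.new(@env)` inside the new example is not read by anything in the hunk, so unless a surrounding hook relies on it, that line can go. The enclosing `describe "authenticated?"` block continues outside the hunk.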
