Merge pull request ahknight#15 from rbignon/master

Ability to supply another signature header like Signature

Author: ahknight

README.rst

@@ -116,8 +116,7 @@ Known Limitations
 
 1. Multiple values for the same header are not supported. New headers with the same name will overwrite the previous header. It might be possible to replace the CaseInsensitiveDict with the collection that the email package uses for headers to overcome this limitation.
 2. Keyfiles with passwords are not supported. There has been zero vocal demand for this so if you would like it, a PR would be a good way to get it in.
-3. Draft 2 added support for the Signature header. As this was principally designed to be an authentication helper, that header is not currently supported. PRs welcome. (It is trivial to move the value after generation, of course.)
-4. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.
+3. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.
 
 
 License

httpsig/sign.py

@@ -86,15 +86,18 @@ class HeaderSigner(Signer):
     :arg algorithm: one of the six specified algorithms
     :arg headers:   a list of http headers to be included in the signing
         string, defaulting to ['date'].
+    :arg sign_header: header used to include signature, defaulting to
+       'authorization'.
     """
-    def __init__(self, key_id, secret, algorithm=None, headers=None):
+    def __init__(self, key_id, secret, algorithm=None, headers=None, sign_header='authorization'):
         if algorithm is None:
             algorithm = DEFAULT_SIGN_ALGORITHM
 
         super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm)
         self.headers = headers or ['date']
         self.signature_template = build_signature_template(
-                                    key_id, algorithm, headers)
+                                    key_id, algorithm, headers, sign_header)
+        self.sign_header = sign_header
 
     def sign(self, headers, host=None, method=None, path=None):
         """
@@ -112,6 +115,6 @@ def sign(self, headers, host=None, method=None, path=None):
                     required_headers, headers, host, method, path)
 
         signature = self._sign(signable)
-        headers['authorization'] = self.signature_template % signature
+        headers[self.sign_header] = self.signature_template % signature
 
         return headers

httpsig/tests/test_verify.py

@@ -34,6 +34,7 @@ class TestVerifyHMACSHA1(BaseTestCase):
     header_content_type = 'application/json'
     header_digest = 'SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE='
     header_content_length = '18'
+    sign_header = 'authorization'
 
     def setUp(self):
         secret = b"something special goes here"
@@ -62,9 +63,11 @@ def test_default(self):
         }
 
         hs = HeaderSigner(
-            key_id="Test", secret=self.sign_secret, algorithm=self.algorithm)
+            key_id="Test", secret=self.sign_secret, algorithm=self.algorithm,
+            sign_header=self.sign_header)
         signed = hs.sign(unsigned)
-        hv = HeaderVerifier(headers=signed, secret=self.verify_secret)
+        hv = HeaderVerifier(
+            headers=signed, secret=self.verify_secret, sign_header=self.sign_header)
         self.assertTrue(hv.verify())
 
     def test_signed_headers(self):
@@ -75,6 +78,7 @@ def test_signed_headers(self):
                 key_id="Test",
                 secret=self.sign_secret,
                 algorithm=self.algorithm,
+                sign_header=self.sign_header,
                 headers=[
                     '(request-target)',
                     'host',
@@ -94,7 +98,8 @@ def test_signed_headers(self):
 
         hv = HeaderVerifier(
                 headers=signed, secret=self.verify_secret,
-                host=HOST, method=METHOD, path=PATH)
+                host=HOST, method=METHOD, path=PATH,
+                sign_header=self.sign_header)
         self.assertTrue(hv.verify())
 
     def test_incorrect_headers(self):
@@ -104,6 +109,7 @@ def test_incorrect_headers(self):
         hs = HeaderSigner(secret=self.sign_secret,
                           key_id="Test",
                           algorithm=self.algorithm,
+                          sign_header=self.sign_header,
                           headers=[
                               '(request-target)',
                               'host',
@@ -122,7 +128,8 @@ def test_incorrect_headers(self):
 
         hv = HeaderVerifier(headers=signed, secret=self.verify_secret,
                             required_headers=["some-other-header"],
-                            host=HOST, method=METHOD, path=PATH)
+                            host=HOST, method=METHOD, path=PATH,
+                            sign_header=self.sign_header)
         with self.assertRaises(Exception):
             hv.verify()
 
@@ -133,6 +140,7 @@ def test_extra_auth_headers(self):
         hs = HeaderSigner(
                 key_id="Test",
                 secret=self.sign_secret,
+                sign_header=self.sign_header,
                 algorithm=self.algorithm, headers=[
                     '(request-target)',
                     'host',
@@ -154,6 +162,7 @@ def test_extra_auth_headers(self):
                 secret=self.verify_secret,
                 method=METHOD,
                 path=PATH,
+                sign_header=self.sign_header,
                 required_headers=['date', '(request-target)'])
         self.assertTrue(hv.verify())
 
@@ -205,3 +214,7 @@ class TestVerifyRSASHA512(TestVerifyRSASHA1):
     def setUp(self):
         super(TestVerifyRSASHA512, self).setUp()
         self.algorithm = "rsa-sha512"
+
+
+class TestVerifyRSASHA512ChangeHeader(TestVerifyRSASHA1):
+    sign_header = 'Signature'

httpsig/utils.py

@@ -88,6 +88,28 @@ def generate_message(required_headers, headers, host=None, method=None,
     return signable
 
 
+def parse_signature_header(sign_value):
+    values = {}
+    if sign_value:
+        # This is tricky string magic.  Let urllib do it.
+        fields = parse_http_list(sign_value)
+
+        for item in fields:
+            # Only include keypairs.
+            if '=' in item:
+                # Split on the first '=' only.
+                key, value = item.split('=', 1)
+                if not (len(key) and len(value)):
+                    continue
+
+                # Unquote values, if quoted.
+                if value[0] == '"':
+                    value = value[1:-1]
+
+                values[key] = value
+    return CaseInsensitiveDict(values)
+
+
 def parse_authorization_header(header):
     if not isinstance(header, six.string_types):
         header = header.decode("ascii")  # HTTP headers cannot be Unicode.
@@ -100,30 +122,13 @@ def parse_authorization_header(header):
     # Split up any args into a dictionary.
     values = {}
     if len(auth) == 2:
-        auth_value = auth[1]
-        if auth_value and len(auth_value):
-            # This is tricky string magic.  Let urllib do it.
-            fields = parse_http_list(auth_value)
-
-            for item in fields:
-                # Only include keypairs.
-                if '=' in item:
-                    # Split on the first '=' only.
-                    key, value = item.split('=', 1)
-                    if not (len(key) and len(value)):
-                        continue
-
-                    # Unquote values, if quoted.
-                    if value[0] == '"':
-                        value = value[1:-1]
-
-                    values[key] = value
+        values = parse_signature_header(auth[1])
 
     # ("Signature", {"headers": "date", "algorithm": "hmac-sha256", ... })
-    return (auth[0], CaseInsensitiveDict(values))
+    return (auth[0], values)
 
 
-def build_signature_template(key_id, algorithm, headers):
+def build_signature_template(key_id, algorithm, headers, sign_header='authorization'):
     """
     Build the Signature template for use with the Authorization header.
 
@@ -142,8 +147,10 @@ def build_signature_template(key_id, algorithm, headers):
         param_map['headers'] = ' '.join(headers)
     kv = map('{0[0]}="{0[1]}"'.format, param_map.items())
     kv_string = ','.join(kv)
-    sig_string = 'Signature {0}'.format(kv_string)
-    return sig_string
+    if sign_header.lower() == 'authorization':
+        return 'Signature {0}'.format(kv_string)
+
+    return kv_string
 
 
 def lkv(d):

httpsig/verify.py

@@ -47,7 +47,7 @@ class HeaderVerifier(Verifier):
     """
 
     def __init__(self, headers, secret, required_headers=None, method=None,
-                 path=None, host=None):
+                 path=None, host=None, sign_header='authorization'):
         """
         Instantiate a HeaderVerifier object.
 
@@ -64,16 +64,21 @@ def __init__(self, headers, secret, required_headers=None, method=None,
             Required for the '(request-target)' header.
         :param host:                Optional. The value to use for the Host
             header, if not supplied in :param:headers.
+        :param sign_header:         Optional. The header where the signature is.
+            Default is 'authorization'.
         """
         required_headers = required_headers or ['date']
+        self.headers = CaseInsensitiveDict(headers)
 
-        auth = parse_authorization_header(headers['authorization'])
-        if len(auth) == 2:
-            self.auth_dict = auth[1]
+        if sign_header.lower() == 'authorization':
+            auth = parse_authorization_header(self.headers['authorization'])
+            if len(auth) == 2:
+                self.auth_dict = auth[1]
+            else:
+                raise HttpSigException("Invalid authorization header.")
         else:
-            raise HttpSigException("Invalid authorization header.")
+            self.auth_dict = parse_signature_header(self.headers[sign_header])
 
-        self.headers = CaseInsensitiveDict(headers)
         self.required_headers = [s.lower() for s in required_headers]
         self.method = method
         self.path = path