Merge branch 'release/1.2.0'

Author: ahknight

.gitignore

@@ -11,3 +11,5 @@ doc/__build/*
 *_rsa.pub
 locale/
 pip-log.txt
+/.idea
+/.eggs

CHANGELOG.rst

@@ -1,6 +1,14 @@
 httpsig Changes
 ---------------
 
+1.2.0 (2018-Mar-28)
+-------------------
+
+* Switched to pycryptodome instead of PyCrypto
+* Updated tests with the test data from Draft 8 and verified it still passes.
+* Dropped official Python 3.2 support (pip dropped it so it can't be properly tested)
+* Cleaned up the code to be more PEP8-like.
+
 1.1.2 (2015-Feb-11)
 -------------------
 

MANIFEST

@@ -5,9 +5,7 @@ README.rst
 requirements.txt
 setup.cfg
 setup.py
-versioneer.py
 httpsig/__init__.py
-httpsig/_version.py
 httpsig/requests_auth.py
 httpsig/sign.py
 httpsig/utils.py

MANIFEST.in

@@ -1,5 +1,3 @@
 include *.rst
 include *.txt
-include versioneer.py
-include httpsig/_version.py
 include httpsig/tests/*.pem

README.rst

@@ -7,29 +7,35 @@ httpsig
 .. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=develop
     :target: https://travis-ci.org/ahknight/httpsig
 
-Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 3`_).  This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work.  It's being used in production and is actively-developed.
+Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 8`_).  This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work.  It's being used in production and is actively-developed.
 
 See the original project_, original Python module_, original spec_, and `current IETF draft`_ for more details on the signing scheme.
 
 .. _project: https://github.com/joyent/node-http-signature
 .. _module: https://github.com/zzsnzmn/py-http-signature
 .. _spec: https://github.com/joyent/node-http-signature/blob/master/http_signing.md
 .. _`current IETF draft`: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
-.. _`Draft 3`: http://tools.ietf.org/html/draft-cavage-http-signatures-03
+.. _`Draft 8`: http://tools.ietf.org/html/draft-cavage-http-signatures-08
 
 Requirements
 ------------
 
-* Python 2.7, 3.2, 3.3, 3.4
-* pycryptodome_
+* Python 2.7, 3.3-3.6
+* PyCryptodome_
 
 Optional:
 
 * requests_
 
-.. _pycryptodome: https://pypi.python.org/pypi/pycryptodome
+.. _PyCryptodome: https://pypi.python.org/pypi/pycryptodome
 .. _requests: https://pypi.python.org/pypi/requests
 
+For testing:
+
+* tox
+* pyenv (optional, handy way to access multiple versions)
+    $ for VERS in 2.7.14 3.3.7 3.4.8 3.5.5 3.6.4; do pyenv install -s $VERS; done
+
 Usage
 -----
 
@@ -105,6 +111,15 @@ or::
 
     tox
 
+Known Limitations
+-----------------
+
+1. Multiple values for the same header are not supported. New headers with the same name will overwrite the previous header. It might be possible to replace the CaseInsensitiveDict with the collection that the email package uses for headers to overcome this limitation.
+2. Keyfiles with passwords are not supported. There has been zero vocal demand for this so if you would like it, a PR would be a good way to get it in.
+3. Draft 2 added support for the Signature header. As this was principally designed to be an authentication helper, that header is not currently supported. PRs welcome. (It is trivial to move the value after generation, of course.)
+4. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.
+
+
 License
 -------
 

httpsig/__init__.py

@@ -1,6 +1,12 @@
+from pkg_resources import get_distribution, DistributionNotFound
+
 from .sign import Signer, HeaderSigner
 from .verify import Verifier, HeaderVerifier
 
-from ._version import get_versions
-__version__ = get_versions()['version']
-del get_versions
+try:
+    __version__ = get_distribution(__name__).version
+except DistributionNotFound:
+    # package is not installed
+    pass
+
+__all__ = (Signer, HeaderSigner, Verifier, HeaderVerifier)

httpsig/_version.py

@@ -1,4 +1,4 @@
-from requests.auth import AuthBase
+import requests.auth
 try:
     # Python 3
     from urllib.parse import urlparse
@@ -9,20 +9,23 @@
 from .sign import HeaderSigner
 
 
-class HTTPSignatureAuth(AuthBase):
-    '''
+class HTTPSignatureAuth(requests.auth.AuthBase):
+    """
     Sign a request using the http-signature scheme.
     https://github.com/joyent/node-http-signature/blob/master/http_signing.md
 
-    key_id is the mandatory label indicating to the server which secret to use
-    secret is the filename of a pem file in the case of rsa, a password string in the case of an hmac algorithm
-    algorithm is one of the six specified algorithms
-    headers is a list of http headers to be included in the signing string, defaulting to "Date" alone.
-    '''
+    `key_id` is the mandatory label indicating to the server which secret to
+      use secret is the filename of a pem file in the case of rsa, a password
+      string in the case of an hmac algorithm
+    `algorithm` is one of the six specified algorithms
+      headers is a list of http headers to be included in the signing string,
+      defaulting to "Date" alone.
+    """
     def __init__(self, key_id='', secret='', algorithm=None, headers=None):
         headers = headers or []
-        self.header_signer = HeaderSigner(key_id=key_id, secret=secret,
-                algorithm=algorithm, headers=headers)
+        self.header_signer = HeaderSigner(
+                                key_id=key_id, secret=secret,
+                                algorithm=algorithm, headers=headers)
         self.uses_host = 'host' in [h.lower() for h in headers]
 
     def __call__(self, r):