Updated tests with the test data from Draft 8.

Author: ahknight

README.rst

@@ -7,27 +7,27 @@ httpsig
 .. image:: https://travis-ci.org/ahknight/httpsig.svg?branch=develop
     :target: https://travis-ci.org/ahknight/httpsig
 
-Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 3`_).  This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work.  It's being used in production and is actively-developed.
+Sign HTTP requests with secure signatures according to the IETF HTTP Signatures specification (`Draft 8`_).  This is a fork of the original module_ to fully support both RSA and HMAC schemes as well as unit test both schemes to prove they work.  It's being used in production and is actively-developed.
 
 See the original project_, original Python module_, original spec_, and `current IETF draft`_ for more details on the signing scheme.
 
 .. _project: https://github.com/joyent/node-http-signature
 .. _module: https://github.com/zzsnzmn/py-http-signature
 .. _spec: https://github.com/joyent/node-http-signature/blob/master/http_signing.md
 .. _`current IETF draft`: https://datatracker.ietf.org/doc/draft-cavage-http-signatures/
-.. _`Draft 3`: http://tools.ietf.org/html/draft-cavage-http-signatures-03
+.. _`Draft 8`: http://tools.ietf.org/html/draft-cavage-http-signatures-08
 
 Requirements
 ------------
 
-* Python 2.7, 3.3, 3.4, 3.5, 3.6
-* PyCrypto_
+* Python 2.7, 3.3-3.6
+* PyCryptodome_
 
 Optional:
 
 * requests_
 
-.. _pycryptodome: https://pypi.python.org/pypi/pycryptodome
+.. _PyCryptodome: https://pypi.python.org/pypi/pycryptodome
 .. _requests: https://pypi.python.org/pypi/requests
 
 For testing:
@@ -111,6 +111,15 @@ or::
 
     tox
 
+Known Limitations
+-----------------
+
+1. Multiple values for the same header are not supported. New headers with the same name will overwrite the previous header. It might be possible to replace the CaseInsensitiveDict with the collection that the email package uses for headers to overcome this limitation.
+2. Keyfiles with passwords are not supported. There has been zero vocal demand for this so if you would like it, a PR would be a good way to get it in.
+3. Draft 2 added support for the Signature header. As this was principally designed to be an authentication helper, that header is not currently supported. PRs welcome. (It is trivial to move the value after generation, of course.)
+4. Draft 2 added support for ecdsa-sha256. This is available in PyCryptodome but has not been added to httpsig. PRs welcome.
+
+
 License
 -------
 

httpsig/tests/test_signature.py

@@ -14,7 +14,14 @@
 
 
 class TestSign(unittest.TestCase):
-
+    test_method = 'POST'
+    test_path = '/foo?param=value&pet=dog'
+    header_host = 'example.com'
+    header_date = 'Thu, 05 Jan 2014 21:31:40 GMT'
+    header_content_type = 'application/json'
+    header_digest = 'SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE='
+    header_content_length = '18'
+    
     def setUp(self):
         self.key_path = os.path.join(os.path.dirname(__file__), 'rsa_private.pem')
         with open(self.key_path, 'rb') as f:
@@ -23,7 +30,7 @@ def setUp(self):
     def test_default(self):
         hs = sign.HeaderSigner(key_id='Test', secret=self.key)
         unsigned = {
-            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'
+            'Date': self.header_date
         }
         signed = hs.sign(unsigned)
         self.assertIn('Date', signed)
@@ -36,25 +43,51 @@ def test_default(self):
         self.assertIn('signature', params)
         self.assertEqual(params['keyId'], 'Test')
         self.assertEqual(params['algorithm'], 'rsa-sha256')
-        self.assertEqual(params['signature'], 'ATp0r26dbMIxOopqw0OfABDT7CKMIoENumuruOtarj8n/97Q3htHFYpH8yOSQk3Z5zh8UxUym6FYTb5+A0Nz3NRsXJibnYi7brE/4tx5But9kkFGzG+xpUmimN4c3TMN7OFH//+r8hBf7BT9/GmHDUVZT2JzWGLZES2xDOUuMtA=')
+        self.assertEqual(params['signature'], 'jKyvPcxB4JbmYY4mByyBY7cZfNl4OW9HpFQlG7N4YcJPteKTu4MWCLyk+gIr0wDgqtLWf9NLpMAMimdfsH7FSWGfbMFSrsVTHNTk0rK3usrfFnti1dxsM4jl0kYJCKTGI/UWkqiaxwNiKqGcdlEDrTcUhhsFsOIo8VhddmZTZ8w=')
+
+    def test_basic(self):
+        hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
+            '(request-target)',
+            'host',
+            'date',
+        ])
+        unsigned = {
+            'Host': self.header_host,
+            'Date': self.header_date,
+        }
+        signed = hs.sign(unsigned, method=self.test_method, path=self.test_path)
+        
+        self.assertIn('Date', signed)
+        self.assertEqual(unsigned['Date'], signed['Date'])
+        self.assertIn('Authorization', signed)
+        auth = parse_authorization_header(signed['authorization'])
+        params = auth[1]
+        self.assertIn('keyId', params)
+        self.assertIn('algorithm', params)
+        self.assertIn('signature', params)
+        self.assertEqual(params['keyId'], 'Test')
+        self.assertEqual(params['algorithm'], 'rsa-sha256')
+        self.assertEqual(params['headers'],
+            '(request-target) host date')
+        self.assertEqual(params['signature'], 'HUxc9BS3P/kPhSmJo+0pQ4IsCo007vkv6bUm4Qehrx+B1Eo4Mq5/6KylET72ZpMUS80XvjlOPjKzxfeTQj4DiKbAzwJAb4HX3qX6obQTa00/qPDXlMepD2JtTw33yNnm/0xV7fQuvILN/ys+378Ysi082+4xBQFwvhNvSoVsGv4=')
 
     def test_all(self):
         hs = sign.HeaderSigner(key_id='Test', secret=self.key, headers=[
             '(request-target)',
             'host',
             'date',
             'content-type',
-            'content-md5',
+            'digest',
             'content-length'
         ])
         unsigned = {
-            'Host': 'example.com',
-            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
-            'Content-Type': 'application/json',
-            'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
-            'Content-Length': '18',
+            'Host': self.header_host,
+            'Date': self.header_date,
+            'Content-Type': self.header_content_type,
+            'Digest': self.header_digest,
+            'Content-Length': self.header_content_length,
         }
-        signed = hs.sign(unsigned, method='POST', path='/foo?param=value&pet=dog')
+        signed = hs.sign(unsigned, method=self.test_method, path=self.test_path)
 
         self.assertIn('Date', signed)
         self.assertEqual(unsigned['Date'], signed['Date'])
@@ -66,5 +99,5 @@ def test_all(self):
         self.assertIn('signature', params)
         self.assertEqual(params['keyId'], 'Test')
         self.assertEqual(params['algorithm'], 'rsa-sha256')
-        self.assertEqual(params['headers'], '(request-target) host date content-type content-md5 content-length')
-        self.assertEqual(params['signature'], 'G8/Uh6BBDaqldRi3VfFfklHSFoq8CMt5NUZiepq0q66e+fS3Up3BmXn0NbUnr3L1WgAAZGplifRAJqp2LgeZ5gXNk6UX9zV3hw5BERLWscWXlwX/dvHQES27lGRCvyFv3djHP6Plfd5mhPWRkmjnvqeOOSS0lZJYFYHJz994s6w=')
+        self.assertEqual(params['headers'], '(request-target) host date content-type digest content-length')
+        self.assertEqual(params['signature'], 'Ef7MlxLXoBovhil3AlyjtBwAL9g4TN3tibLj7uuNB3CROat/9KaeQ4hW2NiJ+pZ6HQEOx9vYZAyi+7cmIkmJszJCut5kQLAwuX+Ms/mUFvpKlSo9StS2bMXDBNjOh4Auj774GFj4gwjS+3NhFeoqyr/MuN6HsEnkvn6zdgfE2i0=')

httpsig/tests/test_verify.py

@@ -25,6 +25,14 @@ def _parse_auth(self, auth):
 
 
 class TestVerifyHMACSHA1(BaseTestCase):
+    test_method = 'POST'
+    test_path = '/foo?param=value&pet=dog'
+    header_host = 'example.com'
+    header_date = 'Thu, 05 Jan 2014 21:31:40 GMT'
+    header_content_type = 'application/json'
+    header_digest = 'SHA-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE='
+    header_content_length = '18'
+
     def setUp(self):
         secret = b"something special goes here"
 
@@ -47,7 +55,7 @@ def test_basic_sign(self):
 
     def test_default(self):
         unsigned = {
-            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'
+            'Date': self.header_date
         }
 
         hs = HeaderSigner(key_id="Test", secret=self.sign_secret, algorithm=self.algorithm)
@@ -56,33 +64,33 @@ def test_default(self):
         self.assertTrue(hv.verify())
 
     def test_signed_headers(self):
-        HOST = "example.com"
-        METHOD = "POST"
-        PATH = '/foo?param=value&pet=dog'
+        HOST = self.header_host
+        METHOD = self.test_method
+        PATH = self.test_path
         hs = HeaderSigner(key_id="Test", secret=self.sign_secret, algorithm=self.algorithm, headers=[
             '(request-target)',
             'host',
             'date',
             'content-type',
-            'content-md5',
+            'digest',
             'content-length'
         ])
         unsigned = {
             'Host': HOST,
-            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
-            'Content-Type': 'application/json',
-            'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
-            'Content-Length': '18',
+            'Date': self.header_date,
+            'Content-Type': self.header_content_type,
+            'Digest': self.header_digest,
+            'Content-Length': self.header_content_length,
         }
         signed = hs.sign(unsigned, method=METHOD, path=PATH)
 
         hv = HeaderVerifier(headers=signed, secret=self.verify_secret, host=HOST, method=METHOD, path=PATH)
         self.assertTrue(hv.verify())
 
     def test_incorrect_headers(self):
-        HOST = "example.com"
-        METHOD = "POST"
-        PATH = '/foo?param=value&pet=dog'
+        HOST = self.header_host
+        METHOD = self.test_method
+        PATH = self.test_path
         hs = HeaderSigner(secret=self.sign_secret,
                           key_id="Test",
                           algorithm=self.algorithm,
@@ -91,14 +99,14 @@ def test_incorrect_headers(self):
                             'host',
                             'date',
                             'content-type',
-                            'content-md5',
+                            'digest',
                             'content-length'])
         unsigned = {
             'Host': HOST,
-            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
-            'Content-Type': 'application/json',
-            'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
-            'Content-Length': '18',
+            'Date': self.header_date,
+            'Content-Type': self.header_content_type,
+            'Digest': self.header_digest,
+            'Content-Length': self.header_content_length,
         }
         signed = hs.sign(unsigned, method=METHOD, path=PATH)
 
@@ -115,15 +123,15 @@ def test_extra_auth_headers(self):
             'host',
             'date',
             'content-type',
-            'content-md5',
+            'digest',
             'content-length'
         ])
         unsigned = {
             'Host': HOST,
-            'Date': 'Thu, 05 Jan 2012 21:31:40 GMT',
-            'Content-Type': 'application/json',
-            'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
-            'Content-Length': '18',
+            'Date': self.header_date,
+            'Content-Type': self.header_content_type,
+            'Digest': self.header_digest,
+            'Content-Length': self.header_content_length,
         }
         signed = hs.sign(unsigned, method=METHOD, path=PATH)
         hv = HeaderVerifier(headers=signed, secret=self.verify_secret, method=METHOD, path=PATH, required_headers=['date', '(request-target)'])

httpsig/utils.py

@@ -151,6 +151,11 @@ def is_rsa(keyobj):
 
 # based on http://stackoverflow.com/a/2082169/151401
 class CaseInsensitiveDict(dict):
+    """ A case-insensitive dictionary for header storage.
+        A limitation of this approach is the inability to store
+        multiple instances of the same header. If that is changed
+        then we suddenly care about the assembly rules in sec 2.3.
+    """
     def __init__(self, d=None, **kwargs):
         super(CaseInsensitiveDict, self).__init__(**kwargs)
         if d: