Rename to httpsig

Updated to latest "HTTP Signature" spec.
Updated interface a bit to be easier to use.
Updated parsing of many aspects of the header to be more sane and standard.

Author: ahknight

.gitignore

@@ -19,4 +19,4 @@ celeryd.log
 celeryd.pid
 joy_rsa
 joy_rsa.pub
-
+.noseids

CHANGES.rst

@@ -1,7 +1,12 @@
 Changes
 -------
 
-0.2.0 ()
+0.2.0-AK (2014-Jun-23)
+~~~~~~~~~~~~~~~~~~~~~~
+* Removed HTTP version from request-line, per spec (breaks backwards compatability).
+* Removed auto-generation of missing Date header (ensures client compatability).
+
+0.2.0 (unreleased)
 ~~~~~~~~
 
 * Update to newer spec (incompatible with prior version).

http_signature/__init__.py httpsig/__init__.pyhttp_signature/__init__.py renamed to httpsig/__init__.py

@@ -175,8 +175,8 @@ def versions_from_parentdir(parentdir_prefix, versionfile_source, verbose=False)
     return {"version": dirname[len(parentdir_prefix):], "full": ""}
 
 tag_prefix = "v"
-parentdir_prefix = "http_signature-"
-versionfile_source = "http_signature/_version.py"
+parentdir_prefix = "httpsig-"
+versionfile_source = "httpsig/_version.py"
 
 def get_versions(default={"version": "unknown", "full": ""}, verbose=False):
     variables = { "refnames": git_refnames, "full": git_full }

http_signature/_version.py httpsig/_version.pyhttp_signature/_version.py renamed to httpsig/_version.py

@@ -14,21 +14,20 @@ class HTTPSignatureAuth(AuthBase):
     algorithm is one of the six specified algorithms
     headers is a list of http headers to be included in the signing string, defaulting to "Date" alone.
     '''
-    def __init__(self, key_id='', secret='', algorithm='rsa-sha256',
+    def __init__(self, key_id='', secret='', algorithm='hmac-sha256',
             headers=None, allow_agent=False):
         headers = headers or []
         self.header_signer = HeaderSigner(key_id=key_id, secret=secret,
                 algorithm=algorithm, headers=headers)
         self.uses_host = 'host' in [h.lower() for h in headers]
 
     def __call__(self, r):
-        headers = self.header_signer.sign_headers(
+        headers = self.header_signer.sign(
                 r.headers,
                 # 'Host' header unavailable in request object at this point
                 # if 'host' header is needed, extract it from the url
                 host=urlparse(r.url).netloc if self.uses_host else None,
                 method=r.method,
-                path=r.path_url,
-                http_version='1.1')
+                path=r.path_url)
         r.headers.update(headers)
         return r

http_signature/requests_auth.py httpsig/requests_auth.pyhttp_signature/requests_auth.py renamed to httpsig/requests_auth.py

@@ -48,23 +48,23 @@ def _get_key(self, secret):
             rsa_key = RSA.importKey(k, pw)
         return PKCS1_v1_5.new(rsa_key)
 
-    def sign_rsa(self, sign_string):
+    def _sign_rsa(self, sign_string):
         h = self._hash.new()
         h.update(sign_string)
         return self._rsa.sign(h)
 
-    def sign_hmac(self, sign_string):
+    def _sign_hmac(self, sign_string):
         hmac = self._hash.copy()
         hmac.update(sign_string)
         return hmac.digest()
 
 
-    def sign(self, sign_string):
+    def _sign(self, sign_string):
         data = None
         if self._rsa:
-            data = self.sign_rsa(sign_string)
+            data = self._sign_rsa(sign_string)
         elif self._hash:
-            data = self.sign_hmac(sign_string)
+            data = self._sign_hmac(sign_string)
         if not data:
             raise SystemError('No valid encryption: try allow_agent=False ?')
         return base64.b64encode(data)
@@ -113,12 +113,15 @@ class HeaderSigner(Signer):
     algorithm is one of the six specified algorithms
     headers is a list of http headers to be included in the signing string, defaulting to "Date" alone.
     '''
-    def __init__(self, key_id='', secret='~/.ssh/id_rsa',
-            algorithm='rsa-sha256', headers=None):
+    def __init__(self, key_id='', secret='~/.ssh/id_rsa', algorithm='rsa-sha256', headers=None):
+        
+        #PyCrypto wants strings, not unicode. We're not so demanding as an API.
+        key_id = str(key_id)
+        secret = str(secret)
+        
         super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm)
         self.headers = headers
-        self.signature_template = self.build_signature_template(
-                key_id, algorithm, headers)
+        self.signature_template = self.build_signature_template(key_id, algorithm, headers)
 
     def build_signature_template(self, key_id, algorithm, headers):
         """
@@ -134,37 +137,40 @@ def build_signature_template(self, key_id, algorithm, headers):
                      'algorithm': algorithm,
                      'signature': '%s'}
         if headers:
+            headers = [h.lower() for h in headers]
             param_map['headers'] = ' '.join(headers)
         kv = map('{0[0]}="{0[1]}"'.format, param_map.items())
         kv_string = ','.join(kv)
         sig_string = 'Signature {0}'.format(kv_string)
         return sig_string
 
-    def sign_headers(self, headers, host=None, method=None, path=None,
-            http_version='1.1'):
+    def sign(self, headers, host=None, method=None, path=None):
         """
         Add Signature Authorization header to case-insensitive header dict.
 
         headers is a case-insensitive dict of mutable headers.
         host is a override for the 'host' header (defaults to value in headers).
-        method is the HTTP method (used for 'request-line').
-        path is the HTTP path (used for 'request-line').
-        http_version is the HTTP version (used for 'request-line').
+        method is the HTTP method (used for '(request-line)').
+        path is the HTTP path (used for '(request-line)').
         """
         headers = CaseInsensitiveDict(headers)
-        if 'date' not in headers:
-            now = datetime.now()
-            stamp = mktime(now.timetuple())
-            headers['date'] = format_date_time(stamp)
+        
+        # AK: Possible problem here if the client and server's dates are off
+        #     by even one second, this will fail miserably.  This is also not
+        #     in the spec.  Should probably be removed.
+        # if 'date' not in headers:
+        #     now = datetime.now()
+        #     stamp = mktime(now.timetuple())
+        #     headers['date'] = format_date_time(stamp)
+        
         required_headers = self.headers or ['date']
         signable_list = []
         for h in required_headers:
-            if h == 'request-line':
+            if h == '(request-line)':
                 if not method or not path:
-                    raise Exception('method and path arguments required when using "request-line"')
+                    raise Exception('method and path arguments required when using "(request-line)"')
+                signable_list.append('%s %s' % (method.lower(), path))
 
-                signable_list.append('%s %s HTTP/%s' %
-                        (method.upper(), path, http_version))
             elif h == 'host':
                 # 'host' special case due to requests lib restrictions
                 # 'host' is not available when adding auth so must use a param
@@ -180,8 +186,9 @@ def sign_headers(self, headers, host=None, method=None, path=None,
                     raise Exception('missing required header "%s"' % (h))
 
                 signable_list.append('%s: %s' % (h.lower(), headers[h]))
+
         signable = '\n'.join(signable_list)
-        signature = self.sign(signable)
+        signature = self._sign(signable)
         headers['Authorization'] = self.signature_template % signature
-        return headers
 
+        return headers

http_signature/sign.py httpsig/sign.pyhttp_signature/sign.py renamed to httpsig/sign.py

@@ -5,6 +5,7 @@
 from Crypto.PublicKey import RSA
 from Crypto.Signature import PKCS1_v1_5
 from base64 import b64decode
+from urllib2 import parse_http_list
 
 from .utils import sig, is_rsa, CaseInsensitiveDict
 
@@ -28,7 +29,7 @@ def _get_key(self, key_id):
         return RSA.importKey(key)
 
 
-    def verify(self, data, signature):
+    def _verify(self, data, signature):
         """
         Checks data against the public key
         """
@@ -47,30 +48,35 @@ class HeaderVerifier(Verifier):
     """
     Verifies an HTTP signature from given headers.
     """
-    def __init__(self, headers, required_headers=None, method=None, path=None,
-                 host=None, http_version='1.1'):
+    def __init__(self, headers, required_headers=None, method=None, path=None, host=None):
 
         required_headers = required_headers or ['date']
         self.auth_dict = self.parse_auth(headers['authorization'])
         self.headers = CaseInsensitiveDict(headers)
         self.required_headers = [s.lower() for s in required_headers]
-        self.http_version = http_version
         self.method = method
         self.path = path
         self.host = host
         super(HeaderVerifier, self).__init__(key_id=self.auth_dict['keyId'],
                                              hash_algorithm="sha256") # should get hash algorithm from request...
 
     def parse_auth(self, auth):
-        """Basic Authorization header parsing."""
+        """
+        Basic Authorization header parsing.
+        AK: Fails if there is a comma inside a quoted string. Consider urllib2.parse_http_list.
+        """
         # split 'Signature kvpairs'
         s, param_str = auth.split(' ', 1)
+        
         # split k1="v1",k2="v2",...
         param_list = param_str.split(',')
+        
         # convert into [(k1,"v1"), (k2, "v2"), ...]
         param_pairs = [p.split('=', 1) for p in param_list]
+        
         # convert into {k1:v1, k2:v2, ...}
         param_dict = {k: v.strip('"') for k, v in param_pairs}
+        
         return param_dict
 
 
@@ -87,12 +93,12 @@ def get_signable(self):
 
         signable_list = []
         for h in auth_headers:
-            if h == 'request-line':
+            if h == '(request-line)':
                 if not self.method or not self.path:
-                    raise Exception('method and path arguments required when using "request-line"')
+                    raise Exception('method and path arguments required when using "(request-line)"')
 
-                signable_list.append('%s %s HTTP/%s' %
-                        (self.method.upper(), self.path, self.http_version))
+                signable_list.append('%s %s' % (self.method.upper(), self.path))
+            
             elif h == 'host':
                 # 'host' special case due to requests lib restrictions
                 # 'host' is not available when adding auth so must use a param
@@ -113,8 +119,8 @@ def get_signable(self):
         signable = '\n'.join(signable_list)
         return signable
 
-    def verify_headers(self):
+    def verify(self):
         signing_str = self.get_signable()
         # self.auth_dict['keyId']
         # self.auth_dict['signature']
-        return self.verify(signing_str, self.auth_dict['signature'])
+        return self._verify(signing_str, self.auth_dict['signature'])

http_signature/utils.py httpsig/utils.pyhttp_signature/utils.py renamed to httpsig/utils.py

@@ -0,0 +1,3 @@
+from .test_signature import *
+from .test_utils import *
+from .test_verify import *

http_signature/verify.py httpsig/verify.pyhttp_signature/verify.py renamed to httpsig/verify.py

@@ -6,7 +6,7 @@
 import json
 import unittest
 
-from http_signature.sign import HeaderSigner
+from httpsig.sign import HeaderSigner
 
 
 class TestSign(unittest.TestCase):
@@ -30,7 +30,7 @@ def setUp(self):
     def test_date_added(self):
         hs = HeaderSigner(key_id='', secret=self.key)
         unsigned = {}
-        signed = hs.sign_headers(unsigned)
+        signed = hs.sign(unsigned)
         self.assertIn('Date', signed)
         self.assertIn('Authorization', signed)
 
@@ -39,7 +39,7 @@ def test_default(self):
         unsigned = {
             'Date': 'Thu, 05 Jan 2012 21:31:40 GMT'
         }
-        signed = hs.sign_headers(unsigned)
+        signed = hs.sign(unsigned)
         self.assertIn('Date', signed)
         self.assertEqual(unsigned['Date'], signed['Date'])
         self.assertIn('Authorization', signed)
@@ -53,7 +53,7 @@ def test_default(self):
 
     def test_all(self):
         hs = HeaderSigner(key_id='Test', secret=self.key, headers=[
-            'request-line',
+            '(request-line)',
             'host',
             'date',
             'content-type',
@@ -67,7 +67,7 @@ def test_all(self):
             'Content-MD5': 'Sd/dVLAcvNLSq16eXua5uQ==',
             'Content-Length': '18',
         }
-        signed = hs.sign_headers(unsigned, method='POST',
+        signed = hs.sign(unsigned, method='POST',
                 path='/foo?param=value&pet=dog')
         self.assertIn('Date', signed)
         self.assertEqual(unsigned['Date'], signed['Date'])
@@ -78,7 +78,7 @@ def test_all(self):
         self.assertIn('signature', params)
         self.assertEqual(params['keyId'], 'Test')
         self.assertEqual(params['algorithm'], 'rsa-sha256')
-        self.assertEqual(params['headers'], 'request-line host date content-type content-md5 content-length')
+        self.assertEqual(params['headers'], '(request-line) host date content-type content-md5 content-length')
         self.assertEqual(params['signature'], 'H/AaTDkJvLELy4i1RujnKlS6dm8QWiJvEpn9cKRMi49kKF+mohZ15z1r+mF+XiKS5kOOscyS83olfBtsVhYjPg2Ei3/D9D4Mvb7bFm9IaLJgYTFFuQCghrKQQFPiqJN320emjHxFowpIm1BkstnEU7lktH/XdXVBo8a6Uteiztw=')
 
 if __name__ == '__main__':