Merge pull request #4 from SoapBox/feature/add-a-request-signer

[Feature] Adds a Request Generator

Author: Jaspaul

composer.json

@@ -12,12 +12,14 @@
     "minimum-stability": "stable",
     "require": {
         "php": ">=7.1",
+        "guzzlehttp/guzzle": "^6.2",
         "illuminate/http": "^5.4",
         "illuminate/support": "^5.4",
-        "orchestra/testbench": "^3.4"
+        "ramsey/uuid": "^3.6"
     },
     "require-dev": {
         "mockery/mockery": "^0.9.9",
+        "orchestra/testbench": "^3.4",
         "phpunit/phpunit": "^6.0"
     },
     "autoload": {

resources/config/signed-requests.php

@@ -1,6 +1,15 @@
 <?php
 
 return [
+    /*
+    |--------------------------------------------------------------------------
+    | The algorithm to sign the request with
+    |--------------------------------------------------------------------------
+    |
+    | This is the algorithm we'll use to sign the
+    */
+    'algorithm' => env('SIGNED_REQUEST_ALGORITHM', 'sha256'),
+
     /*
     |--------------------------------------------------------------------------
     | Available header overrides

src/Requests/Generator.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace SoapBox\SignedRequests\Requests;
+
+use Ramsey\Uuid\Uuid;
+use GuzzleHttp\Psr7\Request;
+use SoapBox\SignedRequests\Signature;
+use Illuminate\Support\Facades\Config;
+use Illuminate\Contracts\Config\Repository;
+
+class Generator
+{
+    /**
+     * An instance of the configuration repository.
+     *
+     * @var \Illuminate\Contracts\Config\Repository
+     */
+    private $repository;
+
+    /**
+     * Constructs our signed request generator with an instance of the
+     * configurations.
+     *
+     * @param \Illuminate\Contracts\Config\Repository $repository
+     *        A configuration repository.
+     */
+    public function __construct(Repository $repository)
+    {
+        $this->repository = $repository;
+    }
+
+    /**
+     * Signs and returns the request.
+     *
+     * @param \GuzzleHttp\Psr7\Request $request
+     *        The request to sign.
+     *
+     * @return \GuzzleHttp\Psr7\Request
+     *         The request with an id, algorith, and signature.
+     */
+    public function sign(Request $request) : Request
+    {
+        $algorithmHeader = $this->repository->get('signed-requests.headers.algorithm');
+        $signatureHeader = $this->repository->get('signed-requests.headers.signature');
+
+        $algorithm = $this->repository->get('signed-requests.algorithm');
+        $key = $this->repository->get('signed-requests.key');
+
+        $request = $request->withHeader('X-SIGNED-ID', (string) Uuid::uuid4());
+
+        $signature = new Signature(new Payload($request), $algorithm, $key);
+
+        return $request
+            ->withHeader($algorithmHeader, (string) $algorithm)
+            ->withHeader($signatureHeader, (string) $signature);
+    }
+}

src/Requests/Payload.php

@@ -0,0 +1,92 @@
+<?php
+
+namespace SoapBox\SignedRequests\Requests;
+
+use GuzzleHttp\Psr7\Request as GuzzleRequest;
+use Illuminate\Http\Request as IlluminateRequest;
+
+class Payload
+{
+    /**
+     * A request object. Currently both \GuzzleHttp\Psr7\Request and
+     * \Illuminate\Http\Request are supported.
+     *
+     * @var mixed
+     */
+    private $request;
+
+    /**
+     * Set's the local request to extract a payload from.
+     *
+     * @param mixed $request
+     *        The request to extract a payload from. Currently both
+     *        \GuzzleHttp\Psr7\Request and \Illuminate\Http\Request are
+     *        supported.
+     */
+    public function __construct($request)
+    {
+        $this->request = $request;
+    }
+
+    /**
+     * Returns the payload from a guzzle request.
+     *
+     * @param \GuzzleHttp\Psr7\Request $request
+     *        An instance of the guzzle request to extract a payload from.
+     *
+     * @return string
+     *         The payload.
+     */
+    protected function generateFromGuzzleRequest(GuzzleRequest $request) : string
+    {
+        $id = isset($this->request->getHeader('X-SIGNED-ID')[0]) ?
+            $this->request->getHeader('X-SIGNED-ID')[0] : '';
+
+        return json_encode([
+            'id' => (string) $id,
+            'method' => $this->request->getMethod(),
+            'uri' => (string) $this->request->getUri(),
+            'content' => $this->request->getBody()
+        ], JSON_UNESCAPED_SLASHES);
+    }
+
+    /**
+     * Retruns the payload from an illuminate request.
+     *
+     * @param \Illuminate\Http\Request $request
+     *        An instance of the illuminate request to extract the payload from.
+     *
+     * @return string
+     *         The payload.
+     */
+    protected function generateFromIlluminateRequest(IlluminateRequest $request) : string
+    {
+        $id = $this->request->headers->get('X-SIGNED-ID', '');
+
+        return json_encode([
+            'id' => (string) $id,
+            'method' => $this->request->getMethod(),
+            'uri' => (string) $this->request->fullUrl(),
+            'content' => $this->request->getContent()
+        ], JSON_UNESCAPED_SLASHES);
+    }
+
+    /**
+     * Returns a payload with the id, method, uri, and content embedded.
+     *
+     * @return string
+     *         A json encoded payload.
+     */
+    public function __toString() : string
+    {
+        if ($this->request instanceof GuzzleRequest) {
+            return $this->generateFromGuzzleRequest($this->request);
+        }
+
+        if ($this->request instanceof IlluminateRequest) {
+            return $this->generateFromIlluminateRequest($this->request);
+        }
+
+        return '';
+    }
+}

src/Requests/Verifier.php

@@ -4,6 +4,7 @@
 
 use Illuminate\Http\Request;
 use SoapBox\SignedRequests\Signature;
+use SoapBox\SignedRequests\Requests\Payload;
 
 class Verifier
 {
@@ -167,7 +168,7 @@ public function isValid(string $key) : bool
             return false;
         }
 
-        $signature = new Signature($this->getContent(), $this->getAlgorithm(), $key);
+        $signature = new Signature(new Payload($this->request), $this->getAlgorithm(), $key);
 
         return $signature->equals($this->getSignature());
     }

src/Signature.php

@@ -47,4 +47,15 @@ public function equals($signature) : bool
 
         return false;
     }
+
+    /**
+     * Returns the generated signature string.
+     *
+     * @return string
+     *         The signature.
+     */
+    public function __toString() : string
+    {
+        return (string) $this->signature;
+    }
 }

tests/Middlewares/VerifySignatureTest.php

@@ -4,10 +4,13 @@
 
 use Mockery;
 use Tests\TestCase;
+use Ramsey\Uuid\Uuid;
 use Illuminate\Http\Request;
 use SoapBox\SignedRequests\Signature;
 use Illuminate\Contracts\Config\Repository;
 use SoapBox\SignedRequests\Requests\Signed;
+use SoapBox\SignedRequests\Requests\Payload;
+use SoapBox\SignedRequests\Requests\Generator;
 use SoapBox\SignedRequests\Middlewares\VerifySignature;
 
 class VerifySignatureTest extends TestCase
@@ -71,6 +74,8 @@ public function it_throws_an_invalid_signature_exception_if_the_request_is_not_v
      */
     public function it_should_call_our_callback_if_the_request_is_valid()
     {
+        $id = (string) Uuid::uuid4();
+
         $this->configurations->shouldReceive('get')
             ->with('signed-requests.headers.signature')
             ->andReturn('signature');
@@ -89,11 +94,12 @@ public function it_should_call_our_callback_if_the_request_is_valid()
         $cookies = [];
         $files = [];
         $server = [
-            'HTTP_SIGNATURE' => hash_hmac('sha256', 'a', 'key'),
+            'HTTP_X-SIGNED-ID' => $id,
             'HTTP_ALGORITHM' => 'sha256'
         ];
 
         $request = new Request($query, $request, $attributes, $cookies, $files, $server, 'a');
+        $request->headers->set('signature', (string) new Signature(new Payload($request), 'sha256', 'key'));
 
         $this->middleware->handle($request, function () {
             // This should be called.

tests/Requests/GeneratorTest.php

@@ -0,0 +1,82 @@
+<?php
+
+namespace Tests\Requests;
+
+use Mockery;
+use Tests\TestCase;
+use GuzzleHttp\Psr7\Request;
+use SoapBox\SignedRequests\Signature;
+use Illuminate\Contracts\Config\Repository;
+use SoapBox\SignedRequests\Requests\Payload;
+use SoapBox\SignedRequests\Requests\Generator;
+
+class GeneratorTest extends TestCase
+{
+    private $repository;
+    private $generator;
+
+    /**
+     * @before
+     */
+    public function setup_a_local_generator()
+    {
+        $this->repository = Mockery::mock(Repository::class);
+
+        $this->repository
+            ->shouldReceive('get')
+            ->with('signed-requests.headers.algorithm')
+            ->andReturn('X-ALGORITHM');
+        $this->repository
+            ->shouldReceive('get')
+            ->with('signed-requests.headers.signature')
+            ->andReturn('X-SIGNATURE');
+        $this->repository
+            ->shouldReceive('get')
+            ->with('signed-requests.algorithm')
+            ->andReturn('sha256');
+        $this->repository
+            ->shouldReceive('get')
+            ->with('signed-requests.key')
+            ->andReturn('key');
+
+        $this->generator = new Generator($this->repository);
+    }
+
+    /**
+     * @test
+     */
+    public function it_adds_an_id_header_to_the_request()
+    {
+        $request = new Request('GET', 'https://localhost');
+        $this->assertNotContains('X-SIGNED-ID', array_keys($request->getHeaders()));
+        $request = $this->generator->sign($request);
+        $this->assertContains('X-SIGNED-ID', array_keys($request->getHeaders()));
+    }
+
+    /**
+     * @test
+     */
+    public function it_adds_an_algorithm_header_to_the_request()
+    {
+        $request = new Request('GET', 'https://localhost');
+        $this->assertNotContains('X-ALGORITHM', array_keys($request->getHeaders()));
+        $request = $this->generator->sign($request);
+        $this->assertContains('X-ALGORITHM', array_keys($request->getHeaders()));
+        $this->assertSame('sha256', $request->getHeaders()['X-ALGORITHM'][0]);
+    }
+
+    /**
+     * @test
+     */
+    public function it_adds_a_signature_header_to_the_request()
+    {
+        $request = new Request('GET', 'https://localhost');
+        $this->assertNotContains('X-SIGNATURE', array_keys($request->getHeaders()));
+        $request = $this->generator->sign($request);
+        $this->assertContains('X-SIGNATURE', array_keys($request->getHeaders()));
+
+        $signature = new Signature(new Payload($request), 'sha256', 'key');
+
+        $this->assertSame((string) $signature, $request->getHeaders()['X-SIGNATURE'][0]);
+    }
+}