acquia / http-hmac-php Goto Github PK

An implementation of the HTTP HMAC Spec in PHP that integrates with popular libraries such as Symfony and Guzzle.

Home Page: https://github.com/acquia/http-hmac-spec

License: MIT License

PHP 99.48% Makefile 0.52%

http-hmac-php's Introduction

HTTP HMAC Signer for PHP

This library implements version 2.0 of the HTTP HMAC Spec to sign and verify RESTful Web API requests. It integrates with popular frameworks and libraries, like Symfony and Guzzle, and can be used on both the server and client.

Installation

Use Composer and add it as a dependency to your project's composer.json file:

{
    "require": {
        "acquia/http-hmac-php": "^5.0"
    }
}

Please refer to Composer's documentation for more detailed installation and usage instructions.

Usage

Sign an API request sent via Guzzle

require_once 'vendor/autoload.php';

use Acquia\Hmac\Guzzle\HmacAuthMiddleware;
use Acquia\Hmac\Key;
use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;

// Create the HTTP HMAC key.
// A key consists of and ID and a Base64-encoded shared secret.
// Note: the API provider may have already encoded the secret. In this case, it should not be re-encoded.
$key_id = 'e7fe97fa-a0c8-4a42-ab8e-2c26d52df059';
$key_secret = base64_encode('secret');
$key = new Key($key_id, $key_secret);

// Optionally, you can provide additional headers when generating the signature.
// The header keys need to be provided to the middleware below.
$headers = [
    'X-Custom-1' => 'value1',
    'X-Custom-2' => 'value2',
];

// Specify the API's realm.
// Consult the API documentation for this value.
$realm = 'Acquia';

// Create a Guzzle middleware to handle authentication during all requests.
// Provide your key, realm and the names of any additional custom headers.
$middleware = new HmacAuthMiddleware($key, $realm, array_keys($headers));

// Register the middleware.
$stack = HandlerStack::create();
$stack->push($middleware);

// Create a client.
$client = new Client([
    'handler' => $stack,
]);

// Request.
try {
    $result = $client->get('https://service.acquia.io/api/v1/widget', [
        'headers' => $headers,
    ]);
} catch (ClientException $e) {
    print $e->getMessage();
    $response = $e->getResponse();
}
  
print $response->getBody();

Authenticate the request using PSR-7-compatible requests

use Acquia\Hmac\RequestAuthenticator;
use Acquia\Hmac\ResponseSigner;

// $keyLoader implements \Acquia\Hmac\KeyLoaderInterface
$authenticator = new RequestAuthenticator($keyLoader);

// $request implements PSR-7's \Psr\Http\Message\RequestInterface
// An exception will be thrown if it cannot authenticate.
$key = $authenticator->authenticate($request);

$signer = new ResponseSigner($key, $request);
$signedResponse = $signer->signResponse($response);

Authenticate using Symfony's Security component

In order to use the provided Symfony integration, you will need to include the following optional libraries in your project's composer.json

{
    "require": {
        "symfony/psr-http-message-bridge": "~0.1",
        "symfony/security": "~3.0",
        "zendframework/zend-diactoros": "~1.3.5"
    }
}

Sample implementation:

# app/config/parameters.yml
parameters:
   hmac_keys: {"key": "secret"}

# app/config/services.yml
services:
    hmac.keyloader:
        class: Acquia\Hmac\KeyLoader
        arguments:
            $keys: '%hmac_keys%'

    hmac.request.authenticator:
        class: Acquia\Hmac\RequestAuthenticator
        arguments:
         - '@hmac.keyloader'
        public: false
        
    hmac.response.signer:
        class: Acquia\Hmac\Symfony\HmacResponseListener
        tags:
          - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
          
    hmac.entry-point:
        class: Acquia\Hmac\Symfony\HmacAuthenticationEntryPoint

    hmac.security.authentication.provider:
        class: Acquia\Hmac\Symfony\HmacAuthenticationProvider
        arguments:
            - '@hmac.request.authenticator'
        public: false

    hmac.security.authentication.listener:
        class: Acquia\Hmac\Symfony\HmacAuthenticationListener
        arguments: ['@security.token_storage', '@security.authentication.manager', '@hmac.entry-point']
        public: false

# app/config/security.yml
security:
    # ...

    firewalls:
        hmac_auth:
            pattern:   ^/api/
            stateless: true
            hmac_auth: true

// src/AppBundle/AppBundle.php
namespace AppBundle;

use Acquia\Hmac\Symfony\HmacFactory;
use Symfony\Component\HttpKernel\Bundle\Bundle;
use Symfony\Component\DependencyInjection\ContainerBuilder;

class AppBundle extends Bundle
{
    public function build(ContainerBuilder $container)
    {
        parent::build($container);
        $extension = $container->getExtension('security');
        $extension->addSecurityListenerFactory(new HmacFactory());
    }
}

PHPUnit testing a controller using HMAC HTTP authentication in Symfony:

Add the service declaration:

# app/config/parameters_test.yml

services:
    test.client.hmac:
        class: Acquia\Hmac\Test\Mocks\Symfony\HmacClient
        arguments: ['@kernel', '%test.client.parameters%', '@test.client.history', '@test.client.cookiejar']

// src/AppBundle/Tests/HmacTestCase.php

namespace MyApp\Bundle\AppBundle\Tests;

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Bundle\FrameworkBundle\Client;
use Acquia\Hmac\Key;

class HmacTestCase extends WebTestCase
{
    /**
     * @var Client
     */
    private $client;

    protected static function createClient(array $options = array(), array $server = array())
    {
        $kernel = static::bootKernel($options);

        $client = $kernel->getContainer()->get('test.client.hmac');
        $client->setServerParameters($server);

        return $client;
    }

    protected function setUp()
    {
        $this->client = static::createClient();

        $this->client->setKey(new Key('my-key', 'my-not-really-secret'));
    }

Contributing and Development

GNU Make and Composer are used to manage development dependencies and testing:

# Install depdendencies
make install

# Run test suite
make test

All code should adhere to the following standards:

Submit changes using GitHub's standard pull request workflow.

http-hmac-php's People

Contributors

Stargazers

Watchers

http-hmac-php's Issues

ResponseAuthenticator should not attempt to authenticate responses if it receives an authentication failure response from the server

Via typhonius/acquia-php-sdk-v2#1, ResponseAuthenticator will throw a MalformedRequest exception if it detects there is no X-Server-Authorization-HMAC-SHA256 header.

However, according to the spec, the header should be set if, and only if, the request could be authenticated (emphasis mine):

If the server authenticates the request successfully, it will add the following HTTP headers to the response (for all non-HEAD requests):
X-Server-Authorization-HMAC-SHA256: <HMACServerAuthorization>

ResponseAuthenticator should not throw an exception if the server response indicates the request could not be authenticated. We're probably safe to assume that this means a 401 response.

With symfony do not work, missing request attribute hmac.key in request signer

\Acquia\Hmac\RequestSigner::signRequest
so each test fails, prerequest JS for postman also do not set hmac.key so generaly it sucks.

Add the ability to set a custom header prefix, e.g. "acquia-*"

Currently the list of custom headers is a whitelist, it would be great to specify a glob of headers prefixed with something like "acquia".

Remove support for Silex

Silex will become end-of-life in June. We should stop supporting it.

Deprecate and drop support for PHP 5.5

PHP 5.5 reached end of life at the end of July: we should stop supporting it, as it would avoid us having to maintain polyfills like in #21.

My recommendation is to deprecate it in the next version, 3.1.2, and then release an acquia/http-hmac-php 4.0 that removes the hash_equals() polyfill and pegs support to PHP 5.6 only.

Can't include in PHP8.1 (Laravel) project

Any chance this can be updated to be included with a project that requires PHP 8.1?
It is locked to PHP 7.2

PHP 8 compatibility

Hey, I tried to install this library on Symfony 5.2 with PHP 8

composer update
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "5.2.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires acquia/http-hmac-php ^5.0 -> satisfiable by acquia/http-hmac-php[5.0.0].
    - acquia/http-hmac-php 5.0.0 requires php ^7.2 -> your php version (8.0.2) does not satisfy that requirement.

By default it will install ^3.4 which in turn will later result in

In ClassExistenceResource.php line 74:

  Class "Symfony\Component\Security\Http\Firewall\ListenerInterface" not found while loading "Acquia\Hmac\Symfony\HmacAuthenticationListener".

Are there any plans on supporting PHP 8 any soon?

Thanks in advance!

Add support for Zend Framework's HTTP component

RequestAuthenticator.php and ResponseAuthenticator.php are vulnerable to timing attacks

In both files equals operators are used to test the expected hmac against the calculated hmac.
This makes the check susceptible to timing attacks.

Instead you should use: hash_equals(hmac1, hmac2) - available since PHP 5.6

Add support for the Buzz library

https://github.com/kriswallsmith/Buzz

Not compatible with drupal/core-recommended 10.2.2 or later

Describe the bug
I created a ticket at https://www.drupal.org/project/drupal/issues/3424183#comment-15464851

When trying to upgrade Drupal core to 10.2.2 or later with drupal/core-recommended installed, it fails.

drupal/core-recommended requires symfony/psr-http-message-bridge ~v6.4.0
acquia/http-hmac-php requires "symfony/psr-http-message-bridge": "^2.0",

Problem 1

Root composer.json requires drupal/core-recommended 10.2.3 -> satisfiable by drupal/core-recommended[10.2.3].
drupal/core-recommended 10.2.3 requires symfony/psr-http-message-bridge ~v6.4.0 -> found symfony/psr-http-message-bridge[v6.4.0-BETA1, ..., 6.4.x-dev] but these were not loaded, likely because it conflicts with another require.

Implement v2 of the HTTP HMAC Spec

Version 1 is effectively deprecated, v2 is the latest and greatest. We should implement v2 of the spec in this library.

This will likely be a massive refactoring, so this will result in a 3.0 version of this library. We can therefore drop support for the V1 version of the algorithm, as if you are using V1 then you should stick with the V2 version of this library.

Add support for Guzzle5

We need a RequestInterface implementation for Guzzle5 as well as an Auth Plugin modeled after the one implemented for Guzzle3.

401 Signature not valid

I'm using the Guzzle handler on the request side and the Symfony firewall on the response side, everything seems to be configured as it should (the key is found, the headers are found, etc..) but I alway receive the "401 Signature not valid" response.

I also tried without the symfony intergration, doing the validation manually but the problem remain the same.

I believe either there is a bug or there is something missing in the documentation.

Please tell me what information you need to resolve this issue. Thanks !

API keys with dashes (-) and underscored (_) do not validate

API keys that are UUIDs or have underscores do not validate.

Port number is not used when generating signature

From the spec:

Host: The (lowercase) hostname, matching the HTTP "Host" request header field (including any port number)

But in the code, no port number is added to the string, so the signature does not match when using a non-standard port.

Response::getBody->getContents() returns empty string

Hey,

In ResponseSigner.php the Response body stream in being consumed by signResponse() at line 60. Although explicit casting using __toString() will always rewind a stream before reading it, calling the getContents() method from StreamInterface will not. As a result, the middleware is breaking expected behavior, since Response::getBody()->getContents() will always return empty string after a POST.

I fixed it with a simple $response->getBody()->rewind() just after assigning $parts. I guess you can also use tell() and the seek() but I failed to find any real-life scenarios where it would make sense for a middleware to start reading the stream halfway through.

Do you want a pull request for this or is the fix trivial enough like this?

Cheers,

Matt

Symfony2

I've written a Symfony2 Integration, can you take a look and tell me your opinion
https://github.com/ibrows/IbrowsHmacBundle