muxinc · eropple · Mar 17, 2022 · Mar 18, 2022 · Mar 18, 2022 · Mar 18, 2022
@@ -0,0 +1,6 @@
+root = true
+
+[*.rb]
+indent_size = 2
+indent_style = space
+insert_final_newline = true
@@ -21,6 +21,8 @@ jobs:
         run: gem install bundler
       - name: Install Ruby Dependencies
         run: bundle install --jobs 4 --retry 3
+      - name: Run unit test
+        run: rake spec
       - name: Run Integration Tests
         env:
           MUX_TOKEN_ID: ${{ secrets.MUX_TOKEN_ID }}

@@ -24,6 +24,8 @@ jobs:
         run: gem install bundler
       - name: Install Ruby Dependencies
         run: bundle install --jobs 4 --retry 3
+      - name: Run unit test
+        run: rake spec
       - name: Run Integration Tests
         env:
           MUX_TOKEN_ID: ${{ secrets.MUX_TOKEN_ID }}

@@ -25,3 +25,11 @@
 
 git_push.sh
 .travis.yml
+
+lib/helpers.rb
+lib/helpers/*.rb
+
+spec/api_client_spec.rb
+spec/configuration_spec.rb
+spec/api/*.rb
+spec/models/*.rb
@@ -1,7 +1,8 @@
 PATH
   remote: .
   specs:
-    mux_ruby (3.0.0)
+    mux_ruby (3.3.1)
+      securecompare (= 1.0.0)
       typhoeus (~> 1.0, >= 1.0.1)
 
 GEM
@@ -50,6 +51,7 @@ GEM
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 1.6)
     ruby-progressbar (1.11.0)
+    securecompare (1.0.0)
     solid_assert (1.0.0)
     typhoeus (1.4.0)
       ethon (>= 0.9.0)

@@ -22,6 +22,7 @@ clean-products:
 
 build: ensure clean-products
 	${OAS_CLI} generate -g "${GENERATOR_TYPE}" -c "${CONFIG_PATH}" -t "${TEMPLATE_DIR}" -o "${OUTPUT_DIR}" -i "${OAS_SPEC_PATH}"
+	cp -R ${OUTPUT_DIR}/lib-manual/* ${OUTPUT_DIR}/lib/mux_ruby
 
 config-help: ensure
 	${OAS_CLI} config-help -g "${GENERATOR_TYPE}"

@@ -21,6 +21,9 @@ require '{{importPath}}'
 {{/apis}}
 {{/apiInfo}}
 
+# Custom imports
+require 'mux_ruby/helpers'
+
 module {{moduleName}}
   class << self
     # Customize default settings for the SDK using block.

@@ -26,6 +26,7 @@ Gem::Specification.new do |s|
   {{^isFaraday}}
   s.add_runtime_dependency 'typhoeus', '~> 1.0', '>= 1.0.1'
   {{/isFaraday}}
+  s.add_runtime_dependency 'securecompare', '1.0.0'
 
   s.add_development_dependency 'rspec', '~> 3.6', '>= 3.6.0'
 

@@ -0,0 +1 @@
+require 'mux_ruby/helpers/webhook_verifier'
@@ -0,0 +1,74 @@
+require 'openssl'
+require 'securecompare'
+
+module MuxRuby
+  module Helpers
+    class WebhookVerifier
+      DEFAULT_TOLERANCE = 300
+      HEADER_SCHEMES = [:v1].freeze
+
+      # Initializer.
+      #
+      # @param [String] secret the webhook secret from your Mux control panel
+      # @param [Integer] tolerance the signature timing tolerance, in seconds (generally leave as is)
+      # @param [Array<Symbol>] header_schemes the list of accepted header schemes for this verifier
+      def initialize(secret: nil, tolerance: DEFAULT_TOLERANCE, header_schemes: [:v1])
+        raise "secret '#{secret.inspect}' must be a String" unless secret.is_a?(String)
+        raise "tolerance '#{tolerance.inspect}' must be a positive number." \
+          unless tolerance.is_a?(Integer) && tolerance > 0
+        raise "header schemes '#{header_schemes.inspect}' must all be in HEADER_SCHEMES: '#{HEADER_SCHEMES.inspect}'" \
+          unless header_schemes.all? { |h| HEADER_SCHEMES.include?(h) }
+
+        @secret = secret.dup
+        @tolerance = tolerance
+        @header_schemes = header_schemes.map(&:to_s).sort.uniq.reverse
+      end
+
+      # Initializer.
+      #
+      # @param [String] request_body the raw, unmodified body of the request
+      # @param [String] header the Mux-Signature header
+      # @param [Time] current_timestamp (for test purposes) the current time expected for this webhook (defaults to `Time.utc`)
+      # @return [Boolean] true if webhook is verified; false otherwise
+      def verify(request_body:, header:, current_timestamp: Time.now.getutc)
+        header_parts = self.kv_from_header(header)
+
+        timestamp = header_parts['t'].to_i
+        scheme_used = @header_schemes.detect { |scheme| !header_parts[scheme].nil? }
+        mux_signature = header_parts[scheme_used]
+
+        if timestamp.nil? || mux_signature.nil?
+          false
+        else
+          case scheme_used
+          when 'v1'
+            expected_signature = self.compute_v1_signature("#{timestamp}.#{request_body}")
+            if SecureCompare.compare(expected_signature, mux_signature)
+              delta = current_timestamp.to_i - timestamp
+
+              if (delta <= @tolerance)
+                true
+              else
+                false
+              end
+            else
+              false
+            end
+          else
+            warn "Unhandled *but recognized* Mux signature format '#{scheme_used}'. Please contact Mux."
+            false
+          end
+        end
+      end
+
+      private
+      def kv_from_header(header)
+        Hash[header.strip.gsub(/^Mux-Signature:/, "").strip.split(",").map { |tup| tup.split("=") }]
+      end
+
+      def compute_v1_signature(payload)
+        OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
+      end
+    end
+  end
+end
@@ -144,6 +144,9 @@
 require 'mux_ruby/api/url_signing_keys_api'
 require 'mux_ruby/api/video_views_api'
 
+# Custom imports
+require 'mux_ruby/helpers'
+
 module MuxRuby
   class << self
     # Customize default settings for the SDK using block.

@@ -0,0 +1 @@
+require 'mux_ruby/helpers/webhook_verifier'
@@ -0,0 +1,74 @@
+require 'openssl'
+require 'securecompare'
+
+module MuxRuby
+  module Helpers
+    class WebhookVerifier
+      DEFAULT_TOLERANCE = 300
+      HEADER_SCHEMES = [:v1].freeze
+
+      # Initializer.
+      #
+      # @param [String] secret the webhook secret from your Mux control panel
+      # @param [Integer] tolerance the signature timing tolerance, in seconds (generally leave as is)
+      # @param [Array<Symbol>] header_schemes the list of accepted header schemes for this verifier
+      def initialize(secret: nil, tolerance: DEFAULT_TOLERANCE, header_schemes: [:v1])
+        raise "secret '#{secret.inspect}' must be a String" unless secret.is_a?(String)
+        raise "tolerance '#{tolerance.inspect}' must be a positive number." \
+          unless tolerance.is_a?(Integer) && tolerance > 0
+        raise "header schemes '#{header_schemes.inspect}' must all be in HEADER_SCHEMES: '#{HEADER_SCHEMES.inspect}'" \
+          unless header_schemes.all? { |h| HEADER_SCHEMES.include?(h) }
+
+        @secret = secret.dup
+        @tolerance = tolerance
+        @header_schemes = header_schemes.map(&:to_s).sort.uniq.reverse
+      end
+
+      # Initializer.
+      #
+      # @param [String] request_body the raw, unmodified body of the request
+      # @param [String] header the Mux-Signature header
+      # @param [Time] current_timestamp (for test purposes) the current time expected for this webhook (defaults to `Time.utc`)
+      # @return [Boolean] true if webhook is verified; false otherwise
+      def verify(request_body:, header:, current_timestamp: Time.now.getutc)
+        header_parts = self.kv_from_header(header)
+
+        timestamp = header_parts['t'].to_i
+        scheme_used = @header_schemes.detect { |scheme| !header_parts[scheme].nil? }
+        mux_signature = header_parts[scheme_used]
+
+        if timestamp.nil? || mux_signature.nil?
+          false
+        else
+          case scheme_used
+          when 'v1'
+            expected_signature = self.compute_v1_signature("#{timestamp}.#{request_body}")
+            if SecureCompare.compare(expected_signature, mux_signature)
+              delta = current_timestamp.to_i - timestamp
+
+              if (delta <= @tolerance)
+                true
+              else
+                false
+              end
+            else
+              false
+            end
+          else
+            warn "Unhandled *but recognized* Mux signature format '#{scheme_used}'. Please contact Mux."
+            false
+          end
+        end
+      end
+
+      private
+      def kv_from_header(header)
+        Hash[header.strip.gsub(/^Mux-Signature:/, "").strip.split(",").map { |tup| tup.split("=") }]
+      end
+
+      def compute_v1_signature(payload)
+        OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
+      end
+    end
+  end
+end
@@ -29,6 +29,7 @@ Gem::Specification.new do |s|
   s.required_ruby_version = ">= 2.4"
 
   s.add_runtime_dependency 'typhoeus', '~> 1.0', '>= 1.0.1'
+  s.add_runtime_dependency 'securecompare', '1.0.0'
 
   s.add_development_dependency 'rspec', '~> 3.6', '>= 3.6.0'