Update package to follow the latest draft

Author: kislyuk

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [kislyuk]

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+  CI:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+      max-parallel: 8
+      matrix:
+        python-version: ["3.7", "3.8", "3.9", "3.10"]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install build dependencies
+      run: pip install build wheel
+    - name: Install package
+      run: pip install .[tests]
+    - name: Test
+      run: make test

.github/workflows/pythonpackage.yml

@@ -1,27 +1,22 @@
-test_deps:
-	pip install coverage flake8 wheel
+SHELL=/bin/bash
 
-lint: test_deps
-	flake8 $$(python setup.py --name | sed 's/-/_/g')
+lint:
+	flake8
 
-test: test_deps lint
-	coverage run --source=$$(python setup.py --name | sed 's/-/_/g') ./test/test.py
+test: lint
+	python ./test/test.py -v
 
 init_docs:
 	cd docs; sphinx-quickstart
 
 docs:
-	$(MAKE) -C docs html
+	sphinx-build docs docs/html
 
-install: clean
-	pip install wheel
-	python setup.py bdist_wheel
+install:
+	-rm -rf dist
+	python -m build
 	pip install --upgrade dist/*.whl
 
-clean:
-	-rm -rf build dist
-	-rm -rf *.egg-info
-
-.PHONY: lint test test_deps docs install clean
+.PHONY: test lint release docs
 
 include common.mk

Makefile

@@ -2,10 +2,7 @@ requests-http-signature: A Requests auth module for HTTP Signature
 ==================================================================
 **requests-http-signature** is a `Requests <https://github.com/requests/requests>`_ `authentication plugin
 <http://docs.python-requests.org/en/master/user/authentication/>`_ (``requests.auth.AuthBase`` subclass) implementing
-the `IETF HTTP Signatures draft RFC <https://tools.ietf.org/html/draft-richanna-http-message-signatures>`_. It has no
-required dependencies outside the standard library. If you wish to use algorithms other than HMAC (namely, RSA and
-ECDSA algorithms specified in the RFC), there is an optional dependency on
-`cryptography <https://pypi.python.org/pypi/cryptography>`_.
+the `IETF HTTP Message Signatures draft RFC <https://datatracker.ietf.org/doc/draft-ietf-httpbis-message-signatures/>`_.
 
 Installation
 ------------
@@ -19,65 +16,74 @@ Usage
 .. code-block:: python
 
   import requests
-  from requests_http_signature import HTTPSignatureAuth
+  from requests_http_signature import HTTPSignatureAuth, algorithms
   
   preshared_key_id = 'squirrel'
-  preshared_secret = 'monorail_cat'
+  preshared_secret = b'monorail_cat'
   url = 'http://example.com/path'
-  
-  requests.get(url, auth=HTTPSignatureAuth(key=preshared_secret, key_id=preshared_key_id))
 
-By default, only the ``Date`` header is signed (as per the RFC) for body-less requests such as GET. The ``Date`` header
-is set if it is absent. In addition, for requests with bodies (such as POST), the ``Digest`` header is set to the SHA256
-of the request body and signed (an example of this appears in the RFC). To add other headers to the signature, pass an
-array of header names in the ``headers`` keyword argument.
+  auth = HTTPSignatureAuth(key=preshared_secret, key_id=preshared_key_id, signature_algorithm=algorithms.HMAC_SHA256)
+  requests.get(url, auth=auth)
+
+By default, only the ``Date`` header and the ``@method``, ``@authority``, and ``@target-uri`` derived component
+identifiers are signed for body-less requests such as GET. The ``Date`` header is set if it is absent. In addition, for
+requests with bodies (such as POST), the ``Content-Digest`` header is set to the SHA256 of the request body using the
+format described in the
+`IETF Digest Fields draft RFC <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-digest-headers>`_ and signed.
+To add other headers to the signature, pass an array of header names in the ``covered_component_ids`` keyword argument.
 
 In addition to signing messages in the client, the class method ``HTTPSignatureAuth.verify()`` can be used to verify
 incoming requests:
 
 .. code-block:: python
 
-  def key_resolver(key_id, algorithm):
-      return 'monorail_cat'
+  class key_resolver:
+      def resolve_public_key(self, key_id):
+          assert key_id == 'squirrel'
+          return 'monorail_cat'
+
+  HTTPSignatureAuth.verify(request, signature_algorithm=algorithms.HMAC_SHA256, key_resolver=key_resolver)
+
 
-  HTTPSignatureAuth.verify(request, key_resolver=key_resolver)
+Asymmetric key algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~
+To sign or verify messages with an asymmetric key algorithm, set the ``signature_algorithm`` keyword argument to
+``algorithms.ED25519``, ``algorithms.ECDSA_P256_SHA256``, ``algorithms.RSA_V1_5_SHA256``, or
+``algorithms.RSA_PSS_SHA512``. Note that signing with rsa-pss-sha512 is not currently supported due to a limitation of
+the cryptography library.
 
-Asymmetric key algorithms (RSA and ECDSA)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-For asymmetric key algorithms, you should supply the private key as the ``key`` parameter to the ``HTTPSignatureAuth()`` 
-constructor as bytes in the PEM format:
+For asymmetric key algorithms, you can supply the private key as the ``key`` parameter to the ``HTTPSignatureAuth()``
+constructor as bytes in the PEM format, or configure the key resolver as follows:
 
 .. code-block:: python
 
   with open('key.pem', 'rb') as fh:
-      requests.get(url, auth=HTTPSignatureAuth(algorithm="rsa-sha256", key=fh.read(), key_id=preshared_key_id))
+      auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256, key=fh.read(), key_id=preshared_key_id)
+  requests.get(url, auth=auth)
 
-When verifying, the ``key_resolver()`` callback should provide the public key as bytes in the PEM format as well.
+  class MyKeyResolver:
+      def resolve_public_key(self, key_id: str):
+          return public_key_pem_bytes[key_id]
+
+      def resolve_private_key(self, key_id: str):
+          return private_key_pem_bytes[key_id]
+
+  auth = HTTPSignatureAuth(algorithm=algorithms.RSA_V1_5_SHA256, key=fh.read(), key_resolver=MyKeyResolver())
+  requests.get(url, auth=auth)
 
 Links
 -----
-* `IETF HTTP Signatures draft <https://tools.ietf.org/html/draft-richanna-http-message-signatures>`_
-* https://github.com/joyent/node-http-signature
-* `Project home page (GitHub) <https://github.com/kislyuk/requests-http-signature>`_
-* `Documentation (Read the Docs) <https://requests-http-signature.readthedocs.io/en/latest/>`_
+* `IETF HTTP Signatures draft <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures>`_
+* `http-message-signatures <https://github.com/pyauth/http-message-signatures>`_ - a dependency of this library that
+  handles much of the implementation
+* `Project home page (GitHub) <https://github.com/pyauth/requests-http-signature>`_
 * `Package distribution (PyPI) <https://pypi.python.org/pypi/requests-http-signature>`_
-* `Change log <https://github.com/kislyuk/requests-http-signature/blob/master/Changes.rst>`_
+* `Change log <https://github.com/pyauth/requests-http-signature/blob/master/Changes.rst>`_
 
 Bugs
 ~~~~
-Please report bugs, issues, feature requests, etc. on `GitHub <https://github.com/kislyuk/requests-http-signature/issues>`_.
+Please report bugs, issues, feature requests, etc. on `GitHub <https://github.com/pyauth/requests-http-signature/issues>`_.
 
 License
 -------
 Licensed under the terms of the `Apache License, Version 2.0 <http://www.apache.org/licenses/LICENSE-2.0>`_.
-
-.. image:: https://github.com/pyauth/requests-http-signature/workflows/Python%20package/badge.svg
-        :target: https://github.com/pyauth/requests-http-signature/actions
-.. image:: https://codecov.io/github/kislyuk/requests-http-signature/coverage.svg?branch=master
-        :target: https://codecov.io/github/kislyuk/requests-http-signature?branch=master
-.. image:: https://img.shields.io/pypi/v/requests-http-signature.svg
-        :target: https://pypi.python.org/pypi/requests-http-signature
-.. image:: https://img.shields.io/pypi/l/requests-http-signature.svg
-        :target: https://pypi.python.org/pypi/requests-http-signature
-.. image:: https://readthedocs.org/projects/requests-http-signature/badge/?version=latest
-        :target: https://requests-http-signature.readthedocs.org/

README.rst

@@ -1,28 +1,31 @@
 SHELL=/bin/bash -eo pipefail
 
-release_major:
+release-major:
 	$(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v@{[$$1+1]}.0.0"'))
 	$(MAKE) release
 
-release_minor:
+release-minor:
 	$(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v$$1.@{[$$2+1]}.0"'))
 	$(MAKE) release
 
-release_patch:
+release-patch:
 	$(eval export TAG=$(shell git describe --tags --match 'v*.*.*' | perl -ne '/^v(\d+)\.(\d+)\.(\d+)/; print "v$$1.$$2.@{[$$3+1]}"'))
 	$(MAKE) release
 
 release:
-	@if [[ -z $$TAG ]]; then echo "Use release_{major,minor,patch}"; exit 1; fi
-	$(eval REMOTE=$(shell git remote get-url origin | perl -ne '/([^\/\:]+\/.+?)(\.git)?$$/; print $$1'))
+	@if ! git diff --cached --exit-code; then echo "Commit staged files before proceeding"; exit 1; fi
+	@if [[ -z $$TAG ]]; then echo "Use release-{major,minor,patch}"; exit 1; fi
+	@if ! type -P pandoc; then echo "Please install pandoc"; exit 1; fi
+	@if ! type -P sponge; then echo "Please install moreutils"; exit 1; fi
+	@if ! type -P http; then echo "Please install httpie"; exit 1; fi
+	@if ! type -P twine; then echo "Please install twine"; exit 1; fi
+	$(eval REMOTE=$(shell git remote get-url origin | perl -ne '/([^\/\:]+\/[^\/\:]+?)(\.git)?$$/; print $$1'))
 	$(eval GIT_USER=$(shell git config --get user.email))
 	$(eval GH_AUTH=$(shell if grep -q '@github.com' ~/.git-credentials; then echo $$(grep '@github.com' ~/.git-credentials | python3 -c 'import sys, urllib.parse as p; print(p.urlparse(sys.stdin.read()).netloc.split("@")[0])'); else echo $(GIT_USER); fi))
 	$(eval RELEASES_API=https://api.github.com/repos/${REMOTE}/releases)
 	$(eval UPLOADS_API=https://uploads.github.com/repos/${REMOTE}/releases)
 	git pull
 	git clean -x --force $$(python setup.py --name)
-	sed -i -e "s/version=\([\'\"]\)[0-9]*\.[0-9]*\.[0-9]*/version=\1$${TAG:1}/" setup.py
-	git add setup.py
 	TAG_MSG=$$(mktemp); \
 	    echo "# Changes for ${TAG} ($$(date +%Y-%m-%d))" > $$TAG_MSG; \
 	    git log --pretty=format:%s $$(git describe --abbrev=0)..HEAD >> $$TAG_MSG; \
@@ -32,15 +35,15 @@ release:
 	    git commit -m ${TAG}; \
 	    git tag --sign --annotate --file $$TAG_MSG ${TAG}
 	git push --follow-tags
-	http --auth ${GH_AUTH} ${RELEASES_API} tag_name=${TAG} name=${TAG} \
+	http --check-status --auth ${GH_AUTH} ${RELEASES_API} tag_name=${TAG} name=${TAG} \
 	    body="$$(git tag --list ${TAG} -n99 | perl -pe 's/^\S+\s*// if $$. == 1' | sed 's/^\s\s\s\s//')"
 	$(MAKE) install
-	http --auth ${GH_AUTH} POST ${UPLOADS_API}/$$(http --auth ${GH_AUTH} ${RELEASES_API}/latest | jq .id)/assets \
+	http --check-status --auth ${GH_AUTH} POST ${UPLOADS_API}/$$(http --auth ${GH_AUTH} ${RELEASES_API}/latest | jq .id)/assets \
 	    name==$$(basename dist/*.whl) label=="Python Wheel" < dist/*.whl
-	$(MAKE) pypi_release
+	$(MAKE) release-pypi
 
-pypi_release:
-	python setup.py sdist bdist_wheel
+release-pypi:
+	python -m build
 	twine upload dist/*.tar.gz dist/*.whl --sign --verbose
 
 .PHONY: release