5. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 4/5/2017 4:21:38 PM Central Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

5.1 Files compared

#	Location	File	Last Modified
1	C:\working_scrub\Unredacted\Direct Code Base\DSM_Bld2_Source_Code_CIF_2017-02-14\api_build02-sprint01\application\views\api\onboarding\services	automatic_reply_delete.php	Fri Oct 21 18:34:06 2016 UTC
2	eHX-CIF.zip\eHX-CIF\Direct Code Base\DSM_Bld2_Source_Code_CIF_2017-02-14\api_build02-sprint01\application\views\api\onboarding\services	automatic_reply_delete.php	Mon Apr 3 13:54:43 2017 UTC

5.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	234
Changed	1	2
Inserted	0	0
Removed	0	0

5.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

5.4 Active regular expressions

No regular expressions were active.

5.5 Comparison detail

	1	<?php
	2	/**
	3	* @packag e direct-a s-a-servic e
	4	* @subpac kage views
	5	* @fileso urce
	6	/ /* */
	7
	8	$this->loa d->view('a pi/header' );
	9	$this->loa d->view('a pi/nav');
	10	?>
	11	<h1><a hre f="/onboar ding/docum entation/" class="un derline">D ocumentati on</a> &ra rr; /direc t/automati c_reply/de lete - GET </h1>
	12	<p>The Aut omatic Rep ly service allows au thorized a pplication s to delet e an “Out of Office” message f or a mailb ox and can accessed by sending a GET req uest to di rect/autom atic_reply /delete
	13	</p>
	14	<h3>Authen tication</ h3>
	15	<p>
	16	The AP I authenti cation uti lized is b ased upon hash messa ge authent ication co de (HMAC). HMAC is a n authenti cation met hod that c ombines a cryptograp hic hash f unction wi th a secre t cryptogr aphic key. After the successfu l registra tion of an applicati on on the API, a pub lic and pr ivate key like the e xample bel ow will be provision ed for its use.
	17	</p>
	18	<p class=" code">
	19	Public Key: eca4 15a13daaec 88cabba68b 81a2149c97 800864acd9 ef0e15b5b8 426de2464d
	20	<br/>P rivate Key : 0097cd10 9a3b72df1f 988e4a6e3e 344ecc02cd ab9a03736b c12463b7d1 b889a8
	21	</p>
	22	<p>
	23	On eve ry request that an a pplication sends to the API th ey must in clude an A uthorizati on header. The autho rization h eader is a string th at the API will util ize to con firm the i dentity, a nd the mes sage conte nt, of the sender. T he authori zation hea der consis ts of thre e parts. T he first p art is the API ident ifier, rep resented b y the word "DAAS", w hich stand s for Dire ct as a Se rvice. The API ident ifier is f ollowed by a space t hat separa tes it fro m the iden tifying co ntent. The identifyi ng content consists of the uni que public key and t he base64 encoded HM AC hash ge nerated by the reque st content and the p rivate key , delimite d by a col on. An exa mple of th e authoriz ation head er is belo w.
	24	</p>
	25	<p class=" code">
	26	Author ization: D AAS eca415 a13daaec88 cabba68b81 a2149c9780 0864acd9ef 0e15b5b842 6de2464d: Y2UwOTMwNG RmYzhlNTQ0 YTZiODlmMD kwYWQzOWY1 ODZmNzI4OT E5NTc3ZTYy YWE2M2EwNT hlMGIzMTZk ZTZlZA==
	27	</p>
	28	<p>
	29	The HM AC string is generat ed by runn ing an HMA C hash fun ction on a plain tex t string a nd the app lication's private k ey. The pl ain text s tring that must be h ashed usin g HMAC is constructe d as follo ws:
	30	<ul>
	31	<li>HT TP Request Type</li>
	32	<li>Da te</li>
	33	<li>Co ntent-MD5 (Optional) </li>
	34	<li>Co ntent Type (Not incl uding boun dary)</li>
	35	<li>UR I</li>
	36	</ul>
	37	These valu es are sep arated by new line c haracters ("\n"). An example o f the plai n text str ing is bel ow:
	38	</p>
	39	<p class=" code">
	40	GET\n0 6/03/2013 12:13:56 E ST\niB94ga wbwUSiZy5F uruIOQ==\n /direct/va lidate/for mat/json?a ddress=unt rusted@<?p hp echo CL INICAL_DOM AIN;?>
	41	</p>
	42	<p>
	43	The st ring above is hashed with the applicatio n's privat e key usin g the SHA- 256 algori thm. A sni ppet of Ja vaScript c ode showin g an examp le of this is shown below:
	44	</p>
	45	<p class=" code">
	46	var ha shString = CryptoJS. HmacSHA256 ("GET\n06/ 03/2013 12 :13:56 EDT \niB94gawb wUSiZy5Fur uIOQ==\n/d irect/auto matic_repl y/delete/f ormat/json ?mailbox=1 ","0097cd1 09a3b72df1 f988e4a6e3 e344ecc02c dab9a03736 bc12463b7d 1b889a8");
	47	<br/>v ar base64 = encode64 (""+hashSt ring);
	48	<br/>v ar authori zation = " DAAS eca41 5a13daaec8 8cabba68b8 1a2149c978 00864acd9e f0e15b5b84 26de2464d: "+base64;
	49	</p>
	50	<p>
	51	In the example a bove the C ontent MD5 is provid ed but thi s is an op tional fie ld. If the Content M D5 header is not spe cified the n the hash should no t have the MD5 speci fied eithe r.
	52	</p>
	53	<h3>Header s</h3>
	54	<div class ="column">
	55	<div c lass="left ">
	56	<u l>
	57	<li>Auth orization< /li>
	58	<p>
	59	The first requ ired heade r is the A uthorizati on header covered in the Authe ntication section at the top o f this pag e.
	60	</p>
	61	<li>Date or X-Daas -Date</li>
	62	<p>
	63	The second req uired head er that mu st be incl uded is th e Date hea der. Some browsers w ill not le t an appli cation spe cify the D ate header programma tically, s o in this case it is also acce ptable to use the X- Daas-Date header as the API wi ll interpr et them in terchangea bly. This header sho uld be pop ulated wit h the curr ent date a nd time, i n any stan dard forma t (includi ng time zo ne informa tion if no t time zon e agnostic ), when th e POST req uest is su bmitted. T he value s upplied in the Date header mus t match th e value us ed in the creation o f the hash string fo r the Auth orization header.
	64	</p>
	65	</ ul>
	66	</div>
	67	<div c lass="righ t">
	68	<u l>
	69	<li>Cont ent-Type</ li>
	70	<p>
	71	The Content-Ty pe header must match the Conte nt-Type pr ovided in the hash s tring for the Author ization he ader excep t the hash string do es not inc lude the b oundary pa rameter of the Conte nt-Type if there is one (i.e. applicatio n/x-www-fo rm-urlenco ded Conten t-Type).
	72	</p>
	73	<li>Cont ent-Md5</l i>
	74	<p>
	75	The optional h eader is t he Content -Md5 heade r. This he ader shoul d contain an MD5 has h of the e ntire POST body. If this heade r is speci fied then it must al so be incl uded in th e hash str ing for th e Authoriz ation head er. When p rovided, t his serves as an ext ra securit y precauti on above a nd beyond TLS to ens ure the PO ST request sent has not been m odified in transit.
	76	</p>
	77	</ ul>
	78	</div>
	79	</div>
	80	<h3>Argume nts</h3>
	81	<ul>
	82	<l i>Mailbox< /li>
	83	<p >
	84	Mailbox This is a required field whi ch identif ies which mailbox’s messages s hould be r eturned. T his is the local por tion of th e Direct a ddress, i. e., test.u ser@direct . DNS is the Dir ect addres s so that passed val ue you wou ld test.us er.
	85	</ p>
	86	</ul>
	87	<h3>Exampl e Response </h3>
	88	<ul>
	89	<li>Su ccess</li>
	90	<ul>
	91	<l i>HTTP-200 , {"reques t_id":6,"m essage":”s uccessfull ”}
	92	</ li>
	93	</ul>
	94	<li>Er ror</li>
	95	<ul>
	96	<l i>
	97	HTTP-401 , {“reques t_id”:4, “ message”: “Access De nied. Auth entication Failed.”}
	98	</ li>
	99	<l i>
	100	HTTP-403 , {"reques t_id":5,"m essage":"A ccess Deni ed. Use No t Authoriz ed."}
	101	</ li>
	102	<l i>
	103	HTTP-403 , {"reques t_id":6,"m essage":"A ccess Deni ed. User N ot Authori zed."}
	104	</ li>
	105	<l i>
	106	HTTP-422 , {"reques t_id":"894 ","message ":"'start_ at' contai ns invalid input","f ields":["s tart_at"]}
	107	</ li>
	108	</ul>
	109	</ul>
	110	<h3>Sample Code</h3>
	111	<p>
	112	Please click <a href="/onb oarding/do cumentatio n/validate _example"> here</a> t o be taken to some s ample code snippets for the va lidate web service.
	113	</p>
	114	</div>
	115	<?PHP $thi s->load->v iew('api/f ooter'); ? >
	116	</div>
	117	</body>
	118	</html>