api-auth 1.5.0 → 2.6.0

data/spec/request_drivers/grape_request_spec.rb

@@ -0,0 +1,280 @@
+require 'spec_helper'
+
+describe ApiAuth::RequestDrivers::GrapeRequest do
+  let(:default_method) { 'PUT' }
+  let(:default_params) do
+    { 'message' => "hello\nworld" }
+  end
+  let(:default_options) do
+    {
+      method: method,
+      params: params
+    }
+  end
+  let(:default_env) do
+    Rack::MockRequest.env_for('/', options)
+  end
+  let(:method) { default_method }
+  let(:params) { default_params }
+  let(:options) { default_options.merge(request_headers) }
+  let(:env) { default_env }
+
+  let(:request) do
+    Grape::Request.new(env)
+  end
+
+  let(:timestamp) { Time.now.utc.httpdate }
+  let(:request_headers) do
+    {
+      'HTTP_X_AUTHORIZATION' => 'APIAuth 1044:12345',
+      'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => 'bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=',
+      'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain',
+      'HTTP_X_HMAC_DATE' => timestamp
+    }
+  end
+
+  subject(:driven_request) { ApiAuth::RequestDrivers::GrapeRequest.new(request) }
+
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+    end
+
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('http://example.org/')
+    end
+
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+      end
+
+      context 'no body' do
+        let(:params) { {} }
+
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+        end
+      end
+    end
+
+    describe 'http_method' do
+      context 'when put request' do
+        let(:method) { 'put' }
+
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+
+      context 'when get request' do
+        let(:method) { 'get' }
+
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+
+  describe 'setting headers correctly' do
+    let(:request_headers) do
+      {
+        'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain'
+      }
+    end
+
+    describe '#populate_content_hash' do
+      context 'when getting' do
+        let(:method) { 'get' }
+
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to be_nil
+        end
+      end
+
+      context 'when posting' do
+        let(:method) { 'post' }
+
+        it 'populates content bash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+      end
+
+      context 'when putting' do
+        let(:method) { 'put' }
+
+        it 'populates content hash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+      end
+
+      context 'when deleting' do
+        let(:method) { 'delete' }
+
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to be_nil
+        end
+      end
+    end
+
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+
+      it 'sets the date header of the request' do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+        driven_request.set_date
+        expect(request.headers['Date']).to eq(timestamp)
+      end
+
+      it 'refreshes the cached headers' do
+        driven_request.set_date
+        expect(driven_request.timestamp).to eq(timestamp)
+      end
+    end
+
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request.headers['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+
+  describe 'content_hash_mismatch?' do
+    context 'when getting' do
+      let(:method) { 'get' }
+
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+
+    context 'when posting' do
+      let(:method) { 'post' }
+
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+
+    context 'when putting' do
+      let(:method) { 'put' }
+
+      context 'when calculated matches sent' do
+        it 'is false' do
+          puts driven_request.calculated_hash
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+
+    context 'when deleting' do
+      let(:method) { 'delete' }
+
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+  end
+
+  describe 'authentics?' do
+    let(:request_headers) { {} }
+    let(:signed_request) do
+      ApiAuth.sign!(request, '1044', '123')
+    end
+
+    context 'when getting' do
+      let(:method) { 'get' }
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when posting' do
+      let(:method) { 'post' }
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when putting' do
+      let(:method) { 'put' }
+
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when deleting' do
+      let(:method) { 'delete' }
+
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+  end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include(
+        'CONTENT_TYPE' => 'application/x-www-form-urlencoded'
+      )
+    end
+  end
+end

data/spec/request_drivers/http_spec.rb

@@ -0,0 +1,190 @@
+require 'spec_helper'
+
+describe ApiAuth::RequestDrivers::HttpRequest do
+  let(:timestamp) { Time.now.utc.httpdate }
+
+  let(:request) do
+    HTTP::Request.new(
+      verb: verb,
+      uri: uri,
+      headers: headers,
+      body: body
+    )
+  end
+
+  let(:verb) { :put }
+  let(:uri) { 'https://localhost/resource.xml?foo=bar&bar=foo' }
+  let(:body) { "hello\nworld" }
+
+  let(:headers) do
+    {
+      'Authorization' => 'APIAuth 1044:12345',
+      'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+      'content-type' => 'text/plain',
+      'date' => timestamp
+    }
+  end
+
+  subject(:driven_request) { described_class.new(request) }
+
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+    end
+
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('/resource.xml?foo=bar&bar=foo')
+    end
+
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+        expect(driven_request.body.bytesize).to eq(11)
+      end
+
+      context 'no body' do
+        let(:body) { nil }
+
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+          expect(driven_request.body.bytesize).to eq(0)
+        end
+      end
+
+      context 'multipart content' do
+        let(:body) { File.new('spec/fixtures/upload.png') }
+
+        it 'calculates correctly for multipart content' do
+          expect(driven_request.calculated_hash).to eq('AlKDe7kjMQhuKgKuNG8I7GA93MasHcaVJkJLaUT7+dY=')
+          expect(driven_request.body.bytesize).to eq(5112)
+        end
+      end
+    end
+
+    describe 'http_method' do
+      context 'when put request' do
+        let(:verb) { :put }
+
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+
+      context 'when get request' do
+        let(:verb) { :get }
+
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+
+  describe 'setting headers correctly' do
+    let(:headers) do
+      {
+        'content-type' => 'text/plain'
+      }
+    end
+
+    describe '#populate_content_hash' do
+      context 'when request type has no body' do
+        let(:verb) { :get }
+
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request['X-Authorization-Content-SHA256']).to be_nil
+        end
+      end
+
+      context 'when request type has a body' do
+        let(:verb) { :put }
+
+        it 'populates content hash' do
+          driven_request.populate_content_hash
+          expect(request['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+        end
+      end
+    end
+
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+
+      it 'sets the date header of the request' do
+        driven_request.set_date
+        expect(request['DATE']).to eq(timestamp)
+      end
+
+      it 'refreshes the cached headers' do
+        driven_request.set_date
+        expect(driven_request.timestamp).to eq(timestamp)
+      end
+    end
+
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+
+  describe 'content_hash_mismatch?' do
+    context 'when request type has no body' do
+      let(:verb) { :get }
+
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+
+    context 'when request type has a body' do
+      let(:verb) { :put }
+
+      context 'when calculated matches sent' do
+        before do
+          request['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
+        end
+
+        it 'is false' do
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        before do
+          request['X-Authorization-Content-SHA256'] = '3'
+        end
+
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+  end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
+end

data/spec/request_drivers/httpi_spec.rb

@@ -1,160 +1,160 @@
 require 'spec_helper'
 
 describe ApiAuth::RequestDrivers::HttpiRequest do
-
-  let(:timestamp){ Time.now.utc.httpdate }
+  let(:timestamp) { Time.now.utc.httpdate }
 
   let(:request) do
-    httpi_request = HTTPI::Request.new("http://localhost/resource.xml?foo=bar&bar=foo")
-    httpi_request.headers.merge!({
-        'Authorization'  => 'APIAuth 1044:12345',
-        'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-        'content-type' => 'text/plain',
-        'date' => timestamp
-    })
+    httpi_request = HTTPI::Request.new('https://localhost/resource.xml?foo=bar&bar=foo')
+    httpi_request.headers.merge!('Authorization' => 'APIAuth 1044:12345',
+                                 'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+                                 'content-type' => 'text/plain',
+                                 'date' => timestamp)
     httpi_request.body = "hello\nworld"
     httpi_request
   end
 
-  subject(:driven_request){ ApiAuth::RequestDrivers::HttpiRequest.new(request) }
+  subject(:driven_request) { ApiAuth::RequestDrivers::HttpiRequest.new(request) }
 
-  describe "getting headers correctly" do
-    it "gets the content_type" do
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
       expect(driven_request.content_type).to eq('text/plain')
     end
 
-    it "gets the content_md5" do
-      expect(driven_request.content_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
     end
 
-    it "gets the request_uri" do
+    it 'gets the request_uri' do
       expect(driven_request.request_uri).to eq('/resource.xml?foo=bar&bar=foo')
     end
 
-    it "gets the timestamp" do
+    it 'gets the timestamp' do
       expect(driven_request.timestamp).to eq(timestamp)
     end
 
-    it "gets the authorization_header" do
+    it 'gets the authorization_header' do
       expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
     end
 
-    describe "#calculated_md5" do
-      it "calculates md5 from the body" do
-        expect(driven_request.calculated_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
       end
 
-      it "treats no body as empty string" do
+      it 'treats no body as empty string' do
         request.body = nil
-        expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+        expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
       end
     end
 
-    describe "http_method" do
-      it "is always nil" do
+    describe 'http_method' do
+      it 'is always nil' do
         expect(driven_request.http_method).to be_nil
       end
     end
   end
 
-  describe "setting headers correctly" do
+  describe 'setting headers correctly' do
     let(:request) do
-      httpi_request = HTTPI::Request.new("http://localhost/resource.xml?foo=bar&bar=foo")
-      httpi_request.headers.merge!({
-        'content-type' => 'text/plain'
-      })
+      httpi_request = HTTPI::Request.new('https://localhost/resource.xml?foo=bar&bar=foo')
+      httpi_request.headers['content-type'] = 'text/plain'
       httpi_request
     end
 
-    describe "#populate_content_md5" do
-      context "when there is no content body" do
+    describe '#populate_content_hash' do
+      context 'when there is no content body' do
         before do
           request.body = nil
         end
 
-        it "doesn't populate content-md5" do
-          driven_request.populate_content_md5
-          expect(request.headers["Content-MD5"]).to be_nil
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to be_nil
         end
       end
 
-      context "when there is a content body" do
+      context 'when there is a content body' do
         before do
           request.body = "hello\nworld"
         end
 
-        it "populates content-md5" do
-          driven_request.populate_content_md5
-          expect(request.headers["Content-MD5"]).to eq('kZXQvrKoieG+Be1rsZVINw==')
+        it 'populates content hash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
 
-        it "refreshes the cached headers" do
-          driven_request.populate_content_md5
-          expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
       end
     end
 
-    describe "#set_date" do
+    describe '#set_date' do
       before do
         allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
       end
 
-      it "sets the date header of the request" do
+      it 'sets the date header of the request' do
         driven_request.set_date
         expect(request.headers['DATE']).to eq(timestamp)
       end
 
-      it "refreshes the cached headers" do
+      it 'refreshes the cached headers' do
         driven_request.set_date
         expect(driven_request.timestamp).to eq(timestamp)
       end
     end
 
-    describe "#set_auth_header" do
-      it "sets the auth header" do
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
         driven_request.set_auth_header('APIAuth 1044:54321')
         expect(request.headers['Authorization']).to eq('APIAuth 1044:54321')
       end
     end
   end
 
-  describe "md5_mismatch?" do
-    context "when there is no content body" do
+  describe 'content_hash_mismatch?' do
+    context 'when there is no content body' do
       before do
         request.body = nil
       end
 
-
-      it "is false" do
-        expect(driven_request.md5_mismatch?).to be false
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
       end
     end
 
-    context "when there is a content body" do
+    context 'when there is a content body' do
       before do
         request.body = "hello\nworld"
       end
 
-      context "when calculated matches sent" do
+      context 'when calculated matches sent' do
         before do
-          request.headers["Content-MD5"] = 'kZXQvrKoieG+Be1rsZVINw=='
+          request.headers['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
         end
 
-        it "is false" do
-          expect(driven_request.md5_mismatch?).to be false
+        it 'is false' do
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
 
       context "when calculated doesn't match sent" do
         before do
-          request.headers["Content-MD5"] = "3"
+          request.headers['X-Authorization-Content-SHA256'] = '3'
         end
 
-        it "is true" do
-          expect(driven_request.md5_mismatch?).to be true
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
         end
       end
     end
   end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
 end