api-auth 1.5.0 → 2.6.0

data/spec/headers_spec.rb

@@ -1,26 +1,17 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
 describe ApiAuth::Headers do
-
   describe '#canonical_string' do
-    context "uri edge cases" do
-      let(:request) { RestClient::Request.new(:url => uri, :method => :get) }
+    context 'uri edge cases' do
+      let(:request) { RestClient::Request.new(url: uri, method: :get) }
       subject(:headers) { described_class.new(request) }
       let(:uri) { '' }
 
-      context 'empty uri' do
-        let(:uri) { ''.freeze }
-
-        it 'adds / to canonical string' do
-          expect(subject.canonical_string).to eq(',,/,')
-        end
-      end
-
       context 'uri with just host without /' do
-        let(:uri) { 'http://google.com'.freeze }
+        let(:uri) { 'https://google.com'.freeze }
 
         it 'return / as canonical string path' do
-          expect(subject.canonical_string).to eq(',,/,')
+          expect(subject.canonical_string).to eq('GET,,,/,')
         end
 
         it 'does not change request url (by removing host)' do
@@ -29,153 +20,202 @@ describe ApiAuth::Headers do
       end
 
       context 'uri with host and /' do
-        let(:uri) { 'http://google.com/'.freeze }
+        let(:uri) { 'https://google.com/'.freeze }
 
         it 'return / as canonical string path' do
-          expect(subject.canonical_string).to eq(',,/,')
+          expect(subject.canonical_string).to eq('GET,,,/,')
         end
 
         it 'does not change request url (by removing host)' do
           expect(request.url).to eq(uri)
         end
       end
-    end
 
-    context "string construction" do
-      let(:request){ RestClient::Request.new(:url => "http://google.com", :method => :get) }
-      subject(:headers) { described_class.new(request) }
-      let(:driver){ headers.instance_variable_get("@request")}
-
-      it "puts the canonical string together correctly" do
-        allow(driver).to receive(:content_type).and_return "text/html"
-        allow(driver).to receive(:content_md5).and_return "12345"
-        allow(driver).to receive(:request_uri).and_return "/foo"
-        allow(driver).to receive(:timestamp).and_return "Mon, 23 Jan 1984 03:29:56 GMT"
-        expect(headers.canonical_string).to eq "text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT"
+      context 'uri has a string matching https:// in it' do
+        let(:uri) { 'https://google.com/?redirect_to=https://www.example.com'.freeze }
+
+        it 'return /?redirect_to=https://www.example.com as canonical string path' do
+          expect(subject.canonical_string).to eq('GET,,,/?redirect_to=https://www.example.com,')
+        end
+
+        it 'does not change request url (by removing host)' do
+          expect(request.url).to eq(uri)
+        end
       end
     end
-  end
 
-  describe "#canonical_string_with_http_method" do
-    context "with a driver that supplies http_method" do
-      let(:request){ RestClient::Request.new(:url => "http://google.com", :method => :get) }
-      subject(:headers) { described_class.new(request) }
-      let(:driver){ headers.instance_variable_get("@request")}
-
-      before do
-        allow(driver).to receive(:http_method).and_return "GET"
-        allow(driver).to receive(:content_type).and_return "text/html"
-        allow(driver).to receive(:content_md5).and_return "12345"
-        allow(driver).to receive(:request_uri).and_return "/foo"
-        allow(driver).to receive(:timestamp).and_return "Mon, 23 Jan 1984 03:29:56 GMT"
-      end
+    context 'string construction' do
+      context 'with a driver that supplies http_method' do
+        let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:http_method).and_return 'GET'
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_hash).and_return '12345'
+          allow(driver).to receive(:request_uri).and_return '/foo'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
 
-      context "when not passed an override" do
-        it "constructs the canonical_string with the driver's http method" do
-          expect(headers.canonical_string_with_http_method).to eq "GET,text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT"
+        context 'when not passed an override' do
+          it "constructs the canonical_string with the driver's http method" do
+            expect(headers.canonical_string).to eq 'GET,text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT'
+          end
         end
-      end
 
-      context "when passed an override" do
-        it "constructs the canonical_string with the overridden http method" do
-          expect(headers.canonical_string_with_http_method("put")).to eq "PUT,text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT"
+        context 'when passed an override' do
+          it 'constructs the canonical_string with the overridden http method' do
+            expect(headers.canonical_string('put')).to eq 'PUT,text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT'
+          end
         end
       end
-    end
 
-    context "when a driver that doesn't supply http_method" do
-      let(:request) do
-        Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
-          curl.headers = { 'Content-Type'  => "text/plain" }
+      context "when a driver that doesn't supply http_method" do
+        let(:request) do
+          Curl::Easy.new('/resource.xml?foo=bar&bar=foo') do |curl|
+            curl.headers = { 'Content-Type' => 'text/plain' }
+          end
+        end
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:http_method).and_return nil
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_hash).and_return '12345'
+          allow(driver).to receive(:request_uri).and_return '/foo'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
+
+        context 'when not passed an override' do
+          it 'raises an error' do
+            expect { headers.canonical_string }.to raise_error(ArgumentError)
+          end
+        end
+
+        context 'when passed an override' do
+          it 'constructs the canonical_string with the overridden http method' do
+            expect(headers.canonical_string('put')).to eq 'PUT,text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT'
+          end
         end
-      end
-      subject(:headers) { described_class.new(request) }
-      let(:driver){ headers.instance_variable_get("@request")}
-
-      before do
-        allow(driver).to receive(:http_method).and_return nil
-        allow(driver).to receive(:content_type).and_return "text/html"
-        allow(driver).to receive(:content_md5).and_return "12345"
-        allow(driver).to receive(:request_uri).and_return "/foo"
-        allow(driver).to receive(:timestamp).and_return "Mon, 23 Jan 1984 03:29:56 GMT"
       end
 
-      context "when not passed an override" do
-        it "raises an error" do
-          expect{ headers.canonical_string_with_http_method }.to raise_error(ArgumentError)
+      context "when there's a proxy server (e.g. Nginx) with rewrite rules" do
+        let(:request) do
+          Faraday::Request.create('GET') do |req|
+            req.options = Faraday::RequestOptions.new(Faraday::FlatParamsEncoder)
+            req.params = Faraday::Utils::ParamsHash.new
+            req.url('/resource.xml?foo=bar&bar=foo')
+            req.headers = { 'X-Original-URI' => '/api/resource.xml?foo=bar&bar=foo' }
+          end
+        end
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_hash).and_return '12345'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
+
+        context 'the driver uses the original_uri' do
+          it 'constructs the canonical_string with the original_uri' do
+            expect(headers.canonical_string).to eq 'GET,text/html,12345,/api/resource.xml?foo=bar&bar=foo,Mon, 23 Jan 1984 03:29:56 GMT'
+          end
         end
       end
 
-      context "when passed an override" do
-        it "constructs the canonical_string with the overridden http method" do
-          expect(headers.canonical_string_with_http_method("put")).to eq "PUT,text/html,12345,/foo,Mon, 23 Jan 1984 03:29:56 GMT"
+      context 'when headers to sign are provided' do
+        let(:request) do
+          Faraday::Request.create('GET') do |req|
+            req.options = Faraday::RequestOptions.new(Faraday::FlatParamsEncoder)
+            req.params = Faraday::Utils::ParamsHash.new
+            req.url('/resource.xml?foo=bar&bar=foo')
+            req.headers = { 'X-Forwarded-For' => '192.168.1.1' }
+          end
+        end
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_hash).and_return '12345'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
+
+        context 'the driver uses the original_uri' do
+          it 'constructs the canonical_string with the original_uri' do
+            expect(headers.canonical_string(nil, %w[X-FORWARDED-FOR]))
+              .to eq 'GET,text/html,12345,/resource.xml?bar=foo&foo=bar,Mon, 23 Jan 1984 03:29:56 GMT,192.168.1.1'
+          end
         end
       end
     end
   end
 
-  describe '#calculate_md5' do
-    subject(:headers){ described_class.new(request) }
-    let(:driver){ headers.instance_variable_get("@request")}
+  describe '#calculate_hash' do
+    subject(:headers) { described_class.new(request) }
+    let(:driver) { headers.instance_variable_get('@request') }
 
-    context "no md5 already calculated" do
-      let(:request) {
+    context 'no content hash already calculated' do
+      let(:request) do
         RestClient::Request.new(
-          :url => 'http://google.com',
-          :method => :post,
-          :payload => "hello\nworld"
+          url: 'https://google.com',
+          method: :post,
+          payload: "hello\nworld"
         )
-      }
+      end
 
-      it "populates the md5 header" do
-        expect(driver).to receive(:populate_content_md5)
-        headers.calculate_md5
+      it 'populates the content hash header' do
+        expect(driver).to receive(:populate_content_hash)
+        headers.calculate_hash
       end
     end
 
-    context "md5 already calculated" do
-      let(:request) {
+    context 'hash already calculated' do
+      let(:request) do
         RestClient::Request.new(
-          :url => 'http://google.com',
-          :method => :post,
-          :payload => "hello\nworld",
-          :headers => {:content_md5 => "abcd"}
+          url: 'https://google.com',
+          method: :post,
+          payload: "hello\nworld",
+          headers: { 'X-Authorization-Content-SHA256' => 'abcd' }
         )
-      }
+      end
 
-      it "doesn't populate the md5 header" do
-        expect(driver).not_to receive(:populate_content_md5)
-        headers.calculate_md5
+      it "doesn't populate the X-Authorization-Content-SHA256 header" do
+        expect(driver).not_to receive(:populate_content_hash)
+        headers.calculate_hash
       end
     end
   end
 
-  describe "#md5_mismatch?" do
-    let(:request){ RestClient::Request.new(:url => "http://google.com", :method => :get) }
-    subject(:headers){ described_class.new(request) }
-    let(:driver){ headers.instance_variable_get("@request") }
+  describe '#content_hash_mismatch?' do
+    let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
+    subject(:headers) { described_class.new(request) }
+    let(:driver) { headers.instance_variable_get('@request') }
 
-    context "when request has md5 header" do
-      it "asks the driver" do
-        allow(driver).to receive(:content_md5).and_return "1234"
+    context 'when request has X-Authorization-Content-SHA256 header' do
+      it 'asks the driver' do
+        allow(driver).to receive(:content_hash).and_return '1234'
 
-        expect(driver).to receive(:md5_mismatch?).and_call_original
-        headers.md5_mismatch?
+        expect(driver).to receive(:content_hash_mismatch?).and_call_original
+        headers.content_hash_mismatch?
       end
     end
 
-    context "when request has no md5" do
+    context 'when request has no content hash' do
       it "doesn't ask the driver" do
-        allow(driver).to receive(:content_md5).and_return ""
+        allow(driver).to receive(:content_hash).and_return nil
 
-        expect(driver).not_to receive(:md5_mismatch?).and_call_original
-        headers.md5_mismatch?
+        expect(driver).not_to receive(:content_hash_mismatch?).and_call_original
+        headers.content_hash_mismatch?
       end
 
-      it "returns false" do
-        allow(driver).to receive(:content_md5).and_return ""
+      it 'returns false' do
+        allow(driver).to receive(:content_hash).and_return nil
 
-        expect(headers.md5_mismatch?).to be false
+        expect(headers.content_hash_mismatch?).to be false
       end
     end
   end

data/spec/helpers_spec.rb

@@ -1,14 +1,12 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
 
-describe "ApiAuth::Helpers" do
-  
-  it "should strip the new line character on a Base64 encoding" do
-    expect(ApiAuth.b64_encode("some string")).not_to match(/\n/)
+describe 'ApiAuth::Helpers' do
+  it 'should strip the new line character on a Base64 encoding' do
+    expect(ApiAuth.b64_encode('some string')).not_to match(/\n/)
   end
-  
+
   it "should properly upcase a hash's keys" do
-    hsh = { "JoE" => "rOOLz" }
-    expect(ApiAuth.capitalize_keys(hsh)["JOE"]).to eq("rOOLz")
+    hsh = { 'JoE' => 'rOOLz' }
+    expect(ApiAuth.capitalize_keys(hsh)['JOE']).to eq('rOOLz')
   end
-  
-end
+end

data/spec/railtie_spec.rb

@@ -1,159 +1,140 @@
-require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+require 'spec_helper'
+require 'action_controller/test_case'
 
-describe "Rails integration" do
-
-  API_KEY_STORE = { "1044" => "l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==" }
-
-  describe "Rails controller integration" do
+describe 'Rails integration' do
+  API_KEY_STORE = { '1044' => 'l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==' }.freeze
 
+  describe 'Rails controller integration' do
     class ApplicationController < ActionController::Base
-
-    private
+      private
 
       def require_api_auth
-        if (access_id = get_api_access_id_from_request)
-          return true if api_authenticated?(API_KEY_STORE[access_id])
+        if (access_id = get_api_access_id_from_request) && api_authenticated?(API_KEY_STORE[access_id])
+          return true
         end
 
         respond_to do |format|
-          format.xml { render :xml => "You are unauthorized to perform this action.", :status => 401 }
-          format.json { render :json => "You are unauthorized to perform this action.", :status => 401 }
-          format.html { render :text => "You are unauthorized to perform this action", :status => 401 }
+          format.xml { render xml: 'You are unauthorized to perform this action.', status: 401 }
+          format.json { render json: 'You are unauthorized to perform this action.', status: 401 }
+          format.html { render plain: 'You are unauthorized to perform this action', status: 401 }
         end
       end
-
     end
 
     class TestController < ApplicationController
-      before_filter :require_api_auth, :only => [:index]
+      before_action :require_api_auth, only: [:index]
 
-      if defined?(ActionDispatch)
-        def self._routes
-          ActionDispatch::Routing::RouteSet.new
-        end
+      def self._routes
+        ActionDispatch::Routing::RouteSet.new
       end
 
       def index
-        render :text => "OK"
+        render json: 'OK'
       end
 
       def public
-        render :text => "OK"
+        render json: 'OK'
       end
 
-      def rescue_action(e); raise(e); end
+      def rescue_action(e)
+        raise(e)
+      end
     end
 
-    unless defined?(ActionDispatch)
-      ActionController::Routing::Routes.draw {|map| map.resources :test }
+    def generated_response(request, action = :index)
+      response = ActionDispatch::TestResponse.new
+      controller = TestController.new
+      controller.request = request
+      controller.response = response
+      controller.process(action)
+      response
     end
 
-    def generated_response(request, action = :index)
-      if defined?(ActionDispatch)
-        response = ActionDispatch::TestResponse.new
-        controller = TestController.new
-        controller.request = request
-        controller.response = response
-        controller.process(action)
-        response
-      else
-        request.action = action.to_s
-        request.path = "/#{action.to_s}"
-        TestController.new.process(request, ActionController::TestResponse.new)
-      end
+    def generated_request
+      request = if ActionController::TestRequest.respond_to?(:create)
+                  if Gem.loaded_specs['actionpack'].version < Gem::Version.new('5.1.0')
+                    ActionController::TestRequest.create
+                  else
+                    ActionController::TestRequest.create(TestController)
+                  end
+                else
+                  ActionController::TestRequest.new
+                end
+      request.accept = ['application/json']
+      request
     end
 
-    it "should permit a request with properly signed headers" do
-      request = ActionController::TestRequest.new
+    it 'should permit a request with properly signed headers' do
+      request = generated_request
       request.env['DATE'] = Time.now.utc.httpdate
-      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+      ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
+      response = generated_response(request, :index)
+      expect(response.code).to eq('200')
+    end
+
+    it 'should forbid a request with properly signed headers but timestamp > 15 minutes ago' do
+      request = generated_request
+      request.env['DATE'] = 'Mon, 23 Jan 1984 03:29:56 GMT'
+      ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
       response = generated_response(request, :index)
-      expect(response.code).to eq("200")
+      expect(response.code).to eq('401')
     end
 
-    it "should forbid a request with properly signed headers but timestamp > 15 minutes" do
-      request = ActionController::TestRequest.new
-      request.env['DATE'] = "Mon, 23 Jan 1984 03:29:56 GMT"
-      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+    it 'should forbid a request with properly signed headers but timestamp > 15 minutes in the future' do
+      request = generated_request
+      request.env['DATE'] = 'Mon, 23 Jan 2100 03:29:56 GMT'
+      ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
       response = generated_response(request, :index)
-      expect(response.code).to eq("401")
+      expect(response.code).to eq('401')
     end
 
     it "should insert a DATE header in the request when one hasn't been specified" do
-      request = ActionController::TestRequest.new
-      ApiAuth.sign!(request, "1044", API_KEY_STORE["1044"])
+      request = generated_request
+      ApiAuth.sign!(request, '1044', API_KEY_STORE['1044'])
       expect(request.headers['DATE']).not_to be_nil
     end
 
-    it "should forbid an unsigned request to a protected controller action" do
-      request = ActionController::TestRequest.new
+    it 'should forbid an unsigned request to a protected controller action' do
+      request = generated_request
       response = generated_response(request, :index)
-      expect(response.code).to eq("401")
+      expect(response.code).to eq('401')
     end
 
-    it "should forbid a request with a bogus signature" do
-      request = ActionController::TestRequest.new
-      request.env['Authorization'] = "APIAuth bogus:bogus"
+    it 'should forbid a request with a bogus signature' do
+      request = generated_request
+      request.env['Authorization'] = 'APIAuth bogus:bogus'
       response = generated_response(request, :index)
-      expect(response.code).to eq("401")
+      expect(response.code).to eq('401')
     end
 
-    it "should allow non-protected controller actions to function as before" do
-      request = ActionController::TestRequest.new
+    it 'should allow non-protected controller actions to function as before' do
+      request = generated_request
       response = generated_response(request, :public)
-      expect(response.code).to eq("200")
+      expect(response.code).to eq('200')
     end
-
   end
 
-  describe "Rails ActiveResource integration" do
-
+  describe 'Rails ActiveResource integration' do
     class TestResource < ActiveResource::Base
-      with_api_auth "1044", API_KEY_STORE["1044"]
-      self.site = "http://localhost/"
+      with_api_auth '1044', API_KEY_STORE['1044']
+      self.site = 'https://localhost/'
       self.format = :xml
     end
 
-    it "should send signed requests automagically" do
-      timestamp = Time.parse("Mon, 23 Jan 1984 03:29:56 GMT")
+    it 'should send signed requests automagically' do
+      timestamp = Time.parse('Mon, 23 Jan 1984 03:29:56 GMT')
       allow(Time).to receive(:now).at_least(1).times.and_return(timestamp)
       ActiveResource::HttpMock.respond_to do |mock|
-        mock.get "/test_resources/1.xml",
-          {
-            'Authorization' => 'APIAuth 1044:IbTx7VzSOGU55HNbV4y2jZDnVis=',
-            'Accept' => 'application/xml',
-            'DATE' => "Mon, 23 Jan 1984 03:29:56 GMT"
-          },
-          { :id => "1" }.to_xml(:root => 'test_resource')
+        mock.get '/test_resources/1.xml',
+                 {
+                   'Authorization' => 'APIAuth 1044:LZ1jujf3x1nnGR70/208WPXdUHw=',
+                   'Accept' => 'application/xml',
+                   'DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT'
+                 },
+                 { id: '1' }.to_xml(root: 'test_resource')
       end
-      expect(ApiAuth).to receive(:sign!).with(anything, "1044", API_KEY_STORE["1044"], { :with_http_method => false }).and_call_original
+      expect(ApiAuth).to receive(:sign!).with(anything, '1044', API_KEY_STORE['1044'], {}).and_call_original
       TestResource.find(1)
     end
-
-    context "when telling it to include the http method in the signature" do
-      class TestResourceForHttpMethod < ActiveResource::Base
-        with_api_auth "1044", API_KEY_STORE["1044"], :sign_with_http_method => true
-        self.site = "http://localhost/"
-        self.format = :xml
-      end
-
-      it "signs with the http method" do
-        timestamp = Time.parse("Mon, 23 Jan 1984 03:29:56 GMT")
-        allow(Time).to receive(:now).at_least(1).times.and_return(timestamp)
-        ActiveResource::HttpMock.respond_to do |mock|
-          mock.get "/test_resource_for_http_methods/1.xml",
-            {
-              'Authorization' => 'APIAuth 1044:Gq190cxgKm7oWH1fc+y8+wmD9ts=',
-              'Accept' => 'application/xml',
-              'DATE' => "Mon, 23 Jan 1984 03:29:56 GMT"
-            },
-            { :id => "1" }.to_xml(:root => 'test_resource')
-        end
-        expect(ApiAuth).to receive(:sign!).with(anything, "1044", API_KEY_STORE["1044"], { :with_http_method => true }).and_call_original
-        TestResourceForHttpMethod.find(1)
-      end
-    end
-
   end
-
 end