api-auth 2.2.0 → 2.4.1

data/lib/api_auth/request_drivers/httpi.rb

@@ -21,6 +21,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless @request.body
+
         @request.headers['Content-MD5'] = calculated_md5
         fetch_headers
       end

data/lib/api_auth/request_drivers/net_http.rb

@@ -1,4 +1,3 @@
-require 'time'
 module ApiAuth
   module RequestDrivers # :nodoc:
     class NetHttpRequest # :nodoc:
@@ -29,6 +28,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless @request.class::REQUEST_HAS_BODY
+
         @request['Content-MD5'] = calculated_md5
       end
 

data/lib/api_auth/request_drivers/rack.rb

@@ -27,6 +27,7 @@ module ApiAuth
 
       def populate_content_md5
         return unless %w[POST PUT].include?(@request.request_method)
+
         @request.env['Content-MD5'] = calculated_md5
         fetch_headers
       end

data/lib/api_auth/request_drivers/rest_client.rb

@@ -29,13 +29,14 @@ module ApiAuth
       end
 
       def populate_content_md5
-        return unless %i[post put].include?(@request.method)
+        return unless %w[post put].include?(@request.method.to_s)
+
         @request.headers['Content-MD5'] = calculated_md5
         save_headers
       end
 
       def md5_mismatch?
-        if %i[post put].include?(@request.method)
+        if %w[post put].include?(@request.method.to_s)
           calculated_md5 != content_md5
         else
           false

data/spec/api_auth_spec.rb

@@ -169,6 +169,13 @@ describe 'ApiAuth' do
         expect(ApiAuth.authentic?(signed_request, '123', clock_skew: 60.seconds)).to eq false
       end
     end
+
+    context 'when passed the headers_to_sign option' do
+      it 'validates the request' do
+        request['X-Forwarded-For'] = '192.168.1.1'
+        expect(ApiAuth.authentic?(signed_request, '123', headers_to_sign: %w[HTTP_X_FORWARDED_FOR])).to eq true
+      end
+    end
   end
 
   describe '.access_id' do

data/spec/headers_spec.rb

@@ -7,14 +7,6 @@ describe ApiAuth::Headers do
       subject(:headers) { described_class.new(request) }
       let(:uri) { '' }
 
-      context 'empty uri' do
-        let(:uri) { ''.freeze }
-
-        it 'adds / to canonical string' do
-          expect(subject.canonical_string).to eq('GET,,,/,')
-        end
-      end
-
       context 'uri with just host without /' do
         let(:uri) { 'http://google.com'.freeze }
 
@@ -133,6 +125,32 @@ describe ApiAuth::Headers do
           end
         end
       end
+
+      context 'when headers to sign are provided' do
+        let(:request) do
+          Faraday::Request.create('GET') do |req|
+            req.options = Faraday::RequestOptions.new(Faraday::FlatParamsEncoder)
+            req.params = Faraday::Utils::ParamsHash.new
+            req.url('/resource.xml?foo=bar&bar=foo')
+            req.headers = { 'X-Forwarded-For' => '192.168.1.1' }
+          end
+        end
+        subject(:headers) { described_class.new(request) }
+        let(:driver) { headers.instance_variable_get('@request') }
+
+        before do
+          allow(driver).to receive(:content_type).and_return 'text/html'
+          allow(driver).to receive(:content_md5).and_return '12345'
+          allow(driver).to receive(:timestamp).and_return 'Mon, 23 Jan 1984 03:29:56 GMT'
+        end
+
+        context 'the driver uses the original_uri' do
+          it 'constructs the canonical_string with the original_uri' do
+            expect(headers.canonical_string(nil, %w[X-FORWARDED-FOR]))
+              .to eq 'GET,text/html,12345,/resource.xml?bar=foo&foo=bar,Mon, 23 Jan 1984 03:29:56 GMT,192.168.1.1'
+          end
+        end
+      end
     end
   end
 

data/spec/request_drivers/action_controller_spec.rb

@@ -80,12 +80,12 @@ if defined?(ActionController::Request)
     describe 'setting headers correctly' do
       let(:request) do
         ActionController::Request.new(
-          'PATH_INFO'      => '/resource.xml',
-          'QUERY_STRING'   => 'foo=bar&bar=foo',
+          'PATH_INFO' => '/resource.xml',
+          'QUERY_STRING' => 'foo=bar&bar=foo',
           'REQUEST_METHOD' => 'PUT',
-          'CONTENT_TYPE'   => 'text/plain',
+          'CONTENT_TYPE' => 'text/plain',
           'CONTENT_LENGTH' => '11',
-          'rack.input'     => StringIO.new("hello\nworld")
+          'rack.input' => StringIO.new("hello\nworld")
         )
       end
 
@@ -231,4 +231,10 @@ if defined?(ActionController::Request)
       end
     end
   end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
 end

data/spec/request_drivers/action_dispatch_spec.rb

@@ -7,15 +7,15 @@ if defined?(ActionDispatch::Request)
 
     let(:request) do
       ActionDispatch::Request.new(
-        'AUTHORIZATION'  => 'APIAuth 1044:12345',
-        'PATH_INFO'      => '/resource.xml',
-        'QUERY_STRING'   => 'foo=bar&bar=foo',
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
         'REQUEST_METHOD' => 'PUT',
-        'CONTENT_MD5'    => '1B2M2Y8AsgTpgAmY7PhCfg==',
-        'CONTENT_TYPE'   => 'text/plain',
+        'CONTENT_MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+        'CONTENT_TYPE' => 'text/plain',
         'CONTENT_LENGTH' => '11',
-        'HTTP_DATE'      => timestamp,
-        'rack.input'     => StringIO.new("hello\nworld")
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
       )
     end
 
@@ -80,12 +80,12 @@ if defined?(ActionDispatch::Request)
     describe 'setting headers correctly' do
       let(:request) do
         ActionDispatch::Request.new(
-          'PATH_INFO'      => '/resource.xml',
-          'QUERY_STRING'   => 'foo=bar&bar=foo',
+          'PATH_INFO' => '/resource.xml',
+          'QUERY_STRING' => 'foo=bar&bar=foo',
           'REQUEST_METHOD' => 'PUT',
-          'CONTENT_TYPE'   => 'text/plain',
+          'CONTENT_TYPE' => 'text/plain',
           'CONTENT_LENGTH' => '11',
-          'rack.input'     => StringIO.new("hello\nworld")
+          'rack.input' => StringIO.new("hello\nworld")
         )
       end
 
@@ -230,5 +230,11 @@ if defined?(ActionDispatch::Request)
         end
       end
     end
+
+    describe 'fetch_headers' do
+      it 'returns request headers' do
+        expect(driven_request.fetch_headers).to include('CONTENT_TYPE' => 'text/plain')
+      end
+    end
   end
 end

data/spec/request_drivers/curb_spec.rb

@@ -6,9 +6,9 @@ describe ApiAuth::RequestDrivers::CurbRequest do
   let(:request) do
     headers = {
       'Authorization' => 'APIAuth 1044:12345',
-      'Content-MD5'   => '1B2M2Y8AsgTpgAmY7PhCfg==',
-      'Content-Type'  => 'text/plain',
-      'Date'          => timestamp
+      'Content-MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+      'Content-Type' => 'text/plain',
+      'Date' => timestamp
     }
     Curl::Easy.new('/resource.xml?foo=bar&bar=foo') do |curl|
       curl.headers = headers
@@ -91,4 +91,10 @@ describe ApiAuth::RequestDrivers::CurbRequest do
       expect(driven_request.md5_mismatch?).to be false
     end
   end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
 end

data/spec/request_drivers/faraday_spec.rb

@@ -256,4 +256,10 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       end
     end
   end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
 end

data/spec/request_drivers/grape_request_spec.rb

@@ -0,0 +1,279 @@
+require 'spec_helper'
+
+describe ApiAuth::RequestDrivers::GrapeRequest do
+  let(:default_method) { 'PUT' }
+  let(:default_params) do
+    { 'message' => "hello\nworld" }
+  end
+  let(:default_options) do
+    {
+      method: method,
+      params: params
+    }
+  end
+  let(:default_env) do
+    Rack::MockRequest.env_for('/', options)
+  end
+  let(:method) { default_method }
+  let(:params) { default_params }
+  let(:options) { default_options.merge(request_headers) }
+  let(:env) { default_env }
+
+  let(:request) do
+    Grape::Request.new(env)
+  end
+
+  let(:timestamp) { Time.now.utc.httpdate }
+  let(:request_headers) do
+    {
+      'HTTP_X_HMAC_AUTHORIZATION' => 'APIAuth 1044:12345',
+      'HTTP_X_HMAC_CONTENT_MD5' => 'WEqCyXEuRBYZbohpZmUyAw==',
+      'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain',
+      'HTTP_X_HMAC_DATE' => timestamp
+    }
+  end
+
+  subject(:driven_request) { ApiAuth::RequestDrivers::GrapeRequest.new(request) }
+
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+
+    it 'gets the content_md5' do
+      expect(driven_request.content_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+    end
+
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('http://example.org/')
+    end
+
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+
+    describe '#calculated_md5' do
+      it 'calculates md5 from the body' do
+        expect(driven_request.calculated_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+      end
+
+      context 'no body' do
+        let(:params) { {} }
+
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+        end
+      end
+    end
+
+    describe 'http_method' do
+      context 'when put request' do
+        let(:method) { 'put' }
+
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+
+      context 'when get request' do
+        let(:method) { 'get' }
+
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+
+  describe 'setting headers correctly' do
+    let(:request_headers) do
+      {
+        'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain'
+      }
+    end
+
+    describe '#populate_content_md5' do
+      context 'when getting' do
+        let(:method) { 'get' }
+
+        it "doesn't populate content-md5" do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to be_nil
+        end
+      end
+
+      context 'when posting' do
+        let(:method) { 'post' }
+
+        it 'populates content-md5' do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_md5
+          expect(driven_request.content_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+      end
+
+      context 'when putting' do
+        let(:method) { 'put' }
+
+        it 'populates content-md5' do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_md5
+          expect(driven_request.content_md5).to eq('WEqCyXEuRBYZbohpZmUyAw==')
+        end
+      end
+
+      context 'when deleting' do
+        let(:method) { 'delete' }
+
+        it "doesn't populate content-md5" do
+          driven_request.populate_content_md5
+          expect(request.headers['Content-Md5']).to be_nil
+        end
+      end
+    end
+
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+
+      it 'sets the date header of the request' do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+        driven_request.set_date
+        expect(request.headers['Date']).to eq(timestamp)
+      end
+
+      it 'refreshes the cached headers' do
+        driven_request.set_date
+        expect(driven_request.timestamp).to eq(timestamp)
+      end
+    end
+
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request.headers['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+
+  describe 'md5_mismatch?' do
+    context 'when getting' do
+      let(:method) { 'get' }
+
+      it 'is false' do
+        expect(driven_request.md5_mismatch?).to be false
+      end
+    end
+
+    context 'when posting' do
+      let(:method) { 'post' }
+
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.md5_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+
+        it 'is true' do
+          expect(driven_request.md5_mismatch?).to be true
+        end
+      end
+    end
+
+    context 'when putting' do
+      let(:method) { 'put' }
+
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.md5_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.md5_mismatch?).to be true
+        end
+      end
+    end
+
+    context 'when deleting' do
+      let(:method) { 'delete' }
+
+      it 'is false' do
+        expect(driven_request.md5_mismatch?).to be false
+      end
+    end
+  end
+
+  describe 'authentics?' do
+    let(:request_headers) { {} }
+    let(:signed_request) do
+      ApiAuth.sign!(request, '1044', '123')
+    end
+
+    context 'when getting' do
+      let(:method) { 'get' }
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when posting' do
+      let(:method) { 'post' }
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when putting' do
+      let(:method) { 'put' }
+
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+
+    context 'when deleting' do
+      let(:method) { 'delete' }
+
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+  end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include(
+        'CONTENT_TYPE' => 'application/x-www-form-urlencoded'
+      )
+    end
+  end
+end