RubyGems - api-auth - Versions diffs - 2.2.1 → 2.5.0 - Mend

api-auth 2.2.1 → 2.5.0

Files changed (51) hide show

checksums.yaml +4 -4
data/.rubocop.yml +12 -2
data/.rubocop_todo.yml +51 -9
data/.travis.yml +9 -25
data/CHANGELOG.md +36 -0
data/Gemfile +1 -1
data/README.md +91 -50
data/VERSION +1 -1
data/api_auth.gemspec +7 -5
data/gemfiles/http4.gemfile +3 -3
data/gemfiles/rails_52.gemfile +9 -0
data/gemfiles/rails_60.gemfile +9 -0
data/gemfiles/rails_61.gemfile +11 -0
data/lib/api_auth.rb +1 -0
data/lib/api_auth/base.rb +4 -4
data/lib/api_auth/headers.rb +22 -11
data/lib/api_auth/helpers.rb +2 -2
data/lib/api_auth/railtie.rb +13 -5
data/lib/api_auth/request_drivers/action_controller.rb +9 -8
data/lib/api_auth/request_drivers/curb.rb +4 -4
data/lib/api_auth/request_drivers/faraday.rb +13 -12
data/lib/api_auth/request_drivers/grape_request.rb +87 -0
data/lib/api_auth/request_drivers/http.rb +13 -8
data/lib/api_auth/request_drivers/httpi.rb +9 -8
data/lib/api_auth/request_drivers/net_http.rb +9 -8
data/lib/api_auth/request_drivers/rack.rb +9 -8
data/lib/api_auth/request_drivers/rest_client.rb +9 -8
data/spec/api_auth_spec.rb +15 -8
data/spec/headers_spec.rb +51 -25
data/spec/helpers_spec.rb +1 -1
data/spec/railtie_spec.rb +3 -3
data/spec/request_drivers/action_controller_spec.rb +45 -39
data/spec/request_drivers/action_dispatch_spec.rb +51 -45
data/spec/request_drivers/curb_spec.rb +16 -10
data/spec/request_drivers/faraday_spec.rb +49 -43
data/spec/request_drivers/grape_request_spec.rb +280 -0
data/spec/request_drivers/http_spec.rb +29 -23
data/spec/request_drivers/httpi_spec.rb +28 -22
data/spec/request_drivers/net_http_spec.rb +29 -23
data/spec/request_drivers/rack_spec.rb +41 -35
data/spec/request_drivers/rest_client_spec.rb +42 -36
data/spec/spec_helper.rb +2 -1
metadata +51 -26
data/gemfiles/http2.gemfile +0 -7
data/gemfiles/http3.gemfile +0 -7
data/gemfiles/rails_4.gemfile +0 -11
data/gemfiles/rails_41.gemfile +0 -11
data/gemfiles/rails_42.gemfile +0 -11
data/gemfiles/rails_5.gemfile +0 -11
data/gemfiles/rails_51.gemfile +0 -9
data/spec/.rubocop.yml +0 -5

data/spec/request_drivers/faraday_spec.rb CHANGED Viewed

@@ -20,7 +20,7 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
   let(:request_headers) do
     {
       'Authorization' => 'APIAuth 1044:12345',
-      'Content-MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+      'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
       'content-type' => 'text/plain',
       'DATE' => timestamp
     }
@@ -44,8 +44,8 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       expect(driven_request.content_type).to eq('text/plain')
     end
-    it 'gets the content_md5' do
-      expect(driven_request.content_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
     end
     it 'gets the request_uri' do
@@ -60,14 +60,14 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
     end
-    describe '#calculated_md5' do
-      it 'calculates md5 from the body' do
-        expect(driven_request.calculated_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
       end
       it 'treats no body as empty string' do
         request.body = nil
-        expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+        expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
       end
     end
@@ -115,46 +115,46 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       }
     end
-    describe '#populate_content_md5' do
+    describe '#populate_content_hash' do
       context 'when getting' do
-        it "doesn't populate content-md5" do
-          request.method = :get
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to be_nil
+        it "doesn't populate content hash" do
+          request.http_method = :get
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to be_nil
         end
       end
       context 'when posting' do
-        it 'populates content-md5' do
-          request.method = :post
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+        it 'populates content hash' do
+          request.http_method = :post
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
         it 'refreshes the cached headers' do
-          driven_request.populate_content_md5
-          expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
       end
       context 'when putting' do
-        it 'populates content-md5' do
-          request.method = :put
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+        it 'populates content hash' do
+          request.http_method = :put
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
         it 'refreshes the cached headers' do
-          driven_request.populate_content_md5
-          expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
       end
       context 'when deleting' do
-        it "doesn't populate content-md5" do
-          request.method = :delete
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to be_nil
+        it "doesn't populate content hash" do
+          request.http_method = :delete
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to be_nil
         end
       end
     end
@@ -183,77 +183,83 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
     end
   end
-  describe 'md5_mismatch?' do
+  describe 'content_hash_mismatch?' do
     context 'when getting' do
       before do
-        request.method = :get
+        request.http_method = :get
       end
       it 'is false' do
-        expect(driven_request.md5_mismatch?).to be false
+        expect(driven_request.content_hash_mismatch?).to be false
       end
     end
     context 'when posting' do
       before do
-        request.method = :post
+        request.http_method = :post
       end
       context 'when calculated matches sent' do
         before do
-          request.headers['Content-MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+          request.headers['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
         end
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
       context "when calculated doesn't match sent" do
         before do
-          request.headers['Content-MD5'] = '3'
+          request.headers['X-Authorization-Content-SHA256'] = '3'
         end
         it 'is true' do
-          expect(driven_request.md5_mismatch?).to be true
+          expect(driven_request.content_hash_mismatch?).to be true
         end
       end
     end
     context 'when putting' do
       before do
-        request.method = :put
+        request.http_method = :put
       end
       context 'when calculated matches sent' do
         before do
-          request.headers['Content-MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+          request.headers['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
         end
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
       context "when calculated doesn't match sent" do
         before do
-          request.headers['Content-MD5'] = '3'
+          request.headers['X-Authorization-Content-SHA256'] = '3'
         end
         it 'is true' do
-          expect(driven_request.md5_mismatch?).to be true
+          expect(driven_request.content_hash_mismatch?).to be true
         end
       end
     end
     context 'when deleting' do
       before do
-        request.method = :delete
+        request.http_method = :delete
       end
       it 'is false' do
-        expect(driven_request.md5_mismatch?).to be false
+        expect(driven_request.content_hash_mismatch?).to be false
       end
     end
   end
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
 end

data/spec/request_drivers/grape_request_spec.rb ADDED Viewed

@@ -0,0 +1,280 @@
+require 'spec_helper'
+describe ApiAuth::RequestDrivers::GrapeRequest do
+  let(:default_method) { 'PUT' }
+  let(:default_params) do
+    { 'message' => "hello\nworld" }
+  end
+  let(:default_options) do
+    {
+      method: method,
+      params: params
+    }
+  end
+  let(:default_env) do
+    Rack::MockRequest.env_for('/', options)
+  end
+  let(:method) { default_method }
+  let(:params) { default_params }
+  let(:options) { default_options.merge(request_headers) }
+  let(:env) { default_env }
+  let(:request) do
+    Grape::Request.new(env)
+  end
+  let(:timestamp) { Time.now.utc.httpdate }
+  let(:request_headers) do
+    {
+      'HTTP_X_AUTHORIZATION' => 'APIAuth 1044:12345',
+      'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => 'bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=',
+      'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain',
+      'HTTP_X_HMAC_DATE' => timestamp
+    }
+  end
+  subject(:driven_request) { ApiAuth::RequestDrivers::GrapeRequest.new(request) }
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+    end
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('http://example.org/')
+    end
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+      end
+      context 'no body' do
+        let(:params) { {} }
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+        end
+      end
+    end
+    describe 'http_method' do
+      context 'when put request' do
+        let(:method) { 'put' }
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+      context 'when get request' do
+        let(:method) { 'get' }
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+  describe 'setting headers correctly' do
+    let(:request_headers) do
+      {
+        'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain'
+      }
+    end
+    describe '#populate_content_hash' do
+      context 'when getting' do
+        let(:method) { 'get' }
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to be_nil
+        end
+      end
+      context 'when posting' do
+        let(:method) { 'post' }
+        it 'populates content bash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+      end
+      context 'when putting' do
+        let(:method) { 'put' }
+        it 'populates content hash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+      end
+      context 'when deleting' do
+        let(:method) { 'delete' }
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to be_nil
+        end
+      end
+    end
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+      it 'sets the date header of the request' do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+        driven_request.set_date
+        expect(request.headers['Date']).to eq(timestamp)
+      end
+      it 'refreshes the cached headers' do
+        driven_request.set_date
+        expect(driven_request.timestamp).to eq(timestamp)
+      end
+    end
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request.headers['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+  describe 'content_hash_mismatch?' do
+    context 'when getting' do
+      let(:method) { 'get' }
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+    context 'when posting' do
+      let(:method) { 'post' }
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+    context 'when putting' do
+      let(:method) { 'put' }
+      context 'when calculated matches sent' do
+        it 'is false' do
+          puts driven_request.calculated_hash
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+    context 'when deleting' do
+      let(:method) { 'delete' }
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+  end
+  describe 'authentics?' do
+    let(:request_headers) { {} }
+    let(:signed_request) do
+      ApiAuth.sign!(request, '1044', '123')
+    end
+    context 'when getting' do
+      let(:method) { 'get' }
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+    context 'when posting' do
+      let(:method) { 'post' }
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+    context 'when putting' do
+      let(:method) { 'put' }
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+    context 'when deleting' do
+      let(:method) { 'delete' }
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+  end
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include(
+        'CONTENT_TYPE' => 'application/x-www-form-urlencoded'
+      )
+    end
+  end
+end