RubyGems - api-auth - Versions diffs - 2.2.1 → 2.5.0 - Mend

api-auth 2.2.1 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

checksums.yaml +4 -4
data/.rubocop.yml +12 -2
data/.rubocop_todo.yml +51 -9
data/.travis.yml +9 -25
data/CHANGELOG.md +36 -0
data/Gemfile +1 -1
data/README.md +91 -50
data/VERSION +1 -1
data/api_auth.gemspec +7 -5
data/gemfiles/http4.gemfile +3 -3
data/gemfiles/rails_52.gemfile +9 -0
data/gemfiles/rails_60.gemfile +9 -0
data/gemfiles/rails_61.gemfile +11 -0
data/lib/api_auth.rb +1 -0
data/lib/api_auth/base.rb +4 -4
data/lib/api_auth/headers.rb +22 -11
data/lib/api_auth/helpers.rb +2 -2
data/lib/api_auth/railtie.rb +13 -5
data/lib/api_auth/request_drivers/action_controller.rb +9 -8
data/lib/api_auth/request_drivers/curb.rb +4 -4
data/lib/api_auth/request_drivers/faraday.rb +13 -12
data/lib/api_auth/request_drivers/grape_request.rb +87 -0
data/lib/api_auth/request_drivers/http.rb +13 -8
data/lib/api_auth/request_drivers/httpi.rb +9 -8
data/lib/api_auth/request_drivers/net_http.rb +9 -8
data/lib/api_auth/request_drivers/rack.rb +9 -8
data/lib/api_auth/request_drivers/rest_client.rb +9 -8
data/spec/api_auth_spec.rb +15 -8
data/spec/headers_spec.rb +51 -25
data/spec/helpers_spec.rb +1 -1
data/spec/railtie_spec.rb +3 -3
data/spec/request_drivers/action_controller_spec.rb +45 -39
data/spec/request_drivers/action_dispatch_spec.rb +51 -45
data/spec/request_drivers/curb_spec.rb +16 -10
data/spec/request_drivers/faraday_spec.rb +49 -43
data/spec/request_drivers/grape_request_spec.rb +280 -0
data/spec/request_drivers/http_spec.rb +29 -23
data/spec/request_drivers/httpi_spec.rb +28 -22
data/spec/request_drivers/net_http_spec.rb +29 -23
data/spec/request_drivers/rack_spec.rb +41 -35
data/spec/request_drivers/rest_client_spec.rb +42 -36
data/spec/spec_helper.rb +2 -1
metadata +51 -26
data/gemfiles/http2.gemfile +0 -7
data/gemfiles/http3.gemfile +0 -7
data/gemfiles/rails_4.gemfile +0 -11
data/gemfiles/rails_41.gemfile +0 -11
data/gemfiles/rails_42.gemfile +0 -11
data/gemfiles/rails_5.gemfile +0 -11
data/gemfiles/rails_51.gemfile +0 -9
data/spec/.rubocop.yml +0 -5

data/spec/request_drivers/faraday_spec.rb CHANGED Viewed

@@ -20,7 +20,7 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
   let(:request_headers) do
     {
       'Authorization' => 'APIAuth 1044:12345',
-      'Content-MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+      'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
       'content-type' => 'text/plain',
       'DATE' => timestamp
     }
@@ -44,8 +44,8 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       expect(driven_request.content_type).to eq('text/plain')
     end
-    it 'gets the content_md5' do
-      expect(driven_request.content_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
     end
     it 'gets the request_uri' do
@@ -60,14 +60,14 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
     end
-    describe '#calculated_md5' do
-      it 'calculates md5 from the body' do
-        expect(driven_request.calculated_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
       end
       it 'treats no body as empty string' do
         request.body = nil
-        expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+        expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
       end
     end
@@ -115,46 +115,46 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
       }
     end
-    describe '#populate_content_md5' do
+    describe '#populate_content_hash' do
       context 'when getting' do
-        it "doesn't populate content-md5" do
-          request.method = :get
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to be_nil
+        it "doesn't populate content hash" do
+          request.http_method = :get
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to be_nil
         end
       end
       context 'when posting' do
-        it 'populates content-md5' do
-          request.method = :post
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+        it 'populates content hash' do
+          request.http_method = :post
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
         it 'refreshes the cached headers' do
-          driven_request.populate_content_md5
-          expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
       end
       context 'when putting' do
-        it 'populates content-md5' do
-          request.method = :put
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+        it 'populates content hash' do
+          request.http_method = :put
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
         it 'refreshes the cached headers' do
-          driven_request.populate_content_md5
-          expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
       end
       context 'when deleting' do
-        it "doesn't populate content-md5" do
-          request.method = :delete
-          driven_request.populate_content_md5
-          expect(request.headers['Content-MD5']).to be_nil
+        it "doesn't populate content hash" do
+          request.http_method = :delete
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-SHA256']).to be_nil
         end
       end
     end
@@ -183,77 +183,83 @@ describe ApiAuth::RequestDrivers::FaradayRequest do
     end
   end
-  describe 'md5_mismatch?' do
+  describe 'content_hash_mismatch?' do
     context 'when getting' do
       before do
-        request.method = :get
+        request.http_method = :get
       end
       it 'is false' do
-        expect(driven_request.md5_mismatch?).to be false
+        expect(driven_request.content_hash_mismatch?).to be false
       end
     end
     context 'when posting' do
       before do
-        request.method = :post
+        request.http_method = :post
       end
       context 'when calculated matches sent' do
         before do
-          request.headers['Content-MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+          request.headers['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
         end
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
       context "when calculated doesn't match sent" do
         before do
-          request.headers['Content-MD5'] = '3'
+          request.headers['X-Authorization-Content-SHA256'] = '3'
         end
         it 'is true' do
-          expect(driven_request.md5_mismatch?).to be true
+          expect(driven_request.content_hash_mismatch?).to be true
         end
       end
     end
     context 'when putting' do
       before do
-        request.method = :put
+        request.http_method = :put
       end
       context 'when calculated matches sent' do
         before do
-          request.headers['Content-MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+          request.headers['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
         end
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
       context "when calculated doesn't match sent" do
         before do
-          request.headers['Content-MD5'] = '3'
+          request.headers['X-Authorization-Content-SHA256'] = '3'
         end
         it 'is true' do
-          expect(driven_request.md5_mismatch?).to be true
+          expect(driven_request.content_hash_mismatch?).to be true
         end
       end
     end
     context 'when deleting' do
       before do
-        request.method = :delete
+        request.http_method = :delete
       end
       it 'is false' do
-        expect(driven_request.md5_mismatch?).to be false
+        expect(driven_request.content_hash_mismatch?).to be false
       end
     end
   end
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
 end

data/spec/request_drivers/grape_request_spec.rb ADDED Viewed

@@ -0,0 +1,280 @@
+require 'spec_helper'
+describe ApiAuth::RequestDrivers::GrapeRequest do
+  let(:default_method) { 'PUT' }
+  let(:default_params) do
+    { 'message' => "hello\nworld" }
+  end
+  let(:default_options) do
+    {
+      method: method,
+      params: params
+    }
+  end
+  let(:default_env) do
+    Rack::MockRequest.env_for('/', options)
+  end
+  let(:method) { default_method }
+  let(:params) { default_params }
+  let(:options) { default_options.merge(request_headers) }
+  let(:env) { default_env }
+  let(:request) do
+    Grape::Request.new(env)
+  end
+  let(:timestamp) { Time.now.utc.httpdate }
+  let(:request_headers) do
+    {
+      'HTTP_X_AUTHORIZATION' => 'APIAuth 1044:12345',
+      'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => 'bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=',
+      'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain',
+      'HTTP_X_HMAC_DATE' => timestamp
+    }
+  end
+  subject(:driven_request) { ApiAuth::RequestDrivers::GrapeRequest.new(request) }
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+    end
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('http://example.org/')
+    end
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+      end
+      context 'no body' do
+        let(:params) { {} }
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+        end
+      end
+    end
+    describe 'http_method' do
+      context 'when put request' do
+        let(:method) { 'put' }
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+      context 'when get request' do
+        let(:method) { 'get' }
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+  describe 'setting headers correctly' do
+    let(:request_headers) do
+      {
+        'HTTP_X_HMAC_CONTENT_TYPE' => 'text/plain'
+      }
+    end
+    describe '#populate_content_hash' do
+      context 'when getting' do
+        let(:method) { 'get' }
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to be_nil
+        end
+      end
+      context 'when posting' do
+        let(:method) { 'post' }
+        it 'populates content bash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+      end
+      context 'when putting' do
+        let(:method) { 'put' }
+        it 'populates content hash' do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('bxVSdFeR6aHBtw7+EBi5Bt8KllUZpUutOg9ChQmaSPA=')
+        end
+      end
+      context 'when deleting' do
+        let(:method) { 'delete' }
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.headers['X-Authorization-Content-Sha256']).to be_nil
+        end
+      end
+    end
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+      it 'sets the date header of the request' do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+        driven_request.set_date
+        expect(request.headers['Date']).to eq(timestamp)
+      end
+      it 'refreshes the cached headers' do
+        driven_request.set_date
+        expect(driven_request.timestamp).to eq(timestamp)
+      end
+    end
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request.headers['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+  describe 'content_hash_mismatch?' do
+    context 'when getting' do
+      let(:method) { 'get' }
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+    context 'when posting' do
+      let(:method) { 'post' }
+      context 'when calculated matches sent' do
+        it 'is false' do
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+    context 'when putting' do
+      let(:method) { 'put' }
+      context 'when calculated matches sent' do
+        it 'is false' do
+          puts driven_request.calculated_hash
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+      context "when calculated doesn't match sent" do
+        let(:params) { { 'message' => 'hello only' } }
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+    context 'when deleting' do
+      let(:method) { 'delete' }
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+  end
+  describe 'authentics?' do
+    let(:request_headers) { {} }
+    let(:signed_request) do
+      ApiAuth.sign!(request, '1044', '123')
+    end
+    context 'when getting' do
+      let(:method) { 'get' }
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+    context 'when posting' do
+      let(:method) { 'post' }
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+    context 'when putting' do
+      let(:method) { 'put' }
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+    context 'when deleting' do
+      let(:method) { 'delete' }
+      let(:signed_request) do
+        ApiAuth.sign!(request, '1044', '123')
+      end
+      it 'validates that the signature in the request header matches the way we sign it' do
+        expect(ApiAuth.authentic?(signed_request, '123')).to eq true
+      end
+    end
+  end
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include(
+        'CONTENT_TYPE' => 'application/x-www-form-urlencoded'
+      )
+    end
+  end
+end