api-auth 2.3.1 → 2.5.1

data/spec/request_drivers/action_controller_spec.rb

@@ -4,6 +4,7 @@ if defined?(ActionController::Request)
 
   describe ApiAuth::RequestDrivers::ActionControllerRequest do
     let(:timestamp) { Time.now.utc.httpdate }
+    let(:content_sha256) { '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
 
     let(:request) do
       ActionController::Request.new(
@@ -11,7 +12,35 @@ if defined?(ActionController::Request)
         'PATH_INFO' => '/resource.xml',
         'QUERY_STRING' => 'foo=bar&bar=foo',
         'REQUEST_METHOD' => 'PUT',
-        'CONTENT_MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+        'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request2) do
+      ActionController::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request3) do
+      ActionController::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X-AUTHORIZATION-CONTENT-SHA256' => content_sha256,
         'CONTENT_TYPE' => 'text/plain',
         'CONTENT_LENGTH' => '11',
         'HTTP_DATE' => timestamp,
@@ -26,8 +55,18 @@ if defined?(ActionController::Request)
         expect(driven_request.content_type).to eq('text/plain')
       end
 
-      it 'gets the content_md5' do
-        expect(driven_request.content_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+      it 'gets the content_hash' do
+        expect(driven_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 2' do
+        example_request = ApiAuth::RequestDrivers::ActionControllerRequest.new(request2)
+        expect(example_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 3' do
+        example_request = ApiAuth::RequestDrivers::ActionControllerRequest.new(request3)
+        expect(example_request.content_hash).to eq(content_sha256)
       end
 
       it 'gets the request_uri' do
@@ -42,15 +81,15 @@ if defined?(ActionController::Request)
         expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
       end
 
-      describe '#calculated_md5' do
-        it 'calculates md5 from the body' do
-          expect(driven_request.calculated_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+      describe '#calculated_hash' do
+        it 'calculates hash from the body' do
+          expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
 
         it 'treats no body as empty string' do
           request.env['rack.input'] = StringIO.new
           request.env['CONTENT_LENGTH'] = 0
-          expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+          expect(driven_request.calculated_hash).to eq(content_sha256)
         end
       end
 
@@ -89,46 +128,46 @@ if defined?(ActionController::Request)
         )
       end
 
-      describe '#populate_content_md5' do
+      describe '#populate_content_hash' do
         context 'when getting' do
-          it "doesn't populate content-md5" do
+          it "doesn't populate content hash" do
             request.env['REQUEST_METHOD'] = 'GET'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to be_nil
+            driven_request.populate_content_hash
+            expect(request.env['X-Authorization-Content-SHA256']).to be_nil
           end
         end
 
         context 'when posting' do
-          it 'populates content-md5' do
+          it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'POST'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(request.env['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
 
           it 'refreshes the cached headers' do
-            driven_request.populate_content_md5
-            expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
         end
 
         context 'when putting' do
-          it 'populates content-md5' do
+          it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'PUT'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(request.env['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
 
           it 'refreshes the cached headers' do
-            driven_request.populate_content_md5
-            expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
         end
 
         context 'when deleting' do
-          it "doesn't populate content-md5" do
+          it "doesn't populate content hash" do
             request.env['REQUEST_METHOD'] = 'DELETE'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to be_nil
+            driven_request.populate_content_hash
+            expect(request.env['X-Authorization-Content-SHA256']).to be_nil
           end
         end
       end
@@ -157,14 +196,14 @@ if defined?(ActionController::Request)
       end
     end
 
-    describe 'md5_mismatch?' do
+    describe 'content_hash_mismatch?' do
       context 'when getting' do
         before do
           request.env['REQUEST_METHOD'] = 'GET'
         end
 
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
 
@@ -175,21 +214,21 @@ if defined?(ActionController::Request)
 
         context 'when calculated matches sent' do
           before do
-            request.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+            request.env['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
           end
 
           it 'is false' do
-            expect(driven_request.md5_mismatch?).to be false
+            expect(driven_request.content_hash_mismatch?).to be false
           end
         end
 
         context "when calculated doesn't match sent" do
           before do
-            request.env['CONTENT_MD5'] = '3'
+            request.env['X-Authorization-Content-SHA256'] = '3'
           end
 
           it 'is true' do
-            expect(driven_request.md5_mismatch?).to be true
+            expect(driven_request.content_hash_mismatch?).to be true
           end
         end
       end
@@ -201,21 +240,21 @@ if defined?(ActionController::Request)
 
         context 'when calculated matches sent' do
           before do
-            request.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+            request.env['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
           end
 
           it 'is false' do
-            expect(driven_request.md5_mismatch?).to be false
+            expect(driven_request.content_hash_mismatch?).to be false
           end
         end
 
         context "when calculated doesn't match sent" do
           before do
-            request.env['CONTENT_MD5'] = '3'
+            request.env['X-Authorization-Content-SHA256'] = '3'
           end
 
           it 'is true' do
-            expect(driven_request.md5_mismatch?).to be true
+            expect(driven_request.content_hash_mismatch?).to be true
           end
         end
       end
@@ -226,7 +265,7 @@ if defined?(ActionController::Request)
         end
 
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
     end

data/spec/request_drivers/action_dispatch_spec.rb

@@ -4,6 +4,7 @@ if defined?(ActionDispatch::Request)
 
   describe ApiAuth::RequestDrivers::ActionDispatchRequest do
     let(:timestamp) { Time.now.utc.httpdate }
+    let(:content_sha256) { '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
 
     let(:request) do
       ActionDispatch::Request.new(
@@ -11,7 +12,35 @@ if defined?(ActionDispatch::Request)
         'PATH_INFO' => '/resource.xml',
         'QUERY_STRING' => 'foo=bar&bar=foo',
         'REQUEST_METHOD' => 'PUT',
-        'CONTENT_MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+        'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request2) do
+      ActionDispatch::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request3) do
+      ActionDispatch::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X-AUTHORIZATION-CONTENT-SHA256' => content_sha256,
         'CONTENT_TYPE' => 'text/plain',
         'CONTENT_LENGTH' => '11',
         'HTTP_DATE' => timestamp,
@@ -26,8 +55,18 @@ if defined?(ActionDispatch::Request)
         expect(driven_request.content_type).to eq('text/plain')
       end
 
-      it 'gets the content_md5' do
-        expect(driven_request.content_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+      it 'gets the content_hash' do
+        expect(driven_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 2' do
+        example_request = ApiAuth::RequestDrivers::ActionDispatchRequest.new(request2)
+        expect(example_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 3' do
+        example_request = ApiAuth::RequestDrivers::ActionDispatchRequest.new(request3)
+        expect(example_request.content_hash).to eq(content_sha256)
       end
 
       it 'gets the request_uri' do
@@ -42,15 +81,15 @@ if defined?(ActionDispatch::Request)
         expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
       end
 
-      describe '#calculated_md5' do
-        it 'calculates md5 from the body' do
-          expect(driven_request.calculated_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+      describe '#calculated_hash' do
+        it 'calculates hash from the body' do
+          expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
         end
 
         it 'treats no body as empty string' do
           request.env['rack.input'] = StringIO.new
           request.env['CONTENT_LENGTH'] = 0
-          expect(driven_request.calculated_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
         end
       end
 
@@ -89,46 +128,46 @@ if defined?(ActionDispatch::Request)
         )
       end
 
-      describe '#populate_content_md5' do
+      describe '#populate_content_hash' do
         context 'when getting' do
-          it "doesn't populate content-md5" do
+          it "doesn't populate content hash" do
             request.env['REQUEST_METHOD'] = 'GET'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to be_nil
+            driven_request.populate_content_hash
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to be_nil
           end
         end
 
         context 'when posting' do
-          it 'populates content-md5' do
+          it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'POST'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
 
           it 'refreshes the cached headers' do
-            driven_request.populate_content_md5
-            expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
         end
 
         context 'when putting' do
-          it 'populates content-md5' do
+          it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'PUT'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
 
           it 'refreshes the cached headers' do
-            driven_request.populate_content_md5
-            expect(driven_request.content_md5).to eq('kZXQvrKoieG+Be1rsZVINw==')
+            driven_request.populate_content_hash
+            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
           end
         end
 
         context 'when deleting' do
-          it "doesn't populate content-md5" do
+          it "doesn't populate content hash" do
             request.env['REQUEST_METHOD'] = 'DELETE'
-            driven_request.populate_content_md5
-            expect(request.env['Content-MD5']).to be_nil
+            driven_request.populate_content_hash
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to be_nil
           end
         end
       end
@@ -157,14 +196,14 @@ if defined?(ActionDispatch::Request)
       end
     end
 
-    describe 'md5_mismatch?' do
+    describe 'content_hash_mismatch?' do
       context 'when getting' do
         before do
           request.env['REQUEST_METHOD'] = 'GET'
         end
 
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
 
@@ -175,21 +214,21 @@ if defined?(ActionDispatch::Request)
 
         context 'when calculated matches sent' do
           before do
-            request.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+            request.env['X-AUTHORIZATION-CONTENT-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
           end
 
           it 'is false' do
-            expect(driven_request.md5_mismatch?).to be false
+            expect(driven_request.content_hash_mismatch?).to be false
           end
         end
 
         context "when calculated doesn't match sent" do
           before do
-            request.env['CONTENT_MD5'] = '3'
+            request.env['X-AUTHORIZATION-CONTENT-SHA256'] = '3'
           end
 
           it 'is true' do
-            expect(driven_request.md5_mismatch?).to be true
+            expect(driven_request.content_hash_mismatch?).to be true
           end
         end
       end
@@ -201,21 +240,21 @@ if defined?(ActionDispatch::Request)
 
         context 'when calculated matches sent' do
           before do
-            request.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
+            request.env['X-AUTHORIZATION-CONTENT-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
           end
 
           it 'is false' do
-            expect(driven_request.md5_mismatch?).to be false
+            expect(driven_request.content_hash_mismatch?).to be false
           end
         end
 
         context "when calculated doesn't match sent" do
           before do
-            request.env['CONTENT_MD5'] = '3'
+            request.env['X-AUTHORIZATION-CONTENT-SHA256'] = '3'
           end
 
           it 'is true' do
-            expect(driven_request.md5_mismatch?).to be true
+            expect(driven_request.content_hash_mismatch?).to be true
           end
         end
       end
@@ -226,7 +265,7 @@ if defined?(ActionDispatch::Request)
         end
 
         it 'is false' do
-          expect(driven_request.md5_mismatch?).to be false
+          expect(driven_request.content_hash_mismatch?).to be false
         end
       end
     end

data/spec/request_drivers/curb_spec.rb

@@ -6,7 +6,7 @@ describe ApiAuth::RequestDrivers::CurbRequest do
   let(:request) do
     headers = {
       'Authorization' => 'APIAuth 1044:12345',
-      'Content-MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+      'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
       'Content-Type' => 'text/plain',
       'Date' => timestamp
     }
@@ -22,8 +22,8 @@ describe ApiAuth::RequestDrivers::CurbRequest do
       expect(driven_request.content_type).to eq('text/plain')
     end
 
-    it 'gets the content_md5' do
-      expect(driven_request.content_md5).to eq('1B2M2Y8AsgTpgAmY7PhCfg==')
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
     end
 
     it 'gets the request_uri' do
@@ -55,10 +55,10 @@ describe ApiAuth::RequestDrivers::CurbRequest do
       end
     end
 
-    describe '#populate_content_md5' do
+    describe '#populate_content_hash' do
       it 'is a no-op' do
-        expect(driven_request.populate_content_md5).to be_nil
-        expect(request.headers['Content-MD5']).to be_nil
+        expect(driven_request.populate_content_hash).to be_nil
+        expect(request.headers['X-Authorization-Content-SHA256']).to be_nil
       end
     end
 
@@ -86,9 +86,9 @@ describe ApiAuth::RequestDrivers::CurbRequest do
     end
   end
 
-  describe 'md5_mismatch?' do
+  describe 'content_hash_mismatch?' do
     it 'is always false' do
-      expect(driven_request.md5_mismatch?).to be false
+      expect(driven_request.content_hash_mismatch?).to be false
     end
   end