api-auth 2.5.0 → 2.6.0

data/lib/api_auth/request_drivers/faraday_env.rb

@@ -0,0 +1,102 @@
+module ApiAuth
+  module RequestDrivers # :nodoc:
+    # Internally, Faraday uses the class Faraday::Env to represent requests. The class is not meant
+    # to be directly exposed to users, but this is what Faraday middlewares work with. See
+    # <https://lostisland.github.io/faraday/middleware/>.
+    class FaradayEnv
+      include ApiAuth::Helpers
+
+      def initialize(env)
+        @env = env
+      end
+
+      def set_auth_header(header)
+        @env.request_headers['Authorization'] = header
+        @env
+      end
+
+      def calculated_hash
+        sha256_base64digest(body)
+      end
+
+      def populate_content_hash
+        return unless %w[POST PUT PATCH].include?(http_method)
+
+        @env.request_headers['X-Authorization-Content-SHA256'] = calculated_hash
+      end
+
+      def content_hash_mismatch?
+        if %w[POST PUT PATCH].include?(http_method)
+          calculated_hash != content_hash
+        else
+          false
+        end
+      end
+
+      def http_method
+        @env.method.to_s.upcase
+      end
+
+      def content_type
+        type = find_header(%w[CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE])
+
+        # When sending a body-less POST request, the Content-Type is set at the last minute by the
+        # Net::HTTP adapter, which states in the documentation for Net::HTTP#post:
+        #
+        # > You should set Content-Type: header field for POST. If no Content-Type: field given,
+        # > this method uses “application/x-www-form-urlencoded” by default.
+        #
+        # The same applies to PATCH and PUT. Hopefully the other HTTP adapters behave similarly.
+        #
+        type ||= 'application/x-www-form-urlencoded' if %w[POST PATCH PUT].include?(http_method)
+
+        type
+      end
+
+      def content_hash
+        find_header(%w[X-AUTHORIZATION-CONTENT-SHA256])
+      end
+
+      def original_uri
+        find_header(%w[X-ORIGINAL-URI X_ORIGINAL_URI HTTP_X_ORIGINAL_URI])
+      end
+
+      def request_uri
+        @env.url.request_uri
+      end
+
+      def set_date
+        @env.request_headers['Date'] = Time.now.utc.httpdate
+      end
+
+      def timestamp
+        find_header(%w[DATE HTTP_DATE])
+      end
+
+      def authorization_header
+        find_header(%w[Authorization AUTHORIZATION HTTP_AUTHORIZATION])
+      end
+
+      def body
+        body_source = @env.request_body
+        if body_source.respond_to?(:read)
+          result = body_source.read
+          body_source.rewind
+          result
+        else
+          body_source.to_s
+        end
+      end
+
+      def fetch_headers
+        capitalize_keys @env.request_headers
+      end
+
+      private
+
+      def find_header(keys)
+        keys.map { |key| @env.request_headers[key] }.compact.first
+      end
+    end
+  end
+end

data/lib/api_auth.rb

@@ -14,6 +14,7 @@ require 'api_auth/request_drivers/action_dispatch'
 require 'api_auth/request_drivers/rack'
 require 'api_auth/request_drivers/httpi'
 require 'api_auth/request_drivers/faraday'
+require 'api_auth/request_drivers/faraday_env'
 require 'api_auth/request_drivers/http'
 
 require 'api_auth/headers'

data/lib/faraday/api_auth/middleware.rb

@@ -0,0 +1,35 @@
+require 'api_auth'
+
+module Faraday
+  module ApiAuth
+    # Request middleware for Faraday. It takes the same arguments as ApiAuth.sign!.
+    #
+    # You will usually need to include it after the other middlewares since ApiAuth needs to hash
+    # the final request.
+    #
+    # Usage:
+    #
+    # ```ruby
+    # require 'faraday/api_auth'
+    #
+    # conn = Faraday.new do |f|
+    #   f.request :api_auth, access_id, secret_key
+    #   # Alternatively:
+    #   # f.use Faraday::ApiAuth::Middleware, access_id, secret_key
+    # end
+    # ```
+    #
+    class Middleware < Faraday::Middleware
+      def initialize(app, access_id, secret_key, options = {})
+        super(app)
+        @access_id = access_id
+        @secret_key = secret_key
+        @options = options
+      end
+
+      def on_request(env)
+        ::ApiAuth.sign!(env, @access_id, @secret_key, @options)
+      end
+    end
+  end
+end

data/lib/faraday/api_auth.rb

@@ -0,0 +1,8 @@
+require_relative 'api_auth/middleware'
+
+module Faraday
+  # Integrate ApiAuth into Faraday.
+  module ApiAuth
+    Faraday::Request.register_middleware(api_auth: Middleware)
+  end
+end

data/spec/api_auth_spec.rb

@@ -24,7 +24,7 @@ describe 'ApiAuth' do
   end
 
   describe '.sign!' do
-    let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
+    let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
     let(:headers) { ApiAuth::Headers.new(request) }
 
     it 'generates date header before signing' do
@@ -182,7 +182,7 @@ describe 'ApiAuth' do
     context 'normal APIAuth Auth header' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :get,
           headers: { authorization: 'APIAuth 1044:aGVsbG8gd29ybGQ=' }
         )
@@ -196,7 +196,7 @@ describe 'ApiAuth' do
     context 'Corporate prefixed APIAuth header' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :get,
           headers: { authorization: 'Corporate APIAuth 1044:aGVsbG8gd29ybGQ=' }
         )

data/spec/faraday_middleware_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'faraday/api_auth'
+
+describe Faraday::ApiAuth::Middleware do
+  it 'adds the Authorization headers' do
+    conn = Faraday.new('http://localhost/') do |f|
+      f.request :api_auth, 'foo', 'secret', digest: 'sha256'
+      f.adapter :test do |stub|
+        stub.get('http://localhost/test') do |env|
+          [200, {}, env.request_headers['Authorization']]
+        end
+      end
+    end
+    response = conn.get('test', nil, { 'Date' => 'Tue, 02 Aug 2022 09:29:24 GMT' })
+    expect(response.body).to eq 'APIAuth-HMAC-SHA256 foo:Tn/lIZ9kphcO32DwG4wFHenqBt37miDEIkA5ykLgGiQ='
+  end
+end

data/spec/headers_spec.rb

@@ -8,7 +8,7 @@ describe ApiAuth::Headers do
       let(:uri) { '' }
 
       context 'uri with just host without /' do
-        let(:uri) { 'http://google.com'.freeze }
+        let(:uri) { 'https://google.com'.freeze }
 
         it 'return / as canonical string path' do
           expect(subject.canonical_string).to eq('GET,,,/,')
@@ -20,7 +20,7 @@ describe ApiAuth::Headers do
       end
 
       context 'uri with host and /' do
-        let(:uri) { 'http://google.com/'.freeze }
+        let(:uri) { 'https://google.com/'.freeze }
 
         it 'return / as canonical string path' do
           expect(subject.canonical_string).to eq('GET,,,/,')
@@ -31,8 +31,8 @@ describe ApiAuth::Headers do
         end
       end
 
-      context 'uri has a string matching http:// in it' do
-        let(:uri) { 'http://google.com/?redirect_to=https://www.example.com'.freeze }
+      context 'uri has a string matching https:// in it' do
+        let(:uri) { 'https://google.com/?redirect_to=https://www.example.com'.freeze }
 
         it 'return /?redirect_to=https://www.example.com as canonical string path' do
           expect(subject.canonical_string).to eq('GET,,,/?redirect_to=https://www.example.com,')
@@ -46,7 +46,7 @@ describe ApiAuth::Headers do
 
     context 'string construction' do
       context 'with a driver that supplies http_method' do
-        let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
+        let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
         subject(:headers) { described_class.new(request) }
         let(:driver) { headers.instance_variable_get('@request') }
 
@@ -161,7 +161,7 @@ describe ApiAuth::Headers do
     context 'no content hash already calculated' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :post,
           payload: "hello\nworld"
         )
@@ -176,7 +176,7 @@ describe ApiAuth::Headers do
     context 'hash already calculated' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :post,
           payload: "hello\nworld",
           headers: { 'X-Authorization-Content-SHA256' => 'abcd' }
@@ -191,7 +191,7 @@ describe ApiAuth::Headers do
   end
 
   describe '#content_hash_mismatch?' do
-    let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
+    let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
     subject(:headers) { described_class.new(request) }
     let(:driver) { headers.instance_variable_get('@request') }
 

data/spec/railtie_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'action_controller/test_case'
 
 describe 'Rails integration' do
   API_KEY_STORE = { '1044' => 'l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==' }.freeze
@@ -116,7 +117,7 @@ describe 'Rails integration' do
   describe 'Rails ActiveResource integration' do
     class TestResource < ActiveResource::Base
       with_api_auth '1044', API_KEY_STORE['1044']
-      self.site = 'http://localhost/'
+      self.site = 'https://localhost/'
       self.format = :xml
     end
 

data/spec/request_drivers/action_controller_spec.rb

@@ -4,6 +4,7 @@ if defined?(ActionController::Request)
 
   describe ApiAuth::RequestDrivers::ActionControllerRequest do
     let(:timestamp) { Time.now.utc.httpdate }
+    let(:content_sha256) { '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
 
     let(:request) do
       ActionController::Request.new(
@@ -11,7 +12,35 @@ if defined?(ActionController::Request)
         'PATH_INFO' => '/resource.xml',
         'QUERY_STRING' => 'foo=bar&bar=foo',
         'REQUEST_METHOD' => 'PUT',
-        'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+        'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request2) do
+      ActionController::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request3) do
+      ActionController::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X-AUTHORIZATION-CONTENT-SHA256' => content_sha256,
         'CONTENT_TYPE' => 'text/plain',
         'CONTENT_LENGTH' => '11',
         'HTTP_DATE' => timestamp,
@@ -27,7 +56,17 @@ if defined?(ActionController::Request)
       end
 
       it 'gets the content_hash' do
-        expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+        expect(driven_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 2' do
+        example_request = ApiAuth::RequestDrivers::ActionControllerRequest.new(request2)
+        expect(example_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 3' do
+        example_request = ApiAuth::RequestDrivers::ActionControllerRequest.new(request3)
+        expect(example_request.content_hash).to eq(content_sha256)
       end
 
       it 'gets the request_uri' do
@@ -50,7 +89,7 @@ if defined?(ActionController::Request)
         it 'treats no body as empty string' do
           request.env['rack.input'] = StringIO.new
           request.env['CONTENT_LENGTH'] = 0
-          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+          expect(driven_request.calculated_hash).to eq(content_sha256)
         end
       end
 

data/spec/request_drivers/action_dispatch_spec.rb

@@ -4,6 +4,8 @@ if defined?(ActionDispatch::Request)
 
   describe ApiAuth::RequestDrivers::ActionDispatchRequest do
     let(:timestamp) { Time.now.utc.httpdate }
+    let(:content_sha256) { '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
+    let(:content_md5) { '+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
 
     let(:request) do
       ActionDispatch::Request.new(
@@ -11,7 +13,49 @@ if defined?(ActionDispatch::Request)
         'PATH_INFO' => '/resource.xml',
         'QUERY_STRING' => 'foo=bar&bar=foo',
         'REQUEST_METHOD' => 'PUT',
-        'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+        'HTTP_X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request2) do
+      ActionDispatch::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X_AUTHORIZATION_CONTENT_SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request3) do
+      ActionDispatch::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'X-AUTHORIZATION-CONTENT-SHA256' => content_sha256,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
+    let(:request_md5) do
+      ActionDispatch::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'CONTENT_MD5' => content_md5,
         'CONTENT_TYPE' => 'text/plain',
         'CONTENT_LENGTH' => '11',
         'HTTP_DATE' => timestamp,
@@ -20,6 +64,11 @@ if defined?(ActionDispatch::Request)
     end
 
     subject(:driven_request) { ApiAuth::RequestDrivers::ActionDispatchRequest.new(request) }
+    subject(:driven_request_md5) do
+      ApiAuth::RequestDrivers::ActionDispatchRequest.new(request_md5,
+                                                         authorize_md5: true)
+    end
+    subject(:driven_request_sha2_with_md5) { ApiAuth::RequestDrivers::ActionDispatchRequest.new(request, authorize_md5: true) }
 
     describe 'getting headers correctly' do
       it 'gets the content_type' do
@@ -27,7 +76,22 @@ if defined?(ActionDispatch::Request)
       end
 
       it 'gets the content_hash' do
-        expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+        expect(driven_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 2' do
+        example_request = ApiAuth::RequestDrivers::ActionDispatchRequest.new(request2)
+        expect(example_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request 3' do
+        example_request = ApiAuth::RequestDrivers::ActionDispatchRequest.new(request3)
+        expect(example_request.content_hash).to eq(content_sha256)
+      end
+
+      it 'gets the content_hash for request_md5' do
+        example_request = ApiAuth::RequestDrivers::ActionDispatchRequest.new(request_md5, authorize_md5: true)
+        expect(example_request.content_hash).to eq(content_md5)
       end
 
       it 'gets the request_uri' do
@@ -44,13 +108,17 @@ if defined?(ActionDispatch::Request)
 
       describe '#calculated_hash' do
         it 'calculates hash from the body' do
-          expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+          expect(driven_request.calculated_hash).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
+        end
+
+        it 'calculates hashes from the body with md5 compatibility option' do
+          expect(driven_request_md5.calculated_hash).to eq(%w[JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g= kZXQvrKoieG+Be1rsZVINw==])
         end
 
         it 'treats no body as empty string' do
           request.env['rack.input'] = StringIO.new
           request.env['CONTENT_LENGTH'] = 0
-          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+          expect(driven_request.calculated_hash).to eq(['47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='])
         end
       end
 
@@ -102,12 +170,12 @@ if defined?(ActionDispatch::Request)
           it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'POST'
             driven_request.populate_content_hash
-            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
 
           it 'refreshes the cached headers' do
             driven_request.populate_content_hash
-            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(driven_request.content_hash).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
         end
 
@@ -115,12 +183,12 @@ if defined?(ActionDispatch::Request)
           it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'PUT'
             driven_request.populate_content_hash
-            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
 
           it 'refreshes the cached headers' do
             driven_request.populate_content_hash
-            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(driven_request.content_hash).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
         end
 
@@ -161,73 +229,129 @@ if defined?(ActionDispatch::Request)
       context 'when getting' do
         before do
           request.env['REQUEST_METHOD'] = 'GET'
+          request_md5.env['REQUEST_METHOD'] = 'GET'
         end
 
         it 'is false' do
           expect(driven_request.content_hash_mismatch?).to be false
         end
+
+        it 'is false with md5' do
+          expect(driven_request_md5.content_hash_mismatch?).to be false
+        end
+
+        it 'is false with sha2 and md5 compatibility on' do
+          expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+        end
       end
 
       context 'when posting' do
         before do
           request.env['REQUEST_METHOD'] = 'POST'
+          request_md5.env['REQUEST_METHOD'] = 'POST'
         end
 
         context 'when calculated matches sent' do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
+            request_md5.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
           end
 
           it 'is false' do
             expect(driven_request.content_hash_mismatch?).to be false
           end
+
+          it 'is false with md5' do
+            expect(driven_request_md5.content_hash_mismatch?).to be false
+          end
+
+          it 'is false with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+          end
         end
 
         context "when calculated doesn't match sent" do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = '3'
+            request_md5.env['CONTENT_MD5'] = '3'
           end
 
           it 'is true' do
             expect(driven_request.content_hash_mismatch?).to be true
           end
+
+          it 'is true with md5' do
+            expect(driven_request.content_hash_mismatch?).to be true
+          end
+
+          it 'is true with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be true
+          end
         end
       end
 
       context 'when putting' do
         before do
           request.env['REQUEST_METHOD'] = 'PUT'
+          request_md5.env['REQUEST_METHOD'] = 'PUT'
         end
 
         context 'when calculated matches sent' do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
+            request_md5.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
           end
 
           it 'is false' do
             expect(driven_request.content_hash_mismatch?).to be false
           end
+
+          it 'is false with md5' do
+            expect(driven_request_md5.content_hash_mismatch?).to be false
+          end
+
+          it 'is false with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+          end
         end
 
         context "when calculated doesn't match sent" do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = '3'
+            request_md5.env['CONTENT_MD5'] = '3'
           end
 
           it 'is true' do
             expect(driven_request.content_hash_mismatch?).to be true
           end
+
+          it 'is true with md5' do
+            expect(driven_request_md5.content_hash_mismatch?).to be true
+          end
+
+          it 'is true with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be true
+          end
         end
       end
 
       context 'when deleting' do
         before do
           request.env['REQUEST_METHOD'] = 'DELETE'
+          request_md5.env['REQUEST_METHOD'] = 'DELETE'
         end
 
         it 'is false' do
           expect(driven_request.content_hash_mismatch?).to be false
         end
+
+        it 'is false with md5' do
+          expect(driven_request_md5.content_hash_mismatch?).to be false
+        end
+
+        it 'is false with sha2 and md5 compatibility on' do
+          expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+        end
       end
     end