api-auth 2.5.1 → 2.6.0

data/spec/faraday_middleware_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'faraday/api_auth'
+
+describe Faraday::ApiAuth::Middleware do
+  it 'adds the Authorization headers' do
+    conn = Faraday.new('http://localhost/') do |f|
+      f.request :api_auth, 'foo', 'secret', digest: 'sha256'
+      f.adapter :test do |stub|
+        stub.get('http://localhost/test') do |env|
+          [200, {}, env.request_headers['Authorization']]
+        end
+      end
+    end
+    response = conn.get('test', nil, { 'Date' => 'Tue, 02 Aug 2022 09:29:24 GMT' })
+    expect(response.body).to eq 'APIAuth-HMAC-SHA256 foo:Tn/lIZ9kphcO32DwG4wFHenqBt37miDEIkA5ykLgGiQ='
+  end
+end

data/spec/headers_spec.rb

@@ -8,7 +8,7 @@ describe ApiAuth::Headers do
       let(:uri) { '' }
 
       context 'uri with just host without /' do
-        let(:uri) { 'http://google.com'.freeze }
+        let(:uri) { 'https://google.com'.freeze }
 
         it 'return / as canonical string path' do
           expect(subject.canonical_string).to eq('GET,,,/,')
@@ -20,7 +20,7 @@ describe ApiAuth::Headers do
       end
 
       context 'uri with host and /' do
-        let(:uri) { 'http://google.com/'.freeze }
+        let(:uri) { 'https://google.com/'.freeze }
 
         it 'return / as canonical string path' do
           expect(subject.canonical_string).to eq('GET,,,/,')
@@ -31,8 +31,8 @@ describe ApiAuth::Headers do
         end
       end
 
-      context 'uri has a string matching http:// in it' do
-        let(:uri) { 'http://google.com/?redirect_to=https://www.example.com'.freeze }
+      context 'uri has a string matching https:// in it' do
+        let(:uri) { 'https://google.com/?redirect_to=https://www.example.com'.freeze }
 
         it 'return /?redirect_to=https://www.example.com as canonical string path' do
           expect(subject.canonical_string).to eq('GET,,,/?redirect_to=https://www.example.com,')
@@ -46,7 +46,7 @@ describe ApiAuth::Headers do
 
     context 'string construction' do
       context 'with a driver that supplies http_method' do
-        let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
+        let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
         subject(:headers) { described_class.new(request) }
         let(:driver) { headers.instance_variable_get('@request') }
 
@@ -161,7 +161,7 @@ describe ApiAuth::Headers do
     context 'no content hash already calculated' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :post,
           payload: "hello\nworld"
         )
@@ -176,7 +176,7 @@ describe ApiAuth::Headers do
     context 'hash already calculated' do
       let(:request) do
         RestClient::Request.new(
-          url: 'http://google.com',
+          url: 'https://google.com',
           method: :post,
           payload: "hello\nworld",
           headers: { 'X-Authorization-Content-SHA256' => 'abcd' }
@@ -191,7 +191,7 @@ describe ApiAuth::Headers do
   end
 
   describe '#content_hash_mismatch?' do
-    let(:request) { RestClient::Request.new(url: 'http://google.com', method: :get) }
+    let(:request) { RestClient::Request.new(url: 'https://google.com', method: :get) }
     subject(:headers) { described_class.new(request) }
     let(:driver) { headers.instance_variable_get('@request') }
 

data/spec/railtie_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'action_controller/test_case'
 
 describe 'Rails integration' do
   API_KEY_STORE = { '1044' => 'l16imAXie1sRMcJODpOG7UwC1VyoqvO13jejkfpKWX4Z09W8DC9IrU23DvCwMry7pgSFW6c5S1GIfV0OY6F/vUA==' }.freeze
@@ -116,7 +117,7 @@ describe 'Rails integration' do
   describe 'Rails ActiveResource integration' do
     class TestResource < ActiveResource::Base
       with_api_auth '1044', API_KEY_STORE['1044']
-      self.site = 'http://localhost/'
+      self.site = 'https://localhost/'
       self.format = :xml
     end
 

data/spec/request_drivers/action_dispatch_spec.rb

@@ -5,6 +5,7 @@ if defined?(ActionDispatch::Request)
   describe ApiAuth::RequestDrivers::ActionDispatchRequest do
     let(:timestamp) { Time.now.utc.httpdate }
     let(:content_sha256) { '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
+    let(:content_md5) { '+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' }
 
     let(:request) do
       ActionDispatch::Request.new(
@@ -48,7 +49,26 @@ if defined?(ActionDispatch::Request)
       )
     end
 
+    let(:request_md5) do
+      ActionDispatch::Request.new(
+        'AUTHORIZATION' => 'APIAuth 1044:12345',
+        'PATH_INFO' => '/resource.xml',
+        'QUERY_STRING' => 'foo=bar&bar=foo',
+        'REQUEST_METHOD' => 'PUT',
+        'CONTENT_MD5' => content_md5,
+        'CONTENT_TYPE' => 'text/plain',
+        'CONTENT_LENGTH' => '11',
+        'HTTP_DATE' => timestamp,
+        'rack.input' => StringIO.new("hello\nworld")
+      )
+    end
+
     subject(:driven_request) { ApiAuth::RequestDrivers::ActionDispatchRequest.new(request) }
+    subject(:driven_request_md5) do
+      ApiAuth::RequestDrivers::ActionDispatchRequest.new(request_md5,
+                                                         authorize_md5: true)
+    end
+    subject(:driven_request_sha2_with_md5) { ApiAuth::RequestDrivers::ActionDispatchRequest.new(request, authorize_md5: true) }
 
     describe 'getting headers correctly' do
       it 'gets the content_type' do
@@ -69,6 +89,11 @@ if defined?(ActionDispatch::Request)
         expect(example_request.content_hash).to eq(content_sha256)
       end
 
+      it 'gets the content_hash for request_md5' do
+        example_request = ApiAuth::RequestDrivers::ActionDispatchRequest.new(request_md5, authorize_md5: true)
+        expect(example_request.content_hash).to eq(content_md5)
+      end
+
       it 'gets the request_uri' do
         expect(driven_request.request_uri).to eq('/resource.xml?foo=bar&bar=foo')
       end
@@ -83,13 +108,17 @@ if defined?(ActionDispatch::Request)
 
       describe '#calculated_hash' do
         it 'calculates hash from the body' do
-          expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+          expect(driven_request.calculated_hash).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
+        end
+
+        it 'calculates hashes from the body with md5 compatibility option' do
+          expect(driven_request_md5.calculated_hash).to eq(%w[JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g= kZXQvrKoieG+Be1rsZVINw==])
         end
 
         it 'treats no body as empty string' do
           request.env['rack.input'] = StringIO.new
           request.env['CONTENT_LENGTH'] = 0
-          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+          expect(driven_request.calculated_hash).to eq(['47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='])
         end
       end
 
@@ -141,12 +170,12 @@ if defined?(ActionDispatch::Request)
           it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'POST'
             driven_request.populate_content_hash
-            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
 
           it 'refreshes the cached headers' do
             driven_request.populate_content_hash
-            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(driven_request.content_hash).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
         end
 
@@ -154,12 +183,12 @@ if defined?(ActionDispatch::Request)
           it 'populates content hash' do
             request.env['REQUEST_METHOD'] = 'PUT'
             driven_request.populate_content_hash
-            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(request.env['X-AUTHORIZATION-CONTENT-SHA256']).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
 
           it 'refreshes the cached headers' do
             driven_request.populate_content_hash
-            expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+            expect(driven_request.content_hash).to eq(['JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='])
           end
         end
 
@@ -200,73 +229,129 @@ if defined?(ActionDispatch::Request)
       context 'when getting' do
         before do
           request.env['REQUEST_METHOD'] = 'GET'
+          request_md5.env['REQUEST_METHOD'] = 'GET'
         end
 
         it 'is false' do
           expect(driven_request.content_hash_mismatch?).to be false
         end
+
+        it 'is false with md5' do
+          expect(driven_request_md5.content_hash_mismatch?).to be false
+        end
+
+        it 'is false with sha2 and md5 compatibility on' do
+          expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+        end
       end
 
       context 'when posting' do
         before do
           request.env['REQUEST_METHOD'] = 'POST'
+          request_md5.env['REQUEST_METHOD'] = 'POST'
         end
 
         context 'when calculated matches sent' do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
+            request_md5.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
           end
 
           it 'is false' do
             expect(driven_request.content_hash_mismatch?).to be false
           end
+
+          it 'is false with md5' do
+            expect(driven_request_md5.content_hash_mismatch?).to be false
+          end
+
+          it 'is false with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+          end
         end
 
         context "when calculated doesn't match sent" do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = '3'
+            request_md5.env['CONTENT_MD5'] = '3'
           end
 
           it 'is true' do
             expect(driven_request.content_hash_mismatch?).to be true
           end
+
+          it 'is true with md5' do
+            expect(driven_request.content_hash_mismatch?).to be true
+          end
+
+          it 'is true with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be true
+          end
         end
       end
 
       context 'when putting' do
         before do
           request.env['REQUEST_METHOD'] = 'PUT'
+          request_md5.env['REQUEST_METHOD'] = 'PUT'
         end
 
         context 'when calculated matches sent' do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
+            request_md5.env['CONTENT_MD5'] = 'kZXQvrKoieG+Be1rsZVINw=='
           end
 
           it 'is false' do
             expect(driven_request.content_hash_mismatch?).to be false
           end
+
+          it 'is false with md5' do
+            expect(driven_request_md5.content_hash_mismatch?).to be false
+          end
+
+          it 'is false with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+          end
         end
 
         context "when calculated doesn't match sent" do
           before do
             request.env['X-AUTHORIZATION-CONTENT-SHA256'] = '3'
+            request_md5.env['CONTENT_MD5'] = '3'
           end
 
           it 'is true' do
             expect(driven_request.content_hash_mismatch?).to be true
           end
+
+          it 'is true with md5' do
+            expect(driven_request_md5.content_hash_mismatch?).to be true
+          end
+
+          it 'is true with sha2 and md5 compatibility on' do
+            expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be true
+          end
         end
       end
 
       context 'when deleting' do
         before do
           request.env['REQUEST_METHOD'] = 'DELETE'
+          request_md5.env['REQUEST_METHOD'] = 'DELETE'
         end
 
         it 'is false' do
           expect(driven_request.content_hash_mismatch?).to be false
         end
+
+        it 'is false with md5' do
+          expect(driven_request_md5.content_hash_mismatch?).to be false
+        end
+
+        it 'is false with sha2 and md5 compatibility on' do
+          expect(driven_request_sha2_with_md5.content_hash_mismatch?).to be false
+        end
       end
     end
 

data/spec/request_drivers/faraday_env_spec.rb

@@ -0,0 +1,188 @@
+require 'spec_helper'
+
+describe ApiAuth::RequestDrivers::FaradayEnv do
+  let(:timestamp) { Time.now.utc.httpdate }
+
+  let(:request) do
+    Faraday::Env.new(verb, body, URI(uri), {}, Faraday::Utils::Headers.new(headers))
+  end
+
+  let(:verb) { :put }
+  let(:uri) { 'https://localhost/resource.xml?foo=bar&bar=foo' }
+  let(:body) { "hello\nworld" }
+
+  let(:headers) do
+    {
+      'Authorization' => 'APIAuth 1044:12345',
+      'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+      'content-type' => 'text/plain',
+      'date' => timestamp
+    }
+  end
+
+  subject(:driven_request) { described_class.new(request) }
+
+  describe 'getting headers correctly' do
+    it 'gets the content_type' do
+      expect(driven_request.content_type).to eq('text/plain')
+    end
+
+    context 'without Content-Type' do
+      let(:headers) { {} }
+
+      it 'defaults to url-encoded' do
+        expect(driven_request.content_type).to eq 'application/x-www-form-urlencoded'
+      end
+    end
+
+    it 'gets the content_hash' do
+      expect(driven_request.content_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+    end
+
+    it 'gets the request_uri' do
+      expect(driven_request.request_uri).to eq('/resource.xml?foo=bar&bar=foo')
+    end
+
+    it 'gets the timestamp' do
+      expect(driven_request.timestamp).to eq(timestamp)
+    end
+
+    it 'gets the authorization_header' do
+      expect(driven_request.authorization_header).to eq('APIAuth 1044:12345')
+    end
+
+    describe '#calculated_hash' do
+      it 'calculates hash from the body' do
+        expect(driven_request.calculated_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+        expect(driven_request.body.bytesize).to eq(11)
+      end
+
+      context 'no body' do
+        let(:body) { nil }
+
+        it 'treats no body as empty string' do
+          expect(driven_request.calculated_hash).to eq('47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=')
+          expect(driven_request.body.bytesize).to eq(0)
+        end
+      end
+
+      context 'multipart content' do
+        let(:body) { File.new('spec/fixtures/upload.png') }
+
+        it 'calculates correctly for multipart content' do
+          expect(driven_request.calculated_hash).to eq('AlKDe7kjMQhuKgKuNG8I7GA93MasHcaVJkJLaUT7+dY=')
+          expect(driven_request.body.bytesize).to eq(5112)
+        end
+      end
+    end
+
+    describe 'http_method' do
+      context 'when put request' do
+        let(:verb) { :put }
+
+        it 'returns upcased put' do
+          expect(driven_request.http_method).to eq('PUT')
+        end
+      end
+
+      context 'when get request' do
+        let(:verb) { :get }
+
+        it 'returns upcased get' do
+          expect(driven_request.http_method).to eq('GET')
+        end
+      end
+    end
+  end
+
+  describe 'setting headers correctly' do
+    let(:headers) do
+      {
+        'content-type' => 'text/plain'
+      }
+    end
+
+    describe '#populate_content_hash' do
+      context 'when request type has no body' do
+        let(:verb) { :get }
+
+        it "doesn't populate content hash" do
+          driven_request.populate_content_hash
+          expect(request.request_headers['X-Authorization-Content-SHA256']).to be_nil
+        end
+      end
+
+      context 'when request type has a body' do
+        let(:verb) { :put }
+
+        it 'populates content hash' do
+          driven_request.populate_content_hash
+          expect(request.request_headers['X-Authorization-Content-SHA256']).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+        end
+
+        it 'refreshes the cached headers' do
+          driven_request.populate_content_hash
+          expect(driven_request.content_hash).to eq('JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g=')
+        end
+      end
+    end
+
+    describe '#set_date' do
+      before do
+        allow(Time).to receive_message_chain(:now, :utc, :httpdate).and_return(timestamp)
+      end
+
+      it 'sets the date header of the request' do
+        driven_request.set_date
+        expect(request.request_headers['DATE']).to eq(timestamp)
+      end
+    end
+
+    describe '#set_auth_header' do
+      it 'sets the auth header' do
+        driven_request.set_auth_header('APIAuth 1044:54321')
+        expect(request.request_headers['Authorization']).to eq('APIAuth 1044:54321')
+      end
+    end
+  end
+
+  describe 'content_hash_mismatch?' do
+    context 'when request type has no body' do
+      let(:verb) { :get }
+
+      it 'is false' do
+        expect(driven_request.content_hash_mismatch?).to be false
+      end
+    end
+
+    context 'when request type has a body' do
+      let(:verb) { :put }
+
+      context 'when calculated matches sent' do
+        before do
+          request.request_headers['X-Authorization-Content-SHA256'] = 'JsYKYdAdtYNspw/v1EpqAWYgQTyO9fJZpsVhLU9507g='
+        end
+
+        it 'is false' do
+          expect(driven_request.content_hash_mismatch?).to be false
+        end
+      end
+
+      context "when calculated doesn't match sent" do
+        before do
+          request['X-Authorization-Content-SHA256'] = '3'
+        end
+
+        it 'is true' do
+          expect(driven_request.content_hash_mismatch?).to be true
+        end
+      end
+    end
+  end
+
+  describe 'fetch_headers' do
+    it 'returns request headers' do
+      expect(driven_request.fetch_headers).to include('CONTENT-TYPE' => 'text/plain')
+    end
+  end
+end

data/spec/request_drivers/http_spec.rb

@@ -13,7 +13,7 @@ describe ApiAuth::RequestDrivers::HttpRequest do
   end
 
   let(:verb) { :put }
-  let(:uri) { 'http://localhost/resource.xml?foo=bar&bar=foo' }
+  let(:uri) { 'https://localhost/resource.xml?foo=bar&bar=foo' }
   let(:body) { "hello\nworld" }
 
   let(:headers) do

data/spec/request_drivers/httpi_spec.rb

@@ -4,7 +4,7 @@ describe ApiAuth::RequestDrivers::HttpiRequest do
   let(:timestamp) { Time.now.utc.httpdate }
 
   let(:request) do
-    httpi_request = HTTPI::Request.new('http://localhost/resource.xml?foo=bar&bar=foo')
+    httpi_request = HTTPI::Request.new('https://localhost/resource.xml?foo=bar&bar=foo')
     httpi_request.headers.merge!('Authorization' => 'APIAuth 1044:12345',
                                  'X-Authorization-Content-SHA256' => '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
                                  'content-type' => 'text/plain',
@@ -56,7 +56,7 @@ describe ApiAuth::RequestDrivers::HttpiRequest do
 
   describe 'setting headers correctly' do
     let(:request) do
-      httpi_request = HTTPI::Request.new('http://localhost/resource.xml?foo=bar&bar=foo')
+      httpi_request = HTTPI::Request.new('https://localhost/resource.xml?foo=bar&bar=foo')
       httpi_request.headers['content-type'] = 'text/plain'
       httpi_request
     end