app_identity 1.0.0

data/support/app_identity/support.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "digest/sha2"
+
+# This module should only be used by the unit tests and the test suite
+# generator.
+module AppIdentity::Support # :nodoc:
+  private
+
+  def make_app(version, fuzz = nil)
+    case version
+    when 1 then AppIdentity::App.new(v1_input(fuzz))
+    when 2 then AppIdentity::App.new(v2_input(fuzz))
+    when 3 then AppIdentity::App.new(v3_input(fuzz))
+    when 4 then AppIdentity::App.new(v4_input(fuzz))
+    end
+  end
+
+  def v1_input(fuzz = nil)
+    {version: 1, id: SecureRandom.uuid, secret: SecureRandom.hex(32)}.tap { |app|
+      app[:config] = {fuzz: fuzz} if fuzz
+    }
+  end
+
+  def v2_input(fuzz = nil)
+    v1_input(fuzz).merge(version: 2)
+  end
+
+  def v3_input(fuzz = nil)
+    v1_input(fuzz).merge(version: 3)
+  end
+
+  def v4_input(fuzz = nil)
+    v1_input(fuzz).merge(version: 4)
+  end
+
+  def v1(fuzz = nil)
+    @v1 ||= v1_input(fuzz)
+  end
+
+  def v1_app(fuzz = nil)
+    AppIdentity::App.new(v1(fuzz))
+  end
+
+  def v2(fuzz = nil)
+    @v2 ||= v2_input(fuzz)
+  end
+
+  def v2_app(fuzz = nil)
+    AppIdentity::App.new(v2)
+  end
+
+  def v3(fuzz = nil)
+    @v3 ||= v3_input(fuzz)
+  end
+
+  def v3_app(fuzz = nil)
+    AppIdentity::App.new(v3)
+  end
+
+  def v4(fuzz = nil)
+    @v4 ||= v4_input(fuzz)
+  end
+
+  def v4_app(fuzz = nil)
+    AppIdentity::App.new(v4)
+  end
+
+  def build_padlock(app, opts = {})
+    app_id = opts.delete(:id) { app.id }
+    nonce = opts.delete(:nonce) { "nonce" }
+    secret = opts.delete(:secret) { app.secret }
+    secret = secret.call if secret.respond_to?(:call)
+    version = opts.delete(:version) { app.version }
+
+    case version
+    when 1, 2
+      Digest::SHA256.hexdigest([app_id, nonce, secret].join(":")).upcase
+    when 3
+      Digest::SHA384.hexdigest([app_id, nonce, secret].join(":")).upcase
+    when 4
+      Digest::SHA512.hexdigest([app_id, nonce, secret].join(":")).upcase
+    end
+  end
+
+  def build_proof(app, padlock, opts = {})
+    app_id = opts.delete(:id) { app.id }
+    nonce = opts.delete(:nonce) { "nonce" }
+    version = opts.delete(:version) { 1 }
+
+    proof = version == 1 ? "#{app_id}:#{nonce}:#{padlock}" : "#{version}:#{app_id}:#{nonce}:#{padlock}"
+
+    Base64.urlsafe_encode64(proof)
+  end
+
+  def decode_to_parts(header)
+    Base64.decode64(header).split(":")
+  end
+
+  def timestamp_nonce(diff = nil, scale = :minutes)
+    ts = adjust(Time.now.utc, diff, scale)
+
+    ts.strftime("%Y%m%dT%H%M%S.%6NZ")
+  end
+
+  def adjust(ts, diff, scale)
+    return ts if diff.nil?
+
+    case scale
+    when :second, :seconds
+      ts + diff
+    when :minute, :minutes
+      ts + (diff * 60)
+    when :hour, :hours
+      ts + (diff * 60 * 60)
+    end
+  end
+end

data/test/minitest_helper.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift(File.expand_path("../../support", __FILE__))
+
+gem "minitest"
+
+require "minitest/autorun"
+
+require "app_identity"
+require "app_identity/support"
+
+module Minitest::AppIdentityExtensions
+  def assert_exception_message(message, *types, &block)
+    msg = types.last if types.last.is_a?(String)
+
+    types = [AppIdentity::Error] if types.empty?
+
+    result = assert_raises(*types, &block)
+    assert_equal message, result.message, msg
+  end
+
+  Minitest::Test.send(:include, self)
+  Minitest::Test.send(:include, AppIdentity::Support)
+end

data/test/test_app_identity.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+require "minitest_helper"
+
+class TestAppIdentity < Minitest::Test
+  def subject
+    @subject ||= AppIdentity::Internal.send(:new)
+  end
+
+  def test_generate_v1_proof
+    proof = subject.generate_proof!(v1)
+    refute_nil proof
+    assert_equal 3, decode_to_parts(proof).length
+  end
+
+  def test_generate_valid_v1_proof
+    proof = subject.generate_proof!(v1)
+    assert_equal v1_app.verify, subject.verify_proof!(proof, v1)
+  end
+
+  def test_generate_v2_proof
+    proof = subject.generate_proof!(v2_app)
+    refute_nil proof
+    assert_equal 4, decode_to_parts(proof).length
+  end
+
+  def test_generate_valid_v2_proof
+    proof = subject.generate_proof!(v2)
+    assert_equal v2_app.verify, subject.verify_proof!(proof, v2)
+  end
+
+  def test_generate_valid_v3_proof
+    proof = subject.generate_proof!(v3)
+    assert_equal v3_app.verify, subject.verify_proof!(proof, v3)
+  end
+
+  def test_verify_fails_if_not_base64
+    assert_exception_message("proof must have 3 parts (version 1) or 4 parts (any version)") {
+      subject.verify_proof!("not base64", v1)
+    }
+  end
+
+  def test_verify_fail_on_insufficent_parts
+    assert_exception_message("proof must have 3 parts (version 1) or 4 parts (any version)") {
+      subject.verify_proof!(Base64.urlsafe_encode64("a:b"), v1)
+    }
+  end
+
+  def test_verify_fail_on_bad_v1_nonce
+    padlock = build_padlock(v1_app, nonce: "n:once")
+    proof = build_proof(v1_app, padlock, nonce: "n:once")
+
+    assert_exception_message("version cannot be converted to an integer") {
+      subject.verify_proof!(proof, v1)
+    }
+  end
+
+  def test_verify_fail_on_bad_v2_nonce_format
+    padlock = build_padlock(v1_app)
+    proof = build_proof(v1_app, padlock, version: 2)
+
+    assert_exception_message("nonce does not look like a timestamp") {
+      subject.verify_proof!(proof, v1)
+    }
+  end
+
+  def test_verify_fail_on_v2_nonce_out_of_fuzz
+    nonce = timestamp_nonce(-11, :minutes)
+    padlock = build_padlock(v1_app, nonce: nonce, version: 2)
+    proof = build_proof(v1_app, padlock, version: 2, nonce: nonce)
+
+    assert_exception_message("nonce is invalid") {
+      subject.verify_proof!(proof, v1)
+    }
+  end
+
+  def test_verify_fail_on_v1_nonce_for_v2_app
+    padlock = build_padlock(v2_app, version: 1)
+    proof = build_proof(v2_app, padlock, version: 1)
+
+    assert_exception_message("proof and app version mismatch") {
+      subject.verify_proof!(proof, v2)
+    }
+  end
+
+  def test_verify_success_v1
+    padlock = build_padlock(v1_app)
+    proof = build_proof(v1_app, padlock)
+
+    assert_equal v1_app.verify, subject.verify_proof!(proof, v1)
+  end
+
+  def test_verify_success_v2_default_fuzz
+    nonce = timestamp_nonce(-6, :minutes)
+    padlock = build_padlock(v2_app, nonce: nonce)
+    proof = build_proof(v2_app, padlock, version: 2, nonce: nonce)
+
+    assert_equal v2_app.verify, subject.verify_proof!(proof, v2)
+  end
+
+  def test_verify_success_v2_custom_fuzz
+    nonce = timestamp_nonce(-2, :minutes)
+    padlock = build_padlock(v2_app(300), nonce: nonce)
+    proof = build_proof(v2_app, padlock, version: 2, nonce: nonce)
+
+    assert_equal v2_app.verify, subject.verify_proof!(proof, v2)
+  end
+
+  def test_verify_fail_on_different_app_ids
+    padlock = build_padlock(v1_app, id: "00000000-0000-0000-0000-000000000000")
+    proof = build_proof(v1_app, padlock, id: "00000000-0000-0000-0000-000000000000")
+
+    assert_exception_message("proof and app do not match") {
+      subject.verify_proof!(proof, v1)
+    }
+  end
+
+  def test_verify_fail_on_bad_padlock
+    padlock = build_padlock(v1_app, nonce: "foo")
+    proof = build_proof(v1_app, padlock)
+
+    assert_nil subject.verify_proof!(proof, v1)
+  end
+end

data/test/test_app_identity_app.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "minitest_helper"
+
+class TestAppIdentityApp < Minitest::Test
+  def subject
+    AppIdentity::App
+  end
+
+  def test_fails_with_no_app_and_no_block
+    assert_exception_message("app cannot be created from input (missing value :id)") {
+      subject.new(Object.new)
+    }
+  end
+
+  def test_id_validation
+    assert_exception_message("id must not be nil") {
+      subject.new({id: nil})
+    }
+    assert_exception_message("id must not be an empty string") {
+      subject.new({id: ""})
+    }
+    assert_exception_message("id must not contain colons") {
+      subject.new({id: "1:1"})
+    }
+  end
+
+  def test_secret_validation
+    assert_exception_message("secret must not be nil") {
+      subject.new({id: 1, secret: nil})
+    }
+    assert_exception_message("secret must not be an empty string") {
+      subject.new({id: 1, secret: ""})
+    }
+    assert_exception_message("secret must be a binary string value") {
+      subject.new({id: 1, secret: 3})
+    }
+  end
+
+  def test_version_validation
+    assert_exception_message("version must not be nil") {
+      subject.new({id: 1, secret: "a", version: nil})
+    }
+    assert_exception_message("version cannot be converted to an integer") {
+      subject.new({id: 1, secret: "a", version: ""})
+    }
+    assert_exception_message("version cannot be converted to an integer") {
+      subject.new({id: 1, secret: "a", version: "3.5"})
+    }
+    assert_exception_message("version must be a positive integer") {
+      subject.new({id: 1, secret: "a", version: 3.5})
+    }
+  end
+
+  def test_config_validation
+    assert_exception_message("config must be nil or a map") {
+      subject.new({id: 1, secret: "a", version: 1, config: 3})
+    }
+  end
+
+  def test_create_from_block
+    assert subject.new(-> { {id: 1, secret: "a", version: 1} }).frozen?
+  end
+end

data/test/test_app_identity_rack_middleware.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "minitest_helper"
+
+require "app_identity/rack_middleware"
+require "rack/test"
+require "rack/mock"
+
+class TestKineticApplicationRackMiddleware < Minitest::Test
+  include Rack::Test::Methods
+
+  HEADER = "HTTP_X_APP_IDENTITY"
+
+  attr_reader :options
+
+  def setup
+    @options = {headers: ["x-app-identity"], apps: [v1]}
+  end
+
+  def app
+    options = @options
+    @_app ||= Rack::Builder.new do
+      use AppIdentity::RackMiddleware, options
+
+      run ->(_) { [200, {"Content-Type" => "text/plain"}, ["OK"]] }
+    end
+  end
+
+  def test_empty_headers
+    get "/"
+    refute last_response.successful?
+  end
+
+  def test_invalid_proof
+    get "/", {}, {HEADER => "invalid proof"}
+    refute last_response.successful?
+  end
+
+  def test_invalid_app_header
+    get "/", {}, {HEADER => AppIdentity.generate_proof(v2)}
+    refute last_response.successful?
+  end
+
+  def test_valid_app_header
+    get "/", {}, {HEADER => AppIdentity.generate_proof(v1)}
+    assert last_response.successful?
+  end
+
+  def test_valid_app_v2_header
+    options[:apps] = [v2]
+    get "/", {}, {HEADER => AppIdentity.generate_proof(v2)}
+    assert last_response.successful?
+  end
+
+  def test_valid_app_v3_header
+    options[:apps] = [v3]
+    get "/", {}, {HEADER => AppIdentity.generate_proof(v3)}
+    assert last_response.successful?
+  end
+
+  def test_valid_app_v4_header
+    options[:apps] = [v4]
+    get "/", {}, {HEADER => AppIdentity.generate_proof(v4)}
+    assert last_response.successful?
+  end
+
+  def test_valid_app_header_from_list
+    options[:apps] = [v1_app, v2_app]
+    get "/", {}, {HEADER => AppIdentity.generate_proof(v2)}
+    assert last_response.successful?
+  end
+
+  def test_valid_app_multiple_headers
+    options[:apps] = [v1_app, v2_app]
+    options[:headers] = %w[x-app-identity app-identity]
+
+    get "/", {}, {
+      HEADER => AppIdentity.generate_proof(v2),
+      "HTTP_APP_IDENTITY" => AppIdentity.generate_proof(v1)
+    }
+
+    assert last_response.successful?
+  end
+
+  def test_alternate_header
+    options[:headers] = ["identity-widget"]
+    get "/", {}, {"HTTP_IDENTITY_WIDGET" => AppIdentity.generate_proof(v1)}
+    assert last_response.successful?
+  end
+end