castle-rb 3.6.2 → 4.0.0

data/spec/lib/castle/extractors/headers_spec.rb

@@ -1,78 +1,95 @@
 # frozen_string_literal: true
 
 describe Castle::Extractors::Headers do
-  subject(:headers) { described_class.new(request).call }
+  subject(:headers) { described_class.new(formatted_headers).call }
 
   let(:client_id) { 'abcd' }
-  let(:env) do
-    result = Rack::MockRequest.env_for(
-      '/',
-      'Action-Dispatch.request.content-Type' => 'application/json',
-      'HTTP_AUTHORIZATION' => 'Basic 123456',
-      'HTTP_COOKIE' => "__cid=#{client_id};other=efgh",
-      'HTTP_ACCEPT' => 'application/json',
-      'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
-      'HTTP_USER_AGENT' => 'Mozilla 1234',
-      'TEST' => '1'
-    )
-    result[:HTTP_OK] = 'OK'
-    result
+  let(:formatted_headers) do
+    {
+      'Content-Length' => '0',
+      'Authorization' => 'Basic 123456',
+      'Cookie' => '__cid=abcd;other=efgh',
+      'Ok' => 'OK',
+      'Accept' => 'application/json',
+      'X-Forwarded-For' => '1.2.3.4',
+      'User-Agent' => 'Mozilla 1234'
+    }
+  end
+
+  after do
+    Castle.config.whitelisted = %w[]
+    Castle.config.blacklisted = %w[]
   end
-  let(:request) { Rack::Request.new(env) }
 
   context 'when whitelist is not set in the configuration' do
-    it do
-      is_expected.to eq('Accept' => 'application/json',
-                        'Authorization' => true,
-                        'Cookie' => true,
-                        'Content-Length' => '0',
-                        'Ok' => 'OK',
-                        'User-Agent' => 'Mozilla 1234',
-                        'X-Forwarded-For' => '1.2.3.4')
+    let(:result) do
+      {
+        'Accept' => 'application/json',
+        'Authorization' => true,
+        'Cookie' => true,
+        'Content-Length' => '0',
+        'Ok' => 'OK',
+        'User-Agent' => 'Mozilla 1234',
+        'X-Forwarded-For' => '1.2.3.4'
+      }
     end
+
+    it { expect(headers).to eq(result) }
   end
 
   context 'when whitelist is set in the configuration' do
     before { Castle.config.whitelisted = %w[Accept OK] }
 
-    it do
-      is_expected.to eq('Accept' => 'application/json',
-                        'Authorization' => true,
-                        'Cookie' => true,
-                        'Content-Length' => true,
-                        'Ok' => 'OK',
-                        'User-Agent' => 'Mozilla 1234',
-                        'X-Forwarded-For' => true)
+    let(:result) do
+      {
+        'Accept' => 'application/json',
+        'Authorization' => true,
+        'Cookie' => true,
+        'Content-Length' => true,
+        'Ok' => 'OK',
+        'User-Agent' => 'Mozilla 1234',
+        'X-Forwarded-For' => true
+      }
     end
+
+    it { expect(headers).to eq(result) }
   end
 
   context 'when blacklist is set in the configuration' do
     context 'with a User-Agent' do
+      let(:result) do
+        {
+          'Accept' => 'application/json',
+          'Authorization' => true,
+          'Cookie' => true,
+          'Content-Length' => '0',
+          'Ok' => 'OK',
+          'User-Agent' => 'Mozilla 1234',
+          'X-Forwarded-For' => '1.2.3.4'
+        }
+      end
+
       before { Castle.config.blacklisted = %w[User-Agent] }
 
-      it do
-        is_expected.to eq('Accept' => 'application/json',
-                          'Authorization' => true,
-                          'Cookie' => true,
-                          'Content-Length' => '0',
-                          'Ok' => 'OK',
-                          'User-Agent' => 'Mozilla 1234',
-                          'X-Forwarded-For' => '1.2.3.4')
-      end
+      it { expect(headers).to eq(result) }
     end
 
     context 'with a different header' do
+      let(:result) do
+        {
+          'Accept' => true,
+          'Authorization' => true,
+          'Cookie' => true,
+          'Content-Length' => '0',
+          'Ok' => 'OK',
+          'User-Agent' => 'Mozilla 1234',
+          'X-Forwarded-For' => '1.2.3.4'
+        }
+      end
+
       before { Castle.config.blacklisted = %w[Accept] }
 
-      it do
-        is_expected.to eq('Accept' => true,
-                          'Authorization' => true,
-                          'Cookie' => true,
-                          'Content-Length' => '0',
-                          'Ok' => 'OK',
-                          'User-Agent' => 'Mozilla 1234',
-                          'X-Forwarded-For' => '1.2.3.4')
-      end
+      it { expect(headers).to eq(result) }
     end
   end
 

data/spec/lib/castle/extractors/ip_spec.rb

@@ -1,27 +1,71 @@
 # frozen_string_literal: true
 
 describe Castle::Extractors::IP do
-  subject(:extractor) { described_class.new(request) }
-
-  let(:request) { Rack::Request.new(env) }
+  subject(:extractor) { described_class.new(headers) }
 
   describe 'ip' do
     context 'when regular ip' do
-      let(:env) { Rack::MockRequest.env_for('/', 'HTTP_X_FORWARDED_FOR' => '1.2.3.5') }
+      let(:headers) { { 'X-Forwarded-For' => '1.2.3.5' } }
 
       it { expect(extractor.call).to eql('1.2.3.5') }
     end
 
-    context 'when cf remote_ip' do
-      let(:env) do
-        Rack::MockRequest.env_for(
-          '/',
-          'HTTP_CF_CONNECTING_IP' => '1.2.3.4',
-          'HTTP_X_FORWARDED_FOR' => '1.2.3.5'
-        )
+    context 'when we need to use other ip header' do
+      let(:headers) do
+        { 'Cf-Connecting-Ip' => '1.2.3.4', 'X-Forwarded-For' => '1.1.1.1, 1.2.2.2, 1.2.3.5' }
+      end
+
+      context 'with uppercase format' do
+        before { Castle.config.ip_headers = %w[CF_CONNECTING_IP] }
+
+        it { expect(extractor.call).to eql('1.2.3.4') }
+      end
+
+      context 'with regular format' do
+        before { Castle.config.ip_headers = %w[Cf-Connecting-Ip] }
+
+        it { expect(extractor.call).to eql('1.2.3.4') }
+      end
+
+      context 'with value from trusted proxies' do
+        before do
+          Castle.config.ip_headers = %w[Cf-Connecting-Ip]
+          Castle.config.trusted_proxies = %w[1.2.3.4]
+        end
+
+        it { expect(extractor.call).to eql('1.2.3.5') }
       end
+    end
 
-      it { expect(extractor.call).to eql('1.2.3.4') }
+    context 'with all the trusted proxies' do
+      let(:http_x_header) do
+        '127.0.0.1,10.0.0.1,172.31.0.1,192.168.0.1,::1,fd00::,localhost,unix,unix:/tmp/sock'
+      end
+
+      let(:headers) { { 'Remote-Addr' => '127.0.0.1', 'X-Forwarded-For' => http_x_header } }
+
+      it 'fallbacks to remote_addr even if trusted proxy' do
+        expect(extractor.call).to eql('127.0.0.1')
+      end
+    end
+
+    context 'when list of not trusted ips provided in X_FORWARDED_FOR' do
+      let(:headers) do
+        {
+          'X-Forwarded-For' => '6.6.6.6, 2.2.2.3, 192.168.0.7',
+          'Client-Ip' => '6.6.6.6'
+        }
+      end
+
+      it 'does not allow to spoof ip' do
+        expect(extractor.call).to eql('2.2.2.3')
+      end
+
+      context 'when marked 2.2.2.3 as trusted proxy' do
+        before { Castle.config.trusted_proxies = [/^2.2.2.\d$/] }
+
+        it { expect(extractor.call).to eql('6.6.6.6') }
+      end
     end
   end
 end

data/spec/lib/castle/header_filter_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+describe Castle::HeaderFilter do
+  subject(:headers) { described_class.new(request).call }
+
+  let(:client_id) { 'abcd' }
+  let(:env) do
+    Rack::MockRequest.env_for(
+      '/',
+      'Action-Dispatch.request.content-Type' => 'application/json',
+      'HTTP_AUTHORIZATION' => 'Basic 123456',
+      'HTTP_COOKIE' => "__cid=#{client_id};other=efgh",
+      'HTTP_OK' => 'OK',
+      'HTTP_ACCEPT' => 'application/json',
+      'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
+      'HTTP_USER_AGENT' => 'Mozilla 1234',
+      'TEST' => '1',
+      'REMOTE_ADDR' => '1.2.3.4'
+    )
+  end
+  let(:filtered) do
+    {
+      'Accept' => 'application/json',
+      'Authorization' => 'Basic 123456',
+      'Cookie' => "__cid=#{client_id};other=efgh",
+      'Content-Length' => '0',
+      'Ok' => 'OK',
+      'User-Agent' => 'Mozilla 1234',
+      'Remote-Addr' => '1.2.3.4',
+      'X-Forwarded-For' => '1.2.3.4'
+    }
+  end
+  let(:request) { Rack::Request.new(env) }
+
+  context 'with list of header' do
+    it { expect(headers).to eq(filtered) }
+  end
+end

data/spec/lib/castle/header_formatter_spec.rb

@@ -19,7 +19,7 @@ describe Castle::HeaderFormatter do
     expect(formatter.call('httpX_teST')).to be_eql('Httpx-Test')
   end
 
-  it 'removes HTTP_' do
+  it 'capitalizes' do
     expect(formatter.call(:clearance)).to be_eql('Clearance')
   end
 end

data/spec/lib/castle/utils/cloner_spec.rb

@@ -10,6 +10,7 @@ describe Castle::Utils::Cloner do
     let(:cloned) { cloner.call(first) }
 
     before { cloned }
+
     it do
       nested[:test] = 'sample'
       expect(cloned).to be_eql(result)

data/spec/lib/castle/utils/timestamp_spec.rb

@@ -1,17 +1,16 @@
 # frozen_string_literal: true
 
 describe Castle::Utils::Timestamp do
-  subject { described_class.call }
+  subject(:timestamp) { described_class.call }
 
   let(:time_string) { '2018-01-10T14:14:24.407Z' }
   let(:time) { Time.parse(time_string) }
 
   before { Timecop.freeze(time) }
+
   after { Timecop.return }
 
   describe '#call' do
-    it do
-      is_expected.to eql(time_string)
-    end
+    it { expect(timestamp).to eql(time_string) }
   end
 end

data/spec/lib/castle/utils_spec.rb

@@ -48,7 +48,7 @@ describe Castle::Utils do
     end
   end
 
-  describe '#deep_symbolize_keys' do
+  describe '#cloner' do
     subject { described_class.deep_symbolize_keys!(Castle::Utils::Cloner.call(hash)) }
 
     context 'when nested_symbols' do

data/spec/lib/castle/validators/not_supported_spec.rb

@@ -8,9 +8,7 @@ describe Castle::Validators::NotSupported do
       let(:keys) { %i[first second] }
 
       it do
-        expect do
-          call
-        end.to raise_error(
+        expect { call }.to raise_error(
           Castle::InvalidParametersError,
           'first is/are not supported'
         )

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: castle-rb
 version: !ruby/object:Gem::Version
-  version: 3.6.2
+  version: 4.0.0
 platform: ruby
 authors:
 - Johan Brissmyr
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-24 00:00:00.000000000 Z
-dependencies: []
+date: 2020-03-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Castle protects your users from account compromise
 email: johan@castle.io
 executables: []
@@ -35,10 +49,12 @@ files:
 - lib/castle/context/merger.rb
 - lib/castle/context/sanitizer.rb
 - lib/castle/errors.rb
+- lib/castle/events.rb
 - lib/castle/extractors/client_id.rb
 - lib/castle/extractors/headers.rb
 - lib/castle/extractors/ip.rb
 - lib/castle/failover_auth_response.rb
+- lib/castle/header_filter.rb
 - lib/castle/header_formatter.rb
 - lib/castle/review.rb
 - lib/castle/secure_mode.rb
@@ -53,6 +69,10 @@ files:
 - lib/castle/validators/not_supported.rb
 - lib/castle/validators/present.rb
 - lib/castle/version.rb
+- spec/integration/rails/rails_spec.rb
+- spec/integration/rails/support/all.rb
+- spec/integration/rails/support/application.rb
+- spec/integration/rails/support/home_controller.rb
 - spec/lib/castle/api/request/build_spec.rb
 - spec/lib/castle/api/request_spec.rb
 - spec/lib/castle/api/response_spec.rb
@@ -68,9 +88,11 @@ files:
 - spec/lib/castle/context/default_spec.rb
 - spec/lib/castle/context/merger_spec.rb
 - spec/lib/castle/context/sanitizer_spec.rb
+- spec/lib/castle/events_spec.rb
 - spec/lib/castle/extractors/client_id_spec.rb
 - spec/lib/castle/extractors/headers_spec.rb
 - spec/lib/castle/extractors/ip_spec.rb
+- spec/lib/castle/header_filter_spec.rb
 - spec/lib/castle/header_formatter_spec.rb
 - spec/lib/castle/review_spec.rb
 - spec/lib/castle/secure_mode_spec.rb
@@ -108,6 +130,10 @@ specification_version: 4
 summary: Castle
 test_files:
 - spec/spec_helper.rb
+- spec/integration/rails/support/application.rb
+- spec/integration/rails/support/all.rb
+- spec/integration/rails/support/home_controller.rb
+- spec/integration/rails/rails_spec.rb
 - spec/lib/castle_spec.rb
 - spec/lib/castle/review_spec.rb
 - spec/lib/castle/client_spec.rb
@@ -125,6 +151,7 @@ test_files:
 - spec/lib/castle/api/request_spec.rb
 - spec/lib/castle/api/response_spec.rb
 - spec/lib/castle/api/request/build_spec.rb
+- spec/lib/castle/header_filter_spec.rb
 - spec/lib/castle/commands/review_spec.rb
 - spec/lib/castle/commands/authenticate_spec.rb
 - spec/lib/castle/commands/track_spec.rb
@@ -137,3 +164,4 @@ test_files:
 - spec/lib/castle/extractors/client_id_spec.rb
 - spec/lib/castle/utils_spec.rb
 - spec/lib/castle/secure_mode_spec.rb
+- spec/lib/castle/events_spec.rb