castle-rb 3.6.2 → 4.3.0

data/spec/lib/castle/extractors/ip_spec.rb

@@ -1,27 +1,104 @@
 # frozen_string_literal: true
 
 describe Castle::Extractors::IP do
-  subject(:extractor) { described_class.new(request) }
-
-  let(:request) { Rack::Request.new(env) }
+  subject(:extractor) { described_class.new(headers) }
 
   describe 'ip' do
+    after do
+      Castle.config.ip_headers = []
+      Castle.config.trusted_proxies = []
+    end
+
     context 'when regular ip' do
-      let(:env) { Rack::MockRequest.env_for('/', 'HTTP_X_FORWARDED_FOR' => '1.2.3.5') }
+      let(:headers) { { 'X-Forwarded-For' => '1.2.3.5' } }
 
       it { expect(extractor.call).to eql('1.2.3.5') }
     end
 
-    context 'when cf remote_ip' do
-      let(:env) do
-        Rack::MockRequest.env_for(
-          '/',
-          'HTTP_CF_CONNECTING_IP' => '1.2.3.4',
-          'HTTP_X_FORWARDED_FOR' => '1.2.3.5'
-        )
+    context 'when we need to use other ip header' do
+      let(:headers) do
+        { 'Cf-Connecting-Ip' => '1.2.3.4', 'X-Forwarded-For' => '1.1.1.1, 1.2.2.2, 1.2.3.5' }
+      end
+
+      context 'with uppercase format' do
+        before { Castle.config.ip_headers = %w[CF_CONNECTING_IP X-Forwarded-For] }
+
+        it { expect(extractor.call).to eql('1.2.3.4') }
+      end
+
+      context 'with regular format' do
+        before { Castle.config.ip_headers = %w[Cf-Connecting-Ip X-Forwarded-For] }
+
+        it { expect(extractor.call).to eql('1.2.3.4') }
+      end
+
+      context 'with value from trusted proxies it get seconds header' do
+        before do
+          Castle.config.ip_headers = %w[Cf-Connecting-Ip X-Forwarded-For]
+          Castle.config.trusted_proxies = %w[1.2.3.4]
+        end
+
+        it { expect(extractor.call).to eql('1.2.3.5') }
+      end
+    end
+
+    context 'with all the trusted proxies' do
+      let(:http_x_header) do
+        '127.0.0.1,10.0.0.1,172.31.0.1,192.168.0.1'
       end
 
-      it { expect(extractor.call).to eql('1.2.3.4') }
+      let(:headers) { { 'Remote-Addr' => '127.0.0.1', 'X-Forwarded-For' => http_x_header } }
+
+      it 'fallbacks to first available header when all headers are marked trusted proxy' do
+        expect(extractor.call).to eql('127.0.0.1')
+      end
+    end
+
+    context 'with trust_proxy_chain option' do
+      let(:http_x_header) do
+        '6.6.6.6, 2.2.2.3, 6.6.6.5'
+      end
+
+      let(:headers) { { 'Remote-Addr' => '6.6.6.4', 'X-Forwarded-For' => http_x_header } }
+
+      before { Castle.config.trust_proxy_chain = true }
+
+      it 'selects first available header' do
+        expect(extractor.call).to eql('6.6.6.6')
+      end
+    end
+
+    context 'with trusted_proxy_depth option' do
+      let(:http_x_header) do
+        '6.6.6.6, 2.2.2.3, 6.6.6.5'
+      end
+
+      let(:headers) { { 'Remote-Addr' => '6.6.6.4', 'X-Forwarded-For' => http_x_header } }
+
+      before { Castle.config.trusted_proxy_depth = 1 }
+
+      it 'selects first available header' do
+        expect(extractor.call).to eql('2.2.2.3')
+      end
+    end
+
+    context 'when list of not trusted ips provided in X_FORWARDED_FOR' do
+      let(:headers) do
+        {
+          'X-Forwarded-For' => '6.6.6.6, 2.2.2.3, 192.168.0.7',
+          'Client-Ip' => '6.6.6.6'
+        }
+      end
+
+      it 'does not allow to spoof ip' do
+        expect(extractor.call).to eql('2.2.2.3')
+      end
+
+      context 'when marked 2.2.2.3 as trusted proxy' do
+        before { Castle.config.trusted_proxies = [/^2.2.2.\d$/] }
+
+        it { expect(extractor.call).to eql('6.6.6.6') }
+      end
     end
   end
 end

data/spec/lib/castle/headers_filter_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+describe Castle::HeadersFilter do
+  subject(:headers) { described_class.new(request).call }
+
+  let(:env) do
+    result = Rack::MockRequest.env_for(
+      '/',
+      'Action-Dispatch.request.content-Type' => 'application/json',
+      'HTTP_AUTHORIZATION' => 'Basic 123456',
+      'HTTP_COOKIE' => '__cid=abcd;other=efgh',
+      'HTTP_ACCEPT' => 'application/json',
+      'HTTP_X_FORWARDED_FOR' => '1.2.3.4',
+      'HTTP_USER_AGENT' => 'Mozilla 1234',
+      'TEST' => '1',
+      'REMOTE_ADDR' => '1.2.3.4'
+    )
+    result[:HTTP_OK] = 'OK'
+    result
+  end
+  let(:filtered) do
+    {
+      'Accept' => 'application/json',
+      'Authorization' => 'Basic 123456',
+      'Cookie' => '__cid=abcd;other=efgh',
+      'Content-Length' => '0',
+      'Ok' => 'OK',
+      'User-Agent' => 'Mozilla 1234',
+      'Remote-Addr' => '1.2.3.4',
+      'X-Forwarded-For' => '1.2.3.4'
+    }
+  end
+  let(:request) { Rack::Request.new(env) }
+
+  context 'with list of header' do
+    it { expect(headers).to eq(filtered) }
+  end
+end

data/spec/lib/castle/{header_formatter_spec.rb → headers_formatter_spec.rb}

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-describe Castle::HeaderFormatter do
-  subject(:formatter) { described_class.new }
+describe Castle::HeadersFormatter do
+  subject(:formatter) { described_class }
 
   it 'removes HTTP_' do
     expect(formatter.call('HTTP_X_TEST')).to be_eql('X-Test')
@@ -19,7 +19,7 @@ describe Castle::HeaderFormatter do
     expect(formatter.call('httpX_teST')).to be_eql('Httpx-Test')
   end
 
-  it 'removes HTTP_' do
+  it 'capitalizes' do
     expect(formatter.call(:clearance)).to be_eql('Clearance')
   end
 end

data/spec/lib/castle/utils/cloner_spec.rb

@@ -10,6 +10,7 @@ describe Castle::Utils::Cloner do
     let(:cloned) { cloner.call(first) }
 
     before { cloned }
+
     it do
       nested[:test] = 'sample'
       expect(cloned).to be_eql(result)

data/spec/lib/castle/utils/timestamp_spec.rb

@@ -1,17 +1,16 @@
 # frozen_string_literal: true
 
 describe Castle::Utils::Timestamp do
-  subject { described_class.call }
+  subject(:timestamp) { described_class.call }
 
   let(:time_string) { '2018-01-10T14:14:24.407Z' }
   let(:time) { Time.parse(time_string) }
 
   before { Timecop.freeze(time) }
+
   after { Timecop.return }
 
   describe '#call' do
-    it do
-      is_expected.to eql(time_string)
-    end
+    it { expect(timestamp).to eql(time_string) }
   end
 end

data/spec/lib/castle/utils_spec.rb

@@ -48,7 +48,7 @@ describe Castle::Utils do
     end
   end
 
-  describe '#deep_symbolize_keys' do
+  describe '#cloner' do
     subject { described_class.deep_symbolize_keys!(Castle::Utils::Cloner.call(hash)) }
 
     context 'when nested_symbols' do

data/spec/lib/castle/validators/not_supported_spec.rb

@@ -8,9 +8,7 @@ describe Castle::Validators::NotSupported do
       let(:keys) { %i[first second] }
 
       it do
-        expect do
-          call
-        end.to raise_error(
+        expect { call }.to raise_error(
           Castle::InvalidParametersError,
           'first is/are not supported'
         )

data/spec/spec_helper.rb

@@ -16,8 +16,7 @@ WebMock.disable_net_connect!(allow_localhost: true)
 
 RSpec.configure do |config|
   config.before do
-    Castle.instance_variable_set(:@configuration, Castle::Configuration.new)
-
+    Castle.config.reset
     Castle.configure do |cfg|
       cfg.api_secret = 'secret'
     end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: castle-rb
 version: !ruby/object:Gem::Version
-  version: 3.6.2
+  version: 4.3.0
 platform: ruby
 authors:
 - Johan Brissmyr
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-24 00:00:00.000000000 Z
-dependencies: []
+date: 2020-05-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Castle protects your users from account compromise
 email: johan@castle.io
 executables: []
@@ -21,8 +35,8 @@ files:
 - lib/castle.rb
 - lib/castle/api.rb
 - lib/castle/api/request.rb
-- lib/castle/api/request/build.rb
 - lib/castle/api/response.rb
+- lib/castle/api/session.rb
 - lib/castle/client.rb
 - lib/castle/command.rb
 - lib/castle/commands/authenticate.rb
@@ -35,11 +49,13 @@ files:
 - lib/castle/context/merger.rb
 - lib/castle/context/sanitizer.rb
 - lib/castle/errors.rb
+- lib/castle/events.rb
 - lib/castle/extractors/client_id.rb
 - lib/castle/extractors/headers.rb
 - lib/castle/extractors/ip.rb
 - lib/castle/failover_auth_response.rb
-- lib/castle/header_formatter.rb
+- lib/castle/headers_filter.rb
+- lib/castle/headers_formatter.rb
 - lib/castle/review.rb
 - lib/castle/secure_mode.rb
 - lib/castle/support/hanami.rb
@@ -53,9 +69,13 @@ files:
 - lib/castle/validators/not_supported.rb
 - lib/castle/validators/present.rb
 - lib/castle/version.rb
-- spec/lib/castle/api/request/build_spec.rb
+- spec/integration/rails/rails_spec.rb
+- spec/integration/rails/support/all.rb
+- spec/integration/rails/support/application.rb
+- spec/integration/rails/support/home_controller.rb
 - spec/lib/castle/api/request_spec.rb
 - spec/lib/castle/api/response_spec.rb
+- spec/lib/castle/api/session_spec.rb
 - spec/lib/castle/api_spec.rb
 - spec/lib/castle/client_spec.rb
 - spec/lib/castle/command_spec.rb
@@ -68,10 +88,12 @@ files:
 - spec/lib/castle/context/default_spec.rb
 - spec/lib/castle/context/merger_spec.rb
 - spec/lib/castle/context/sanitizer_spec.rb
+- spec/lib/castle/events_spec.rb
 - spec/lib/castle/extractors/client_id_spec.rb
 - spec/lib/castle/extractors/headers_spec.rb
 - spec/lib/castle/extractors/ip_spec.rb
-- spec/lib/castle/header_formatter_spec.rb
+- spec/lib/castle/headers_filter_spec.rb
+- spec/lib/castle/headers_formatter_spec.rb
 - spec/lib/castle/review_spec.rb
 - spec/lib/castle/secure_mode_spec.rb
 - spec/lib/castle/utils/cloner_spec.rb
@@ -102,14 +124,19 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.3
 signing_key: 
 specification_version: 4
 summary: Castle
 test_files:
 - spec/spec_helper.rb
+- spec/integration/rails/support/application.rb
+- spec/integration/rails/support/all.rb
+- spec/integration/rails/support/home_controller.rb
+- spec/integration/rails/rails_spec.rb
 - spec/lib/castle_spec.rb
 - spec/lib/castle/review_spec.rb
+- spec/lib/castle/headers_filter_spec.rb
 - spec/lib/castle/client_spec.rb
 - spec/lib/castle/context/default_spec.rb
 - spec/lib/castle/context/merger_spec.rb
@@ -117,14 +144,14 @@ test_files:
 - spec/lib/castle/api_spec.rb
 - spec/lib/castle/configuration_spec.rb
 - spec/lib/castle/version_spec.rb
-- spec/lib/castle/header_formatter_spec.rb
 - spec/lib/castle/utils/cloner_spec.rb
 - spec/lib/castle/utils/timestamp_spec.rb
 - spec/lib/castle/utils/merger_spec.rb
 - spec/lib/castle/command_spec.rb
+- spec/lib/castle/headers_formatter_spec.rb
+- spec/lib/castle/api/session_spec.rb
 - spec/lib/castle/api/request_spec.rb
 - spec/lib/castle/api/response_spec.rb
-- spec/lib/castle/api/request/build_spec.rb
 - spec/lib/castle/commands/review_spec.rb
 - spec/lib/castle/commands/authenticate_spec.rb
 - spec/lib/castle/commands/track_spec.rb
@@ -137,3 +164,4 @@ test_files:
 - spec/lib/castle/extractors/client_id_spec.rb
 - spec/lib/castle/utils_spec.rb
 - spec/lib/castle/secure_mode_spec.rb
+- spec/lib/castle/events_spec.rb

data/lib/castle/api/request/build.rb

@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-module Castle
-  module API
-    # generate api request
-    module Request
-      module Build
-        class << self
-          def call(command, headers, api_secret)
-            request = Net::HTTP.const_get(
-              command.method.to_s.capitalize
-            ).new("/#{Castle.config.url_prefix}/#{command.path}", headers)
-
-            unless command.method == :get
-              request.body = ::Castle::Utils.replace_invalid_characters(
-                command.data
-              ).to_json
-            end
-
-            request.basic_auth('', api_secret)
-            request
-          end
-        end
-      end
-    end
-  end
-end

data/lib/castle/header_formatter.rb

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-module Castle
-  class HeaderFormatter
-    def call(header)
-      header.to_s.gsub(/^HTTP(?:_|-)/i, '').split(/_|-/).map(&:capitalize).join('-')
-    end
-  end
-end

data/spec/lib/castle/api/request/build_spec.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-describe Castle::API::Request::Build do
-  subject(:call) { described_class.call(command, headers, api_secret) }
-
-  let(:headers) { { 'SAMPLE-HEADER' => '1' } }
-  let(:api_secret) { 'secret' }
-
-  describe 'call' do
-    context 'when get' do
-      let(:command) { Castle::Commands::Review.build(review_id) }
-      let(:review_id) { SecureRandom.uuid }
-
-      it { expect(call.body).to be_nil }
-      it { expect(call.method).to eql('GET') }
-      it { expect(call.path).to eql("/v1/#{command.path}") }
-      it { expect(call.to_hash).to have_key('authorization') }
-      it { expect(call.to_hash).to have_key('sample-header') }
-      it { expect(call.to_hash['sample-header']).to eql(['1']) }
-    end
-
-    context 'when post' do
-      let(:time) { Time.now.utc.iso8601(3) }
-      let(:command) { Castle::Commands::Track.new({}).build(event: '$login.succeeded', name: "\xC4") }
-      let(:expected_body) do
-        {
-          event: '$login.succeeded',
-          name: "�",
-          context: {},
-          sent_at: time
-        }
-      end
-
-      before { allow(Castle::Utils::Timestamp).to receive(:call).and_return(time) }
-
-      it { expect(call.body).to be_eql(expected_body.to_json) }
-      it { expect(call.method).to eql('POST') }
-      it { expect(call.path).to eql("/v1/#{command.path}") }
-      it { expect(call.to_hash).to have_key('authorization') }
-      it { expect(call.to_hash).to have_key('sample-header') }
-      it { expect(call.to_hash['sample-header']).to eql(['1']) }
-    end
-  end
-end