contentful-scheduler 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bd007e6c6d4a25ead5ebc991d556bcf0c54999ff
-  data.tar.gz: d1c46c66389f3e0e3156a74452c481677471df8e
+  metadata.gz: f3171ffa6b6fee5eb141d60da86e954868dbfd5e
+  data.tar.gz: 2afa33f5a560b6f330b337b10a9cd4edb2082fd1
 SHA512:
-  metadata.gz: a93a782354a79b12c9c939ff29574a6fd647544865fad71447c5bac64af3f08e30ef666bb3a34581a835a4e95fb96918b1530e96558d11169e7cc6765b854ee2
-  data.tar.gz: f7a8ed7913141c24f9fc040d17232d451842a6ce4d4f4f80781b7158ea3990ce651466bcdef68eb299d85c9d2a32846ff593e12a6755ce276f9b62ee61f24f6a
+  metadata.gz: 91dd5e9622d174eefaccb065e09a27d40d683b978567f795ebba156679bb624aa7eb0500ae93245186eea6756519c6178861c14b8d0d1b52fa13879db62ad818
+  data.tar.gz: ba0f65329a151445be938e9301e5710c895e0a61569afc20a83c5d2ece65864230c49bdd21de8a195a093068895db3c4af587ed59c47c3853597db625db83791

data/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## Unreleased
 
+## 0.4.0
+### Fixed
+* Fixed User Agent Header to comply with specification.
+
+### Added
+* Added authentication mechanisms. [#9](https://github.com/contentful/contentful-scheduler.rb/issues/9)
+
 ## 0.3.0
 ### Added
 * Added possibility to republish already published content. [#5](https://github.com/contentful/contentful-scheduler.rb/issues/5)
@@ -9,7 +16,7 @@
 ## 0.2.1
 
 ### Fixed
-* Fix time parsing.
+* Fixed time parsing.
 
 ## 0.2.0
 

data/README.md

@@ -13,8 +13,7 @@ entries for scheduled publishing.
 `contentful-scheduler` provides a web endpoint to receive webhook calls from Contentful.
 
 Every time the endpoint recieves a call it looks for the value of the field defined in the configuration.
-If the value is a time in the future -- and if the entry has not already been published -- it will schedule
-the entry for publishing at the specified time.
+If the value is a time in the future it will schedule the entry for publishing at the specified time.
 
 A background worker based on the popular `resque` gem will then proceed to actually make the publish call
 against the Content Management API at the due time. For this the Entries you wish to publish require a
@@ -92,7 +91,10 @@ config = {
   spaces: {
     'YOUR_SPACE_ID' => {
       publish_field: 'publishDate', # It specifies the field ID for your Publish Date in your Content Type
-      management_token: 'YOUR_TOKEN'
+      management_token: 'YOUR_TOKEN',
+      auth: { # This is optional
+        # ... content in this section will be explained in a separate section ...
+      }
     }
   },
 }
@@ -153,6 +155,96 @@ Under the space settings menu choose webhook and add a new webhook pointing to `
 
 Keep in mind that if you modify the defaults, the URL should be changed to the values specified in the configuration.
 
+## Authentication
+
+You may want to provide an additional layer of security to your scheduler server, therefore an additional option to add space based authentication is provided.
+
+There are two available authentication methods. Static string matching and lambda validations, which will be explained in the next section.
+
+Any of both mechanisms require you to add additional headers to your webhook set up, which can be done through the [Contentful Web App](https://app.contentful.com),
+or through the [CMA](https://www.contentful.com/developers/docs/references/content-management-api/#/reference/webhooks/webhook/create-update-a-webhook/console/ruby).
+
+### Authentication via static token matching
+
+The simplest authentication mechanism, is to provide a static set of valid strings that are considered valid when found in a determined header.
+
+For example:
+
+```ruby
+config = {
+  # ... the rest of the config ...
+  spaces: {
+    'my_space' => {
+      # ... the rest of the space specific configuration ...
+      auth: {
+        key: 'X-Webhook-Server-Auth-Header',
+        valid_tokens: ['some_valid_static_token']
+      }
+    }
+  }
+}
+```
+
+The above example, whenever your webhook sends the `X-Webhook-Server-Auth-Header` with a value of `some_valid_static_token`,
+it will accept the request and queue your webhook for processing.
+
+You can provide multiple or a single token. If a single token is provided, it's not necessary to include it in an array.
+
+### Authentication via lambda
+
+A more complicated solution, but far more secure, is the ability to execute a lambda as the validator function.
+This allows you define a function for authentication. This function can call an external authentication service,
+make checks against a database or do internal processing.
+
+The function must return a truthy/falsey value in order for the authentication to be successful/unsuccessful.
+
+For example, we validate that the token provided is either `foo` or `bar`:
+
+```ruby
+config = {
+  # ... the rest of the config ...
+  spaces: {
+    'my_space' => {
+      # ... the rest of the space specific configuration ...
+      auth: {
+        key: 'X-Webhook-Server-Auth-Header',
+        validation: -> (value) { /^(foo|bar)$/ =~ value }
+      }
+    }
+  }
+}
+```
+
+Or a more complicated example, checking if the header is a valid OAuth token, and then making a request to our OAuth database.
+For this example we'll consider you have a table called `tokens` and are using [DataMapper](https://datamapper.org) as a ORM,
+and have a `valid?` method checking if the token is not expired.
+
+```ruby
+config = {
+  # ... the rest of the config ...
+  spaces: {
+    'my_space' => {
+      # ... the rest of the space specific configuration ...
+      auth: {
+        key: 'X-Webhook-Server-Auth-Header',
+        validation: proc do |value|
+          return false unless /^Bearer \w+/ =~ value
+
+          token = Token.first(token: value.gsub('Bearer ', ''))
+
+          return false if token.nil?
+
+          token.valid?
+        end
+      }
+    }
+  }
+}
+```
+
+If you have multiple spaces and all share the same auth strategy, you can extract the authentication method to a variable,
+and assign it to all the applicable spaces in order to reduce the code duplication.
+
 ## Running in Heroku
 
 Heroku offers various Redis plugins, select the one of your liking, add the credentials into your configuration, and proceed to

data/lib/contentful/scheduler/auth.rb

@@ -0,0 +1,64 @@
+module Contentful
+  module Scheduler
+    class Auth
+      attr_reader :webhook
+
+      def initialize(webhook)
+        @webhook = webhook
+      end
+
+      def auth
+        return true if auth_config.nil?
+
+        return verify_key_value_config if key_value_config?
+        return verify_lambda_config if lambda_config?
+
+        false
+      end
+
+      private
+
+      def key_value_config?
+        auth_config.key?(:key) && auth_config.key?(:valid_tokens)
+      end
+
+      def verify_key_value_config
+        value = webhook.raw_headers[auth_config[:key]]
+
+        return false if value.nil?
+
+        valid_tokens = auth_config[:valid_tokens]
+
+        return valid_tokens.include?(value) if valid_tokens.is_a?(::Array)
+        valid_tokens == value
+      end
+
+      def lambda_config?
+        auth_config.key?(:key) && auth_config.key?(:validation)
+      end
+
+      def verify_lambda_config
+        value = webhook.raw_headers[auth_config[:key]]
+
+        return false if value.nil?
+
+        validation = auth_config[:validation]
+
+        return false unless validation.is_a?(::Proc)
+
+        validation[value]
+      end
+
+      def auth_config
+        ::Contentful::Scheduler.config
+          .fetch(:spaces, {})
+          .fetch(space_id, {})
+          .fetch(:auth, nil)
+      end
+
+      def space_id
+        webhook.space_id
+      end
+    end
+  end
+end

data/lib/contentful/scheduler/controller.rb

@@ -1,4 +1,5 @@
 require 'contentful/webhook/listener'
+require_relative 'auth'
 require_relative 'queue'
 
 module Contentful
@@ -7,6 +8,11 @@ module Contentful
       def create
         return unless webhook.entry?
 
+        if !Auth.new(webhook).auth
+          logger.warn "Skipping - Authentication failed for Space: #{webhook.space_id} - Entry: #{webhook.id}"
+          return
+        end
+
         logger.info "Queueing - Space: #{webhook.space_id} - Entry: #{webhook.id}"
 
         Queue.instance(logger).update_or_create(webhook)
@@ -18,6 +24,11 @@ module Contentful
       def delete
         return unless webhook.entry?
 
+        if !Auth.new(webhook).auth
+          logger.warn "Skipping - Authentication failed for Space: #{webhook.space_id} - Entry: #{webhook.id}"
+          return
+        end
+
         logger.info "Unqueueing - Space: #{webhook.space_id} - Entry: #{webhook.id}"
 
         Queue.instance(logger).remove(webhook)

data/lib/contentful/scheduler/tasks/publish.rb

@@ -10,7 +10,7 @@ module Contentful
           client = ::Contentful::Management::Client.new(
             token,
             raise_errors: true,
-            application_name: 'contentful-scheduler',
+            application_name: 'contentful.scheduler',
             application_version: Contentful::Scheduler::VERSION
           )
           client.entries.find(space_id, entry_id).publish

data/lib/contentful/scheduler/version.rb

@@ -1,5 +1,5 @@
 module Contentful
   module Scheduler
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/spec/contentful/scheduler/auth_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+describe Contentful::Scheduler::Auth do
+  before :each do
+    Contentful::Scheduler.config = base_config
+  end
+
+  describe 'auth' do
+    context 'when no auth is provided' do
+      it 'always returns true' do
+        webhook = WebhookDouble.new('id', 'no_auth')
+        expect(described_class.new(webhook).auth).to be_truthy
+      end
+    end
+
+    context 'when providing token array auth' do
+      it 'false when key not found' do
+        webhook = WebhookDouble.new('id', 'valid_token_array')
+        expect(described_class.new(webhook).auth).to be_falsey
+      end
+
+      it 'false when key found but value not matched' do
+        webhook = WebhookDouble.new('id', 'valid_token_array', {}, {}, {'auth' => 'not_valid'})
+        expect(described_class.new(webhook).auth).to be_falsey
+      end
+
+      it 'true when key found and value matched' do
+        webhook = WebhookDouble.new('id', 'valid_token_array', {}, {}, {'auth' => 'test_1'})
+        expect(described_class.new(webhook).auth).to be_truthy
+      end
+    end
+
+    context 'when providing token string auth' do
+      it 'false when key not found' do
+        webhook = WebhookDouble.new('id', 'valid_token_string')
+        expect(described_class.new(webhook).auth).to be_falsey
+      end
+
+      it 'false when key found but value not matched' do
+        webhook = WebhookDouble.new('id', 'valid_token_string', {}, {}, {'auth' => 'not_valid'})
+        expect(described_class.new(webhook).auth).to be_falsey
+      end
+
+      it 'true when key found and value matched' do
+        webhook = WebhookDouble.new('id', 'valid_token_string', {}, {}, {'auth' => 'test_2'})
+        expect(described_class.new(webhook).auth).to be_truthy
+      end
+    end
+
+    context 'when providing lambda auth' do
+      it 'false when key not found' do
+        webhook = WebhookDouble.new('id', 'lambda_auth')
+        expect(described_class.new(webhook).auth).to be_falsey
+      end
+
+      it 'false when key found but value not matched' do
+        webhook = WebhookDouble.new('id', 'lambda_auth', {}, {}, {'auth' => 'not_valid'})
+        expect(described_class.new(webhook).auth).to be_falsey
+      end
+
+      it 'true when key found and value matched' do
+        webhook = WebhookDouble.new('id', 'lambda_auth', {}, {}, {'auth' => 'test'})
+        expect(described_class.new(webhook).auth).to be_truthy
+      end
+    end
+  end
+end

data/spec/contentful/scheduler/controller_spec.rb

@@ -9,6 +9,10 @@ describe Contentful::Scheduler::Controller do
   let(:queue) { ::Contentful::Scheduler::Queue.instance }
   subject { described_class.new server, logger, timeout }
 
+  before :each do
+    Contentful::Scheduler.config = base_config
+  end
+
   describe 'events' do
     [:create, :save, :auto_save, :unarchive].each do |event|
       it "creates or updates webhook metadata in publish queue on #{event}" do
@@ -42,5 +46,19 @@ describe Contentful::Scheduler::Controller do
         end
       end
     end
+
+    describe 'auth' do
+      context 'on auth failure' do
+        let(:body) { {sys: { id: 'invalid_auth', space: { sys: { id: 'valid_token_string' } } }, fields: {} } }
+
+        it 'will stop the queueing process' do
+          expect(queue).not_to receive(:update_or_create)
+
+          headers['X-Contentful-Topic'] = "ContentfulManagement.Entry.save"
+          request = RequestDummy.new(headers, body)
+          subject.respond(request, MockResponse.new).join
+        end
+      end
+    end
   end
 end

data/spec/contentful/scheduler/queue_spec.rb

@@ -1,67 +1,27 @@
 require 'spec_helper'
 
-class WebhookDouble
-  attr_reader :id, :space_id, :sys, :fields
-  def initialize(id, space_id, sys = {}, fields = {})
-    @id = id
-    @space_id = space_id
-    @sys = sys
-    @fields = fields
-  end
-end
-
 describe Contentful::Scheduler::Queue do
-  let(:config) {
-    {
-      logger: ::Contentful::Scheduler::DEFAULT_LOGGER,
-      endpoint: ::Contentful::Scheduler::DEFAULT_ENDPOINT,
-      port: ::Contentful::Scheduler::DEFAULT_PORT,
-      redis: {
-        host: 'localhost',
-        port: 12341,
-        password: 'foobar'
-      },
-      spaces: {
-        'foo' => {
-          publish_field: 'my_field',
-          management_token: 'foo'
-        }
-      }
-    }
-  }
-
+  let(:config) { base_config }
   subject { described_class.instance }
 
   before :each do
     allow(Resque).to receive(:redis=)
     described_class.class_variable_set(:@@instance, nil)
-    ::Contentful::Scheduler.config = config
+
+    ::Contentful::Scheduler.class_variable_set(:@@config, base_config)
   end
 
   describe 'singleton' do
     it 'creates an instance if not initialized' do
-      queue = described_class.instance
-      expect(queue).to be_a described_class
+      expect(subject).to be_a described_class
     end
 
     it 'reuses same instance' do
-      queue = described_class.instance
-
-      expect(queue).to eq described_class.instance
-    end
-  end
-
-  describe 'attributes' do
-    it '.config' do
-      expect(subject.config).to eq config
+      expect(subject).to eq described_class.instance
     end
   end
 
   describe 'instance methods' do
-    it '#spaces' do
-      expect(subject.spaces).to eq config[:spaces]
-    end
-
     it '#webhook_publish_field?' do
       expect(subject.webhook_publish_field?(
         WebhookDouble.new('bar', 'foo', {}, {'my_field' => 'something'})

data/spec/contentful/scheduler/tasks/publish_spec.rb

@@ -21,22 +21,22 @@ describe Contentful::Scheduler::Tasks::Publish do
   let(:mock_entry) { MockEntry.new }
 
   before :each do
-    ::Contentful::Scheduler.class_variable_set(:@@config, {management_token: 'foobar'})
+    ::Contentful::Scheduler.config = base_config
   end
 
   describe 'class methods' do
     it '::perform' do
       expect(::Contentful::Management::Client).to receive(:new).with(
-        'foobar',
+        'foo',
         raise_errors: true,
-        application_name: 'contentful-scheduler',
+        application_name: 'contentful.scheduler',
         application_version: Contentful::Scheduler::VERSION
       ) { mock_client }
       expect(mock_client).to receive(:entries) { mock_entries }
       expect(mock_entries).to receive(:find).with('foo', 'bar') { mock_entry }
       expect(mock_entry).to receive(:publish)
 
-      described_class.perform('foo', 'bar', ::Contentful::Scheduler.config[:management_token])
+      described_class.perform('foo', 'bar', ::Contentful::Scheduler.config[:spaces]['foo'][:management_token])
     end
   end
 end

data/spec/spec_helper.rb

@@ -40,6 +40,17 @@ class RequestDummy
   end
 end
 
+class WebhookDouble
+  attr_reader :id, :space_id, :sys, :fields, :raw_headers
+  def initialize(id, space_id, sys = {}, fields = {}, headers = {})
+    @id = id
+    @space_id = space_id
+    @sys = sys
+    @fields = fields
+    @raw_headers = headers
+  end
+end
+
 class Contentful::Webhook::Listener::Controllers::Wait
   @@sleeping = false
 
@@ -54,6 +65,53 @@ class Contentful::Webhook::Listener::Controllers::Wait
   end
 end
 
+def base_config
+  {
+    logger: ::Contentful::Scheduler::DEFAULT_LOGGER,
+    endpoint: ::Contentful::Scheduler::DEFAULT_ENDPOINT,
+    port: ::Contentful::Scheduler::DEFAULT_PORT,
+    redis: {
+      host: 'localhost',
+      port: 12341,
+      password: 'foobar'
+    },
+    spaces: {
+      'foo' => {
+        publish_field: 'my_field',
+        management_token: 'foo'
+      },
+      'no_auth' => {
+        publish_field: 'my_field',
+        management_token: 'foo'
+      },
+      'valid_token_array' => {
+        publish_field: 'my_field',
+        management_token: 'foo',
+        auth: {
+          key: 'auth',
+          valid_tokens: ['test_1']
+        }
+      },
+      'valid_token_string' => {
+        publish_field: 'my_field',
+        management_token: 'foo',
+        auth: {
+          key: 'auth',
+          valid_tokens: 'test_2'
+        }
+      },
+      'lambda_auth' => {
+        publish_field: 'my_field',
+        management_token: 'foo',
+        auth: {
+          key: 'auth',
+          validation: -> (value) { value.size == 4 }
+        }
+      }
+    }
+  }
+end
+
 RSpec.configure do |config|
   config.filter_run :focus => true
   config.run_all_when_everything_filtered = true

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: contentful-scheduler
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Contentful GmbH (David Litvak Bruno0
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-06 00:00:00.000000000 Z
+date: 2018-02-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: contentful-webhook-listener
@@ -201,11 +201,13 @@ files:
 - example/Rakefile
 - example/config.ru
 - lib/contentful/scheduler.rb
+- lib/contentful/scheduler/auth.rb
 - lib/contentful/scheduler/controller.rb
 - lib/contentful/scheduler/queue.rb
 - lib/contentful/scheduler/tasks.rb
 - lib/contentful/scheduler/tasks/publish.rb
 - lib/contentful/scheduler/version.rb
+- spec/contentful/scheduler/auth_spec.rb
 - spec/contentful/scheduler/controller_spec.rb
 - spec/contentful/scheduler/queue_spec.rb
 - spec/contentful/scheduler/tasks/publish_spec.rb
@@ -236,6 +238,7 @@ signing_key:
 specification_version: 4
 summary: Customizable Scheduler for Contentful Entries.
 test_files:
+- spec/contentful/scheduler/auth_spec.rb
 - spec/contentful/scheduler/controller_spec.rb
 - spec/contentful/scheduler/queue_spec.rb
 - spec/contentful/scheduler/tasks/publish_spec.rb