drillbit 0.0.1

data/spec/drillbit/matchers/version_spec.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+require 'spec_helper'
+require 'drillbit/requests/base'
+require 'drillbit/matchers/version'
+
+module          Drillbit
+module          Matchers
+RSpec.describe  Version do
+  context 'when the version is passed in the accept header' do
+    it 'does not match if the subdomain is API but the requested version does not ' \
+       'equal the version constraint' do
+
+      env = {
+        'HTTP_X_APPLICATION_NAME' => 'westeros',
+        'HTTP_ACCEPT'             => 'application/vnd.westeros+redkeep;version=10.0',
+      }
+      request = Requests::Base.resolve(env)
+
+      matcher = Version.new(version_constraint: '10.1')
+
+      expect(matcher.matches?(request)).to be_a FalseClass
+    end
+
+    it 'does match if the subdomain is API and the requested version equals the ' \
+       'version constraint' do
+
+      env = {
+        'HTTP_X_APPLICATION_NAME' => 'westeros',
+        'HTTP_ACCEPT'             => 'application/vnd.westeros+redkeep;version=10.0',
+      }
+      request = Requests::Base.resolve(env)
+
+      matcher = Version.new(version_constraint: '10.0')
+
+      expect(matcher.matches?(request)).to be_a TrueClass
+    end
+  end
+
+  context 'when the version is not passed in the accept header' do
+    it 'does not match if the subdomain is API but the requested version does not ' \
+       'equal the version constraint' do
+
+      env = {
+        'HTTP_X_APPLICATION_NAME' => 'westeros',
+        'HTTP_ACCEPT'             => 'application/vnd.westeros+redkeep',
+      }
+      request = Requests::Base.resolve(env)
+
+      matcher = Version.new(version_constraint: '10.1',
+                            default_version:    '10.0')
+
+      expect(matcher.matches?(request)).to be_a FalseClass
+    end
+
+    it 'does match if the subdomain is API and the requested version equals the ' \
+       'version constraint' do
+
+      env = {
+        'HTTP_X_APPLICATION_NAME' => 'westeros',
+        'HTTP_ACCEPT'             => 'application/vnd.westeros+redkeep',
+      }
+      request = Requests::Base.resolve(env)
+
+      matcher = Version.new(version_constraint: '10.0',
+                            default_version:    '10.0')
+
+      expect(matcher.matches?(request)).to be_a TrueClass
+    end
+  end
+
+  it 'matches the default version in the configuration if none is passed in' do
+    Drillbit.configuration.default_api_version = '100.0'
+
+    env = {
+      'HTTP_X_APPLICATION_NAME' => 'westeros',
+      'HTTP_ACCEPT'             => 'application/vnd.westeros+redkeep',
+    }
+    request = Requests::Base.resolve(env)
+
+    matcher = Version.new(version_constraint: '100.0')
+
+    expect(matcher.matches?(request)).to be_a TrueClass
+  end
+end
+end
+end

data/spec/drillbit/middleware/api_request_spec.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+require 'spec_helper'
+require 'drillbit/middleware/api_request'
+
+# rubocop:disable Metrics/LineLength
+module          Drillbit
+module          Middleware
+RSpec.describe  ApiRequest, singletons: Erratum::Configuration do
+  let(:app) { ->(_env) { [200, {}, 'response'] } }
+
+  before(:each) do
+    Erratum.configuration.url_mappings = {
+      'external_documentation_urls'  => {
+        'errors.responses.invalid_subdomain' => 'http://example.com/foo',
+      },
+      'developer_documentation_urls' => {
+        'errors.responses.invalid_subdomain' => 'http://example.com/foo',
+      },
+    }
+
+    Drillbit.configure do |config|
+      config.allowed_subdomains     = %w{api westeros}
+      config.allowed_api_subdomains = %w{api}
+      config.application_name       = 'westeros'
+    end
+  end
+
+  it 'allows requests for allowed subdomains without accept headers' do
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'    => 'westeros.example.com',
+      'HTTP_ACCEPT'  => '',
+      'QUERY_STRING' => '',
+    }
+
+    status, headers, response = api_request_middleware.call(request)
+
+    expect(status).to   eql 200
+    expect(headers).to  eql({})
+    expect(response).to eql 'response'
+  end
+
+  it 'does not allow requests if they are not for an allowed subdomain' do
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'    => 'notvalid.example.com',
+      'HTTP_ACCEPT'  => '',
+      'QUERY_STRING' => 'first=my_param&accept=application/vnd.silent+redkeep;version=1.0.0',
+    }
+
+    status, headers, response = api_request_middleware.call(request)
+
+    expect(status).to                 eql 404
+    expect(headers).to                eql({})
+    expect(JSON.load(response[0])).to include(
+      'errors' => [
+                    {
+                      'id'     => match(/[a-z0-9\-]+/),
+                      'links'  => {
+                        'about'         => nil,
+                        'documentation' => nil,
+                      },
+                      'status' => 404,
+                      'code'   => 'errors.invalid_subdomain',
+                      'title'  => 'Invalid Subdomain',
+                      'detail' => 'The resource you attempted to access is either not authorized ' \
+                                  'for the authenticated user or does not exist.',
+                      'source' => {
+                        'http_host' => 'notvalid.example.com',
+                      },
+                    },
+                  ],
+    )
+  end
+
+  it 'does not allow requests if they are for an allowed subdomain but does ' \
+     'not have a valid accept header' do
+
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'    => 'api.example.com',
+      'HTTP_ACCEPT'  => '',
+      'QUERY_STRING' => 'first=my_param&accept=application/vnd.silent+redkeep;version=1.0.0',
+    }
+
+    status, headers, response = api_request_middleware.call(request)
+
+    expect(status).to                 eql 400
+    expect(headers).to                eql({})
+    expect(JSON.load(response[0])).to include(
+      'errors' => [
+                    {
+                      'id'     => match(/[a-z0-9\-]+/),
+                      'links'  => {
+                        'about'         => nil,
+                        'documentation' => nil,
+                      },
+                      'status' => 400,
+                      'code'   => 'errors.invalid_api_request',
+                      'title'  => 'Invalid API Request',
+                      'detail' => 'The accept header that you passed in the request cannot be ' \
+                                  'parsed, please refer to the documentation to verify.',
+                      'source' => {
+                        'accept_header' => '',
+                      },
+                    },
+                  ],
+    )
+  end
+
+  it 'does allow requests if both the subdomain and the accept header are valid' do
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'    => 'api.example.com',
+      'HTTP_ACCEPT'  => 'application/vnd.westeros+redkeep;version=1.0.0',
+      'QUERY_STRING' => 'first=my_param&accept=application/vnd.westeros+redkeep;version=1.0.0',
+    }
+
+    status, headers, response = api_request_middleware.call(request)
+
+    expect(status).to   eql 200
+    expect(headers).to  eql({})
+    expect(response).to eql 'response'
+  end
+
+  it 'does allow requests if the subdomain, the accept header and the token are valid' do
+    Drillbit.configuration.token_private_key = test_private_key
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'          => 'api.example.com',
+      'HTTP_ACCEPT'        => 'application/vnd.westeros+redkeep;version=1.0.0',
+      'HTTP_AUTHORIZATION' => "Token #{valid_jwe_token}",
+      'QUERY_STRING'       => 'accept=application/vnd.westeros+redkeep;version=1.0.0',
+    }
+
+    status, headers, response = api_request_middleware.call(request)
+
+    expect(status).to   eql 200
+    expect(headers).to  eql({})
+    expect(response).to eql 'response'
+  end
+
+  it 'returns the proper response if the token is invalid' do
+    Drillbit.configuration.token_private_key = test_private_key
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'          => 'api.example.com',
+      'HTTP_ACCEPT'        => 'application/vnd.westeros+redkeep;version=1.0.0',
+      'HTTP_AUTHORIZATION' => "Token #{invalid_jwe_token}",
+      'QUERY_STRING'       => 'accept=application/vnd.westeros+redkeep;version=1.0.0',
+    }
+
+    _status, _headers, response = api_request_middleware.call(request)
+
+    expect(response.first).to include 'errors.invalid_token'
+  end
+
+  it 'converts JSON API compliant dasherized query params to underscored' do
+    app                    = ->(env) { [200, env, 'response'] }
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'HTTP_HOST'    => 'api.example.com',
+      'HTTP_ACCEPT'  => 'application/vnd.westeros+redkeep;version=1.0.0',
+      'QUERY_STRING' => 'hello-there=bob-jones&'     \
+                        'nice-to-meet=you-bob&'      \
+                        'hows-the-weather=today-bob',
+    }
+
+    _status, headers, _response = api_request_middleware.call(request)
+
+    expect(headers['QUERY_STRING']).to eql 'hello_there=bob-jones&' \
+                                           'nice_to_meet=you-bob&'  \
+                                           'hows_the_weather=today-bob'
+  end
+
+  it 'properly converts the content type for Rails when it is the only one' do
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'CONTENT_TYPE' => 'application/vnd.api+json',
+      'HTTP_HOST'    => 'westeros.example.com',
+      'HTTP_ACCEPT'  => '',
+      'QUERY_STRING' => '',
+    }
+
+    allow(app).to receive(:call)
+
+    _response = api_request_middleware.call(request)
+
+    expect(app).to have_received(:call).
+                   with(a_hash_including('CONTENT_TYPE' => 'application/json'))
+  end
+
+  it 'properly converts the content type for Rails when it is not the only one' do
+    api_request_middleware = ApiRequest.new(app)
+
+    request = {
+      'CONTENT_TYPE' => 'application/vnd.api+json;other',
+      'HTTP_HOST'    => 'westeros.example.com',
+      'HTTP_ACCEPT'  => '',
+      'QUERY_STRING' => '',
+    }
+
+    allow(app).to receive(:call)
+
+    _response = api_request_middleware.call(request)
+
+    expect(app).to have_received(:call).
+                   with(a_hash_including('CONTENT_TYPE' => 'application/json;other'))
+  end
+end
+end
+end

data/spec/drillbit/parameters_spec.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+require 'spec_helper'
+require 'drillbit/parameters'
+
+module          Drillbit
+RSpec.describe  Parameters do
+  it 'can underscore the first parameter' do
+    query_params = 'hello-there=bob-jones'
+
+    expect(Parameters.process(query_params)).to eql 'hello_there=bob-jones'
+  end
+
+  it 'does not touch params with no dashes' do
+    query_params = 'hello_there=bob-jones'
+
+    expect(Parameters.process(query_params)).to eql 'hello_there=bob-jones'
+  end
+
+  it 'can underscore a middle parameter and a parameter at the end' do
+    query_params = 'hello-there=bob-jones&nice-to-meet=you-bob&hows-the-weather=today-bob'
+
+    expect(Parameters.process(query_params)).to eql 'hello_there=bob-jones&'     \
+                                                    'nice_to_meet=you-bob&'      \
+                                                    'hows_the_weather=today-bob'
+  end
+
+  it 'can handle weirdly formatted parameters' do
+    query_params = 'hello-there=bob-jones&nice-to-meet=you-bob&='
+
+    expect(Parameters.process(query_params)).to eql 'hello_there=bob-jones&'     \
+                                                    'nice_to_meet=you-bob&='
+  end
+
+  it 'can handle parameters with no values' do
+    query_params = 'hello-there&nice-to-meet=you-bob&='
+
+    expect(Parameters.process(query_params)).to eql 'hello_there&' \
+                                                    'nice_to_meet=you-bob&='
+  end
+
+  it 'can handle values with no parameter name' do
+    query_params = 'hello-there=bob-jones&=you-bob&nice-to-meet=you-bob&='
+
+    expect(Parameters.process(query_params)).to eql 'hello_there=bob-jones&' \
+                                                    '=you-bob&'              \
+                                                    'nice_to_meet=you-bob&='
+  end
+end
+end

data/spec/drillbit/requests/base_spec.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require 'ostruct'
+require 'spec_helper'
+require 'drillbit/requests/base'
+
+module          Drillbit
+module          Requests
+RSpec.describe  Base do
+  it 'can resolve itself by returning itself' do
+    raw_request      = Base.new(token_private_key: '', request: {})
+    resolved_request = Base.resolve(raw_request)
+
+    expect(resolved_request).to eql raw_request
+  end
+
+  it 'can resolve a Rails request' do
+    raw_request = OpenStruct.new(
+                         headers: {},
+                         params:  {},
+    )
+    resolved_request = Base.resolve(raw_request)
+
+    expect(resolved_request).to be_a Requests::Rails
+  end
+
+  it 'can resolve a Rack request' do
+    raw_request      = {
+      'HTTP_ACCEPT'  => 'accept_string',
+      'QUERY_STRING' => '',
+    }
+    resolved_request = Base.resolve(raw_request)
+
+    expect(resolved_request).to be_a Requests::Rack
+  end
+end
+end
+end

data/spec/drillbit/requests/rack_spec.rb

@@ -0,0 +1,253 @@
+# frozen_string_literal: true
+require 'spec_helper'
+require 'drillbit/requests/rack'
+
+# rubocop:disable Metrics/LineLength
+module          Drillbit
+module          Requests
+RSpec.describe  Rack do
+  it 'finds the accept header from the headers if it is valid' do
+    raw_request = {
+      'HTTP_ACCEPT'             => 'application/vnd.westeros+redkeep;version=10.0',
+      'QUERY_STRING'            => '',
+      'HTTP_X_APPLICATION_NAME' => 'westeros',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.accept_header.to_s).to eql 'application/vnd.westeros+redkeep;version=10.0'
+  end
+
+  it 'finds the accept header from the headers if it is invalid but there is no ' \
+     'accept header in the params' do
+
+    raw_request = {
+      'HTTP_ACCEPT'             => 'invalid/vnd.westeros+redkeep;version=10.0',
+      'QUERY_STRING'            => '',
+      'HTTP_X_APPLICATION_NAME' => 'westeros',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.accept_header.to_s).to eql 'invalid/vnd.westeros+redkeep;version=10.0'
+  end
+
+  it 'finds the accept header from the params if it is valid' do
+    raw_request = {
+      'HTTP_ACCEPT'             => '',
+      'QUERY_STRING'            => 'accept=application/vnd.westeros+redkeep;version=10.0',
+      'HTTP_X_APPLICATION_NAME' => 'westeros',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.accept_header.to_s).to eql 'application/vnd.westeros+redkeep;version=10.0'
+  end
+
+  it 'finds the accept header from the query string if it is encoded' do
+    raw_request = {
+      'HTTP_ACCEPT'             => '',
+      'QUERY_STRING'            => 'accept=application%2Fvnd.westeros%2Bredkeep%3Bversion%3D10.0',
+      'HTTP_X_APPLICATION_NAME' => 'westeros',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.accept_header.to_s).to eql 'application/vnd.westeros+redkeep;version=10.0'
+  end
+  # rubocop:enable Metrics/LineLength
+
+  it 'finds the authorization token from the header' do
+    raw_request = {
+      'HTTP_AUTHORIZATION' => "Token #{valid_jwe_token}",
+      'QUERY_STRING'       => '',
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql(
+      [
+        { 'bar' => 'baz' },
+        { 'typ' => 'JWT', 'alg' => 'RS256' },
+      ],
+    )
+  end
+
+  it 'finds the Base64 token from the header' do
+    raw_request = {
+      'HTTP_AUTHORIZATION' => "Basic #{valid_b64_token}",
+      'QUERY_STRING'       => '',
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql(
+      [
+        { 'token' => valid_b64_token },
+        { 'typ'   => 'base64' },
+      ],
+    )
+  end
+
+  it 'finds a null token from the header if there is no header' do
+    raw_request = {
+      'HTTP_AUTHORIZATION' => '',
+      'QUERY_STRING'       => '',
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to be_valid
+    expect(request.authorization_token).to be_blank
+  end
+
+  it 'ignores incorrectly passed in tokens since we do not know what to do' do
+    raw_request = {
+      'HTTP_AUTHORIZATION' => valid_jwe_token.to_s,
+      'QUERY_STRING'       => '',
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to be_valid
+    expect(request.authorization_token).to be_blank
+  end
+
+  it 'finds the authorization token from the params if the authorization token from ' \
+     'the header is invalid and the authorization token from the params is valid' do
+
+    raw_request = {
+      'HTTP_AUTHORIZATION' => "Token #{invalid_jwe_token}",
+      'QUERY_STRING'       => "token_jwt=#{valid_jwe_token}",
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql(
+      [
+        { 'bar' => 'baz' },
+        { 'typ' => 'JWT', 'alg' => 'RS256' },
+      ],
+    )
+  end
+
+  it 'finds the authorization token from the params if the authorization token from ' \
+     'the header is not present and the authorization token from the params is valid' do
+
+    raw_request = {
+      'QUERY_STRING' => "token_jwt=#{valid_jwe_token}",
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql(
+      [
+        { 'bar' => 'baz' },
+        { 'typ' => 'JWT', 'alg' => 'RS256' },
+      ],
+    )
+  end
+
+  it 'is a null authorization token if neither authorization token is present' do
+    raw_request = {
+      'QUERY_STRING' => '',
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql([{}, {}])
+  end
+
+  it 'finds the JSON web token from the params' do
+    raw_request = {
+      'QUERY_STRING' => "token_jwt=#{valid_jwe_token}",
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql(
+      [
+        { 'bar' => 'baz' },
+        { 'typ' => 'JWT', 'alg' => 'RS256' },
+      ],
+    )
+  end
+
+  it 'finds the generic Base64 web token from the params' do
+    raw_request = {
+      'QUERY_STRING' => "token_b64=#{valid_b64_token}",
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.authorization_token).to      be_valid
+    expect(request.authorization_token.to_h).to eql(
+      [
+        { 'token' => valid_b64_token },
+        { 'typ'   => 'base64' },
+      ],
+    )
+  end
+
+  it 'finds invalid tokens from the params' do
+    raw_request = {
+      'QUERY_STRING' => 'token_b64=bla.h',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.authorization_token_from_params).not_to be_valid
+    expect(request.authorization_token_from_params).not_to be_blank
+
+    raw_request = {
+      'QUERY_STRING' => "token_jwt=#{invalid_jwe_token}",
+    }
+    request = Rack.new(token_private_key: test_private_key,
+                       request:           raw_request)
+
+    expect(request.authorization_token_from_params).not_to be_valid
+    expect(request.authorization_token_from_params).not_to be_blank
+  end
+
+  it 'finds the null token from the params if nothing is passed in' do
+    raw_request = {
+      'QUERY_STRING' => 'token_b64=',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.authorization_token_from_params).to be_valid
+    expect(request.authorization_token_from_params).to be_blank
+
+    raw_request = {
+      'QUERY_STRING' => 'token_jwt=',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.authorization_token_from_params).to be_valid
+    expect(request.authorization_token_from_params).to be_blank
+
+    raw_request = {
+      'QUERY_STRING' => '',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.authorization_token_from_params).to be_valid
+    expect(request.authorization_token_from_params).to be_blank
+  end
+
+  it 'defaults to the application name in the configuration if none is found in ' \
+     'the header' do
+
+    Drillbit.configuration.application_name = 'redkeep'
+
+    raw_request = {
+      'HTTP_ACCEPT'  => '',
+      'QUERY_STRING' => 'accept=application/vnd.redkeep+zion;version=10.0',
+    }
+    request = Rack.new(request: raw_request)
+
+    expect(request.accept_header.to_s).to eql 'application/vnd.redkeep+zion;version=10.0'
+  end
+end
+end
+end