ey_gatekeeper 0.1.34

data/spec/access_control_list_spec.rb

@@ -0,0 +1,192 @@
+require 'spec_helper'
+
+describe EY::GateKeeper::AccessControlList do
+  context "with a control for a collection" do
+    it "allows access to the collection" do
+      acl('xdna://foobar' => 'GET').allow?('GET', '/foobar').should be_true
+    end
+
+    it "denies access to the collection for a method that's not listed" do
+      acl('xdna://foobar' => 'GET').allow?('POST', '/foobar').should be_false
+    end
+
+    it "denies access to a collection with a longer name" do
+      acl('xdna://foobarbaz' => 'GET').allow?('GET', '/foobar').should be_false
+    end
+  end
+
+  context "with conflicting controls" do
+    it "allows access based on the more specific control" do
+      acl('xdna://foobar' => [], 'xdna://foobar/baz' => 'GET').allow?('GET', '/foobar/baz').should be_true
+    end
+
+    it "denies access based on the less specific control" do
+      acl = acl('xdna://foobar' => [], 'xdna://foobar/baz' => 'GET')
+      acl.allow?('GET', '/foobar').should be_false
+      acl.allow?('GET', '/foobar/foo').should be_false
+    end
+  end
+
+  context "with a control requiring the search parameter" do
+    it "allows access to the collection when the search parameter is specified" do
+      acl('xdna://foobar?search' => 'GET').allow?('GET', '/foobar?search=foo').should be_true
+    end
+
+    it "allows access to the collection when the search parameter is specified with other parameters" do
+      acl('xdna://foobar?search' => 'GET').allow?('GET', '/foobar?search=foo&limit=10').should be_true
+    end
+
+    it "denies access to the collection when the search parameter is not specified" do
+      acl('xdna://foobar?search' => 'GET').allow?('GET', '/foobar').should be_false
+    end
+
+    it "denies access to the collection when a parameter other than search is specified" do
+      acl('xdna://foobar?search' => 'GET').allow?('GET', '/foobar?limit=10').should be_false
+    end
+  end
+
+  context "with a control requiring the search and derp parameters" do
+    it "allows access to the collection when the both parameters are specified" do
+      acl('xdna://foobar?search&derp' => 'GET').allow?('GET', '/foobar?search=foo&derp=bar').should be_true
+    end
+
+    it "allows access to the collection when both parameters are specified with other parameters" do
+      acl('xdna://foobar?search&derp' => 'GET').allow?('GET', '/foobar?search=foo&derp=bar&limit=10').should be_true
+    end
+
+    it "denies access to the collection when both parameters are not specified" do
+      acl('xdna://foobar?search&derp' => 'GET').allow?('GET', '/foobar').should be_false
+    end
+
+    it "denies access to the collection when a parameter other than the required two are specified" do
+      acl('xdna://foobar?search&derp' => 'GET').allow?('GET', '/foobar?limit=10').should be_false
+    end
+  end
+
+  context "with a global control" do
+    it "allows access" do
+      acl('xdna://' => 'GET').allow?('GET', '/whatever').should be_true
+    end
+  end
+
+  context "with underscores" do
+    it "doesn't barf" do
+      expect {
+        acl('xdna://cloudkit_token_auth_tokens?foo' => 'GET').allow?('GET', '/cloudkit_token_auth_tokens?foo=bar')
+      }.to_not raise_error
+    end
+  end
+
+  context "with spaces" do
+    it "doesn't barf" do
+      expect {
+        acl('xdna://pools' => 'GET').allow?('GET', '/pools/Foo Bar')
+      }.to_not raise_error
+    end
+  end
+
+  describe "intersection" do
+    context "with 2 basic acls sets that match" do
+      subject { acl('xdna://foo' => 'GET') & acl('xdna://foo' => 'GET') }
+
+      it "should produce an acl with the same methods" do
+        subject.to_hash.should == { 'xdna://foo' => ['GET'] }
+      end
+    end
+
+    context "with 2 basic acls sets where one has no methods" do
+      subject { acl('xdna://foo' => 'GET') & acl('xdna://foo' => []) }
+
+      it "should produce an acl with no permissions" do
+        subject.to_hash.should == { 'xdna://foo' => [] }
+      end
+    end
+
+    context "with 2 different acl sets with the same paths, but different methods" do
+      subject do
+        acl('xdna://foo' => 'GET') & acl('xdna://foo' => ['GET','PUT'])
+      end
+
+      it "should produce an acl set with the least permissive methods" do
+        subject.to_hash.should == { 'xdna://foo' => ['GET'] }
+      end
+    end
+
+    context "with 2 different acl sets with different path" do
+      subject do
+        acl('xdna://foo' => 'GET') & acl('xdna://bar' => ['GET','PUT'])
+      end
+
+      it "should produce an empty list" do
+        subject.to_hash.should == {}
+      end
+    end
+
+    context "with multiple acess controls in each list" do
+      subject do
+        acl('xdna://foo' => 'GET', 'xdna://bar' => 'GET') &
+          acl('xdna://bar' => ['GET','PUT'])
+      end
+
+      it "should produce an acl set with the least permissive methods" do
+        subject.to_hash.should == {
+          'xdna://bar' => ['GET']
+        }
+      end
+    end
+
+    context "with paths that are subpaths of others" do
+      context "in an easy case" do
+        subject do
+          acl('xdna://' => ['GET', 'PUT']) &
+            acl('xdna://foos' => 'GET')
+        end
+
+        it "should produce an acl set that allows GET on /foos" do
+          subject.to_hash.should == {
+            'xdna://foos' => ['GET']
+          }
+        end
+      end
+
+      context "with a more interesting case" do
+        subject do
+          acl('xdna://' => ['GET', 'PUT']) &
+            acl('xdna://foos' => 'GET', 'xdna://foos/bar' => 'PUT')
+        end
+
+        it "should produce an acl set that allows things" do
+          subject.to_hash.should == {
+            'xdna://foos' => ['GET'],
+            'xdna://foos/bar' => ['PUT']
+          }
+        end
+      end
+
+      context "with a path that starts with part of a another path" do
+        subject do
+          acl('xdna://foos' => ['GET']) &
+            acl('xdna://foosbars' => ['GET'])
+        end
+
+        it "should produce the right acl set" do
+          subject.to_hash.should == {}
+        end
+      end
+    end
+  end
+
+  describe "#to_hash" do
+    it "converts to a hash" do
+      acl('xdna://foo' => ['GET', 'PUT'], 'xdna://bar' => [], 'xdna://baz?foo' => ['POST']).to_hash.should == {
+        'xdna://foo' => ['GET', 'PUT'],
+        'xdna://bar' => [],
+        'xdna://baz?foo' => ['POST']
+      }
+    end
+  end
+
+  def acl(data)
+    described_class.new(data)
+  end
+end

data/spec/auth_service_spec.rb

@@ -0,0 +1,332 @@
+require 'spec_helper'
+
+describe "authentication and authorization behavior" do
+  context "with roles" do
+    before { create_test_roles }
+
+    context "a key with the role Test1" do
+      before do
+        create_key_with_roles("Test1")
+      end
+
+      let(:key) { find_key(test_key, test_secret) }
+
+      specify { key['access_controls'].should == { "xdna://" => [] } }
+      specify { key['gatekeeper_roles'].should == ["/gatekeeper_roles/Test1"] }
+
+      let(:token) { find_token(get_token(test_key, test_secret)["token"]).parsed_content }
+
+      specify { token['access_controls'].should == test_role_1_access_controls.merge(key['access_controls']) }
+    end
+
+    context "a key with the roles [Test1, Test2]" do
+      before do
+        create_key_with_roles("Test1","Test2")
+      end
+
+      let(:key) { find_key(test_key, test_secret) }
+
+      specify { key['access_controls'].should == { "xdna://" => [] } }
+      specify { key['gatekeeper_roles'].should == ["/gatekeeper_roles/Test1", "/gatekeeper_roles/Test2"] }
+
+      let(:token) { find_token(get_token(test_key, test_secret)["token"]).parsed_content }
+
+      specify { token['access_controls'].should == test_role_1_access_controls.merge(test_role_2_access_controls.merge(key['access_controls'])) }
+    end
+
+    context "a key with the roles [Test2, Test1]" do
+      before do
+        create_key_with_roles("Test2","Test1")
+      end
+
+      let(:key) { find_key(test_key, test_secret) }
+
+      specify { key['access_controls'].should == { "xdna://" => [] } }
+      specify { key['gatekeeper_roles'].should == ["/gatekeeper_roles/Test2", "/gatekeeper_roles/Test1"] }
+
+      let(:token) { find_token(get_token(test_key, test_secret)["token"]).parsed_content }
+
+      specify { token['access_controls'].should == test_role_2_access_controls.merge(test_role_1_access_controls.merge(key['access_controls'])) }
+    end
+  end
+
+  it "allows a request to /cloudkit-meta with no token" do
+    get '/cloudkit-meta'
+
+    last_response.status.should == 200
+  end
+
+  it "allows a request to /cloudkit-meta with a token that has no access" do
+    token_data = get_token
+    restrict_token(token_data['token'])
+
+    get '/cloudkit-meta', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token']
+    }
+
+    last_response.status.should == 200
+  end
+
+  it "returns 401 with a header set when invalid authentication info is given" do
+    get '/_authenticate', {}, {
+      'HTTP_AUTHORIZATION' => 'foobar'
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid authentication info'
+  end
+
+  it "returns 401 with a header set when no authentication info is given" do
+    get '/_authenticate'
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'no authentication info'
+  end
+
+  it "returns 200 with token data when valid authentication info is given" do
+    token_data = get_token
+    token_data.should include('expires')
+    token_data.should include('token')
+  end
+
+  it "returns 401 with a header set when no token is specifed" do
+    get '/foobars'
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'no token specified'
+  end
+
+  it "returns 401 with a header set when an invalid token is specified" do
+    get '/foobars', {}, {
+      'HTTP_AUTH_TOKEN' => 'foobar'
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid token specified'
+  end
+
+  it "passes the request through when a valid token is specified" do
+    token_data = get_token
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token']
+    }
+
+    last_response.status.should == 200
+  end
+
+  it "passes the request through when a valid impersonation token is specified" do
+    token_data = get_token
+    impersonation_token_data = get_token
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token'],
+      'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+    }
+
+    last_response.status.should == 200
+  end
+
+  it "returns 401 with a header set when an invalid impersonation token is specified" do
+    token_data = get_token
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token'],
+      'HTTP_X_IMPERSONATION_TOKEN' => 'foobar'
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid impersonation token specified'
+  end
+
+  it "returns 401 with a header set when an invalid token is specified with a valid impersonation token" do
+    impersonation_token_data = get_token
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => 'foobar',
+      'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid token specified'
+  end
+
+  it "returns 401 with a header set when an expired token is specified" do
+    token_data = get_token
+
+    expire_token(token_data['token'])
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token'],
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'expired token specified'
+  end
+
+  it "returns 401 with a header set when an expired impersonation token is specified" do
+    token_data = get_token
+    impersonation_token_data = get_token
+    expire_token(impersonation_token_data['token'])
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token'],
+      'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'expired impersonation token specified'
+  end
+
+  it "returns 401 with a header set when an expired token and a non-expired impersonation token are specified" do
+    token_data = get_token
+    impersonation_token_data = get_token
+    expire_token(token_data['token'])
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token'],
+      'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'expired token specified'
+  end
+
+  it "returns 401 with a header set when using a valid token without sufficient access" do
+    token_data = get_token
+    restrict_token(token_data['token'])
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token']
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'token has insufficient access'
+  end
+
+  it "returns 401 with a header set when using a valid impersonation token without sufficient access" do
+    token_data = get_token
+    impersonation_token_data = get_token
+    restrict_token(impersonation_token_data['token'])
+
+    get '/domains', {}, {
+      'HTTP_AUTH_TOKEN' => token_data['token'],
+      'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+    }
+
+    last_response.status.should == 401
+    last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'impersonation token has insufficient access'
+  end
+
+  describe "/_effective_access_controls" do
+    it "returns the effective access controls when given a valid token" do
+      token_data = get_token
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => token_data['token']
+      }
+
+      last_response.status.should == 200
+      last_response.content_type.should == 'application/json'
+      JSON.parse(last_response.body).should == {
+        "xdna://"=>["GET", "HEAD", "PUT", "POST", "DELETE", "OPTIONS"]
+      }
+    end
+
+    it "returns the effective access controls when given a valid token and a valid impersonation token" do
+      token_data = get_token
+      impersonation_token_data = get_token
+      restrict_token(impersonation_token_data['token'])
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => token_data['token'],
+        'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+      }
+
+      last_response.status.should == 200
+      last_response.content_type.should == 'application/json'
+      JSON.parse(last_response.body).should == {}
+    end
+
+    it "returns 401 with a header set when no token is specifed" do
+      get '/_effective_access_controls'
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'no token specified'
+    end
+
+    it "returns 401 with a header set when an invalid token is specified" do
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => 'foobar'
+      }
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid token specified'
+    end
+
+    it "returns 401 with a header set when an invalid impersonation token is specified" do
+      token_data = get_token
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => token_data['token'],
+        'HTTP_X_IMPERSONATION_TOKEN' => 'foobar'
+      }
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid impersonation token specified'
+    end
+
+    it "returns 401 with a header set when an invalid token is specified with a valid impersonation token" do
+      impersonation_token_data = get_token
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => 'foobar',
+        'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+      }
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'invalid token specified'
+    end
+
+    it "returns 401 with a header set when an expired token is specified" do
+      token_data = get_token
+
+      expire_token(token_data['token'])
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => token_data['token'],
+      }
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'expired token specified'
+    end
+
+    it "returns 401 with a header set when an expired impersonation token is specified" do
+      token_data = get_token
+      impersonation_token_data = get_token
+      expire_token(impersonation_token_data['token'])
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => token_data['token'],
+        'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+      }
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'expired impersonation token specified'
+    end
+
+    it "returns 401 with a header set when an expired token and a non-expired impersonation token are specified" do
+      token_data = get_token
+      impersonation_token_data = get_token
+      expire_token(token_data['token'])
+
+      get '/_effective_access_controls', {}, {
+        'HTTP_AUTH_TOKEN' => token_data['token'],
+        'HTTP_X_IMPERSONATION_TOKEN' => impersonation_token_data['token']
+      }
+
+      last_response.status.should == 401
+      last_response.headers['X-Gatekeeper-Authentication-Error'].should == 'expired token specified'
+    end
+  end
+end

data/spec/consumer_spec.rb

@@ -0,0 +1,80 @@
+require File.join(File.dirname(__FILE__), 'spec_helper')
+
+describe EY::GateKeeper::Client::Consumer do
+  subject { EY::GateKeeper.new }
+
+  it "properly authenticates with the master user" do
+    subject.get('/domains').status.should == 200
+  end
+
+  it "properly clears the mock store" do
+    subject.post('/test_class', {}, { 'foo' => 'bar' }.to_json)
+    JSON.parse(subject.get('/test_class').body)['total'].should == 1
+
+    EY::GateKeeper.reset!
+
+    subject.get('/test_class').status.should == 401
+  end
+
+  it "automatically fetches a new token when the client sees it has expired" do
+    subject.get('/domains').status.should == 200
+    first_token = subject.token.token
+
+    subject.token.token_data['expires'] = 0
+
+    subject.get('/domains').status.should == 200
+    subject.token.token.should_not == first_token
+  end
+
+  it "automatically fetches a new token when the server says it has expired" do
+    subject.get('/domains').status.should == 200
+    first_token = subject.token.token
+
+    expire_token(first_token)
+
+    subject.get('/domains').status.should == 200
+    subject.token.token.should_not == first_token
+  end
+
+  it "doesn't automatically fetch a new token when the server says it has insufficient access" do
+    subject.get('/domains').status.should == 200
+    token = subject.token.token
+
+    restrict_token(token)
+
+    subject.get('/domains').status.should == 401
+    subject.token.token.should == token
+  end
+
+  it "doesn't automatically fetch a new token when the server says the impersonation token has insufficient access" do
+    impersonation_token_data = get_token
+    subject.impersonate! impersonation_token_data['token']
+
+    subject.get('/domains').status.should == 200
+    token = subject.token.token
+
+    restrict_token(impersonation_token_data['token'])
+
+    subject.get('/domains').status.should == 401
+    subject.token.token.should == token
+  end
+
+  describe "#effective_access_controls" do
+    it "returns the effective access controls of the session" do
+      subject.effective_access_controls.should == {
+        "xdna://"=>["GET", "HEAD", "PUT", "POST", "DELETE", "OPTIONS"]
+      }
+    end
+
+    it "returns an empty hash if something goes wrong" do
+      subject.get('/domains').status.should == 200
+      subject.token.token_data['token'] = 'foobar'
+
+      subject.effective_access_controls.should == {}
+    end
+  end
+
+  def auth_store
+    @store ||= EY::GateKeeper::AuthStore.new
+  end
+end

data/spec/fallback_spec.rb

@@ -0,0 +1,76 @@
+require File.join(File.dirname(__FILE__), 'spec_helper')
+
+describe EY::GateKeeper::Client::Consumer do
+
+  context "with invalid credentials" do
+    subject { EY::GateKeeper.new('foo', 'bar') }
+    it "responds with a 401" do
+      subject.get('/domains').status.should == 401
+    end
+  end
+
+  context "with the master credentials" do
+    subject { EY::GateKeeper.new }
+    it "responds with a 200" do
+      subject.get('/domains').status.should == 200
+    end
+  end
+
+  context "with valid credentials" do
+    subject { EY::GateKeeper.new('foo','bar') }
+    before do
+      key_data = {
+        'key' => 'foo',
+        'secret' => 'bar',
+        'access_controls' => {
+          'xdna://domains' => ['GET'],
+          'xdna://domains/1' => ['GET', 'PUT'],
+          'xdna://domains/2' => ['PUT'],
+          'xdna://pools?search' => ['GET'],
+          'xdna://pools/1' => ['PUT', 'GET'],
+          'xdna://pools/2' => ['PUT']
+        },
+        'cloudkit_user' => 'xcloud',
+        'user' => 'id://foo'
+      }.to_json
+      store = EY::GateKeeper::AuthStore.new
+      store.post('/gatekeeper_credentials', :json => key_data)
+    end
+
+    context "with permissions to get a collection" do
+      it "responds with a 200" do
+        subject.get('/domains').status.should == 200
+      end
+
+      it "filters results" do
+        subject.put('/domains/1', {}, { 'foo' => 'bar' }.to_json)
+        subject.put('/domains/2', {}, { 'foo' => 'bar' }.to_json)
+
+        JSON.parse(subject.get('/domains').body)['uris'].should == ['/domains/1']
+      end
+    end
+
+    context "with permissions to only search a collection" do
+      before do
+        subject.put('/pools/1', {}, { 'foo' => 'bar' }.to_json)
+        subject.put('/pools/2', {}, { 'foo' => 'bar' }.to_json)
+      end
+
+      it "responds with a 401 when getting the collection itself" do
+        subject.get('/pools').status.should == 401
+      end
+
+      it "filters results" do
+        query = URI.escape({ 'foo' => 'bar' }.to_json)
+        JSON.parse(subject.get("/pools?search=#{query}").body)['uris'].should == ['/pools/1']
+      end
+    end
+
+    context "without permissions to get a collection" do
+      it "responds with a 401" do
+        subject.get('/instances').status.should == 401
+      end
+    end
+  end
+
+end