RubyGems - grape-security - Versions diffs - 0.8.0 - Mend

grape-security 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (115) hide show

checksums.yaml +7 -0
data/.gitignore +45 -0
data/.rspec +2 -0
data/.rubocop.yml +70 -0
data/.travis.yml +18 -0
data/.yardopts +2 -0
data/CHANGELOG.md +314 -0
data/CONTRIBUTING.md +118 -0
data/Gemfile +21 -0
data/Guardfile +14 -0
data/LICENSE +20 -0
data/README.md +1777 -0
data/RELEASING.md +105 -0
data/Rakefile +69 -0
data/UPGRADING.md +124 -0
data/grape-security.gemspec +39 -0
data/grape.png +0 -0
data/lib/grape.rb +99 -0
data/lib/grape/api.rb +646 -0
data/lib/grape/cookies.rb +39 -0
data/lib/grape/endpoint.rb +533 -0
data/lib/grape/error_formatter/base.rb +31 -0
data/lib/grape/error_formatter/json.rb +15 -0
data/lib/grape/error_formatter/txt.rb +16 -0
data/lib/grape/error_formatter/xml.rb +15 -0
data/lib/grape/exceptions/base.rb +66 -0
data/lib/grape/exceptions/incompatible_option_values.rb +10 -0
data/lib/grape/exceptions/invalid_formatter.rb +10 -0
data/lib/grape/exceptions/invalid_versioner_option.rb +10 -0
data/lib/grape/exceptions/invalid_with_option_for_represent.rb +10 -0
data/lib/grape/exceptions/missing_mime_type.rb +10 -0
data/lib/grape/exceptions/missing_option.rb +10 -0
data/lib/grape/exceptions/missing_vendor_option.rb +10 -0
data/lib/grape/exceptions/unknown_options.rb +10 -0
data/lib/grape/exceptions/unknown_validator.rb +10 -0
data/lib/grape/exceptions/validation.rb +26 -0
data/lib/grape/exceptions/validation_errors.rb +43 -0
data/lib/grape/formatter/base.rb +31 -0
data/lib/grape/formatter/json.rb +12 -0
data/lib/grape/formatter/serializable_hash.rb +35 -0
data/lib/grape/formatter/txt.rb +11 -0
data/lib/grape/formatter/xml.rb +12 -0
data/lib/grape/http/request.rb +26 -0
data/lib/grape/locale/en.yml +32 -0
data/lib/grape/middleware/auth/base.rb +30 -0
data/lib/grape/middleware/auth/basic.rb +13 -0
data/lib/grape/middleware/auth/digest.rb +13 -0
data/lib/grape/middleware/auth/oauth2.rb +83 -0
data/lib/grape/middleware/base.rb +62 -0
data/lib/grape/middleware/error.rb +89 -0
data/lib/grape/middleware/filter.rb +17 -0
data/lib/grape/middleware/formatter.rb +150 -0
data/lib/grape/middleware/globals.rb +13 -0
data/lib/grape/middleware/versioner.rb +32 -0
data/lib/grape/middleware/versioner/accept_version_header.rb +67 -0
data/lib/grape/middleware/versioner/header.rb +132 -0
data/lib/grape/middleware/versioner/param.rb +42 -0
data/lib/grape/middleware/versioner/path.rb +52 -0
data/lib/grape/namespace.rb +23 -0
data/lib/grape/parser/base.rb +29 -0
data/lib/grape/parser/json.rb +11 -0
data/lib/grape/parser/xml.rb +11 -0
data/lib/grape/path.rb +70 -0
data/lib/grape/route.rb +27 -0
data/lib/grape/util/content_types.rb +18 -0
data/lib/grape/util/deep_merge.rb +23 -0
data/lib/grape/util/hash_stack.rb +120 -0
data/lib/grape/validations.rb +322 -0
data/lib/grape/validations/coerce.rb +63 -0
data/lib/grape/validations/default.rb +25 -0
data/lib/grape/validations/exactly_one_of.rb +26 -0
data/lib/grape/validations/mutual_exclusion.rb +25 -0
data/lib/grape/validations/presence.rb +16 -0
data/lib/grape/validations/regexp.rb +12 -0
data/lib/grape/validations/values.rb +23 -0
data/lib/grape/version.rb +3 -0
data/spec/grape/api_spec.rb +2571 -0
data/spec/grape/endpoint_spec.rb +784 -0
data/spec/grape/entity_spec.rb +324 -0
data/spec/grape/exceptions/invalid_formatter_spec.rb +18 -0
data/spec/grape/exceptions/invalid_versioner_option_spec.rb +18 -0
data/spec/grape/exceptions/missing_mime_type_spec.rb +18 -0
data/spec/grape/exceptions/missing_option_spec.rb +18 -0
data/spec/grape/exceptions/unknown_options_spec.rb +18 -0
data/spec/grape/exceptions/unknown_validator_spec.rb +18 -0
data/spec/grape/exceptions/validation_errors_spec.rb +19 -0
data/spec/grape/middleware/auth/basic_spec.rb +31 -0
data/spec/grape/middleware/auth/digest_spec.rb +47 -0
data/spec/grape/middleware/auth/oauth2_spec.rb +135 -0
data/spec/grape/middleware/base_spec.rb +58 -0
data/spec/grape/middleware/error_spec.rb +45 -0
data/spec/grape/middleware/exception_spec.rb +184 -0
data/spec/grape/middleware/formatter_spec.rb +258 -0
data/spec/grape/middleware/versioner/accept_version_header_spec.rb +121 -0
data/spec/grape/middleware/versioner/header_spec.rb +302 -0
data/spec/grape/middleware/versioner/param_spec.rb +58 -0
data/spec/grape/middleware/versioner/path_spec.rb +44 -0
data/spec/grape/middleware/versioner_spec.rb +22 -0
data/spec/grape/path_spec.rb +229 -0
data/spec/grape/util/hash_stack_spec.rb +132 -0
data/spec/grape/validations/coerce_spec.rb +208 -0
data/spec/grape/validations/default_spec.rb +123 -0
data/spec/grape/validations/exactly_one_of_spec.rb +71 -0
data/spec/grape/validations/mutual_exclusion_spec.rb +61 -0
data/spec/grape/validations/presence_spec.rb +142 -0
data/spec/grape/validations/regexp_spec.rb +40 -0
data/spec/grape/validations/values_spec.rb +152 -0
data/spec/grape/validations/zh-CN.yml +10 -0
data/spec/grape/validations_spec.rb +994 -0
data/spec/shared/versioning_examples.rb +121 -0
data/spec/spec_helper.rb +26 -0
data/spec/support/basic_auth_encode_helpers.rb +3 -0
data/spec/support/content_type_helpers.rb +11 -0
data/spec/support/versioned_helpers.rb +50 -0
metadata +421 -0

data/spec/grape/middleware/auth/basic_spec.rb ADDED

@@ -0,0 +1,31 @@
+require 'spec_helper'
+require 'base64'
+describe Grape::Middleware::Auth::Basic do
+  def app
+    Rack::Builder.new do |b|
+      b.use Grape::Middleware::Error
+      b.use(Grape::Middleware::Auth::Basic) do |u, p|
+        u && p && u == p
+      end
+      b.run lambda { |env| [200, {}, ["Hello there."]] }
+    end
+  end
+  it 'throws a 401 if no auth is given' do
+    @proc = lambda { false }
+    get '/whatever'
+    expect(last_response.status).to eq(401)
+  end
+  it 'authenticates if given valid creds' do
+    get '/whatever', {}, 'HTTP_AUTHORIZATION' => encode_basic_auth('admin', 'admin')
+    expect(last_response.status).to eq(200)
+  end
+  it 'throws a 401 is wrong auth is given' do
+    get '/whatever', {}, 'HTTP_AUTHORIZATION' => encode_basic_auth('admin', 'wrong')
+    expect(last_response.status).to eq(401)
+  end
+end

data/spec/grape/middleware/auth/digest_spec.rb ADDED

@@ -0,0 +1,47 @@
+require 'spec_helper'
+RSpec::Matchers.define :be_challenge do
+  match do |actual_response|
+    actual_response.status == 401 &&
+    actual_response['WWW-Authenticate'] =~ /^Digest / &&
+    actual_response.body.empty?
+  end
+end
+class Test < Grape::API
+  http_digest(realm: 'Test Api', opaque: 'secret') do |username|
+    { 'foo' => 'bar' }[username]
+  end
+  get '/test' do
+    [{ hey: 'you' }, { there: 'bar' }, { foo: 'baz' }]
+  end
+end
+describe Grape::Middleware::Auth::Digest do
+  def app
+    Test
+  end
+  it 'is a digest authentication challenge' do
+    get '/test'
+    expect(last_response).to be_challenge
+  end
+  it 'throws a 401 if no auth is given' do
+    get '/test'
+    expect(last_response.status).to eq(401)
+  end
+  it 'authenticates if given valid creds' do
+    digest_authorize "foo", "bar"
+    get '/test'
+    expect(last_response.status).to eq(200)
+  end
+  it 'throws a 401 if given invalid creds' do
+    digest_authorize "bar", "foo"
+    get '/test'
+    expect(last_response.status).to eq(401)
+  end
+end

data/spec/grape/middleware/auth/oauth2_spec.rb ADDED

@@ -0,0 +1,135 @@
+require 'spec_helper'
+describe Grape::Middleware::Auth::OAuth2 do
+  class FakeToken
+    attr_accessor :token
+    def self.verify(token)
+      FakeToken.new(token) if !!token && %w(g e).include?(token[0..0])
+    end
+    def initialize(token)
+      @token = token
+    end
+    def expired?
+      @token[0..0] == 'e'
+    end
+    def permission_for?(env)
+      env['PATH_INFO'] == '/forbidden' ? false : true
+    end
+  end
+  def app
+    Rack::Builder.app do
+      use Grape::Middleware::Auth::OAuth2, token_class: 'FakeToken'
+      run lambda { |env| [200, {}, [(env['api.token'].token if env['api.token'])]] }
+    end
+  end
+  context 'with the token in the query string' do
+    context 'and a valid token' do
+      before { get '/awesome?access_token=g123' }
+      it 'sets env["api.token"]' do
+        expect(last_response.body).to eq('g123')
+      end
+    end
+    context 'and an invalid token' do
+      before do
+        @err = catch :error do
+          get '/awesome?access_token=b123'
+        end
+      end
+      it 'throws an error' do
+        expect(@err[:status]).to eq(401)
+      end
+      it 'sets the WWW-Authenticate header in the response' do
+        expect(@err[:headers]['WWW-Authenticate']).to eq("OAuth realm='OAuth API', error='invalid_grant'")
+      end
+    end
+  end
+  context 'with an expired token' do
+    before do
+      @err = catch :error do
+        get '/awesome?access_token=e123'
+      end
+    end
+    it 'throws an error' do
+      expect(@err[:status]).to eq(401)
+    end
+    it 'sets the WWW-Authenticate header in the response to error' do
+      expect(@err[:headers]['WWW-Authenticate']).to eq("OAuth realm='OAuth API', error='invalid_grant'")
+    end
+  end
+  %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION).each do |head|
+    context "with the token in the #{head} header" do
+      before do
+        get '/awesome', {}, head => 'OAuth g123'
+      end
+      it 'sets env["api.token"]' do
+        expect(last_response.body).to eq('g123')
+      end
+    end
+  end
+  context 'with the token in the POST body' do
+    before do
+      post '/awesome', 'access_token' => 'g123'
+    end
+    it 'sets env["api.token"]' do
+      expect(last_response.body).to eq('g123')
+    end
+  end
+  context 'when accessing something outside its scope' do
+    before do
+      @err = catch :error do
+        get '/forbidden?access_token=g123'
+      end
+    end
+    it 'throws an error' do
+      expect(@err[:status]).to eq(403)
+    end
+    it 'sets the WWW-Authenticate header in the response to error' do
+      expect(@err[:headers]['WWW-Authenticate']).to eq("OAuth realm='OAuth API', error='insufficient_scope'")
+    end
+  end
+  context 'when authorization is not required' do
+    def app
+      Rack::Builder.app do
+        use Grape::Middleware::Auth::OAuth2, token_class: 'FakeToken', required: false
+        run lambda { |env| [200, {}, [(env['api.token'].token if env['api.token'])]] }
+      end
+    end
+    context 'with no token' do
+      before { post '/awesome' }
+      it 'succeeds anyway' do
+        expect(last_response.status).to eq(200)
+      end
+    end
+    context 'with a valid token' do
+      before { get '/awesome?access_token=g123' }
+      it 'sets env["api.token"]' do
+        expect(last_response.body).to eq('g123')
+      end
+    end
+  end
+end

data/spec/grape/middleware/base_spec.rb ADDED

@@ -0,0 +1,58 @@
+require 'spec_helper'
+describe Grape::Middleware::Base do
+  subject { Grape::Middleware::Base.new(blank_app) }
+  let(:blank_app) { lambda { |_| [200, {}, 'Hi there.'] } }
+  before do
+    # Keep it one object for testing.
+    allow(subject).to receive(:dup).and_return(subject)
+  end
+  it 'has the app as an accessor' do
+    expect(subject.app).to eq(blank_app)
+  end
+  it 'calls through to the app' do
+    expect(subject.call({})).to eq([200, {}, 'Hi there.'])
+  end
+  context 'callbacks' do
+    it 'calls #before' do
+      expect(subject).to receive(:before)
+    end
+    it 'calls #after' do
+      expect(subject).to receive(:after)
+    end
+    after { subject.call!({}) }
+  end
+  it 'is able to access the response' do
+    subject.call({})
+    expect(subject.response).to be_kind_of(Rack::Response)
+  end
+  context 'options' do
+    it 'persists options passed at initialization' do
+      expect(Grape::Middleware::Base.new(blank_app, abc: true).options[:abc]).to be true
+    end
+    context 'defaults' do
+      class ExampleWare < Grape::Middleware::Base
+        def default_options
+          { monkey: true }
+        end
+      end
+      it 'persists the default options' do
+        expect(ExampleWare.new(blank_app).options[:monkey]).to be true
+      end
+      it 'overrides default options when provided' do
+        expect(ExampleWare.new(blank_app, monkey: false).options[:monkey]).to be false
+      end
+    end
+  end
+end

data/spec/grape/middleware/error_spec.rb ADDED

@@ -0,0 +1,45 @@
+require 'spec_helper'
+describe Grape::Middleware::Error do
+  class ErrApp
+    class << self
+      attr_accessor :error
+      attr_accessor :format
+      def call(env)
+        throw :error, error
+      end
+    end
+  end
+  def app
+    Rack::Builder.app do
+      use Grape::Middleware::Error, default_message: 'Aww, hamburgers.'
+      run ErrApp
+    end
+  end
+  it 'sets the status code appropriately' do
+    ErrApp.error = { status: 410 }
+    get '/'
+    expect(last_response.status).to eq(410)
+  end
+  it 'sets the error message appropriately' do
+    ErrApp.error = { message: 'Awesome stuff.' }
+    get '/'
+    expect(last_response.body).to eq('Awesome stuff.')
+  end
+  it 'defaults to a 500 status' do
+    ErrApp.error = {}
+    get '/'
+    expect(last_response.status).to eq(500)
+  end
+  it 'has a default message' do
+    ErrApp.error = {}
+    get '/'
+    expect(last_response.body).to eq('Aww, hamburgers.')
+  end
+end

data/spec/grape/middleware/exception_spec.rb ADDED

@@ -0,0 +1,184 @@
+require 'spec_helper'
+require 'active_support/core_ext/hash'
+describe Grape::Middleware::Error do
+  # raises a text exception
+  class ExceptionApp
+    class << self
+      def call(env)
+        raise "rain!"
+      end
+    end
+  end
+  # raises a hash error
+  class ErrorHashApp
+    class << self
+      def error!(message, status)
+        throw :error, message: { error: message, detail: "missing widget" }, status: status
+      end
+      def call(env)
+        error!("rain!", 401)
+      end
+    end
+  end
+  # raises an error!
+  class AccessDeniedApp
+    class << self
+      def error!(message, status)
+        throw :error, message: message, status: status
+      end
+      def call(env)
+        error!("Access Denied", 401)
+      end
+    end
+  end
+  # raises a custom error
+  class CustomError < Grape::Exceptions::Base
+  end
+  class CustomErrorApp
+    class << self
+      def call(env)
+        raise CustomError, status: 400, message: 'failed validation'
+      end
+    end
+  end
+  attr_reader :app
+  it 'does not trap errors by default' do
+    @app ||= Rack::Builder.app do
+      use Grape::Middleware::Error
+      run ExceptionApp
+    end
+    expect { get '/' }.to raise_error
+  end
+  context 'with rescue_all set to true' do
+    it 'sets the message appropriately' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq("rain!")
+    end
+    it 'defaults to a 500 status' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.status).to eq(500)
+    end
+    it 'is possible to specify a different default status code' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, default_status: 500
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.status).to eq(500)
+    end
+    it 'is possible to return errors in json format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :json
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq('{"error":"rain!"}')
+    end
+    it 'is possible to return hash errors in json format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :json
+        run ErrorHashApp
+      end
+      get '/'
+      expect(['{"error":"rain!","detail":"missing widget"}',
+              '{"detail":"missing widget","error":"rain!"}']).to include(last_response.body)
+    end
+    it 'is possible to return errors in jsonapi format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :jsonapi
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq('{"error":"rain!"}')
+    end
+    it 'is possible to return hash errors in jsonapi format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :jsonapi
+        run ErrorHashApp
+      end
+      get '/'
+      expect(['{"error":"rain!","detail":"missing widget"}',
+              '{"detail":"missing widget","error":"rain!"}']).to include(last_response.body)
+    end
+    it 'is possible to return errors in xml format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :xml
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error>\n  <message>rain!</message>\n</error>\n")
+    end
+    it 'is possible to return hash errors in xml format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :xml
+        run ErrorHashApp
+      end
+      get '/'
+      expect(["<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error>\n  <detail>missing widget</detail>\n  <error>rain!</error>\n</error>\n",
+              "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error>\n  <error>rain!</error>\n  <detail>missing widget</detail>\n</error>\n"]).to include(last_response.body)
+    end
+    it 'is possible to specify a custom formatter' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true,
+                                      format: :custom,
+                                      error_formatters: {
+                                        custom: lambda { |message, backtrace, options, env|
+                                          { custom_formatter: message }.inspect
+                                        }
+                                      }
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq('{:custom_formatter=>"rain!"}')
+    end
+    it 'does not trap regular error! codes' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error
+        run AccessDeniedApp
+      end
+      get '/'
+      expect(last_response.status).to eq(401)
+    end
+    it 'responds to custom Grape exceptions appropriately' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: false
+        run CustomErrorApp
+      end
+      get '/'
+      expect(last_response.status).to eq(400)
+      expect(last_response.body).to eq('failed validation')
+    end
+  end
+end