RubyGems - grape-security - Versions diffs - 0.8.0 - Mend

grape-security 0.8.0

Files changed (115) hide show

checksums.yaml +7 -0
data/.gitignore +45 -0
data/.rspec +2 -0
data/.rubocop.yml +70 -0
data/.travis.yml +18 -0
data/.yardopts +2 -0
data/CHANGELOG.md +314 -0
data/CONTRIBUTING.md +118 -0
data/Gemfile +21 -0
data/Guardfile +14 -0
data/LICENSE +20 -0
data/README.md +1777 -0
data/RELEASING.md +105 -0
data/Rakefile +69 -0
data/UPGRADING.md +124 -0
data/grape-security.gemspec +39 -0
data/grape.png +0 -0
data/lib/grape.rb +99 -0
data/lib/grape/api.rb +646 -0
data/lib/grape/cookies.rb +39 -0
data/lib/grape/endpoint.rb +533 -0
data/lib/grape/error_formatter/base.rb +31 -0
data/lib/grape/error_formatter/json.rb +15 -0
data/lib/grape/error_formatter/txt.rb +16 -0
data/lib/grape/error_formatter/xml.rb +15 -0
data/lib/grape/exceptions/base.rb +66 -0
data/lib/grape/exceptions/incompatible_option_values.rb +10 -0
data/lib/grape/exceptions/invalid_formatter.rb +10 -0
data/lib/grape/exceptions/invalid_versioner_option.rb +10 -0
data/lib/grape/exceptions/invalid_with_option_for_represent.rb +10 -0
data/lib/grape/exceptions/missing_mime_type.rb +10 -0
data/lib/grape/exceptions/missing_option.rb +10 -0
data/lib/grape/exceptions/missing_vendor_option.rb +10 -0
data/lib/grape/exceptions/unknown_options.rb +10 -0
data/lib/grape/exceptions/unknown_validator.rb +10 -0
data/lib/grape/exceptions/validation.rb +26 -0
data/lib/grape/exceptions/validation_errors.rb +43 -0
data/lib/grape/formatter/base.rb +31 -0
data/lib/grape/formatter/json.rb +12 -0
data/lib/grape/formatter/serializable_hash.rb +35 -0
data/lib/grape/formatter/txt.rb +11 -0
data/lib/grape/formatter/xml.rb +12 -0
data/lib/grape/http/request.rb +26 -0
data/lib/grape/locale/en.yml +32 -0
data/lib/grape/middleware/auth/base.rb +30 -0
data/lib/grape/middleware/auth/basic.rb +13 -0
data/lib/grape/middleware/auth/digest.rb +13 -0
data/lib/grape/middleware/auth/oauth2.rb +83 -0
data/lib/grape/middleware/base.rb +62 -0
data/lib/grape/middleware/error.rb +89 -0
data/lib/grape/middleware/filter.rb +17 -0
data/lib/grape/middleware/formatter.rb +150 -0
data/lib/grape/middleware/globals.rb +13 -0
data/lib/grape/middleware/versioner.rb +32 -0
data/lib/grape/middleware/versioner/accept_version_header.rb +67 -0
data/lib/grape/middleware/versioner/header.rb +132 -0
data/lib/grape/middleware/versioner/param.rb +42 -0
data/lib/grape/middleware/versioner/path.rb +52 -0
data/lib/grape/namespace.rb +23 -0
data/lib/grape/parser/base.rb +29 -0
data/lib/grape/parser/json.rb +11 -0
data/lib/grape/parser/xml.rb +11 -0
data/lib/grape/path.rb +70 -0
data/lib/grape/route.rb +27 -0
data/lib/grape/util/content_types.rb +18 -0
data/lib/grape/util/deep_merge.rb +23 -0
data/lib/grape/util/hash_stack.rb +120 -0
data/lib/grape/validations.rb +322 -0
data/lib/grape/validations/coerce.rb +63 -0
data/lib/grape/validations/default.rb +25 -0
data/lib/grape/validations/exactly_one_of.rb +26 -0
data/lib/grape/validations/mutual_exclusion.rb +25 -0
data/lib/grape/validations/presence.rb +16 -0
data/lib/grape/validations/regexp.rb +12 -0
data/lib/grape/validations/values.rb +23 -0
data/lib/grape/version.rb +3 -0
data/spec/grape/api_spec.rb +2571 -0
data/spec/grape/endpoint_spec.rb +784 -0
data/spec/grape/entity_spec.rb +324 -0
data/spec/grape/exceptions/invalid_formatter_spec.rb +18 -0
data/spec/grape/exceptions/invalid_versioner_option_spec.rb +18 -0
data/spec/grape/exceptions/missing_mime_type_spec.rb +18 -0
data/spec/grape/exceptions/missing_option_spec.rb +18 -0
data/spec/grape/exceptions/unknown_options_spec.rb +18 -0
data/spec/grape/exceptions/unknown_validator_spec.rb +18 -0
data/spec/grape/exceptions/validation_errors_spec.rb +19 -0
data/spec/grape/middleware/auth/basic_spec.rb +31 -0
data/spec/grape/middleware/auth/digest_spec.rb +47 -0
data/spec/grape/middleware/auth/oauth2_spec.rb +135 -0
data/spec/grape/middleware/base_spec.rb +58 -0
data/spec/grape/middleware/error_spec.rb +45 -0
data/spec/grape/middleware/exception_spec.rb +184 -0
data/spec/grape/middleware/formatter_spec.rb +258 -0
data/spec/grape/middleware/versioner/accept_version_header_spec.rb +121 -0
data/spec/grape/middleware/versioner/header_spec.rb +302 -0
data/spec/grape/middleware/versioner/param_spec.rb +58 -0
data/spec/grape/middleware/versioner/path_spec.rb +44 -0
data/spec/grape/middleware/versioner_spec.rb +22 -0
data/spec/grape/path_spec.rb +229 -0
data/spec/grape/util/hash_stack_spec.rb +132 -0
data/spec/grape/validations/coerce_spec.rb +208 -0
data/spec/grape/validations/default_spec.rb +123 -0
data/spec/grape/validations/exactly_one_of_spec.rb +71 -0
data/spec/grape/validations/mutual_exclusion_spec.rb +61 -0
data/spec/grape/validations/presence_spec.rb +142 -0
data/spec/grape/validations/regexp_spec.rb +40 -0
data/spec/grape/validations/values_spec.rb +152 -0
data/spec/grape/validations/zh-CN.yml +10 -0
data/spec/grape/validations_spec.rb +994 -0
data/spec/shared/versioning_examples.rb +121 -0
data/spec/spec_helper.rb +26 -0
data/spec/support/basic_auth_encode_helpers.rb +3 -0
data/spec/support/content_type_helpers.rb +11 -0
data/spec/support/versioned_helpers.rb +50 -0
metadata +421 -0

data/spec/grape/middleware/auth/basic_spec.rb ADDED

@@ -0,0 +1,31 @@
+require 'spec_helper'
+require 'base64'
+describe Grape::Middleware::Auth::Basic do
+  def app
+    Rack::Builder.new do |b|
+      b.use Grape::Middleware::Error
+      b.use(Grape::Middleware::Auth::Basic) do |u, p|
+        u && p && u == p
+      end
+      b.run lambda { |env| [200, {}, ["Hello there."]] }
+    end
+  end
+  it 'throws a 401 if no auth is given' do
+    @proc = lambda { false }
+    get '/whatever'
+    expect(last_response.status).to eq(401)
+  end
+  it 'authenticates if given valid creds' do
+    get '/whatever', {}, 'HTTP_AUTHORIZATION' => encode_basic_auth('admin', 'admin')
+    expect(last_response.status).to eq(200)
+  end
+  it 'throws a 401 is wrong auth is given' do
+    get '/whatever', {}, 'HTTP_AUTHORIZATION' => encode_basic_auth('admin', 'wrong')
+    expect(last_response.status).to eq(401)
+  end
+end

data/spec/grape/middleware/auth/digest_spec.rb ADDED

@@ -0,0 +1,47 @@
+require 'spec_helper'
+RSpec::Matchers.define :be_challenge do
+  match do |actual_response|
+    actual_response.status == 401 &&
+    actual_response['WWW-Authenticate'] =~ /^Digest / &&
+    actual_response.body.empty?
+  end
+end
+class Test < Grape::API
+  http_digest(realm: 'Test Api', opaque: 'secret') do |username|
+    { 'foo' => 'bar' }[username]
+  end
+  get '/test' do
+    [{ hey: 'you' }, { there: 'bar' }, { foo: 'baz' }]
+  end
+end
+describe Grape::Middleware::Auth::Digest do
+  def app
+    Test
+  end
+  it 'is a digest authentication challenge' do
+    get '/test'
+    expect(last_response).to be_challenge
+  end
+  it 'throws a 401 if no auth is given' do
+    get '/test'
+    expect(last_response.status).to eq(401)
+  end
+  it 'authenticates if given valid creds' do
+    digest_authorize "foo", "bar"
+    get '/test'
+    expect(last_response.status).to eq(200)
+  end
+  it 'throws a 401 if given invalid creds' do
+    digest_authorize "bar", "foo"
+    get '/test'
+    expect(last_response.status).to eq(401)
+  end
+end

data/spec/grape/middleware/auth/oauth2_spec.rb ADDED

@@ -0,0 +1,135 @@
+require 'spec_helper'
+describe Grape::Middleware::Auth::OAuth2 do
+  class FakeToken
+    attr_accessor :token
+    def self.verify(token)
+      FakeToken.new(token) if !!token && %w(g e).include?(token[0..0])
+    end
+    def initialize(token)
+      @token = token
+    end
+    def expired?
+      @token[0..0] == 'e'
+    end
+    def permission_for?(env)
+      env['PATH_INFO'] == '/forbidden' ? false : true
+    end
+  end
+  def app
+    Rack::Builder.app do
+      use Grape::Middleware::Auth::OAuth2, token_class: 'FakeToken'
+      run lambda { |env| [200, {}, [(env['api.token'].token if env['api.token'])]] }
+    end
+  end
+  context 'with the token in the query string' do
+    context 'and a valid token' do
+      before { get '/awesome?access_token=g123' }
+      it 'sets env["api.token"]' do
+        expect(last_response.body).to eq('g123')
+      end
+    end
+    context 'and an invalid token' do
+      before do
+        @err = catch :error do
+          get '/awesome?access_token=b123'
+        end
+      end
+      it 'throws an error' do
+        expect(@err[:status]).to eq(401)
+      end
+      it 'sets the WWW-Authenticate header in the response' do
+        expect(@err[:headers]['WWW-Authenticate']).to eq("OAuth realm='OAuth API', error='invalid_grant'")
+      end
+    end
+  end
+  context 'with an expired token' do
+    before do
+      @err = catch :error do
+        get '/awesome?access_token=e123'
+      end
+    end
+    it 'throws an error' do
+      expect(@err[:status]).to eq(401)
+    end
+    it 'sets the WWW-Authenticate header in the response to error' do
+      expect(@err[:headers]['WWW-Authenticate']).to eq("OAuth realm='OAuth API', error='invalid_grant'")
+    end
+  end
+  %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION).each do |head|
+    context "with the token in the #{head} header" do
+      before do
+        get '/awesome', {}, head => 'OAuth g123'
+      end
+      it 'sets env["api.token"]' do
+        expect(last_response.body).to eq('g123')
+      end
+    end
+  end
+  context 'with the token in the POST body' do
+    before do
+      post '/awesome', 'access_token' => 'g123'
+    end
+    it 'sets env["api.token"]' do
+      expect(last_response.body).to eq('g123')
+    end
+  end
+  context 'when accessing something outside its scope' do
+    before do
+      @err = catch :error do
+        get '/forbidden?access_token=g123'
+      end
+    end
+    it 'throws an error' do
+      expect(@err[:status]).to eq(403)
+    end
+    it 'sets the WWW-Authenticate header in the response to error' do
+      expect(@err[:headers]['WWW-Authenticate']).to eq("OAuth realm='OAuth API', error='insufficient_scope'")
+    end
+  end
+  context 'when authorization is not required' do
+    def app
+      Rack::Builder.app do
+        use Grape::Middleware::Auth::OAuth2, token_class: 'FakeToken', required: false
+        run lambda { |env| [200, {}, [(env['api.token'].token if env['api.token'])]] }
+      end
+    end
+    context 'with no token' do
+      before { post '/awesome' }
+      it 'succeeds anyway' do
+        expect(last_response.status).to eq(200)
+      end
+    end
+    context 'with a valid token' do
+      before { get '/awesome?access_token=g123' }
+      it 'sets env["api.token"]' do
+        expect(last_response.body).to eq('g123')
+      end
+    end
+  end
+end

data/spec/grape/middleware/base_spec.rb ADDED

@@ -0,0 +1,58 @@
+require 'spec_helper'
+describe Grape::Middleware::Base do
+  subject { Grape::Middleware::Base.new(blank_app) }
+  let(:blank_app) { lambda { |_| [200, {}, 'Hi there.'] } }
+  before do
+    # Keep it one object for testing.
+    allow(subject).to receive(:dup).and_return(subject)
+  end
+  it 'has the app as an accessor' do
+    expect(subject.app).to eq(blank_app)
+  end
+  it 'calls through to the app' do
+    expect(subject.call({})).to eq([200, {}, 'Hi there.'])
+  end
+  context 'callbacks' do
+    it 'calls #before' do
+      expect(subject).to receive(:before)
+    end
+    it 'calls #after' do
+      expect(subject).to receive(:after)
+    end
+    after { subject.call!({}) }
+  end
+  it 'is able to access the response' do
+    subject.call({})
+    expect(subject.response).to be_kind_of(Rack::Response)
+  end
+  context 'options' do
+    it 'persists options passed at initialization' do
+      expect(Grape::Middleware::Base.new(blank_app, abc: true).options[:abc]).to be true
+    end
+    context 'defaults' do
+      class ExampleWare < Grape::Middleware::Base
+        def default_options
+          { monkey: true }
+        end
+      end
+      it 'persists the default options' do
+        expect(ExampleWare.new(blank_app).options[:monkey]).to be true
+      end
+      it 'overrides default options when provided' do
+        expect(ExampleWare.new(blank_app, monkey: false).options[:monkey]).to be false
+      end
+    end
+  end
+end

data/spec/grape/middleware/error_spec.rb ADDED

@@ -0,0 +1,45 @@
+require 'spec_helper'
+describe Grape::Middleware::Error do
+  class ErrApp
+    class << self
+      attr_accessor :error
+      attr_accessor :format
+      def call(env)
+        throw :error, error
+      end
+    end
+  end
+  def app
+    Rack::Builder.app do
+      use Grape::Middleware::Error, default_message: 'Aww, hamburgers.'
+      run ErrApp
+    end
+  end
+  it 'sets the status code appropriately' do
+    ErrApp.error = { status: 410 }
+    get '/'
+    expect(last_response.status).to eq(410)
+  end
+  it 'sets the error message appropriately' do
+    ErrApp.error = { message: 'Awesome stuff.' }
+    get '/'
+    expect(last_response.body).to eq('Awesome stuff.')
+  end
+  it 'defaults to a 500 status' do
+    ErrApp.error = {}
+    get '/'
+    expect(last_response.status).to eq(500)
+  end
+  it 'has a default message' do
+    ErrApp.error = {}
+    get '/'
+    expect(last_response.body).to eq('Aww, hamburgers.')
+  end
+end

data/spec/grape/middleware/exception_spec.rb ADDED

@@ -0,0 +1,184 @@
+require 'spec_helper'
+require 'active_support/core_ext/hash'
+describe Grape::Middleware::Error do
+  # raises a text exception
+  class ExceptionApp
+    class << self
+      def call(env)
+        raise "rain!"
+      end
+    end
+  end
+  # raises a hash error
+  class ErrorHashApp
+    class << self
+      def error!(message, status)
+        throw :error, message: { error: message, detail: "missing widget" }, status: status
+      end
+      def call(env)
+        error!("rain!", 401)
+      end
+    end
+  end
+  # raises an error!
+  class AccessDeniedApp
+    class << self
+      def error!(message, status)
+        throw :error, message: message, status: status
+      end
+      def call(env)
+        error!("Access Denied", 401)
+      end
+    end
+  end
+  # raises a custom error
+  class CustomError < Grape::Exceptions::Base
+  end
+  class CustomErrorApp
+    class << self
+      def call(env)
+        raise CustomError, status: 400, message: 'failed validation'
+      end
+    end
+  end
+  attr_reader :app
+  it 'does not trap errors by default' do
+    @app ||= Rack::Builder.app do
+      use Grape::Middleware::Error
+      run ExceptionApp
+    end
+    expect { get '/' }.to raise_error
+  end
+  context 'with rescue_all set to true' do
+    it 'sets the message appropriately' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq("rain!")
+    end
+    it 'defaults to a 500 status' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.status).to eq(500)
+    end
+    it 'is possible to specify a different default status code' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, default_status: 500
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.status).to eq(500)
+    end
+    it 'is possible to return errors in json format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :json
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq('{"error":"rain!"}')
+    end
+    it 'is possible to return hash errors in json format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :json
+        run ErrorHashApp
+      end
+      get '/'
+      expect(['{"error":"rain!","detail":"missing widget"}',
+              '{"detail":"missing widget","error":"rain!"}']).to include(last_response.body)
+    end
+    it 'is possible to return errors in jsonapi format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :jsonapi
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq('{"error":"rain!"}')
+    end
+    it 'is possible to return hash errors in jsonapi format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :jsonapi
+        run ErrorHashApp
+      end
+      get '/'
+      expect(['{"error":"rain!","detail":"missing widget"}',
+              '{"detail":"missing widget","error":"rain!"}']).to include(last_response.body)
+    end
+    it 'is possible to return errors in xml format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :xml
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error>\n  <message>rain!</message>\n</error>\n")
+    end
+    it 'is possible to return hash errors in xml format' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true, format: :xml
+        run ErrorHashApp
+      end
+      get '/'
+      expect(["<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error>\n  <detail>missing widget</detail>\n  <error>rain!</error>\n</error>\n",
+              "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error>\n  <error>rain!</error>\n  <detail>missing widget</detail>\n</error>\n"]).to include(last_response.body)
+    end
+    it 'is possible to specify a custom formatter' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: true,
+                                      format: :custom,
+                                      error_formatters: {
+                                        custom: lambda { |message, backtrace, options, env|
+                                          { custom_formatter: message }.inspect
+                                        }
+                                      }
+        run ExceptionApp
+      end
+      get '/'
+      expect(last_response.body).to eq('{:custom_formatter=>"rain!"}')
+    end
+    it 'does not trap regular error! codes' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error
+        run AccessDeniedApp
+      end
+      get '/'
+      expect(last_response.status).to eq(401)
+    end
+    it 'responds to custom Grape exceptions appropriately' do
+      @app ||= Rack::Builder.app do
+        use Grape::Middleware::Error, rescue_all: false
+        run CustomErrorApp
+      end
+      get '/'
+      expect(last_response.status).to eq(400)
+      expect(last_response.body).to eq('failed validation')
+    end
+  end
+end