grape-security 0.8.0

data/lib/grape/middleware/globals.rb

@@ -0,0 +1,13 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    class Globals < Base
+      def before
+        @env['grape.request'] = Grape::Request.new(@env)
+        @env['grape.request.headers'] = request.headers
+        @env['grape.request.params'] = request.params if @env['rack.input']
+      end
+    end
+  end
+end

data/lib/grape/middleware/versioner.rb

@@ -0,0 +1,32 @@
+# Versioners set env['api.version'] when a version is defined on an API and
+# on the requests. The current methods for determining version are:
+#
+#   :header - version from HTTP Accept header.
+#   :path   - version from uri. e.g. /v1/resource
+#   :param  - version from uri query string, e.g. /v1/resource?apiver=v1
+#
+# See individual classes for details.
+module Grape
+  module Middleware
+    module Versioner
+      module_function
+
+      # @param strategy [Symbol] :path, :header or :param
+      # @return a middleware class based on strategy
+      def using(strategy)
+        case strategy
+        when :path
+          Path
+        when :header
+          Header
+        when :param
+          Param
+        when :accept_version_header
+          AcceptVersionHeader
+        else
+          raise Grape::Exceptions::InvalidVersionerOption.new(strategy)
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/versioner/accept_version_header.rb

@@ -0,0 +1,67 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    module Versioner
+      # This middleware sets various version related rack environment variables
+      # based on the HTTP Accept-Version header
+      #
+      # Example: For request header
+      #    Accept-Version: v1
+      #
+      # The following rack env variables are set:
+      #
+      #    env['api.version']  => 'v1'
+      #
+      # If version does not match this route, then a 406 is raised with
+      # X-Cascade header to alert Rack::Mount to attempt the next matched
+      # route.
+      class AcceptVersionHeader < Base
+        def before
+          potential_version = (env['HTTP_ACCEPT_VERSION'] || '').strip
+
+          if strict?
+            # If no Accept-Version header:
+            if potential_version.empty?
+              throw :error, status: 406, headers: error_headers, message: 'Accept-Version header must be set.'
+            end
+          end
+
+          unless potential_version.empty?
+            # If the requested version is not supported:
+            unless versions.any? { |v| v.to_s == potential_version }
+              throw :error, status: 406, headers: error_headers, message: 'The requested version is not supported.'
+            end
+
+            env['api.version'] = potential_version
+          end
+        end
+
+        private
+
+        def versions
+          options[:versions] || []
+        end
+
+        def strict?
+          options[:version_options] && options[:version_options][:strict]
+        end
+
+        # By default those errors contain an `X-Cascade` header set to `pass`, which allows nesting and stacking
+        # of routes (see [Rack::Mount](https://github.com/josh/rack-mount) for more information). To prevent
+        # this behavior, and not add the `X-Cascade` header, one can set the `:cascade` option to `false`.
+        def cascade?
+          if options[:version_options] && options[:version_options].key?(:cascade)
+            !!options[:version_options][:cascade]
+          else
+            true
+          end
+        end
+
+        def error_headers
+          cascade? ? { 'X-Cascade' => 'pass' } : {}
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/versioner/header.rb

@@ -0,0 +1,132 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    module Versioner
+      # This middleware sets various version related rack environment variables
+      # based on the HTTP Accept header with the pattern:
+      # application/vnd.:vendor-:version+:format
+      #
+      # Example: For request header
+      #    Accept: application/vnd.mycompany-v1+json
+      #
+      # The following rack env variables are set:
+      #
+      #    env['api.type']    => 'application'
+      #    env['api.subtype'] => 'vnd.mycompany-v1+json'
+      #    env['api.vendor]   => 'mycompany'
+      #    env['api.version]  => 'v1'
+      #    env['api.format]   => 'format'
+      #
+      # If version does not match this route, then a 406 is raised with
+      # X-Cascade header to alert Rack::Mount to attempt the next matched
+      # route.
+      class Header < Base
+        def before
+          begin
+            header = Rack::Accept::MediaType.new env['HTTP_ACCEPT']
+          rescue RuntimeError => e
+            throw :error, status: 406, headers: error_headers, message: e.message
+          end
+
+          if strict?
+            # If no Accept header:
+            if header.qvalues.empty?
+              throw :error, status: 406, headers: error_headers, message: 'Accept header must be set.'
+            end
+            # Remove any acceptable content types with ranges.
+            header.qvalues.reject! do |media_type, _|
+              Rack::Accept::Header.parse_media_type(media_type).find { |s| s == '*' }
+            end
+            # If all Accept headers included a range:
+            if header.qvalues.empty?
+              throw :error, status: 406, headers: error_headers, message: 'Accept header must not contain ranges ("*").'
+            end
+          end
+
+          media_type = header.best_of available_media_types
+
+          if media_type
+            type, subtype = Rack::Accept::Header.parse_media_type media_type
+            env['api.type']    = type
+            env['api.subtype'] = subtype
+
+            if /\Avnd\.([a-z0-9*.]+)(?:-([a-z0-9*\-.]+))?(?:\+([a-z0-9*\-.+]+))?\z/ =~ subtype
+              env['api.vendor']  = $1
+              env['api.version'] = $2
+              env['api.format']  = $3  # weird that Grape::Middleware::Formatter also does this
+            end
+          # If none of the available content types are acceptable:
+          elsif strict?
+            throw :error, status: 406, headers: error_headers, message: '406 Not Acceptable'
+          # If all acceptable content types specify a vendor or version that doesn't exist:
+          elsif header.values.all? { |header_value| has_vendor?(header_value) || version?(header_value) }
+            throw :error, status: 406, headers: error_headers, message: 'API vendor or version not found.'
+          end
+        end
+
+        private
+
+        def available_media_types
+          available_media_types = []
+
+          content_types.each do |extension, media_type|
+            versions.reverse.each do |version|
+              available_media_types += ["application/vnd.#{vendor}-#{version}+#{extension}", "application/vnd.#{vendor}-#{version}"]
+            end
+            available_media_types << "application/vnd.#{vendor}+#{extension}"
+          end
+
+          available_media_types << "application/vnd.#{vendor}"
+
+          content_types.each do |_, media_type|
+            available_media_types << media_type
+          end
+
+          available_media_types = available_media_types.flatten
+        end
+
+        def versions
+          options[:versions] || []
+        end
+
+        def vendor
+          options[:version_options] && options[:version_options][:vendor]
+        end
+
+        def strict?
+          options[:version_options] && options[:version_options][:strict]
+        end
+
+        # By default those errors contain an `X-Cascade` header set to `pass`, which allows nesting and stacking
+        # of routes (see [Rack::Mount](https://github.com/josh/rack-mount) for more information). To prevent
+        # this behavior, and not add the `X-Cascade` header, one can set the `:cascade` option to `false`.
+        def cascade?
+          if options[:version_options] && options[:version_options].key?(:cascade)
+            !!options[:version_options][:cascade]
+          else
+            true
+          end
+        end
+
+        def error_headers
+          cascade? ? { 'X-Cascade' => 'pass' } : {}
+        end
+
+        # @param [String] media_type a content type
+        # @return [Boolean] whether the content type sets a vendor
+        def has_vendor?(media_type)
+          _, subtype = Rack::Accept::Header.parse_media_type media_type
+          subtype[/\Avnd\.[a-z0-9*.]+/]
+        end
+
+        # @param [String] media_type a content type
+        # @return [Boolean] whether the content type sets an API version
+        def version?(media_type)
+          _, subtype = Rack::Accept::Header.parse_media_type media_type
+          subtype[/\Avnd\.[a-z0-9*.]+-[a-z0-9*\-.]+/]
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/versioner/param.rb

@@ -0,0 +1,42 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    module Versioner
+      # This middleware sets various version related rack environment variables
+      # based on the request parameters and removes that parameter from the
+      # request parameters for subsequent middleware and API.
+      # If the version substring does not match any potential initialized
+      # versions, a 404 error is thrown.
+      # If the version substring is not passed the version (highest mounted)
+      # version will be used.
+      #
+      # Example: For a uri path
+      #   /resource?apiver=v1
+      #
+      # The following rack env variables are set and path is rewritten to
+      # '/resource':
+      #
+      #   env['api.version'] => 'v1'
+      class Param < Base
+        def default_options
+          {
+            parameter: "apiver"
+          }
+        end
+
+        def before
+          paramkey = options[:parameter]
+          potential_version = Rack::Utils.parse_nested_query(env['QUERY_STRING'])[paramkey]
+          unless potential_version.nil?
+            if options[:versions] && !options[:versions].find { |v| v.to_s == potential_version }
+              throw :error, status: 404, message: "404 API Version Not Found", headers: { 'X-Cascade' => 'pass' }
+            end
+            env['api.version'] = potential_version
+            env['rack.request.query_hash'].delete(paramkey) if env.key? 'rack.request.query_hash'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/versioner/path.rb

@@ -0,0 +1,52 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    module Versioner
+      # This middleware sets various version related rack environment variables
+      # based on the uri path and removes the version substring from the uri
+      # path. If the version substring does not match any potential initialized
+      # versions, a 404 error is thrown.
+      #
+      # Example: For a uri path
+      #   /v1/resource
+      #
+      # The following rack env variables are set and path is rewritten to
+      # '/resource':
+      #
+      #   env['api.version'] => 'v1'
+      #
+      class Path < Base
+        def default_options
+          {
+            pattern: /.*/i
+          }
+        end
+
+        def before
+          path = env['PATH_INFO'].dup
+
+          if prefix && path.index(prefix) == 0
+            path.sub!(prefix, '')
+            path = Rack::Mount::Utils.normalize_path(path)
+          end
+
+          pieces = path.split('/')
+          potential_version = pieces[1]
+          if potential_version =~ options[:pattern]
+            if options[:versions] && !options[:versions].find { |v| v.to_s == potential_version }
+              throw :error, status: 404, message: "404 API Version Not Found"
+            end
+            env['api.version'] = potential_version
+          end
+        end
+
+        private
+
+        def prefix
+          Rack::Mount::Utils.normalize_path(options[:prefix].to_s) if options[:prefix]
+        end
+      end
+    end
+  end
+end

data/lib/grape/namespace.rb

@@ -0,0 +1,23 @@
+module Grape
+  class Namespace
+    attr_reader :space, :options
+
+    # options:
+    #   requirements: a hash
+    def initialize(space, options = {})
+      @space, @options = space.to_s, options
+    end
+
+    def requirements
+      options[:requirements] || {}
+    end
+
+    def self.joined_space(settings)
+      settings.gather(:namespace).map(&:space).join("/")
+    end
+
+    def self.joined_space_path(settings)
+      Rack::Mount::Utils.normalize_path(joined_space(settings))
+    end
+  end
+end

data/lib/grape/parser/base.rb

@@ -0,0 +1,29 @@
+module Grape
+  module Parser
+    module Base
+      class << self
+        PARSERS = {
+          json: Grape::Parser::Json,
+          jsonapi: Grape::Parser::Json,
+          xml: Grape::Parser::Xml
+        }
+
+        def parsers(options)
+          PARSERS.merge(options[:parsers] || {})
+        end
+
+        def parser_for(api_format, options = {})
+          spec = parsers(options)[api_format]
+          case spec
+          when nil
+            nil
+          when Symbol
+            method(spec)
+          else
+            spec
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape/parser/json.rb

@@ -0,0 +1,11 @@
+module Grape
+  module Parser
+    module Json
+      class << self
+        def call(object, env)
+          MultiJson.load(object)
+        end
+      end
+    end
+  end
+end

data/lib/grape/parser/xml.rb

@@ -0,0 +1,11 @@
+module Grape
+  module Parser
+    module Xml
+      class << self
+        def call(object, env)
+          MultiXml.parse(object)
+        end
+      end
+    end
+  end
+end

data/lib/grape/path.rb

@@ -0,0 +1,70 @@
+module Grape
+  class Path
+    def self.prepare(raw_path, namespace, settings)
+      Path.new(raw_path, namespace, settings).path_with_suffix
+    end
+
+    attr_reader :raw_path, :namespace, :settings
+
+    def initialize(raw_path, namespace, settings)
+      @raw_path = raw_path
+      @namespace = namespace
+      @settings = settings
+    end
+
+    def mount_path
+      split_setting(:mount_path, '/')
+    end
+
+    def root_prefix
+      split_setting(:root_prefix, '/')
+    end
+
+    def uses_path_versioning?
+      !!(settings[:version] && settings[:version_options][:using] == :path)
+    end
+
+    def has_namespace?
+      namespace && namespace.to_s =~ /^\S/ && namespace != '/'
+    end
+
+    def has_path?
+      raw_path && raw_path.to_s =~ /^\S/ && raw_path != '/'
+    end
+
+    def suffix
+      if !uses_path_versioning? || (has_namespace? || has_path?)
+        '(.:format)'
+      else
+        '(/.:format)'
+      end
+    end
+
+    def path
+      Rack::Mount::Utils.normalize_path(parts.join('/'))
+    end
+
+    def path_with_suffix
+      "#{path}#{suffix}"
+    end
+
+    def to_s
+      path_with_suffix
+    end
+
+    private
+
+    def parts
+      parts = [mount_path, root_prefix].compact
+      parts << ':version' if uses_path_versioning?
+      parts << namespace.to_s
+      parts << raw_path.to_s
+      parts.flatten.reject { |part| part == '/' }
+    end
+
+    def split_setting(key, delimiter)
+      return if settings[key].nil?
+      settings[key].to_s.split("/")
+    end
+  end
+end