haveapi 0.27.2 → 0.28.0

data/spec/action/runtime_spec.rb

@@ -30,6 +30,289 @@ describe HaveAPI::Action do
           end
         end
 
+        define_action(:OptionalShape) do
+          route 'optional_shape'
+          http_method :post
+          authorize { allow }
+
+          input do
+            string :label
+          end
+
+          output do
+            bool :ok
+          end
+
+          def exec
+            { ok: true }
+          end
+        end
+
+        define_action(:Batch) do
+          route 'batch'
+          http_method :post
+          authorize { allow }
+
+          input(:hash_list) do
+            string :label, required: true
+          end
+
+          meta(:global) do
+            input do
+              bool :confirmed, required: true
+            end
+          end
+
+          output(:hash) do
+            integer :count
+          end
+
+          def exec
+            { count: input.size }
+          end
+        end
+
+        define_action(:OutputOnlyObjectMeta) do
+          route 'output_only_object_meta'
+          http_method :post
+          authorize { allow }
+
+          input do
+            string :msg
+          end
+
+          meta(:object) do
+            output do
+              string :etag
+            end
+          end
+
+          output do
+            string :msg
+          end
+
+          def exec
+            { msg: input[:msg] }
+          end
+        end
+
+        define_action(:DigitPath) do
+          route 'ipv4/{ip4_id}'
+          http_method :get
+
+          authorize do |_user, path_params|
+            deny if path_params['ip4_id'] == '1'
+
+            allow
+          end
+
+          output do
+            string :value
+          end
+
+          def exec
+            { value: 'ok' }
+          end
+        end
+
+        define_action(:ColonPath) do
+          route 'accounts/:account_id/secret'
+          http_method :get
+
+          authorize do |_user, path_params|
+            deny unless path_params['account_id'] == '1'
+
+            allow
+          end
+
+          output do
+            string :value
+          end
+
+          def exec
+            { value: params['account_id'] }
+          end
+        end
+
+        define_action(:BodyShadow) do
+          route 'profiles/{profile_id}'
+          http_method :put
+
+          authorize do |_user, path_params|
+            deny unless path_params['profile_id'] == '2'
+
+            allow
+          end
+
+          input do
+            string :name
+          end
+
+          output do
+            string :route_profile_id
+          end
+
+          def exec
+            { route_profile_id: params['profile_id'] }
+          end
+        end
+
+        define_action(:FilteredDefault) do
+          route 'filtered_default'
+          http_method :post
+
+          authorize do
+            input blacklist: [:admin]
+            allow
+          end
+
+          input do
+            string :name
+            bool :admin, default: true, fill: true
+          end
+
+          output do
+            bool :saw_admin
+            bool :admin
+          end
+
+          def exec
+            { saw_admin: input.has_key?(:admin), admin: input[:admin] }
+          end
+        end
+
+        define_action(:MetadataInput) do
+          route 'metadata_input'
+          http_method :post
+
+          authorize do
+            input blacklist: [:confirmed]
+            allow
+          end
+
+          meta(:global) do
+            input do
+              bool :confirmed
+            end
+          end
+
+          output do
+            bool :saw_confirmed
+          end
+
+          def exec
+            { saw_confirmed: meta.has_key?(:confirmed) }
+          end
+        end
+
+        define_action(:MetadataOutput) do
+          route 'metadata_output'
+          http_method :post
+
+          authorize do
+            output blacklist: [:secret_status]
+            allow
+          end
+
+          meta(:global) do
+            output do
+              string :public_status
+              string :secret_status
+            end
+          end
+
+          output do
+            bool :ok
+          end
+
+          def exec
+            set_meta(public_status: 'queued', secret_status: 'internal-token')
+            { ok: true }
+          end
+        end
+
+        define_action(:UnnamespacedInput) do
+          route 'unnamespaced_input'
+          http_method :post
+
+          authorize do
+            input blacklist: [:secret]
+            allow
+          end
+
+          input(:hash, namespace: false) do
+            string :public
+            string :secret
+          end
+
+          output do
+            bool :params_saw_secret
+            bool :input_saw_secret
+          end
+
+          def exec
+            {
+              params_saw_secret: params.has_key?(:secret),
+              input_saw_secret: input.has_key?(:secret)
+            }
+          end
+        end
+
+        define_action(:TopLevelBody) do
+          route 'top_level_body'
+          http_method :post
+
+          authorize do
+            input blacklist: [:secret]
+            allow
+          end
+
+          input do
+            string :public
+            string :secret
+          end
+
+          output do
+            bool :params_saw_secret
+            bool :input_saw_secret
+          end
+
+          def exec
+            {
+              params_saw_secret: params.has_key?(:secret),
+              input_saw_secret: input.has_key?(:secret)
+            }
+          end
+        end
+
+        define_action(:Closed) do
+          route 'closed'
+          http_method :post
+          auth false
+
+          output do
+            bool :ok
+          end
+
+          def exec
+            { ok: true }
+          end
+        end
+
+        define_action(:Show) do
+          route '{test_id}'
+          http_method :get
+          authorize { allow }
+
+          output do
+            string :id
+          end
+
+          def exec
+            { id: params['test_id'] }
+          end
+        end
+
         define_action(:Order) do
           http_method :post
           authorize { allow }
@@ -164,6 +447,149 @@ describe HaveAPI::Action do
       expect(api_response.response).to have_key(:_meta)
     end
 
+    it 'rejects optional-only input namespaces with invalid shapes' do
+      call_api([:Test], :optional_shape, { test: 'not-a-hash' })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid input layout')
+    end
+
+    it 'rejects list inputs with invalid element shapes' do
+      call_api([:Test], :batch, { tests: ['not-a-hash'], _meta: { confirmed: true } })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid input layout')
+    end
+
+    it 'validates global metadata on list input actions' do
+      call_api([:Test], :batch, { tests: [{ label: 'one' }] })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.errors[:confirmed]).to include('required parameter missing')
+
+      call_api([:Test], :batch, { tests: [{ label: 'one' }], _meta: { confirmed: 'maybe' } })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.errors[:confirmed].first).to include('not a valid boolean')
+    end
+
+    it 'rejects malformed metadata namespaces' do
+      call_api([:Test], :echo, { test: { msg: 'hi' }, _meta: 'not-a-hash' })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid input layout')
+    end
+
+    it 'ignores object metadata definitions without input' do
+      call_api([:Test], :output_only_object_meta, {
+        test: {
+          msg: 'hi',
+          _meta: {
+            etag: 'client-value'
+          }
+        }
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:msg]).to eq('hi')
+    end
+
+    it 'uses path parameters containing digits for authorization' do
+      get '/v1/tests/ipv4/1', {}, input: ''
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'uses colon-style route parameters for authorization' do
+      get '/v1/tests/accounts/2/secret', {}, input: ''
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'does not let JSON body keys shadow route parameters for authorization' do
+      call_api(:put, '/v1/tests/profiles/1', {
+        profile_id: '2',
+        test: {
+          name: 'attacker'
+        }
+      })
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'does not reintroduce filtered input defaults' do
+      call_api([:Test], :filtered_default, { test: { name: 'acct' } })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:saw_admin]).to be(false)
+    end
+
+    it 'applies input authorization filters to metadata input' do
+      call_api([:Test], :metadata_input, { _meta: { confirmed: true } })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:saw_confirmed]).to be(false)
+    end
+
+    it 'applies output authorization filters to global metadata' do
+      call_api([:Test], :metadata_output, {})
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response.response[:_meta]).to include(public_status: 'queued')
+      expect(api_response.response[:_meta]).not_to have_key(:secret_status)
+    end
+
+    it 'filters unnamespaced input in the safe params view' do
+      call_api([:Test], :unnamespaced_input, { public: 'ok', secret: 'hidden' })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:params_saw_secret]).to be(false)
+      expect(api_response[:test][:input_saw_secret]).to be(false)
+    end
+
+    it 'does not expose top-level JSON keys outside the input namespace as safe params' do
+      call_api([:Test], :top_level_body, {
+        secret: 'top-level hidden',
+        test: {
+          public: 'ok',
+          secret: 'nested hidden'
+        }
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:params_saw_secret]).to be(false)
+      expect(api_response[:test][:input_saw_secret]).to be(false)
+    end
+
+    it 'denies OPTIONS for actions without an authorization block without raising' do
+      call_api(:options, '/v1/tests/closed?method=POST')
+
+      expect(last_response.status).to eq(403)
+      expect(api_response).not_to be_ok
+    end
+
+    it 'rejects invalid route argument encoding in action descriptions' do
+      call_api(:options, '/v1/tests/%FF?method=GET')
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.message).to eq('invalid path parameter encoding')
+    end
+
     it 'runs prepare, pre_exec, exec in order' do
       action_class(:order).calls.clear
 

data/spec/action_state_spec.rb

@@ -2,6 +2,17 @@ require 'time'
 
 module ActionStateSpec
   FIXED_TIME = Time.utc(2020, 1, 1, 0, 0, 0)
+  User = Struct.new(:id)
+
+  class BasicProvider < HaveAPI::Authentication::Basic::Provider
+    protected
+
+    def find_user(_request, username, password)
+      return unless username == 'user' && password == 'pass'
+
+      User.new(1)
+    end
+  end
 
   class State
     attr_reader :id, :label, :created_at, :updated_at, :status, :progress, :poll_calls
@@ -209,6 +220,16 @@ describe HaveAPI::Resources::ActionState do
       expect(state.poll_calls).to eq(0)
     end
 
+    it 'rejects excessive poll timeout values' do
+      ActionStateSpec::Backend.add_state(ActionStateSpec::State.new(id: 1))
+
+      get_action '/v1/action_states/1/poll', action_state: { timeout: 31 }
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.errors[:timeout].first).to include('range <0, 30>')
+    end
+
     it 'poll returns immediately when update_in check mismatches' do
       state = ActionStateSpec::State.new(
         id: 1,
@@ -298,4 +319,35 @@ describe HaveAPI::Resources::ActionState do
       expect(api_response.message).to eq('not supported')
     end
   end
+
+  context 'with action_state backend and authentication' do
+    empty_api
+    use_version 1
+    default_version 1
+    action_state ActionStateSpec::Backend
+    auth_chain ActionStateSpec::BasicProvider
+
+    before do
+      ActionStateSpec::Backend.reset!
+      ActionStateSpec::Backend.add_state(ActionStateSpec::State.new(id: 1))
+      header 'Accept', 'application/json'
+    end
+
+    it 'requires authentication for action state resources' do
+      get_action '/v1/action_states'
+
+      expect(last_response.status).to eq(401)
+      expect(api_response).not_to be_ok
+      expect(ActionStateSpec::Backend.list_calls).to be_empty
+    end
+
+    it 'passes authenticated users to the action state backend' do
+      login('user', 'pass')
+      get_action '/v1/action_states'
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(ActionStateSpec::Backend.list_calls.last[:user].id).to eq(1)
+    end
+  end
 end

data/spec/authentication/basic_spec.rb

@@ -105,4 +105,33 @@ describe HaveAPI::Authentication::Basic::Provider do
     expect(api_response).to be_failed
     expect(seen_users.last).to be_nil
   end
+
+  it 'treats malformed Authorization headers as failed authentication' do
+    invalid = (+"Basic \xFF").force_encoding(Encoding::UTF_8)
+    header 'Authorization', invalid
+
+    call_api(:post, '/v1/secures/ping', {})
+
+    expect(last_response.status).to eq(401)
+    expect(api_response).to be_failed
+    expect(seen_users.last).to be_nil
+  end
+
+  it 'returns an authentication error envelope from _login' do
+    get '/_login'
+
+    expect(last_response.status).to eq(401)
+    expect(last_response.headers['www-authenticate']).to include('Basic realm=')
+    expect(api_response).to be_failed
+    expect(api_response.message).to include('authenticate')
+  end
+
+  it 'returns an authentication error envelope from _logout' do
+    get '/_logout'
+
+    expect(last_response.status).to eq(401)
+    expect(last_response.headers['www-authenticate']).to include('Basic realm=')
+    expect(api_response).to be_failed
+    expect(api_response.message).to include('authenticate')
+  end
 end