haveapi 0.27.3 → 0.28.0

data/spec/action_state_spec.rb

@@ -2,6 +2,17 @@ require 'time'
 
 module ActionStateSpec
   FIXED_TIME = Time.utc(2020, 1, 1, 0, 0, 0)
+  User = Struct.new(:id)
+
+  class BasicProvider < HaveAPI::Authentication::Basic::Provider
+    protected
+
+    def find_user(_request, username, password)
+      return unless username == 'user' && password == 'pass'
+
+      User.new(1)
+    end
+  end
 
   class State
     attr_reader :id, :label, :created_at, :updated_at, :status, :progress, :poll_calls
@@ -209,6 +220,16 @@ describe HaveAPI::Resources::ActionState do
       expect(state.poll_calls).to eq(0)
     end
 
+    it 'rejects excessive poll timeout values' do
+      ActionStateSpec::Backend.add_state(ActionStateSpec::State.new(id: 1))
+
+      get_action '/v1/action_states/1/poll', action_state: { timeout: 31 }
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).not_to be_ok
+      expect(api_response.errors[:timeout].first).to include('range <0, 30>')
+    end
+
     it 'poll returns immediately when update_in check mismatches' do
       state = ActionStateSpec::State.new(
         id: 1,
@@ -298,4 +319,35 @@ describe HaveAPI::Resources::ActionState do
       expect(api_response.message).to eq('not supported')
     end
   end
+
+  context 'with action_state backend and authentication' do
+    empty_api
+    use_version 1
+    default_version 1
+    action_state ActionStateSpec::Backend
+    auth_chain ActionStateSpec::BasicProvider
+
+    before do
+      ActionStateSpec::Backend.reset!
+      ActionStateSpec::Backend.add_state(ActionStateSpec::State.new(id: 1))
+      header 'Accept', 'application/json'
+    end
+
+    it 'requires authentication for action state resources' do
+      get_action '/v1/action_states'
+
+      expect(last_response.status).to eq(401)
+      expect(api_response).not_to be_ok
+      expect(ActionStateSpec::Backend.list_calls).to be_empty
+    end
+
+    it 'passes authenticated users to the action state backend' do
+      login('user', 'pass')
+      get_action '/v1/action_states'
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(ActionStateSpec::Backend.list_calls.last[:user].id).to eq(1)
+    end
+  end
 end

data/spec/authentication/basic_spec.rb

@@ -105,4 +105,33 @@ describe HaveAPI::Authentication::Basic::Provider do
     expect(api_response).to be_failed
     expect(seen_users.last).to be_nil
   end
+
+  it 'treats malformed Authorization headers as failed authentication' do
+    invalid = (+"Basic \xFF").force_encoding(Encoding::UTF_8)
+    header 'Authorization', invalid
+
+    call_api(:post, '/v1/secures/ping', {})
+
+    expect(last_response.status).to eq(401)
+    expect(api_response).to be_failed
+    expect(seen_users.last).to be_nil
+  end
+
+  it 'returns an authentication error envelope from _login' do
+    get '/_login'
+
+    expect(last_response.status).to eq(401)
+    expect(last_response.headers['www-authenticate']).to include('Basic realm=')
+    expect(api_response).to be_failed
+    expect(api_response.message).to include('authenticate')
+  end
+
+  it 'returns an authentication error envelope from _logout' do
+    get '/_logout'
+
+    expect(last_response.status).to eq(401)
+    expect(last_response.headers['www-authenticate']).to include('Basic realm=')
+    expect(api_response).to be_failed
+    expect(api_response.message).to include('authenticate')
+  end
 end

data/spec/authentication/oauth2_spec.rb

@@ -18,6 +18,122 @@ module AuthSpecOAuth2
   Provider = HaveAPI::Authentication::OAuth2.with_config(Config)
 end
 
+module AuthSpecOAuth2Security
+  User = Struct.new(:id, :login)
+  AuthResult = Struct.new(:authenticated, :complete, :cancel, :params)
+
+  class Client < HaveAPI::Authentication::OAuth2::Client
+    def initialize # rubocop:disable Lint/MissingSuper
+      @client_id = 'client'
+      @redirect_uri = 'https://client.example/callback'
+    end
+
+    def check_secret(client_secret)
+      raise TypeError, "client_secret must be a String, got #{client_secret.class}" unless client_secret.is_a?(String)
+
+      client_secret == 'secret'
+    end
+  end
+
+  class Authorization < HaveAPI::Authentication::OAuth2::Authorization
+    def initialize( # rubocop:disable Lint/MissingSuper
+      redirect_uri: 'https://client.example/callback',
+      code_challenge: nil,
+      code_challenge_method: nil
+    )
+      @redirect_uri = redirect_uri
+      @code_challenge = code_challenge
+      @code_challenge_method = code_challenge_method
+    end
+
+    def check_code_validity(redirect_uri)
+      raise TypeError, "redirect_uri must be a String, got #{redirect_uri.class}" unless redirect_uri.is_a?(String)
+
+      redirect_uri == @redirect_uri
+    end
+  end
+
+  class Config < HaveAPI::Authentication::OAuth2::Config
+    class << self
+      attr_accessor :authorization
+      attr_reader :client_lookups, :revocations
+
+      def reset!
+        @authorization = Authorization.new
+        @client_lookups = []
+        @revocations = []
+      end
+    end
+
+    def base_url
+      'https://api.example'
+    end
+
+    def find_user_by_access_token(_request, access_token)
+      raise TypeError, "access_token must be a String, got #{access_token.class}" unless access_token.is_a?(String)
+
+      access_token == 'abc' ? User.new(1, 'user') : nil
+    end
+
+    def find_client_by_id(client_id)
+      raise TypeError, "client_id must be a String, got #{client_id.class}" unless client_id.is_a?(String)
+
+      self.class.client_lookups << client_id
+      client_id == 'client' ? Client.new : nil
+    end
+
+    def handle_get_authorize(oauth2_request:, **)
+      AuthResult.new(true, true, false, oauth2_params(oauth2_request))
+    end
+
+    def get_authorization_code(auth_res)
+      self.class.authorization = Authorization.new(
+        redirect_uri: auth_res.params[:redirect_uri],
+        code_challenge: auth_res.params[:code_challenge],
+        code_challenge_method: auth_res.params[:code_challenge_method]
+      )
+      'code'
+    end
+
+    def find_authorization_by_code(_client, code)
+      raise TypeError, "code must be a String, got #{code.class}" unless code.is_a?(String)
+
+      code == 'code' ? self.class.authorization : nil
+    end
+
+    def find_authorization_by_refresh_token(_client, refresh_token)
+      raise TypeError, "refresh_token must be a String, got #{refresh_token.class}" unless refresh_token.is_a?(String)
+
+      refresh_token == 'refresh-token' ? Authorization.new : nil
+    end
+
+    def get_tokens(_authorization, _request)
+      ['access-token', Time.now + 3600, 'refresh-token']
+    end
+
+    def refresh_tokens(_authorization, _request)
+      ['access-token-2', Time.now + 3600, 'refresh-token-2']
+    end
+
+    def handle_post_revoke(_request, token, token_type_hint: nil, client: nil)
+      raise TypeError, "token must be a String, got #{token.class}" unless token.is_a?(String)
+      if !token_type_hint.nil? && !token_type_hint.is_a?(String)
+        raise TypeError, "token_type_hint must be a String, got #{token_type_hint.class}"
+      end
+
+      self.class.revocations << {
+        token:,
+        token_type_hint:,
+        client_id: client&.client_id
+      }
+
+      token_type_hint == 'unsupported' ? :unsupported : :revoked
+    end
+  end
+
+  Provider = HaveAPI::Authentication::OAuth2.with_config(Config)
+end
+
 describe HaveAPI::Authentication::OAuth2 do
   describe 'smoke' do
     api do
@@ -102,6 +218,25 @@ describe HaveAPI::Authentication::OAuth2 do
       expect(api_response.message).to match(/too many|multiple/i)
     end
 
+    it 'ignores structured access_token query values before backend lookup' do
+      expect do
+        call_api(:post, '/v1/secures/ping?access_token[]=abc', {})
+      end.not_to raise_error
+
+      expect(last_response.status).to eq(401)
+      expect(api_response).to be_failed
+    end
+
+    it 'treats malformed bearer headers as failed authentication' do
+      invalid = (+"Bearer \xFF").force_encoding(Encoding::UTF_8)
+      header 'Authorization', invalid
+
+      call_api(:post, '/v1/secures/ping', {})
+
+      expect(last_response.status).to eq(401)
+      expect(api_response).to be_failed
+    end
+
     it 'exposes oauth2 provider in version description' do
       call_api(:options, '/v1/')
 
@@ -124,4 +259,198 @@ describe HaveAPI::Authentication::OAuth2 do
       expect(desc[:revoke_url]).to end_with(desc[:revoke_path])
     end
   end
+
+  describe 'endpoint hardening' do
+    api do
+      define_resource(:Secure) do
+        version 1
+
+        define_action(:Ping) do
+          route 'ping'
+          http_method :post
+          auth true
+
+          input(:hash) {}
+          output(:hash) { integer :user_id }
+          authorize { allow }
+
+          def exec
+            { user_id: current_user.id }
+          end
+        end
+      end
+    end
+
+    default_version 1
+    auth_chain AuthSpecOAuth2Security::Provider
+
+    before do
+      AuthSpecOAuth2Security::Config.reset!
+    end
+
+    def oauth_json
+      JSON.parse(last_response.body)
+    end
+
+    it 'requires a verifier when a stored PKCE challenge omits the method' do
+      AuthSpecOAuth2Security::Config.authorization =
+        AuthSpecOAuth2Security::Authorization.new(code_challenge: 'expected-verifier')
+
+      post '/_auth/oauth2/token', {
+        grant_type: 'authorization_code',
+        code: 'code',
+        redirect_uri: 'https://client.example/callback',
+        client_id: 'client',
+        client_secret: 'secret'
+      }
+
+      expect(last_response.status).to eq(400)
+      expect(oauth_json['error']).to eq('invalid_grant')
+
+      post '/_auth/oauth2/token', {
+        grant_type: 'authorization_code',
+        code: 'code',
+        redirect_uri: 'https://client.example/callback',
+        client_id: 'client',
+        client_secret: 'secret',
+        code_verifier: 'expected-verifier'
+      }
+
+      expect(last_response.status).to eq(200)
+      expect(oauth_json['access_token']).to eq('access-token')
+    end
+
+    it 'preserves omitted PKCE methods as plain in authorization params' do
+      get '/_auth/oauth2/authorize', {
+        response_type: 'code',
+        client_id: 'client',
+        redirect_uri: 'https://client.example/callback',
+        code_challenge: 'expected-verifier'
+      }
+
+      expect(last_response.status).to eq(302)
+      authorization = AuthSpecOAuth2Security::Config.authorization
+      expect(authorization.code_challenge).to eq('expected-verifier')
+      expect(authorization.code_challenge_method).to eq('plain')
+    end
+
+    it 'rejects structured authorization endpoint parameters' do
+      [
+        { response_type: 'code', 'client_id' => ['client'], redirect_uri: 'https://client.example/callback' },
+        { response_type: 'code', client_id: 'client', 'redirect_uri' => ['https://client.example/callback'] },
+        {
+          response_type: 'code',
+          client_id: 'client',
+          redirect_uri: 'https://client.example/callback',
+          code_challenge: 'expected-verifier',
+          'code_challenge_method' => ['plain']
+        }
+      ].each do |request_params|
+        AuthSpecOAuth2Security::Config.client_lookups.clear
+        get '/_auth/oauth2/authorize', request_params
+
+        expect(last_response.status).to eq(400)
+        expect(oauth_json['error']).to eq('invalid_request')
+        expect(AuthSpecOAuth2Security::Config.client_lookups).to be_empty
+      end
+    end
+
+    it 'returns controlled errors for authorization protocol failures' do
+      get '/_auth/oauth2/authorize', {
+        response_type: 'code',
+        redirect_uri: 'https://client.example/callback'
+      }
+
+      expect(last_response.status).to eq(400)
+      expect(oauth_json['error']).to eq('invalid_request')
+
+      get '/_auth/oauth2/authorize', {
+        response_type: 'bogus',
+        client_id: 'client',
+        redirect_uri: 'https://client.example/callback'
+      }
+
+      expect(last_response.status).to eq(400)
+      expect(oauth_json['error']).to eq('unsupported_response_type')
+    end
+
+    it 'rejects structured token endpoint parameters before callbacks' do
+      [
+        { grant_type: 'authorization_code', 'client_id' => ['client'], client_secret: 'secret', code: 'code' },
+        { grant_type: 'authorization_code', client_id: 'client', 'client_secret' => ['secret'], code: 'code' },
+        { grant_type: 'authorization_code', client_id: 'client', client_secret: 'secret', 'code' => ['code'] },
+        {
+          grant_type: 'authorization_code',
+          client_id: 'client',
+          client_secret: 'secret',
+          code: 'code',
+          'redirect_uri' => ['https://client.example/callback']
+        },
+        { grant_type: 'refresh_token', client_id: 'client', client_secret: 'secret', 'refresh_token' => ['refresh-token'] },
+        { grant_type: 'authorization_code', client_id: 'client', client_secret: 'secret', code: 'code', 'code_verifier' => ['verifier'] }
+      ].each do |request_params|
+        AuthSpecOAuth2Security::Config.client_lookups.clear
+        post '/_auth/oauth2/token', request_params
+
+        expect(last_response.status).to eq(400)
+        expect(oauth_json['error']).to eq('invalid_request')
+        expect(AuthSpecOAuth2Security::Config.client_lookups).to be_empty
+      end
+    end
+
+    it 'requires OAuth2 client authentication before revocation' do
+      post '/_auth/oauth2/revoke', {
+        token: 'victim-refresh-token',
+        token_type_hint: 'refresh_token'
+      }
+
+      expect(last_response.status).to eq(401)
+      expect(oauth_json['error']).to eq('invalid_client')
+      expect(AuthSpecOAuth2Security::Config.revocations).to be_empty
+    end
+
+    it 'rejects malformed revoke requests before callbacks' do
+      [
+        { token_type_hint: 'access_token', client_id: 'client', client_secret: 'secret' },
+        { 'token' => ['abc'], client_id: 'client', client_secret: 'secret' },
+        { token: 'abc', 'token_type_hint' => ['refresh_token'], client_id: 'client', client_secret: 'secret' }
+      ].each do |request_params|
+        post '/_auth/oauth2/revoke', request_params
+
+        expect(last_response.status).to eq(400)
+        expect(oauth_json['error']).to eq('invalid_request')
+        expect(AuthSpecOAuth2Security::Config.revocations).to be_empty
+      end
+    end
+
+    it 'revokes only after valid client authentication' do
+      post '/_auth/oauth2/revoke', {
+        token: 'victim-refresh-token',
+        token_type_hint: 'refresh_token',
+        client_id: 'client',
+        client_secret: 'secret'
+      }
+
+      expect(last_response.status).to eq(200)
+      expect(AuthSpecOAuth2Security::Config.revocations).to contain_exactly(
+        {
+          token: 'victim-refresh-token',
+          token_type_hint: 'refresh_token',
+          client_id: 'client'
+        }
+      )
+    end
+
+    it 'returns OAuth2 errors for unsupported revoke token hints' do
+      post '/_auth/oauth2/revoke', {
+        token: 'victim-refresh-token',
+        token_type_hint: 'unsupported',
+        client_id: 'client',
+        client_secret: 'secret'
+      }
+
+      expect(last_response.status).to eq(400)
+      expect(oauth_json['error']).to eq('unsupported_token_type')
+    end
+  end
 end

data/spec/authentication/token_spec.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+# rubocop:disable RSpec/MultipleDescribes
+# rubocop:disable RSpec/RepeatedExampleGroupDescription
+
 require 'spec_helper'
 require 'securerandom'
 
@@ -8,8 +11,13 @@ module AuthSpecToken
 
   class Config < HaveAPI::Authentication::Token::Config
     class << self
+      attr_accessor :raise_on_find, :raise_on_renew, :raise_on_revoke
+
       def reset!
         @tokens = {}
+        @raise_on_find = false
+        @raise_on_renew = false
+        @raise_on_revoke = false
       end
 
       def tokens
@@ -39,6 +47,8 @@ module AuthSpecToken
 
     renew do
       handle do |_req, res|
+        raise HaveAPI::AuthenticationError, 'renew rejected' if Config.raise_on_renew
+
         res.valid_to = Time.now + 3600
         res.ok
       end
@@ -46,12 +56,17 @@ module AuthSpecToken
 
     revoke do
       handle do |req, res|
+        raise HaveAPI::AuthenticationError, 'revoke rejected' if Config.raise_on_revoke
+
         Config.tokens.delete(req.token)
         res.ok
       end
     end
 
     def find_user_by_token(_request, token)
+      raise TypeError, "token must be a String, got #{token.class}" unless token.is_a?(String)
+      raise HaveAPI::AuthenticationError, 'backend rejected token' if self.class.raise_on_find
+
       self.class.tokens[token]
     end
   end
@@ -125,6 +140,23 @@ describe HaveAPI::Authentication::Token do
     expect(api_response[:token][:token]).to be_a(String)
   end
 
+  it 'rejects token request intervals outside policy bounds' do
+    [-1, 0, 86_401].each do |interval|
+      call_api(:post, '/_auth/token/tokens', {
+        token: {
+          user: 'user',
+          password: 'pass',
+          lifetime: 'fixed',
+          interval:
+        }
+      })
+
+      expect(last_response.status).to eq(400)
+      expect(api_response).to be_failed
+      expect(api_response.errors[:interval]).not_to be_empty
+    end
+  end
+
   it 'returns 401 for protected action without token' do
     call_api(:post, '/v1/secures/ping', {})
 
@@ -164,6 +196,26 @@ describe HaveAPI::Authentication::Token do
     expect(api_response.message).to match(/too many|multiple/i)
   end
 
+  it 'ignores structured token query values before backend lookup' do
+    expect do
+      call_api(:post, '/v1/secures/ping?_auth_token[]=abc', {})
+    end.not_to raise_error
+
+    expect(last_response.status).to eq(401)
+    expect(api_response).to be_failed
+  end
+
+  it 'treats AuthenticationError from token lookup as failed authentication' do
+    token = request_token!
+    AuthSpecToken::Config.raise_on_find = true
+
+    header AuthSpecToken::Config.http_header, token
+    call_api(:post, '/v1/secures/ping', {})
+
+    expect(last_response.status).to eq(401)
+    expect(api_response).to be_failed
+  end
+
   it 'returns 400 for revoke when multiple tokens are provided' do
     token = request_token!
     param = AuthSpecToken::Config.query_parameter.to_s
@@ -203,6 +255,27 @@ describe HaveAPI::Authentication::Token do
     expect(last_response.status).to eq(401)
   end
 
+  it 'returns controlled errors when renew and revoke handlers reject authentication' do
+    token = request_token!
+
+    AuthSpecToken::Config.raise_on_renew = true
+    header AuthSpecToken::Config.http_header, token
+    call_api(:post, '/_auth/token/tokens/renew', {})
+
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_failed
+    expect(api_response.message).to eq('renew rejected')
+
+    AuthSpecToken::Config.raise_on_renew = false
+    AuthSpecToken::Config.raise_on_revoke = true
+    header AuthSpecToken::Config.http_header, token
+    call_api(:post, '/_auth/token/tokens/revoke', {})
+
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_failed
+    expect(api_response.message).to eq('revoke rejected')
+  end
+
   it 'requires auth for OPTIONS on revoke path, but not on request path' do
     call_api(:options, '/_auth/token/tokens?method=POST')
     expect(last_response.status).to eq(200)
@@ -231,3 +304,125 @@ describe HaveAPI::Authentication::Token do
     expect(auth[:token][:resources]).to have_key(:token)
   end
 end
+
+module AuthSpecTokenCrossProvider
+  User = Struct.new(:id, :login)
+
+  class << self
+    def reset!
+      tokens.replace(
+        'victim-token' => User.new(1, 'victim'),
+        'attacker-token' => User.new(2, 'attacker')
+      )
+      revoked.clear
+    end
+
+    def tokens
+      @tokens ||= {}
+    end
+
+    def revoked
+      @revoked ||= []
+    end
+  end
+
+  class BasicProvider < HaveAPI::Authentication::Basic::Provider
+    protected
+
+    def find_user(_request, username, password)
+      return User.new(2, 'attacker') if username == 'attacker' && password == 'pass'
+
+      nil
+    end
+  end
+
+  class TokenConfig < HaveAPI::Authentication::Token::Config
+    request do
+      handle do |_req, res|
+        res.error = 'not used'
+        res
+      end
+    end
+
+    renew do
+      handle do |_req, res|
+        res.ok
+      end
+    end
+
+    revoke do
+      handle do |req, res|
+        AuthSpecTokenCrossProvider.revoked << {
+          current_user: req.user.login,
+          token: req.token
+        }
+        AuthSpecTokenCrossProvider.tokens.delete(req.token)
+        res.ok
+      end
+    end
+
+    def find_user_by_token(_request, token)
+      AuthSpecTokenCrossProvider.tokens[token]
+    end
+  end
+
+  TokenProvider = HaveAPI::Authentication::Token.with_config(TokenConfig)
+end
+
+describe HaveAPI::Authentication::Token do
+  api do
+    define_resource(:Secure) do
+      version 1
+
+      define_action(:Whoami) do
+        route 'whoami'
+        http_method :post
+        auth true
+
+        input(:hash) {}
+        output(:hash) { string :login }
+        authorize { allow }
+
+        def exec
+          { login: current_user.login }
+        end
+      end
+    end
+  end
+
+  default_version 1
+  auth_chain [
+    AuthSpecTokenCrossProvider::BasicProvider,
+    AuthSpecTokenCrossProvider::TokenProvider
+  ]
+
+  before do
+    AuthSpecTokenCrossProvider.reset!
+  end
+
+  it 'uses the token provider user for renew and revoke actions' do
+    login('attacker', 'pass')
+    call_api(:post, '/_auth/token/tokens/revoke?_auth_token=victim-token', {})
+
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(AuthSpecTokenCrossProvider.revoked).to contain_exactly(
+      {
+        current_user: 'victim',
+        token: 'victim-token'
+      }
+    )
+  end
+
+  it 'rejects token actions authenticated only by another provider' do
+    login('attacker', 'pass')
+    call_api(:post, '/_auth/token/tokens/revoke', {})
+
+    expect(last_response.status).to eq(401)
+    expect(api_response).to be_failed
+    expect(AuthSpecTokenCrossProvider.revoked).to be_empty
+  end
+end
+
+# rubocop:enable RSpec/RepeatedExampleGroupDescription
+# rubocop:enable RSpec/MultipleDescribes