hawk-auth 0.0.0 → 0.1.0

data/spec/server_spec.rb

@@ -0,0 +1,290 @@
+require 'spec_helper'
+require 'support/shared_examples/authorization_header'
+
+describe Hawk::Server do
+  let(:credentials) do
+    {
+      :id => '123456',
+      :key => '2983d45yun89q',
+      :algorithm => algorithm
+    }
+  end
+
+  describe ".authenticate" do
+    let(:credentials_lookup) do
+      lambda { |id|
+        if id == credentials[:id]
+          credentials
+        end
+      }
+    end
+
+    let(:nonce_lookup) do
+      lambda { |nonce| nil }
+    end
+
+    let(:payload) {}
+    let(:ext) {}
+    let(:timestamp) { Time.now.to_i }
+    let(:nonce) { 'Ygvqdz' }
+
+    let(:input) do
+      _input = {
+        :method => 'POST',
+        :path => '/somewhere/over/the/rainbow',
+        :host => 'example.net',
+        :port => 80,
+        :content_type => 'text/plain',
+        :credentials_lookup => credentials_lookup,
+        :nonce_lookup => nonce_lookup
+      }
+      _input[:payload] = payload if payload
+      _input
+    end
+
+    let(:client_input) do
+      _input = input.merge(
+        :credentials => credentials,
+        :ts => timestamp,
+        :nonce => nonce
+      )
+      _input[:ext] = ext if ext
+      _input
+    end
+
+    let(:expected_mac) { Hawk::Crypto.mac(client_input) }
+    let(:expected_hash) { client_input[:payload] ? Hawk::Crypto.hash(client_input) : nil }
+
+    let(:authorization_header) do
+      parts = []
+      parts << %(id="#{credentials[:id]}")
+      parts << %(ts="#{timestamp}")
+      parts << %(nonce="#{nonce}") if nonce
+      parts << %(hash="#{expected_hash}") if expected_hash
+      parts << %(mac="#{expected_mac}")
+      parts << %(ext="#{ext}") if ext
+      "Hawk #{parts.join(', ')}"
+    end
+
+    shared_examples "an authorization request header authenticator" do
+      it_behaves_like "an authorization header authenticator"
+
+      context "when unidentified id" do
+        let(:credentials_lookup) do
+          lambda { |id| }
+        end
+
+        it "returns error object" do
+          actual = described_class.authenticate(authorization_header, input)
+          expect(actual).to be_a(Hawk::AuthenticationFailure)
+          expect(actual.key).to eql(:id)
+          expect(actual.message).to_not eql(nil)
+        end
+      end
+
+      context "when stale timestamp" do
+        context "when too old" do
+          let(:timestamp) { Time.now.to_i - 1001 }
+
+          it "returns error object" do
+            actual = described_class.authenticate(authorization_header, input)
+            expect(actual).to be_a(Hawk::AuthenticationFailure)
+            expect(actual.key).to eql(:ts)
+            expect(actual.message).to_not eql(nil)
+          end
+        end
+
+        context "when too far in the future" do
+          let(:timestamp) { Time.now.to_i + 1001 }
+
+          it "returns error object" do
+            actual = described_class.authenticate(authorization_header, input)
+            expect(actual).to be_a(Hawk::AuthenticationFailure)
+            expect(actual.key).to eql(:ts)
+            expect(actual.message).to_not eql(nil)
+          end
+        end
+
+        context "when invalid content type" do
+          let(:payload) { 'baz' }
+          before do
+            client_input[:content_type] = 'application/foo'
+          end
+
+          it "returns error object" do
+            actual = described_class.authenticate(authorization_header, input)
+            expect(actual).to be_a(Hawk::AuthenticationFailure)
+            expect(actual.key).to eql(:mac)
+            expect(actual.message).to_not eql(nil)
+          end
+        end
+
+        context "when nonce missing" do
+          let(:nonce) { nil }
+
+          it "returns error object" do
+            actual = described_class.authenticate(authorization_header, input)
+            expect(actual).to be_a(Hawk::AuthenticationFailure)
+            expect(actual.key).to eql(:nonce)
+            expect(actual.message).to_not eql(nil)
+          end
+        end
+      end
+
+      context "when replay" do
+        let(:nonce_lookup) do
+          lambda do |nonce|
+            true
+          end
+        end
+
+        it "returns error object" do
+          actual = described_class.authenticate(authorization_header, input)
+          expect(actual).to be_a(Hawk::AuthenticationFailure)
+          expect(actual.key).to eql(:nonce)
+          expect(actual.message).to_not eql(nil)
+        end
+      end
+
+      context "when no credentials_lookup given" do
+        before do
+          input.delete(:credentials_lookup)
+        end
+
+        it "returns error object" do
+          actual = described_class.authenticate(authorization_header, input)
+          expect(actual).to be_a(Hawk::AuthenticationFailure)
+          expect(actual.key).to eql(:id)
+          expect(actual.message).to_not eql(nil)
+        end
+      end
+    end
+
+    context "when using sha256" do
+      let(:algorithm) { "sha256" }
+
+      it_behaves_like "an authorization request header authenticator"
+    end
+
+    context "when using sha1" do
+      let(:algorithm) { "sha1" }
+
+      it_behaves_like "an authorization request header authenticator"
+    end
+  end
+
+  describe ".build_authorization_header" do
+    let(:expected_mac) { Hawk::Crypto.mac(input) }
+    let(:expected_hash) { input[:payload] ? Hawk::Crypto.hash(input) : nil }
+    let(:timestamp) { Time.now.to_i }
+    let(:nonce) { 'Ygvqdz' }
+
+    let(:input) do
+      _input = {
+        :credentials => credentials,
+        :ts => timestamp,
+        :method => 'POST',
+        :path => '/somewhere/over/the/rainbow',
+        :host => 'example.net',
+        :port => 80,
+        :payload => 'something to write about',
+        :ext => 'Bazinga!'
+      }
+      _input[:nonce] = nonce if nonce
+      _input
+    end
+
+    let(:expected_output_parts) do
+      parts = []
+      parts << %(hash="#{expected_hash}") if input[:payload]
+      parts << %(ext="#{input[:ext]}") if input[:ext]
+      parts << %(mac="#{expected_mac}")
+      parts
+    end
+
+    let(:expected_output) do
+      "Hawk #{expected_output_parts.join(', ')}"
+    end
+
+    context "when using sha256" do
+      let(:algorithm) { "sha256" }
+
+      it_behaves_like "an authorization header builder"
+    end
+
+    context "when using sha1" do
+      let(:algorithm) { "sha1" }
+
+      it_behaves_like "an authorization header builder"
+    end
+  end
+
+  describe ".authenticate_bewit" do
+    let(:credentials_lookup) do
+      lambda { |id|
+        if id == credentials[:id]
+          credentials
+        end
+      }
+    end
+
+    let(:algorithm) { "sha256" }
+
+    let(:input) do
+      {
+        :credentials_lookup => credentials_lookup,
+        :method => 'GET',
+        :path => "/resource/4?a=1&bewit=#{bewit}&b=2",
+        :host => 'example.com',
+        :port => 80,
+      }
+    end
+
+    let(:bewit) { "MTIzNDU2XDQ1MTkzMTE0NThcYkkwanFlS1prUHE0V1hRMmkxK0NrQ2lOanZEc3BSVkNGajlmbElqMXphWT1cc29tZS1hcHAtZGF0YQ" }
+
+    let(:now) { 1365711458 }
+    before do
+      Time.stubs(:now).returns(Time.at(now))
+    end
+
+    context "when valid" do
+      it "returns credentials" do
+        expect(described_class.authenticate_bewit(bewit, input)).to eql(credentials)
+      end
+    end
+
+    context "when invalid format" do
+      let(:bewit) { "invalid-bewit" }
+
+      it "returns error object" do
+        actual = described_class.authenticate_bewit(bewit, input)
+        expect(actual).to be_a(Hawk::AuthenticationFailure)
+        expect(actual.key).to eql(:id)
+        expect(actual.message).to_not eql(nil)
+      end
+    end
+
+    context "when invalid ext" do
+      let(:bewit) { "MTIzNDU2XDQ1MTkzMTE0NThcVTN4dVF5TEVXUGNOa3Q4Vm5oRy9BSDg4VERQZXlKT2JKeGVNb0tkZWZUQT1caW52YWxpZCBleHQ" }
+
+      it "returns error object" do
+        actual = described_class.authenticate_bewit(bewit, input)
+        expect(actual).to be_a(Hawk::AuthenticationFailure)
+        expect(actual.key).to eql(:bewit)
+        expect(actual.message).to_not eql(nil)
+      end
+    end
+
+    context "when stale timestamp" do
+      let(:now) { 4519311459 }
+
+      it "returns error object" do
+        actual = described_class.authenticate_bewit(bewit, input)
+        expect(actual).to be_a(Hawk::AuthenticationFailure)
+        expect(actual.key).to eql(:ts)
+        expect(actual.message).to_not eql(nil)
+      end
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'bundler/setup'
+require 'hawk'
+
+RSpec.configure do |config|
+  config.mock_with :mocha
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end

data/spec/support/shared_examples/authorization_header.rb

@@ -0,0 +1,154 @@
+shared_examples "an authorization header builder" do
+  returns_valid_authorization_header = proc do
+    it "returns valid authorization header" do
+      actual = described_class.build_authorization_header(input)
+
+      expected_output_parts.each do |expected_part|
+        matcher = Regexp === expected_part ? expected_part : Regexp.new(Regexp.escape(expected_part))
+        expect(actual).to match(matcher)
+      end
+
+      expect(actual).to eql(expected_output)
+    end
+  end
+
+  context "with full options", &returns_valid_authorization_header
+
+  context "without ext" do
+    before do
+      input.delete(:ext)
+    end
+    context '', &returns_valid_authorization_header
+  end
+
+  context "without payload" do
+    before do
+      input.delete(:payload)
+    end
+    context '', &returns_valid_authorization_header
+  end
+
+  context "without ts" do
+    before do
+      input.delete(:ts)
+    end
+    context '', &returns_valid_authorization_header
+  end
+
+  %w( method path host port ).each do |missing_option|
+    context "when missing #{missing_option} option" do
+      before do
+        input.delete(missing_option.to_sym)
+      end
+
+      it "raises MissingOptionError" do
+        expect { described_class.build_authorization_header(input) }.to raise_error(Hawk::AuthorizationHeader::MissingOptionError)
+      end
+    end
+  end
+
+  context "with invalid credentials" do
+    context "when missing id" do
+      before do
+        credentials.delete(:id)
+      end
+
+      it "raises InvalidCredentialsError" do
+        expect { described_class.build_authorization_header(input) }.to raise_error(Hawk::AuthorizationHeader::InvalidCredentialsError)
+      end
+    end
+
+    context "when missing key" do
+      before do
+        credentials.delete(:key)
+      end
+
+      it "raises InvalidCredentialsError" do
+        expect { described_class.build_authorization_header(input) }.to raise_error(Hawk::AuthorizationHeader::InvalidCredentialsError)
+      end
+    end
+
+    context "when missing algorithm" do
+      before do
+        credentials.delete(:algorithm)
+      end
+
+      it "raises InvalidCredentialsError" do
+        expect { described_class.build_authorization_header(input) }.to raise_error(Hawk::AuthorizationHeader::InvalidCredentialsError)
+      end
+    end
+
+    context "when invalid algorithm" do
+      before do
+        credentials[:algorithm] = 'foobar'
+      end
+
+      it "raises InvalidAlgorithmError" do
+        expect { described_class.build_authorization_header(input) }.to raise_error(Hawk::AuthorizationHeader::InvalidAlgorithmError)
+      end
+    end
+  end
+end
+
+shared_examples "an authorization header authenticator" do
+  context "with valid authorization header" do
+    it "returns credentials object" do
+      expect(described_class.authenticate(authorization_header, input)).to eql(credentials)
+    end
+
+    context "when hash present" do
+      let(:payload) { 'something to write about' }
+
+      it "returns credentials object" do
+        expect(described_class.authenticate(authorization_header, input)).to eql(credentials)
+      end
+    end
+
+    context "when ext present" do
+      let(:ext) { 'some random ext' }
+
+      it "returns credentials object" do
+        expect(described_class.authenticate(authorization_header, input)).to eql(credentials)
+      end
+    end
+  end
+
+  context "with invalid authorization header" do
+    context "when invalid mac" do
+      let(:expected_mac) { 'foobar' }
+
+      it "returns error object" do
+        actual = described_class.authenticate(authorization_header, input)
+        expect(actual).to be_a(Hawk::AuthenticationFailure)
+        expect(actual.key).to eql(:mac)
+        expect(actual.message).to_not eql(nil)
+      end
+    end
+
+    context "when invalid hash" do
+      let(:expected_hash) { 'foobar' }
+      let(:payload) { 'baz' }
+
+      it "returns error object" do
+        actual = described_class.authenticate(authorization_header, input)
+        expect(actual).to be_a(Hawk::AuthenticationFailure)
+        expect(actual.key).to eql(:hash)
+        expect(actual.message).to_not eql(nil)
+      end
+    end
+
+    context "when invalid ext" do
+      before do
+        client_input[:ext] = 'something else'
+      end
+
+      it "returns error object" do
+        actual = described_class.authenticate(authorization_header, input)
+        expect(actual).to be_a(Hawk::AuthenticationFailure)
+        expect(actual.key).to eql(:mac)
+        expect(actual.message).to_not eql(nil)
+      end
+    end
+  end
+end
+