hoodoo 1.0.4 → 1.0.5

data/spec/services/middleware/middleware_multi_local_spec.rb

@@ -4,13 +4,17 @@
 
 require 'spec_helper'
 
+# Used for X-Assume-Identity-Of testing to avoid magic value copy-and-paste.
+#
+VALID_ASSUMED_IDENTITY_HASH ||= { 'caller_id' => 'custom_caller_id' }
+
 # This gets inter-resource called from ...BImplementation. It expects search
 # data containing an 'offset' key and string/integer value. If > 0, an error
 # is triggered quoting the offset value in the reference data; else a hook
 # method is called that we can check with RSpec.
 #
 # It contains one public action, to test public-to-public calling from ...B.
-
+#
 class RSpecTestInterResourceCallsAImplementation < Hoodoo::Services::Implementation
 
   def list( context )
@@ -33,6 +37,8 @@ class RSpecTestInterResourceCallsAImplementation < Hoodoo::Services::Implementat
         :message => 'Returning error as requested',
         :reference => { :another => 'no other ident', :field_name => 'no ident' }
       )
+    elsif context.request.ident == 'hello_return_identity' || context.request.ident == 'hello_set_good_inter_resource_identity'
+      context.response.set_resource( { 'identity' => context.session.identity.to_h } )
     else
       context.response.set_resource( { 'inner' => 'shown' } )
     end
@@ -155,8 +161,18 @@ class RSpecTestInterResourceCallsBImplementation < Hoodoo::Services::Implementat
         {}
       )
     else
-      result = context.resource( :RSpecTestInterResourceCallsAResource ).show(
-        'hello' + context.request.ident,
+      resource = context.resource( :RSpecTestInterResourceCallsAResource )
+
+      if ( context.request.ident == 'set_bad_inter_resource_identity' )
+        resource.assume_identity_of = {
+          VALID_ASSUMED_IDENTITY_HASH.keys.first => Hoodoo::UUID.generate
+        }
+      elsif ( context.request.ident == 'set_good_inter_resource_identity' )
+        resource.assume_identity_of = VALID_ASSUMED_IDENTITY_HASH
+      end
+
+      result = resource.show(
+        'hello_' + context.request.ident,
         { :_embed => :foo }
       )
     end
@@ -177,7 +193,7 @@ class RSpecTestInterResourceCallsBImplementation < Hoodoo::Services::Implementat
     # in their top-level call with permission, 'body' will contain 'id'
     # and that'll be rejected if we pass it through an inter-resource call
     # (you must use the high-level interface to do that), assuming things
-    # are working properly andthe X-Resource-UUID specification is *not*
+    # are working properly and the X-Resource-UUID specification is *not*
     # automatically inherited to inter-resource endpoints.
     #
     # This is for *top level* calls specifying UUIDs to *this resource*.
@@ -234,7 +250,7 @@ class RSpecTestInterResourceCallsBImplementation < Hoodoo::Services::Implementat
   def update( context )
     expectable_hook( context )
     result = context.resource( :RSpecTestInterResourceCallsAResource ).update(
-      'hello' + context.request.ident,
+      'hello_' + context.request.ident,
       context.request.body,
       { :_embed => 'foo' }
     )
@@ -248,7 +264,7 @@ class RSpecTestInterResourceCallsBImplementation < Hoodoo::Services::Implementat
 
     expectable_hook( context )
     result = context.resource( :RSpecTestInterResourceCallsAResource ).delete(
-      'hello' + context.request.ident,
+      'hello_' + context.request.ident,
       { :_embed => [ :foo ] }
     )
     expectable_result_hook( result )
@@ -536,8 +552,8 @@ describe Hoodoo::Services::Middleware::InterResourceLocal do
         expect(context.owning_interaction.interaction_id).to eq(@interaction_id)
         expect(context.request.body).to be_nil
         expect(context.request.embeds).to eq(['foo'])
-        expect(context.request.uri_path_components).to eq(['helloworld'])
-        expect(context.request.ident).to eq('helloworld')
+        expect(context.request.uri_path_components).to eq(['hello_world'])
+        expect(context.request.ident).to eq('hello_world')
         expect(context.request.uri_path_extension).to eq('')
         expect(context.request.list.offset).to eq(0)
         expect(context.request.list.limit).to eq(50)
@@ -865,8 +881,8 @@ describe Hoodoo::Services::Middleware::InterResourceLocal do
         expect(context.owning_interaction.interaction_id).to eq(@interaction_id)
         expect(context.request.body).to eq({'sum' => 70})
         expect(context.request.embeds).to eq(['foo'])
-        expect(context.request.uri_path_components).to eq(['helloworld'])
-        expect(context.request.ident).to eq('helloworld')
+        expect(context.request.uri_path_components).to eq(['hello_world'])
+        expect(context.request.ident).to eq('hello_world')
         expect(context.request.locale).to eq(locale || 'en-nz')
         expect(context.request.dated_at).to eq(nil)      # Not used => expect 'nil'
         expect(context.request.dated_from).to eq(nil)    # Not used => expect 'nil'
@@ -943,8 +959,8 @@ describe Hoodoo::Services::Middleware::InterResourceLocal do
         expect(context.owning_interaction.interaction_id).to eq(@interaction_id)
         expect(context.request.body).to be_nil
         expect(context.request.embeds).to eq(['foo'])
-        expect(context.request.uri_path_components).to eq(['helloworld'])
-        expect(context.request.ident).to eq('helloworld')
+        expect(context.request.uri_path_components).to eq(['hello_world'])
+        expect(context.request.ident).to eq('hello_world')
         expect(context.request.locale).to eq(locale || 'en-nz')
         expect(context.request.dated_at).to eq(nil)      # Not used => expect 'nil'
         expect(context.request.dated_from).to eq(nil)    # Not used => expect 'nil'
@@ -1049,7 +1065,7 @@ describe Hoodoo::Services::Middleware::InterResourceLocal do
     # <- B
     expect_any_instance_of(RSpecTestInterResourceCallsBImplementation).to receive(:expectable_result_hook).once.and_call_original
 
-    get '/v1/rspec_test_inter_resource_calls_b/_return_error', nil, { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+    get '/v1/rspec_test_inter_resource_calls_b/return_error', nil, { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
     expect(last_response.status).to eq(422)
     result = JSON.parse(last_response.body)
     expect( result[ 'errors' ] ).to_not be_nil
@@ -1060,6 +1076,122 @@ describe Hoodoo::Services::Middleware::InterResourceLocal do
     })
   end
 
+  context 'X-Assume-Identity-Of' do
+    context 'top-level use permitted' do
+      before :each do
+        @old_test_session = Hoodoo::Services::Middleware.test_session()
+
+        test_session          = @old_test_session.dup
+        test_session.identity = test_session.identity.dup
+        test_session.scoping  = test_session.scoping.dup
+
+        test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+        test_session.scoping.authorised_identities   = {
+          VALID_ASSUMED_IDENTITY_HASH.keys.first =>
+          [ VALID_ASSUMED_IDENTITY_HASH.values.first ]
+        }
+
+        Hoodoo::Services::Middleware.set_test_session( test_session )
+      end
+
+      after :each do
+        Hoodoo::Services::Middleware.set_test_session( @old_test_session )
+      end
+
+      context 'when in use at top level' do
+        it 'sees correct identity in the downstream resource' do
+          get(
+            '/v1/rspec_test_inter_resource_calls_b/return_identity',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_ASSUME_IDENTITY_OF' => URI.encode_www_form( VALID_ASSUMED_IDENTITY_HASH )
+            }
+          )
+
+          result = JSON.parse( last_response.body )
+          expect( result[ 'result' ][ 'identity' ] ).to eq( VALID_ASSUMED_IDENTITY_HASH )
+        end
+
+        it 'cannot set an illegal identity in the inter-resource call' do
+          get(
+            '/v1/rspec_test_inter_resource_calls_b/set_bad_inter_resource_identity',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_ASSUME_IDENTITY_OF' => URI.encode_www_form( VALID_ASSUMED_IDENTITY_HASH )
+            }
+          )
+
+          expect( last_response.status ).to eq( 403 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+        end
+      end
+
+      context 'in inter-resource call only' do
+        identity_hash = { 'caller_id' => 'custom_caller_id' }
+
+        it 'can still set identity for the downstream resource' do
+          get(
+            '/v1/rspec_test_inter_resource_calls_b/set_good_inter_resource_identity',
+            nil,
+            { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+          )
+
+          result = JSON.parse( last_response.body )
+          expect( result[ 'result' ][ 'identity' ] ).to eq( VALID_ASSUMED_IDENTITY_HASH )
+        end
+
+        it 'cannot set an illegal identity for the downstream resource' do
+          get(
+            '/v1/rspec_test_inter_resource_calls_b/set_bad_inter_resource_identity',
+            nil,
+            { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+          )
+
+          expect( last_response.status ).to eq( 403 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+        end
+      end
+    end
+
+    context 'top-level use prohibited' do
+      before :each do
+        @old_test_session = Hoodoo::Services::Middleware.test_session()
+
+        test_session          = @old_test_session.dup
+        test_session.identity = test_session.identity.dup
+        test_session.scoping  = test_session.scoping.dup
+
+        test_session.scoping.authorised_http_headers = [] # NO ALLOWED HEADERS
+        test_session.scoping.authorised_identities   = { 'caller_id' => [ 'custom_caller_id' ] }
+
+        Hoodoo::Services::Middleware.set_test_session( test_session )
+      end
+
+      after :each do
+        Hoodoo::Services::Middleware.set_test_session( @old_test_session )
+      end
+
+      # middleware_assumed_identity_spec.rb already comprehensively tests
+      # top-level calls, so just do the inter-resource check here.
+      #
+      it 'cannot override a valid identity in inter-resource calls' do
+        get(
+          '/v1/rspec_test_inter_resource_calls_b/set_good_inter_resource_identity',
+          nil,
+          { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+        )
+
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+    end
+  end
+
   it 'should get told if an action is not supported' do
     expect_any_instance_of(RSpecTestInterResourceCallsCImplementation).to_not receive(:show)
     expect_any_instance_of(RSpecTestInterResourceCallsCImplementation).to_not receive(:expectable_hook)

data/spec/services/middleware/middleware_multi_remote_spec.rb

@@ -8,9 +8,13 @@
 require 'spec_helper'
 require 'json'
 
+# Used for X-Assume-Identity-Of testing to avoid magic value copy-and-paste.
+#
+VALID_ASSUMED_IDENTITY_HASH ||= { 'caller_id' => 'custom_caller_id' }
+
 # First, a test service comprised of a couple of 'echo' variants which we use
 # to make sure they're both correctly stored in the DRb registry.
-
+#
 class TestEchoImplementation < Hoodoo::Services::Implementation
 
   public
@@ -41,8 +45,10 @@ class TestEchoImplementation < Hoodoo::Services::Implementation
           :message => 'Returning error as requested',
           :reference => { :another => 'no other ident', :field_name => 'no ident' }
         )
-      elsif context.request.uri_path_components[ 0 ] == 'return_invalid_json'
+      elsif context.request.uri_path_components[ 0 ] == 'return_invalid_data'
         context.response.body = 'Hello, world'
+      elsif context.request.ident == 'return_identity' || context.request.ident == 'set_good_inter_resource_identity'
+        context.response.body = { 'identity' => context.session.identity.to_h }
       else
         context.response.body = { 'show' => TestEchoImplementation.to_h( context ) }
       end
@@ -208,6 +214,14 @@ class TestCallImplementation < Hoodoo::Services::Implementation
         context.resource( :TestEcho, 2 )
       end
 
+      if ( context.request.ident == 'set_bad_inter_resource_identity' )
+        resource.assume_identity_of = {
+          VALID_ASSUMED_IDENTITY_HASH.keys.first => Hoodoo::UUID.generate
+        }
+      elsif ( context.request.ident == 'set_good_inter_resource_identity' )
+        resource.assume_identity_of = VALID_ASSUMED_IDENTITY_HASH
+      end
+
       result = resource.show(
         context.request.uri_path_components.join( ',' ),
         {
@@ -1067,6 +1081,135 @@ describe Hoodoo::Services::Middleware do
       expect(result['errors'][0]['code']).to eq('generic.invalid_string')
     end
 
+    it 'gets the correct type back when an inter-resource remote call returns invalid data' do
+      expect_any_instance_of( TestCallImplementation ).to receive( :expectable_result_hook ) do | instance, result |
+        expect( result ).to be_a( Hoodoo::Client::AugmentedHash )
+        expect( result.platform_errors.has_errors? ).to eq( true )
+      end
+
+      get( '/v1/test_call/return_invalid_data', nil, headers_for() )
+
+      result = JSON.parse(last_response.body)
+      expect(result['errors'][0]['code']).to eq('platform.fault')
+      expect(result['errors'][0]['message']).to eq('Could not parse body data returned from inter-resource call despite receiving HTTP status code 200')
+    end
+
+    context 'X-Assume-Identity-Of' do
+      context 'top-level use permitted' do
+        before :each do
+          @old_test_session = Hoodoo::Services::Middleware.test_session()
+
+          test_session          = @old_test_session.dup
+          test_session.identity = test_session.identity.dup
+          test_session.scoping  = test_session.scoping.dup
+
+          test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          test_session.scoping.authorised_identities   = {
+            VALID_ASSUMED_IDENTITY_HASH.keys.first =>
+            [ VALID_ASSUMED_IDENTITY_HASH.values.first ]
+          }
+
+          Hoodoo::Services::Middleware.set_test_session( test_session )
+        end
+
+        after :each do
+          Hoodoo::Services::Middleware.set_test_session( @old_test_session )
+        end
+
+        context 'when in use at top level' do
+          it 'sees correct identity in the downstream resource' do
+            get(
+              '/v1/test_call/return_identity',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_ASSUME_IDENTITY_OF' => URI.encode_www_form( VALID_ASSUMED_IDENTITY_HASH )
+              }
+            )
+
+            result = JSON.parse( last_response.body )
+            expect( result[ 'show' ][ 'identity' ] ).to eq( VALID_ASSUMED_IDENTITY_HASH )
+          end
+
+          it 'cannot set an illegal identity in the inter-resource call' do
+            get(
+              '/v1/test_call/set_bad_inter_resource_identity',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_ASSUME_IDENTITY_OF' => URI.encode_www_form( VALID_ASSUMED_IDENTITY_HASH )
+              }
+            )
+
+            expect( last_response.status ).to eq( 403 )
+            result = JSON.parse( last_response.body )
+            expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          end
+        end
+
+        context 'in inter-resource call only' do
+          identity_hash = { 'caller_id' => 'custom_caller_id' }
+
+          it 'can still set identity for the downstream resource' do
+            get(
+              '/v1/test_call/set_good_inter_resource_identity',
+              nil,
+              { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+            )
+
+            result = JSON.parse( last_response.body )
+            expect( result[ 'show' ][ 'identity' ] ).to eq( VALID_ASSUMED_IDENTITY_HASH )
+          end
+
+          it 'cannot set an illegal identity for the downstream resource' do
+            get(
+              '/v1/test_call/set_bad_inter_resource_identity',
+              nil,
+              { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+            )
+
+            expect( last_response.status ).to eq( 403 )
+            result = JSON.parse( last_response.body )
+            expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          end
+        end
+      end
+
+      context 'top-level use prohibited' do
+        before :each do
+          @old_test_session = Hoodoo::Services::Middleware.test_session()
+
+          test_session          = @old_test_session.dup
+          test_session.identity = test_session.identity.dup
+          test_session.scoping  = test_session.scoping.dup
+
+          test_session.scoping.authorised_http_headers = [] # NO ALLOWED HEADERS
+          test_session.scoping.authorised_identities   = { 'caller_id' => [ 'custom_caller_id' ] }
+
+          Hoodoo::Services::Middleware.set_test_session( test_session )
+        end
+
+        after :each do
+          Hoodoo::Services::Middleware.set_test_session( @old_test_session )
+        end
+
+        # middleware_assumed_identity_spec.rb already comprehensively tests
+        # top-level calls, so just do the inter-resource check here.
+        #
+        it 'cannot override a valid identity in inter-resource calls' do
+          get(
+            '/v1/test_call/set_good_inter_resource_identity',
+            nil,
+            { 'CONTENT_TYPE' => 'application/json; charset=utf-8' }
+          )
+
+          expect( last_response.status ).to eq( 403 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+        end
+      end
+    end
+
     def create_things( locale: nil, dated_from: nil, deja_vu: nil, resource_uuid: nil )
       post(
         '/v1/test_call.tar.gz',

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hoodoo
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Loyalty New Zealand
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-11 00:00:00.000000000 Z
+date: 2016-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: uuidtools
@@ -463,6 +463,7 @@ files:
 - spec/services/middleware/exception_reporting/exception_reporting_spec.rb
 - spec/services/middleware/exception_reporting/reporters/airbrake_reporter_spec.rb
 - spec/services/middleware/exception_reporting/reporters/raygun_reporter_spec.rb
+- spec/services/middleware/middleware_assumed_identity_spec.rb
 - spec/services/middleware/middleware_cors_spec.rb
 - spec/services/middleware/middleware_create_update_spec.rb
 - spec/services/middleware/middleware_dated_at_spec.rb
@@ -591,6 +592,7 @@ test_files:
 - spec/services/middleware/exception_reporting/exception_reporting_spec.rb
 - spec/services/middleware/exception_reporting/reporters/airbrake_reporter_spec.rb
 - spec/services/middleware/exception_reporting/reporters/raygun_reporter_spec.rb
+- spec/services/middleware/middleware_assumed_identity_spec.rb
 - spec/services/middleware/middleware_cors_spec.rb
 - spec/services/middleware/middleware_create_update_spec.rb
 - spec/services/middleware/middleware_dated_at_spec.rb