RubyGems - hoodoo - Versions diffs - 2.8.0 → 2.9.0 - Mend

hoodoo 2.8.0 → 2.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/hoodoo/services/middleware/middleware.rb +3 -0
data/lib/hoodoo/version.rb +2 -2
data/spec/services/middleware/middleware_assumed_identity_spec.rb +400 -243
data/spec/transient_store/transient_store/mocks/redis_spec.rb +11 -0
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8faac53f6f7027ef0eb75a9bbf911b3206914880261b44be9cef926b6449623b
-  data.tar.gz: 2e285f61106912bb90aa10f251bcd36d284d649c8199270cb75f8232562a0472
+  metadata.gz: 18fc233fa796b76a8275e120ca461c417262e23ead78bc600171506feb851b13
+  data.tar.gz: 3c8aaa457667904c1fb073e8423241f6455f3e78b1339ab36b99f7601481fb50
 SHA512:
-  metadata.gz: 5c47a9c16545aac86f9ddb7af7017aab704a106427f6dfae2e091d081ba999861dfa35cefe7a820b82d3c62d651dc070a2d43630c8134e043d33fcd365e0f769
-  data.tar.gz: a7db2209730adaa2dd3235a4ac66c21b4194f3135ef585f75e957e484258100636532b458a88bd83188107efc9b66610cc925184d397822162e009820233797d
+  metadata.gz: ecb400413ec681232584714aa0b58efc50ec8c15eacc2814372c38fee617c99d83c7899cd807dfdda9469f91790cda63f39958f11acb37a8015564b019a9bebf
+  data.tar.gz: 8280be1231ab84f35fccf6872eea53923040229e6355afe891bd356a6b2fc7d1e608a5725ab26d3ec13e459a0b8806a9896190c921d5f0d10f9d6435a3bfe8b0

data/lib/hoodoo/services/middleware/middleware.rb CHANGED

@@ -2266,6 +2266,9 @@ module Hoodoo; module Services
             return nil
           end
+        elsif rules_value == '*'
+          identity_overrides[ rules_key ] = input_value
         elsif rules_value.is_a?( Hash )
           if rules_value.has_key?( input_value )
             identity_overrides[ rules_key ] = input_value

data/lib/hoodoo/version.rb CHANGED

@@ -12,11 +12,11 @@ module Hoodoo
   # The Hoodoo gem version. If this changes, be sure to re-run
   # <tt>bundle install</tt> or <tt>bundle update</tt>.
   #
-  VERSION = '2.8.0'
+  VERSION = '2.9.0'
   # The Hoodoo gem date. If this changes, be sure to re-run
   # <tt>bundle install</tt> or <tt>bundle update</tt>.
   #
-  DATE = '2018-08-07'
+  DATE = '2018-08-21'
 end

data/spec/services/middleware/middleware_assumed_identity_spec.rb CHANGED

@@ -152,279 +152,436 @@ describe Hoodoo::Services::Middleware do
     end
     context 'with flat rules' do
-      before :each do
-        @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
-        @test_session.scoping.authorised_identities   =
-        {
-          'account_id' => [ '20', '21', '22' ],
-          'member_id'  => [ '1', '2', '3', '4', '5', '6' ],
-          'device_id'  => [ 'A', 'B' ]
-        }
-        Hoodoo::Services::Middleware.set_test_session( @test_session )
-      end
-      it 'rejects bad account ID' do
-        result = show( { 'account_id' => 'bad' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
-      end
+      context 'and no wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
+          {
+            'account_id' => [ '20', '21', '22' ],
+            'member_id'  => [ '1', '2', '3', '4', '5', '6' ],
+            'device_id'  => [ 'A', 'B' ]
+          }
-      it 'rejects bad member ID' do
-        result = show( { 'member_id' => 'bad' }, 403 )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+        it 'rejects bad member ID' do
+          result = show( { 'member_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+        it 'rejects bad device ID' do
+          result = show( { 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+        # Belt-and-braces check that multiple bad items are still rejected,
+        # but don't have any expectations about which one gets picked out
+        # in the 'reference' field.
+        #
+        it 'rejects bad combinations' do
+          result = show( { 'account_id' => 'bad', 'member_id' => 'bad', 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'    ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+        end
+        it 'rejects bad IDs amongst good' do
+          result = show( { 'account_id' => '21', 'member_id' => 'bad', 'device_id' => 'A' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+        # Each 'show' must be in its own test so that the test session data
+        # gets reset in between; otherwise, the *same* session identity is
+        # being successively merged/updated under test, since it's a single
+        # object that's reused rather than a new loaded-in session.
+        #
+        it 'accepts one good ID (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts one good ID (2)' do
+          result = show( { 'member_id'  => '1'  }, 200 )
+        end
+        it 'accepts one good ID (3)' do
+          result = show( { 'device_id'  => 'B'  }, 200 )
+        end
+        it 'accepts many good IDs' do
+          result = show( { 'account_id' => '22', 'member_id' => '1', 'device_id' => 'B' }, 200 )
+        end
+        it 'accepts encoded names' do
+          get(
+            '/v1/rspec_assumed_identity/hello',
+            nil,
+            {
+              'CONTENT_TYPE'              => 'application/json; charset=utf-8',
+              'HTTP_X_ASSUME_IDENTITY_OF' => 'a%63%63ount_id=22'
+            }
+          )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
-      end
+          expect( last_response.status ).to eq( 200 )
+        end
-      it 'rejects bad device ID' do
-        result = show( { 'device_id' => 'bad' }, 403 )
+        it 'accepts encoded values' do
+          get(
+            '/v1/rspec_assumed_identity/hello',
+            nil,
+            {
+              'CONTENT_TYPE'              => 'application/json; charset=utf-8',
+              'HTTP_X_ASSUME_IDENTITY_OF' => 'account_id=%32%32'
+            }
+          )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
-      end
+          expect( last_response.status ).to eq( 200 )
+        end
-      # Belt-and-braces check that multiple bad items are still rejected,
-      # but don't have any expectations about which one gets picked out
-      # in the 'reference' field.
-      #
-      it 'rejects bad combinations' do
-        result = show( { 'account_id' => 'bad', 'member_id' => 'bad', 'device_id' => 'bad' }, 403 )
+        it 'rejects an unknown name' do
+          result = show( { 'another_id' => 'A155C' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'    ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-      end
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
-      it 'rejects bad IDs amongst good' do
-        result = show( { 'account_id' => '21', 'member_id' => 'bad', 'device_id' => 'A' }, 403 )
+        it 'rejects unknown names' do
+          result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
-      end
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
+        end
-      # Each 'show' must be in its own test so that the test session data
-      # gets reset in between; otherwise, the *same* session identity is
-      # being successively merged/updated under test, since it's a single
-      # object that's reused rather than a new loaded-in session.
-      #
-      it 'accepts one good ID (1)' do
-        result = show( { 'account_id' => '22' }, 200 )
-      end
-      it 'accepts one good ID (2)' do
-        result = show( { 'member_id'  => '1'  }, 200 )
-      end
-      it 'accepts one good ID (3)' do
-        result = show( { 'device_id'  => 'B'  }, 200 )
-      end
+        it 'rejects an unknown name amongst a known name' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
-      it 'accepts many good IDs' do
-        result = show( { 'account_id' => '22', 'member_id' => '1', 'device_id' => 'B' }, 200 )
-      end
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
-      it 'accepts encoded names' do
-        get(
-          '/v1/rspec_assumed_identity/hello',
-          nil,
-          {
-            'CONTENT_TYPE'              => 'application/json; charset=utf-8',
-            'HTTP_X_ASSUME_IDENTITY_OF' => 'a%63%63ount_id=22'
-          }
-        )
+        it 'rejects an unknown name amongst known names' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '1' }, 403 )
-        expect( last_response.status ).to eq( 200 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
       end
-      it 'accepts encoded values' do
-        get(
-          '/v1/rspec_assumed_identity/hello',
-          nil,
+      context 'and wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
           {
-            'CONTENT_TYPE'              => 'application/json; charset=utf-8',
-            'HTTP_X_ASSUME_IDENTITY_OF' => 'account_id=%32%32'
+            'account_id' => [ '20', '21', '22' ],
+            'member_id'  => '*',
+            'device_id'  => [ 'A', 'B' ]
           }
-        )
-        expect( last_response.status ).to eq( 200 )
-      end
-      it 'rejects an unknown name' do
-        result = show( { 'another_id' => 'A155C' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-      it 'rejects unknown names' do
-        result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
-      end
-      it 'rejects an unknown name amongst a known name' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-      it 'rejects an unknown name amongst known names' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '1' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+        it 'rejects bad device ID' do
+          result = show( { 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+        it 'rejects bad combinations' do
+          result = show( { 'account_id' => 'bad', 'member_id' => 'hit_wildcard', 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'    ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+        end
+        it 'rejects bad IDs amongst good' do
+          result = show( { 'account_id' => '21', 'member_id' => 'hit_wildcard', 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+        it 'accepts wildcard combinations' do
+          result = show( { 'account_id' => '21', 'member_id' => 'hit_wildcard', 'device_id' => 'A' }, 200 )
+        end
+        it 'accepts one good ID (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts one good ID (2)' do
+          result = show( { 'member_id'  => 'hit_wildcard'  }, 200 )
+        end
+        it 'accepts one good ID (3)' do
+          result = show( { 'device_id'  => 'B'  }, 200 )
+        end
+        it 'accepts many good IDs' do
+          result = show( { 'account_id' => '22', 'member_id' => '1', 'device_id' => 'B' }, 200 )
+        end
       end
     end
     context 'with deep rules' do
-      before :each do
-        @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
-        @test_session.scoping.authorised_identities   =
-        {
-          'account_id' =>
+      context 'and no wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
           {
-            '20' => { 'member_id' => [ '1', '2' ] },
-            '21' => { 'member_id' => [ '3', '4' ] },
-            '22' =>
+            'account_id' =>
             {
-              'member_id' =>
+              '20' => { 'member_id' => [ '1', '2' ] },
+              '21' => { 'member_id' => [ '3', '4' ] },
+              '22' =>
               {
-                '5' => { 'device_id' => [ 'A' ] },
-                '6' => { 'device_id' => [ 'B' ] }
+                'member_id' =>
+                {
+                  '5' => { 'device_id' => [ 'A' ] },
+                  '6' => { 'device_id' => [ 'B' ] }
+                }
               }
             }
           }
-        }
-        Hoodoo::Services::Middleware.set_test_session( @test_session )
-      end
-      it 'rejects bad account ID' do
-        result = show( { 'account_id' => 'bad' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
-      end
-      it 'rejects bad member ID' do
-        result = show( { 'account_id' => '20', 'member_id' => 'bad' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
-      end
-      it 'rejects bad device ID' do
-        result = show( { 'account_id' => '22', 'member_id' => '5', 'device_id' => 'bad' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
-      end
-      it 'rejects attempt to use device ID when not listed in rules' do
-        result = show( { 'account_id' => '21', 'member_id' => '4', 'device_id' => 'A' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id' )
-      end
-      it 'rejects an ID that is present but listed under a different key' do
-        result = show( { 'account_id' => '20', 'member_id' => '4' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,4' )
-      end
-      it 'rejects an ID that is present but not top-level' do
-        result = show( { 'member_id' => '1' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id' )
-      end
-      # Each 'show' must be in its own test so that the test session data
-      # gets reset in between; otherwise, the *same* session identity is
-      # being successively merged/updated under test, since it's a single
-      # object that's reused rather than a new loaded-in session.
-      #
-      it 'accepts a subset of good IDs (1)' do
-        result = show( { 'account_id' => '22' }, 200 )
-      end
-      it 'accepts a subset of good IDs (2)' do
-        result = show( { 'account_id' => '22', 'member_id' => '5' }, 200 )
-      end
-      it 'accepts many good IDs (1)' do
-        result = show( { 'account_id' => '20', 'member_id' => '2' }, 200 )
-      end
-      it 'accepts many good IDs (2)' do
-        result = show( { 'account_id' => '22', 'member_id' => '6', 'device_id' => 'B' }, 200 )
-      end
-      it 'rejects an unknown name' do
-        result = show( { 'another_id' => 'A155C' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-      it 'rejects unknown names' do
-        result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
-      end
-      it 'rejects an unknown name amongst a known name' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-      it 'rejects an unknown name amongst known names' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '6' }, 403 )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+        it 'rejects bad member ID' do
+          result = show( { 'account_id' => '20', 'member_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+        it 'rejects bad device ID' do
+          result = show( { 'account_id' => '22', 'member_id' => '5', 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+        it 'rejects attempt to use device ID when not listed in rules' do
+          result = show( { 'account_id' => '21', 'member_id' => '4', 'device_id' => 'A' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id' )
+        end
+        it 'rejects an ID that is present but listed under a different key' do
+          result = show( { 'account_id' => '20', 'member_id' => '4' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,4' )
+        end
+        it 'rejects an ID that is present but not top-level' do
+          result = show( { 'member_id' => '1' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id' )
+        end
+        it 'accepts a subset of good IDs (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts a subset of good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '5' }, 200 )
+        end
+        it 'accepts many good IDs (1)' do
+          result = show( { 'account_id' => '20', 'member_id' => '2' }, 200 )
+        end
+        it 'accepts many good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '6', 'device_id' => 'B' }, 200 )
+        end
+        it 'rejects an unknown name' do
+          result = show( { 'another_id' => 'A155C' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
+        it 'rejects unknown names' do
+          result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
+        end
+        it 'rejects an unknown name amongst a known name' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
+        it 'rejects an unknown name amongst known names' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '6' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
+      end
+      context 'and wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
+          {
+            'account_id' =>
+            {
+              '20' => { 'member_id' => [ '1', '2' ] },
+              '21' => { 'member_id' => '*' },
+              '22' =>
+              {
+                'member_id' =>
+                {
+                  '5' => { 'device_id' => [ 'A' ] },
+                  '6' => { 'device_id' => [ 'B' ] }
+                }
+              }
+            }
+          }
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+        it 'rejects bad member ID' do
+          result = show( { 'account_id' => '20', 'member_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+        it 'rejects bad device ID' do
+          result = show( { 'account_id' => '22', 'member_id' => '5', 'device_id' => 'bad' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+        it 'rejects attempt to use device ID when not listed in rules' do
+          result = show( { 'account_id' => '21', 'member_id' => '4', 'device_id' => 'A' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id' )
+        end
+        it 'rejects an ID that is present but listed under a different key' do
+          result = show( { 'account_id' => '20', 'member_id' => '4' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,4' )
+        end
+        it 'rejects an ID that is present but not top-level' do
+          result = show( { 'member_id' => '1' }, 403 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id' )
+        end
+        it 'accepts a subset of good IDs (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts a subset of good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '5' }, 200 )
+        end
+        it 'accepts many good IDs (1)' do
+          result = show( { 'account_id' => '20', 'member_id' => '2' }, 200 )
+        end
+        it 'accepts many good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '6', 'device_id' => 'B' }, 200 )
+        end
+        it 'accepts wildcard names' do
+          result = show( { 'account_id' => '21', 'member_id' => 'hit_wildcard' }, 200 )
+        end
       end
     end
     context 'with malformed rules' do

data/spec/transient_store/transient_store/mocks/redis_spec.rb CHANGED

@@ -25,6 +25,17 @@ describe Hoodoo::TransientStore::Mocks::Redis do
     end
   end
+  context 'deprecated interfaces in Redis' do
+    it 'supports Array-like "set" and "get"' do
+      mock_redis_instance = Hoodoo::TransientStore::Mocks::Redis.new
+      key                 = Hoodoo::UUID.generate()
+      value               = Hoodoo::UUID.generate()
+      mock_redis_instance[ key ] = value
+      expect( mock_redis_instance[ key ] ).to eq( value )
+    end
+  end
   context 'approximate old behaviour by' do
     it 'using the mock client in test mode if there is an empty host' do
       expect_any_instance_of( Hoodoo::TransientStore::Mocks::Redis ).to receive( :initialize ).once.and_call_original()

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hoodoo
 version: !ruby/object:Gem::Version
-  version: 2.8.0
+  version: 2.9.0
 platform: ruby
 authors:
 - Loyalty New Zealand
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-07 00:00:00.000000000 Z
+date: 2018-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack