hoodoo 1.0.4 → 1.0.5

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    ZTQ3MTIxMDliMDRhYjA0ZTQyNTkxZTQ5NDFjMzBkNGZmMzA0MGU1MA==
+    YzEwZWNjMTA5OTJhODlhN2VkZGQxMDQ0NzNhOGVjZjUxMTM2ZmM1Nw==
   data.tar.gz: !binary |-
-    MzM3MTY2NzNjNjg5YWVmOGY0NTZkYTUzMDMxOGRmZDc0ODg3YmZkNA==
+    OTA1MzJjZTZlYzFhY2FiNWUxZWM3MDBiN2QwYzEwNDYyNDM2Y2ZjOA==
 SHA512:
   metadata.gz: !binary |-
-    MGFhZmZkNTQ4OTc1OGZlMDMyZGNkZWM1Mzk1OTk4NTg2M2U1NTMzZmFmZjY5
-    YjkyNWQxNGNlNTg1MGI2MTk1MDBjZGI1MTJiMzViMGU2NjgzODVlMDdlMTkx
-    ZDUxYzRmNTkxZjQ3OTc3MThkMjE0MWFkZmMxNGI3NzZiOTU5NTA=
+    ZDQ4YmVkYmQ3YWEwMWY1NGU1ZDZlYTA2NjAxNzM2NTFiYzk5NjI1NTNmZWE0
+    NGYwYjhlMmIxZmY0YTViZjk4Zjg4ODgzODRjNGQ5MDhmNjEwZjVmZDJhM2Yx
+    ODQzZjliM2NhYTE1NTQ2ZjdjNzk1YTZmNmE3NTM2MGQ2NWFhNjE=
   data.tar.gz: !binary |-
-    N2RhYzdlNDVmYjVhMWIwMjMzNWNmZTI5YzE1NTc0MWI5ZjQ4NjU3YTBjMDg0
-    MDQ1MzdiMzYxMDgyMjFiNDc2ZWMyMjUwY2NhNWE2NmNlMTU0MDE1NTY4M2Vk
-    ZDVkZjMwMzE4ZmEyMzY4NmM2Yzk0ZDA0ODQ1ZGRmOTUwNzRhZTE=
+    ODhiYjgzMTFmYTZhOGFhZGM4NDM2OWU3N2MwNjE3OGVhMTk0MGFkNGFhZTg5
+    Y2E5Mzg0YjI3OTBkNzcyNjJhZGI5MjYyN2M5YTYxOWYyYjVjMTgxMGRiM2Ix
+    MGQ4YTBiNWY4MzMzNTI3NWJkODI3ZTE0YWJmYjlkYjI3YWQ4MTg=

data/lib/hoodoo/client/headers.rb

@@ -35,6 +35,29 @@ module Hoodoo
       #
       UUID_HEADER_PROC = -> ( value ) { value }
 
+      # Used by HEADER_TO_PROPERTY; this Proc when called with some non-nil
+      # value from an HTTP header containing URL-encoded simple key/value
+      # pair data returns a decoded Hash of key/value pairs. Use URL encoding
+      # in the HTTP header value as per:
+      #
+      # http://www.w3.org/TR/html5/forms.html#url-encoded-form-data
+      #
+      # Invalid input will produce unusual results, e.g. an empty Hash or a
+      # Hash where certain keys may have empty string values.
+      #
+      KVP_PROPERTY_PROC = -> ( value ) {
+        Hash[ URI.decode_www_form( value ) ]
+      }
+
+      # Used by HEADER_TO_PROPERTY; this Proc when called with some non-nested
+      # Hash evaluates to a URL-encoded form data String as per:
+      #
+      # http://www.w3.org/TR/html5/forms.html#url-encoded-form-data
+      #
+      KVP_HEADER_PROC = -> ( value ) {
+        URI.encode_www_form( value )
+      }
+
       # Used by HEADER_TO_PROPERTY; this Proc when called with some non-nil
       # value from an HTTP header representing a Date/Time in a supported
       # format, evaluates to either a parsed DateTime instance or +nil+ if the
@@ -152,6 +175,16 @@ module Hoodoo
           :secured       => true,
         },
 
+        'HTTP_X_ASSUME_IDENTITY_OF' => {
+          :property      => :assume_identity_of,
+          :property_proc => KVP_PROPERTY_PROC,
+          :header        => 'X-Assume-Identity-Of',
+          :header_proc   => KVP_HEADER_PROC,
+
+          :secured       => true,
+          :auto_transfer => true,
+        },
+
         'HTTP_X_DATED_AT' => {
           :property      => :dated_at,
           :property_proc => DATETIME_IN_PAST_ONLY_PROPERTY_PROC,

data/lib/hoodoo/services/middleware/middleware.rb

@@ -758,6 +758,10 @@ module Hoodoo; module Services
 
       return add_local_errors.call() if local_response.halt_processing?
 
+      deal_with_x_assume_identity_of( local_interaction )
+
+      return add_local_errors.call() if local_response.halt_processing?
+
       # Construct the local request details.
 
       local_request.uri_path_components = upc
@@ -1186,7 +1190,7 @@ module Hoodoo; module Services
       end
 
       if secure == false || level == :error
-        body = ''
+        body = String.new
         rack_data[ 2 ].each { | thing | body << thing.to_s }
 
         if interaction.context.response.halt_processing?
@@ -1547,10 +1551,13 @@ module Hoodoo; module Services
 
       # Load the session and then, in the context of a loaded session, process
       # any remaining extension ("X-...") HTTP headers, checking up on secured
-      # headers in passing.
+      # headers in passing. There's special handling for X-Assume-Identity-Of,
+      # which may update the session data loaded into 'interaction' with new
+      # identity information.
 
       load_session_into( interaction )
       deal_with_x_headers( interaction )
+      deal_with_x_assume_identity_of( interaction )
 
       return nil
     end
@@ -1934,6 +1941,167 @@ module Hoodoo; module Services
       end
     end
 
+    # The X-Assume-Identity-Of secured HTTP header allows a caller to specify
+    # values for parts of their session's "identity" section, based upon
+    # permitted values described in their session's "scoping" section. This
+    # method assumes that the permission to use the header in the first place
+    # has already been established by #deal_with_x_headers and, as a result,
+    # relevant property information has been written into the request object.
+    #
+    # The header's value is parsed and checked against the session scoping
+    # data. If everything looks good, the loaded session's identity is
+    # updated accordingly. If there are any problems, one or more errors will
+    # be added to the interaction's context's response object.
+    #
+    # +interaction+:: Hoodoo::Services::Middleware::Interaction instance
+    #                 describing the current interaction. Updated on exit.
+    #
+    def deal_with_x_assume_identity_of( interaction )
+
+      # Header not in use? Exit now.
+      #
+      return if interaction.context.request.assume_identity_of.nil?
+
+      input_hash = interaction.context.request.assume_identity_of
+      rules_hash = interaction.context.session.scoping.authorised_identities rescue {}
+
+      if ( input_hash.empty? )
+        interaction.context.response.errors.add_error(
+          'generic.malformed',
+          {
+            :message   => "X-Assume-Identity-Of header value is malformed",
+            :reference => { :header_value => ( interaction.context.request.assume_identity_of rescue 'unknown' ) }
+          }
+        )
+      end
+
+      return if interaction.context.response.halt_processing?
+
+      identity_overrides = validate_x_assume_identity_of( interaction, input_hash, rules_hash )
+
+      return if interaction.context.response.halt_processing?
+
+      identity_overrides.each do | key, value |
+        interaction.context.session.identity.send( "#{ key }=", value )
+      end
+    end
+
+    # Back-end to #deal_with_x_assume_identity_of which recursively processes
+    # a rule set against a value from the X-Assume-Identity-Of HTTP header and
+    # either updates the interaction's context's response object with error
+    # details if anything is wrong, or returns a flat Hash of keys and values
+    # to (over-)write in the session's identity section.
+    #
+    # +interaction+:: Hoodoo::Services::Middleware::Interaction instance
+    #                 describing the current interaction. Will be updated on
+    #                 exit if errors occur.
+    #
+    # +input_hash+::  Header value for X-Assume-Identity-Of processed into a
+    #                 flat Hash of String keys and String values.
+    #
+    # +rules_hash+::  Rules Hash from the session scoping data - usually its
+    #                 "authorised_identities" key - or a sub-hash from nested
+    #                 data during recursive calls.
+    #
+    # +recursive+::   Top-level callers MUST omit this parameter. Internal
+    #                 recursive callers MUST set this to +true+.
+    #
+    def validate_x_assume_identity_of( interaction, input_hash, rules_hash, recursive = false )
+      identity_overrides = {}
+
+      unless rules_hash.is_a?( Hash )
+        interaction.context.response.errors.add_error(
+          'generic.malformed',
+          :message => "X-Assume-Identity-Of header cannot be processed because of malformed scoping rules in Session's associated Caller",
+        )
+
+        return nil
+      end
+
+      rules_hash.each do | rules_key, rules_value |
+
+        next unless input_hash.has_key?( rules_key )
+        input_value = input_hash[ rules_key ]
+
+        unless input_value.is_a?( String )
+          raise "Internal error - internal validation input value for X-Assume-Identity-Of is not a String"
+        end
+
+        if rules_value.is_a?( Array )
+          if rules_value.include?( input_value )
+            identity_overrides[ rules_key ] = input_value
+          else
+            interaction.context.response.errors.add_error(
+              'platform.forbidden',
+              {
+                :message   => "X-Assume-Identity-Of header value requests a prohibited identity quantity",
+                :reference =>
+                {
+                  :name  => rules_key,
+                  :value => input_value
+                }
+              }
+            )
+            return nil
+          end
+
+        elsif rules_value.is_a?( Hash )
+          if rules_value.has_key?( input_value )
+            identity_overrides[ rules_key ] = input_value
+
+            nested_identity_overrides = validate_x_assume_identity_of(
+              interaction,
+              input_hash,
+              rules_value[ input_value ],
+              true
+            )
+
+            return if nested_identity_overrides.nil?
+            identity_overrides.merge!( nested_identity_overrides )
+
+          else
+            interaction.context.response.errors.add_error(
+              'platform.forbidden',
+              {
+                :message   => "X-Assume-Identity-Of header value requests a prohibited identity quantity",
+                :reference =>
+                {
+                  :name  => rules_key,
+                  :value => input_value
+                }
+              }
+            )
+            return nil
+
+          end
+
+        else
+          interaction.context.response.errors.add_error(
+            'generic.malformed',
+            :message => "X-Assume-Identity-Of header cannot be processed because of malformed scoping rules in Session's associated Caller",
+          )
+          return nil
+
+        end
+      end
+
+      unless recursive || ( input_hash.keys - identity_overrides.keys ).empty?
+        interaction.context.response.errors.add_error(
+          'platform.forbidden',
+          {
+            :message   => "X-Assume-Identity-Of header value requests prohibited identity name(s)",
+            :reference =>
+            {
+              :names => ( input_hash.keys - identity_overrides.keys ).sort().join( ',' )
+            }
+          }
+        )
+        return nil
+      end
+
+      return identity_overrides
+    end
+
     # Preprocessing stage that sets up common headers required in any response.
     # May vary according to inbound content type requested. If processing was
     # aborted early (e.g. missing inbound Content-Type) we may fall to defaults.
@@ -1941,7 +2109,8 @@ module Hoodoo; module Services
     # (At the time of writing, platform documentations say we're JSON only - but
     # there's an strong chance of e.g. XML representation being demanded later).
     #
-    # +response+:: Hoodoo::Services::Response instance to update.
+    # +interaction+:: Hoodoo::Services::Middleware::Interaction instance
+    #                 describing the current interaction. Updated on exit.
     #
     def set_common_response_headers( interaction )
       interaction.context.response.add_header( 'X-Interaction-ID', interaction.interaction_id )

data/lib/hoodoo/version.rb

@@ -12,6 +12,6 @@ module Hoodoo
   # The Hoodoo gem version. If this changes, ensure that the date in
   # "hoodoo.gemspec" is correct and run "bundle install" (or "update").
   #
-  VERSION = '1.0.4'
+  VERSION = '1.0.5'
 
 end

data/spec/client/client_spec.rb

@@ -146,20 +146,22 @@ class RSpecClientTestTargetImplementation < Hoodoo::Services::Implementation
       # if adding things.
 
       {
-        'id'            => context.request.ident                 ||
-                           context.request.body.try( :[], 'id' ) ||
-                           Hoodoo::UUID.generate(),
-
-        'created_at'    => Time.now.utc.iso8601,
-        'kind'          => 'RSpecClientTestTarget',
-        'language'      => context.request.locale,
-
-        'embeds'        => context.request.embeds,
-        'body_hash'     => context.request.body,
-        'dated_at'      => context.request.dated_at.nil?   ? nil : Hoodoo::Utilities.nanosecond_iso8601( context.request.dated_at   ),
-        'dated_from'    => context.request.dated_from.nil? ? nil : Hoodoo::Utilities.nanosecond_iso8601( context.request.dated_from ),
-        'resource_uuid' => context.request.resource_uuid,
-        'deja_vu'       => context.request.deja_vu,
+        'id'                 => context.request.ident                 ||
+                                context.request.body.try( :[], 'id' ) ||
+                                Hoodoo::UUID.generate(),
+
+        'created_at'         => Time.now.utc.iso8601,
+        'kind'               => 'RSpecClientTestTarget',
+        'language'           => context.request.locale,
+
+        'embeds'             => context.request.embeds,
+        'body_hash'          => context.request.body,
+        'dated_at'           => context.request.dated_at.nil?   ? nil : Hoodoo::Utilities.nanosecond_iso8601( context.request.dated_at   ),
+        'dated_from'         => context.request.dated_from.nil? ? nil : Hoodoo::Utilities.nanosecond_iso8601( context.request.dated_from ),
+        'resource_uuid'      => context.request.resource_uuid,
+        'deja_vu'            => context.request.deja_vu,
+        'assume_identity_of' => context.request.assume_identity_of,
+        'actual_identity'    => ( context.session.identity.to_h rescue nil ),
       }
     end
 end
@@ -213,6 +215,8 @@ describe Hoodoo::Client do
     @old_test_session = Hoodoo::Services::Middleware.test_session()
     @port = spec_helper_start_svc_app_in_thread_for( RSpecClientTestService )
     @https_port = spec_helper_start_svc_app_in_thread_for( RSpecClientTestService, true )
+    @authorised_identities = { 'member_id' => [ '23', '24' ] }
+    @example_authorised_identity = { 'member_id' => '23' }
   end
 
   after :all do
@@ -249,15 +253,17 @@ describe Hoodoo::Client do
     # "def option_based_expectations" later in this file. Be careful
     # to follow the naming convention evident below if adding things.
 
-    @expected_dated_at      = @dated_at.nil?   ? nil : Hoodoo::Utilities.nanosecond_iso8601( @dated_at   )
-    @expected_dated_from    = @dated_from.nil? ? nil : Hoodoo::Utilities.nanosecond_iso8601( @dated_from )
-    @expected_resource_uuid = @resource_uuid
-    @expected_deja_vu       = @deja_vu != true ? nil : true
+    @expected_dated_at           = @dated_at.nil?   ? nil : Hoodoo::Utilities.nanosecond_iso8601( @dated_at   )
+    @expected_dated_from         = @dated_from.nil? ? nil : Hoodoo::Utilities.nanosecond_iso8601( @dated_from )
+    @expected_resource_uuid      = @resource_uuid
+    @expected_assume_identity_of = @assume_identity_of
+    @expected_deja_vu            = @deja_vu != true ? nil : true
 
-    endpoint_opts[ :dated_at      ] = @dated_at      unless @dated_at.nil?
-    endpoint_opts[ :dated_from    ] = @dated_from    unless @dated_from.nil?
-    endpoint_opts[ :resource_uuid ] = @resource_uuid unless @resource_uuid.nil?
-    endpoint_opts[ :deja_vu       ] = @deja_vu       if     @deja_vu == true
+    endpoint_opts[ :dated_at           ] = @dated_at           unless @dated_at.nil?
+    endpoint_opts[ :dated_from         ] = @dated_from         unless @dated_from.nil?
+    endpoint_opts[ :resource_uuid      ] = @resource_uuid      unless @resource_uuid.nil?
+    endpoint_opts[ :assume_identity_of ] = @assume_identity_of unless @assume_identity_of.nil?
+    endpoint_opts[ :deja_vu            ] = @deja_vu            if     @deja_vu == true
 
     if rand( 2 ) == 0
       override_locale          = SecureRandom.urlsafe_base64( 2 )
@@ -508,6 +514,8 @@ describe Hoodoo::Client do
           case property
             when :resource_uuid
               @resource_uuid = Hoodoo::UUID.generate
+            when :assume_identity_of
+              @assume_identity_of = @example_authorised_identity
             else
               raise "Update client_spec.rb with new secured properties for test"
           end
@@ -725,8 +733,10 @@ describe Hoodoo::Client do
     context 'and with secured option' do
       before :each do
         test_session = @old_test_session.dup
+        test_session.identity = OpenStruct.new
         test_session.scoping = @old_test_session.scoping.dup
         test_session.scoping.authorised_http_headers = []
+        test_session.scoping.authorised_identities = @authorised_identities
 
         Hoodoo::Client::Headers::HEADER_TO_PROPERTY.each do | rack_header, description |
           next unless description[ :secured ] == true
@@ -750,6 +760,8 @@ describe Hoodoo::Client do
           case property
             when :resource_uuid
               @resource_uuid = Hoodoo::UUID.generate
+            when :assume_identity_of
+              @assume_identity_of = @example_authorised_identity
             else
               raise "Update client_spec.rb with new secured properties for test"
           end
@@ -763,6 +775,8 @@ describe Hoodoo::Client do
           result     = @endpoint.show( mock_ident )
 
           expect( result.platform_errors.has_errors? ).to eq( false )
+
+          option_based_expectations( result )
         end
       end
 
@@ -781,6 +795,36 @@ describe Hoodoo::Client do
         expect( result.platform_errors.has_errors? ).to eq( false )
         expect( result[ 'id' ] ).to eq( @resource_uuid )
       end
+
+      context "'assume_identity_of' in use" do
+        it 'but invalid' do
+          @assume_identity_of = { 'invalid' => 'Hoodoo::UUID.generate' }
+
+          set_vars_for(
+            base_uri:     "http://localhost:#{ @port }",
+            auto_session: false
+          )
+
+          result = @endpoint.create( { 'hello' => 'world' } )
+
+          expect( result.platform_errors.has_errors? ).to eq( true )
+          expect( result.platform_errors.errors[ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        end
+
+        it 'and valid' do
+          @assume_identity_of = @example_authorised_identity
+
+          set_vars_for(
+            base_uri:     "http://localhost:#{ @port }",
+            auto_session: false
+          )
+
+          result = @endpoint.create( { 'hello' => 'world' } )
+
+          expect( result.platform_errors.has_errors? ).to eq( false )
+          expect( result[ 'actual_identity' ] ).to eq( @example_authorised_identity )
+        end
+      end
     end
   end
 

data/spec/client/headers_spec.rb

@@ -23,6 +23,35 @@ describe Hoodoo::Client::Headers do
     end
   end
 
+  context 'for URL encoded data' do
+    before :each do
+      @test_hash =
+      {
+        'foo' => "hello, world; this & that = foo! \r\t",
+        'bar' => "foo;bar=baz & this + UTF-8 / emoji 😀"
+      }
+
+      @test_string = URI::encode_www_form( @test_hash )
+    end
+
+    context 'KVP_PROPERTY_PROC' do
+      it 'converts valid values' do
+        expect( described_class::KVP_PROPERTY_PROC.call( @test_string ) ).to eq( @test_hash )
+      end
+
+      it 'does not raise exceptions for invalid values' do
+        expect( described_class::KVP_PROPERTY_PROC.call( ''      ) ).to eq( {} )
+        expect( described_class::KVP_PROPERTY_PROC.call( 'hello' ) ).to eq( { 'hello' => '' } )
+      end
+    end
+
+    context 'KVP_HEADER_PROC' do
+      it 'converts values' do
+        expect( described_class::KVP_HEADER_PROC.call( @test_hash ) ).to eq( @test_string )
+      end
+    end
+  end
+
   context 'DATETIME_IN_PAST_ONLY_PROPERTY_PROC' do
     it 'converts valid values' do
       date_time = DateTime.now - 10.seconds