hoodoo 2.8.0 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8faac53f6f7027ef0eb75a9bbf911b3206914880261b44be9cef926b6449623b
-  data.tar.gz: 2e285f61106912bb90aa10f251bcd36d284d649c8199270cb75f8232562a0472
+  metadata.gz: 18fc233fa796b76a8275e120ca461c417262e23ead78bc600171506feb851b13
+  data.tar.gz: 3c8aaa457667904c1fb073e8423241f6455f3e78b1339ab36b99f7601481fb50
 SHA512:
-  metadata.gz: 5c47a9c16545aac86f9ddb7af7017aab704a106427f6dfae2e091d081ba999861dfa35cefe7a820b82d3c62d651dc070a2d43630c8134e043d33fcd365e0f769
-  data.tar.gz: a7db2209730adaa2dd3235a4ac66c21b4194f3135ef585f75e957e484258100636532b458a88bd83188107efc9b66610cc925184d397822162e009820233797d
+  metadata.gz: ecb400413ec681232584714aa0b58efc50ec8c15eacc2814372c38fee617c99d83c7899cd807dfdda9469f91790cda63f39958f11acb37a8015564b019a9bebf
+  data.tar.gz: 8280be1231ab84f35fccf6872eea53923040229e6355afe891bd356a6b2fc7d1e608a5725ab26d3ec13e459a0b8806a9896190c921d5f0d10f9d6435a3bfe8b0

data/lib/hoodoo/services/middleware/middleware.rb

@@ -2266,6 +2266,9 @@ module Hoodoo; module Services
             return nil
           end
 
+        elsif rules_value == '*'
+          identity_overrides[ rules_key ] = input_value
+
         elsif rules_value.is_a?( Hash )
           if rules_value.has_key?( input_value )
             identity_overrides[ rules_key ] = input_value

data/lib/hoodoo/version.rb

@@ -12,11 +12,11 @@ module Hoodoo
   # The Hoodoo gem version. If this changes, be sure to re-run
   # <tt>bundle install</tt> or <tt>bundle update</tt>.
   #
-  VERSION = '2.8.0'
+  VERSION = '2.9.0'
 
   # The Hoodoo gem date. If this changes, be sure to re-run
   # <tt>bundle install</tt> or <tt>bundle update</tt>.
   #
-  DATE = '2018-08-07'
+  DATE = '2018-08-21'
 
 end

data/spec/services/middleware/middleware_assumed_identity_spec.rb

@@ -152,279 +152,436 @@ describe Hoodoo::Services::Middleware do
     end
 
     context 'with flat rules' do
-      before :each do
-        @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
-        @test_session.scoping.authorised_identities   =
-        {
-          'account_id' => [ '20', '21', '22' ],
-          'member_id'  => [ '1', '2', '3', '4', '5', '6' ],
-          'device_id'  => [ 'A', 'B' ]
-        }
-
-        Hoodoo::Services::Middleware.set_test_session( @test_session )
-      end
-
-      it 'rejects bad account ID' do
-        result = show( { 'account_id' => 'bad' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
-      end
+      context 'and no wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
+          {
+            'account_id' => [ '20', '21', '22' ],
+            'member_id'  => [ '1', '2', '3', '4', '5', '6' ],
+            'device_id'  => [ 'A', 'B' ]
+          }
 
-      it 'rejects bad member ID' do
-        result = show( { 'member_id' => 'bad' }, 403 )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+
+        it 'rejects bad member ID' do
+          result = show( { 'member_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+
+        it 'rejects bad device ID' do
+          result = show( { 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+
+        # Belt-and-braces check that multiple bad items are still rejected,
+        # but don't have any expectations about which one gets picked out
+        # in the 'reference' field.
+        #
+        it 'rejects bad combinations' do
+          result = show( { 'account_id' => 'bad', 'member_id' => 'bad', 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'    ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+        end
+
+        it 'rejects bad IDs amongst good' do
+          result = show( { 'account_id' => '21', 'member_id' => 'bad', 'device_id' => 'A' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+
+        # Each 'show' must be in its own test so that the test session data
+        # gets reset in between; otherwise, the *same* session identity is
+        # being successively merged/updated under test, since it's a single
+        # object that's reused rather than a new loaded-in session.
+        #
+        it 'accepts one good ID (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts one good ID (2)' do
+          result = show( { 'member_id'  => '1'  }, 200 )
+        end
+        it 'accepts one good ID (3)' do
+          result = show( { 'device_id'  => 'B'  }, 200 )
+        end
+        it 'accepts many good IDs' do
+          result = show( { 'account_id' => '22', 'member_id' => '1', 'device_id' => 'B' }, 200 )
+        end
+
+        it 'accepts encoded names' do
+          get(
+            '/v1/rspec_assumed_identity/hello',
+            nil,
+            {
+              'CONTENT_TYPE'              => 'application/json; charset=utf-8',
+              'HTTP_X_ASSUME_IDENTITY_OF' => 'a%63%63ount_id=22'
+            }
+          )
 
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
-      end
+          expect( last_response.status ).to eq( 200 )
+        end
 
-      it 'rejects bad device ID' do
-        result = show( { 'device_id' => 'bad' }, 403 )
+        it 'accepts encoded values' do
+          get(
+            '/v1/rspec_assumed_identity/hello',
+            nil,
+            {
+              'CONTENT_TYPE'              => 'application/json; charset=utf-8',
+              'HTTP_X_ASSUME_IDENTITY_OF' => 'account_id=%32%32'
+            }
+          )
 
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
-      end
+          expect( last_response.status ).to eq( 200 )
+        end
 
-      # Belt-and-braces check that multiple bad items are still rejected,
-      # but don't have any expectations about which one gets picked out
-      # in the 'reference' field.
-      #
-      it 'rejects bad combinations' do
-        result = show( { 'account_id' => 'bad', 'member_id' => 'bad', 'device_id' => 'bad' }, 403 )
+        it 'rejects an unknown name' do
+          result = show( { 'another_id' => 'A155C' }, 403 )
 
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'    ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-      end
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
 
-      it 'rejects bad IDs amongst good' do
-        result = show( { 'account_id' => '21', 'member_id' => 'bad', 'device_id' => 'A' }, 403 )
+        it 'rejects unknown names' do
+          result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
 
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
-      end
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
+        end
 
-      # Each 'show' must be in its own test so that the test session data
-      # gets reset in between; otherwise, the *same* session identity is
-      # being successively merged/updated under test, since it's a single
-      # object that's reused rather than a new loaded-in session.
-      #
-      it 'accepts one good ID (1)' do
-        result = show( { 'account_id' => '22' }, 200 )
-      end
-      it 'accepts one good ID (2)' do
-        result = show( { 'member_id'  => '1'  }, 200 )
-      end
-      it 'accepts one good ID (3)' do
-        result = show( { 'device_id'  => 'B'  }, 200 )
-      end
+        it 'rejects an unknown name amongst a known name' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
 
-      it 'accepts many good IDs' do
-        result = show( { 'account_id' => '22', 'member_id' => '1', 'device_id' => 'B' }, 200 )
-      end
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
 
-      it 'accepts encoded names' do
-        get(
-          '/v1/rspec_assumed_identity/hello',
-          nil,
-          {
-            'CONTENT_TYPE'              => 'application/json; charset=utf-8',
-            'HTTP_X_ASSUME_IDENTITY_OF' => 'a%63%63ount_id=22'
-          }
-        )
+        it 'rejects an unknown name amongst known names' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '1' }, 403 )
 
-        expect( last_response.status ).to eq( 200 )
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
       end
 
-      it 'accepts encoded values' do
-        get(
-          '/v1/rspec_assumed_identity/hello',
-          nil,
+      context 'and wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
           {
-            'CONTENT_TYPE'              => 'application/json; charset=utf-8',
-            'HTTP_X_ASSUME_IDENTITY_OF' => 'account_id=%32%32'
+            'account_id' => [ '20', '21', '22' ],
+            'member_id'  => '*',
+            'device_id'  => [ 'A', 'B' ]
           }
-        )
-
-        expect( last_response.status ).to eq( 200 )
-      end
-
-      it 'rejects an unknown name' do
-        result = show( { 'another_id' => 'A155C' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-
-      it 'rejects unknown names' do
-        result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
 
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
-      end
-
-      it 'rejects an unknown name amongst a known name' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-
-      it 'rejects an unknown name amongst known names' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '1' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+
+        it 'rejects bad device ID' do
+          result = show( { 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+
+        it 'rejects bad combinations' do
+          result = show( { 'account_id' => 'bad', 'member_id' => 'hit_wildcard', 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'    ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+        end
+
+        it 'rejects bad IDs amongst good' do
+          result = show( { 'account_id' => '21', 'member_id' => 'hit_wildcard', 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+
+        it 'accepts wildcard combinations' do
+          result = show( { 'account_id' => '21', 'member_id' => 'hit_wildcard', 'device_id' => 'A' }, 200 )
+        end
+
+        it 'accepts one good ID (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts one good ID (2)' do
+          result = show( { 'member_id'  => 'hit_wildcard'  }, 200 )
+        end
+        it 'accepts one good ID (3)' do
+          result = show( { 'device_id'  => 'B'  }, 200 )
+        end
+        it 'accepts many good IDs' do
+          result = show( { 'account_id' => '22', 'member_id' => '1', 'device_id' => 'B' }, 200 )
+        end
       end
     end
 
     context 'with deep rules' do
-      before :each do
-        @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
-        @test_session.scoping.authorised_identities   =
-        {
-          'account_id' =>
+      context 'and no wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
           {
-            '20' => { 'member_id' => [ '1', '2' ] },
-            '21' => { 'member_id' => [ '3', '4' ] },
-            '22' =>
+            'account_id' =>
             {
-              'member_id' =>
+              '20' => { 'member_id' => [ '1', '2' ] },
+              '21' => { 'member_id' => [ '3', '4' ] },
+              '22' =>
               {
-                '5' => { 'device_id' => [ 'A' ] },
-                '6' => { 'device_id' => [ 'B' ] }
+                'member_id' =>
+                {
+                  '5' => { 'device_id' => [ 'A' ] },
+                  '6' => { 'device_id' => [ 'B' ] }
+                }
               }
             }
           }
-        }
-
-        Hoodoo::Services::Middleware.set_test_session( @test_session )
-      end
-
-      it 'rejects bad account ID' do
-        result = show( { 'account_id' => 'bad' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
-      end
-
-      it 'rejects bad member ID' do
-        result = show( { 'account_id' => '20', 'member_id' => 'bad' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
-      end
-
-      it 'rejects bad device ID' do
-        result = show( { 'account_id' => '22', 'member_id' => '5', 'device_id' => 'bad' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
-      end
-
-      it 'rejects attempt to use device ID when not listed in rules' do
-        result = show( { 'account_id' => '21', 'member_id' => '4', 'device_id' => 'A' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id' )
-      end
-
-      it 'rejects an ID that is present but listed under a different key' do
-        result = show( { 'account_id' => '20', 'member_id' => '4' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,4' )
-      end
-
-      it 'rejects an ID that is present but not top-level' do
-        result = show( { 'member_id' => '1' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id' )
-      end
-
-      # Each 'show' must be in its own test so that the test session data
-      # gets reset in between; otherwise, the *same* session identity is
-      # being successively merged/updated under test, since it's a single
-      # object that's reused rather than a new loaded-in session.
-      #
-      it 'accepts a subset of good IDs (1)' do
-        result = show( { 'account_id' => '22' }, 200 )
-      end
-      it 'accepts a subset of good IDs (2)' do
-        result = show( { 'account_id' => '22', 'member_id' => '5' }, 200 )
-      end
-      it 'accepts many good IDs (1)' do
-        result = show( { 'account_id' => '20', 'member_id' => '2' }, 200 )
-      end
-      it 'accepts many good IDs (2)' do
-        result = show( { 'account_id' => '22', 'member_id' => '6', 'device_id' => 'B' }, 200 )
-      end
-
-      it 'rejects an unknown name' do
-        result = show( { 'another_id' => 'A155C' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
-
-      it 'rejects unknown names' do
-        result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
-      end
-
-      it 'rejects an unknown name amongst a known name' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
-
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
-      end
 
-      it 'rejects an unknown name amongst known names' do
-        result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '6' }, 403 )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+
+        it 'rejects bad member ID' do
+          result = show( { 'account_id' => '20', 'member_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+
+        it 'rejects bad device ID' do
+          result = show( { 'account_id' => '22', 'member_id' => '5', 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+
+        it 'rejects attempt to use device ID when not listed in rules' do
+          result = show( { 'account_id' => '21', 'member_id' => '4', 'device_id' => 'A' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id' )
+        end
+
+        it 'rejects an ID that is present but listed under a different key' do
+          result = show( { 'account_id' => '20', 'member_id' => '4' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,4' )
+        end
+
+        it 'rejects an ID that is present but not top-level' do
+          result = show( { 'member_id' => '1' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id' )
+        end
+
+        it 'accepts a subset of good IDs (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts a subset of good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '5' }, 200 )
+        end
+        it 'accepts many good IDs (1)' do
+          result = show( { 'account_id' => '20', 'member_id' => '2' }, 200 )
+        end
+        it 'accepts many good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '6', 'device_id' => 'B' }, 200 )
+        end
+
+        it 'rejects an unknown name' do
+          result = show( { 'another_id' => 'A155C' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
+
+        it 'rejects unknown names' do
+          result = show( { 'another_id' => 'A155C', 'additional_id' => 'iiv' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'additional_id\\,another_id' )
+        end
+
+        it 'rejects an unknown name amongst a known name' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
+
+        it 'rejects an unknown name amongst known names' do
+          result = show( { 'another_id' => 'A155C', 'account_id' => '22', 'member_id' => '6' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+        end
+      end
+
+      context 'and wildcards' do
+        before :each do
+          @test_session.scoping.authorised_http_headers = [ 'X-Assume-Identity-Of' ]
+          @test_session.scoping.authorised_identities   =
+          {
+            'account_id' =>
+            {
+              '20' => { 'member_id' => [ '1', '2' ] },
+              '21' => { 'member_id' => '*' },
+              '22' =>
+              {
+                'member_id' =>
+                {
+                  '5' => { 'device_id' => [ 'A' ] },
+                  '6' => { 'device_id' => [ 'B' ] }
+                }
+              }
+            }
+          }
 
-        expect( result[ 'kind' ] ).to eq( 'Errors' )
-        expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
-        expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
-        expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'another_id' )
+          Hoodoo::Services::Middleware.set_test_session( @test_session )
+        end
+
+        it 'rejects bad account ID' do
+          result = show( { 'account_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'account_id,bad' )
+        end
+
+        it 'rejects bad member ID' do
+          result = show( { 'account_id' => '20', 'member_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,bad' )
+        end
+
+        it 'rejects bad device ID' do
+          result = show( { 'account_id' => '22', 'member_id' => '5', 'device_id' => 'bad' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id,bad' )
+        end
+
+        it 'rejects attempt to use device ID when not listed in rules' do
+          result = show( { 'account_id' => '21', 'member_id' => '4', 'device_id' => 'A' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'device_id' )
+        end
+
+        it 'rejects an ID that is present but listed under a different key' do
+          result = show( { 'account_id' => '20', 'member_id' => '4' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests a prohibited identity quantity' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id,4' )
+        end
+
+        it 'rejects an ID that is present but not top-level' do
+          result = show( { 'member_id' => '1' }, 403 )
+
+          expect( result[ 'kind' ] ).to eq( 'Errors' )
+          expect( result[ 'errors' ][ 0 ][ 'code'      ] ).to eq( 'platform.forbidden' )
+          expect( result[ 'errors' ][ 0 ][ 'message'   ] ).to eq( 'X-Assume-Identity-Of header value requests prohibited identity name(s)' )
+          expect( result[ 'errors' ][ 0 ][ 'reference' ] ).to eq( 'member_id' )
+        end
+
+        it 'accepts a subset of good IDs (1)' do
+          result = show( { 'account_id' => '22' }, 200 )
+        end
+        it 'accepts a subset of good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '5' }, 200 )
+        end
+        it 'accepts many good IDs (1)' do
+          result = show( { 'account_id' => '20', 'member_id' => '2' }, 200 )
+        end
+        it 'accepts many good IDs (2)' do
+          result = show( { 'account_id' => '22', 'member_id' => '6', 'device_id' => 'B' }, 200 )
+        end
+        it 'accepts wildcard names' do
+          result = show( { 'account_id' => '21', 'member_id' => 'hit_wildcard' }, 200 )
+        end
       end
-
     end
 
     context 'with malformed rules' do

data/spec/transient_store/transient_store/mocks/redis_spec.rb

@@ -25,6 +25,17 @@ describe Hoodoo::TransientStore::Mocks::Redis do
     end
   end
 
+  context 'deprecated interfaces in Redis' do
+    it 'supports Array-like "set" and "get"' do
+      mock_redis_instance = Hoodoo::TransientStore::Mocks::Redis.new
+      key                 = Hoodoo::UUID.generate()
+      value               = Hoodoo::UUID.generate()
+
+      mock_redis_instance[ key ] = value
+      expect( mock_redis_instance[ key ] ).to eq( value )
+    end
+  end
+
   context 'approximate old behaviour by' do
     it 'using the mock client in test mode if there is an empty host' do
       expect_any_instance_of( Hoodoo::TransientStore::Mocks::Redis ).to receive( :initialize ).once.and_call_original()

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hoodoo
 version: !ruby/object:Gem::Version
-  version: 2.8.0
+  version: 2.9.0
 platform: ruby
 authors:
 - Loyalty New Zealand
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-07 00:00:00.000000000 Z
+date: 2018-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack