lockbox_middleware 1.3.0 → 1.3.1

data/LICENSE

@@ -15,10 +15,10 @@ modification, are permitted provided that the following conditions are met:
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
+DISCLAIMED. IN NO EVENT SHALL THE DEMOCRATIC NATIONAL COMMITTEE BE LIABLE FOR ANY
 DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/lib/lockbox_middleware.rb

@@ -1,6 +1,7 @@
 require 'httparty'
 require 'lockbox_cache'
 require 'auth-hmac'
+require 'digest/md5'
 
 class LockBox
   include HTTParty
@@ -129,7 +130,8 @@ class LockBox
     headers = {}
     headers['Referer'] = "#{env['rack.url_scheme']}://#{env['SERVER_NAME']}#{env['PATH_INFO']}"
     headers['Referer'] << "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].blank?
-    {'Content-Type' => 'Content-Type', 'Content-MD5' => 'Content-MD5', 'Date' => 'HTTP_DATE', 'Method' => 'REQUEST_METHOD', 'Authorization' => 'HTTP_AUTHORIZATION'}.each_pair do |h,e|
+    headers['X-Referer-Content-MD5'] = Digest::MD5.hexdigest(Rack::Request.new(env).body.read) if env['CONTENT_TYPE']
+    {'Content-Type' => 'CONTENT_TYPE', 'Date' => 'HTTP_DATE', 'Method' => 'REQUEST_METHOD', 'Authorization' => 'HTTP_AUTHORIZATION'}.each_pair do |h,e|
       headers["X-Referer-#{h}"] = env[e] unless env[e].blank?
     end
     headers

data/spec/lib/lockbox_middleware_spec.rb

@@ -1,6 +1,8 @@
 require 'spec_helper'
 require 'rack/test'
 require 'lockbox_middleware'
+require 'digest/md5'
+require 'cgi'
 
 describe 'LockBox' do
   include Rack::Test::Methods
@@ -194,7 +196,7 @@ describe 'LockBox' do
   
   end
   
-  context "hitting API actions with HMAC auth" do
+  context "hitting API actions via GET requests with HMAC auth" do
     before :each do
       successful_response = mock("MockResponse")
       successful_response.stubs(:code).returns(200)
@@ -236,7 +238,54 @@ describe 'LockBox' do
       last_response.status.should == 401
     end
   end
-  
+
+  context "hitting API actions via POST requests with HMAC auth" do
+    before :each do
+      @content = "" # TODO: Rack::Test sucks at some stuff, like setting the request body when making a POST
+      @content_md5 = Digest::MD5.hexdigest(CGI::escape(@content))
+      
+      successful_response = mock("MockResponse")
+      successful_response.stubs(:code).returns(200)
+      successful_response.stubs(:headers).returns({'Cache-Control' => 'public, no-cache'})
+      Time.stubs(:now).returns(Time.parse("2010-05-10 16:30:00 EDT"))
+      valid_headers = {'X-Referer-Method' => 'POST', 'X-Referer-Content-Type' => 'application/x-www-form-urlencoded', 'X-Referer-Date' => [Time.now.httpdate], 'X-Referer-Authorization' => ['AuthHMAC key-id:+qPzK7cJdJbhsiCRcXa8A8LLrF8='], 'Referer' => 'http://example.org/api/some_controller/some_action', 'X-Referer-Content-MD5' => @content_md5}
+      LockBox.stubs(:get).with("/authentication/hmac", {:headers => valid_headers, :request => {:application_name => 'test'}}).returns(successful_response)
+      
+      bad_response = mock("MockResponse")
+      bad_response.stubs(:code).returns(401)
+      bad_response.stubs(:headers).returns({'Cache-Control' => 'public, no-cache'})
+      invalid_headers = {'X-Referer-Method' => 'POST', 'X-Referer-Content-Type' => 'application/x-www-form-urlencoded', 'X-Referer-Date' => [Time.now.httpdate], 'X-Referer-Authorization' => ['AuthHMAC key-id:u2Jlv0f6ZG59HQNGk+Bgq3/vHvM='], 'Referer' => 'http://example.org/api/some_controller/some_action', 'X-Referer-Content-MD5' => @content_md5}
+      LockBox.stubs(:get).with("/authentication/hmac", {:headers => invalid_headers, :request => {:application_name => 'test'}}).returns(bad_response)
+      
+      @path = "/api/some_controller/some_action"
+      
+      hmac_request = Net::HTTP::Post.new(@path, {'Date' => Time.now.httpdate})
+      hmac_request.body = @content
+      store = mock("MockStore")
+      store.stubs(:[]).with('key-id').returns("123456")
+      authhmac = AuthHMAC.new(store)
+      authhmac.sign!(hmac_request, 'key-id')
+      @hmac_headers = hmac_request.to_hash
+    end
+    
+    it "should return 200 for an HMAC request with a valid auth header" do
+      @hmac_headers.each_pair do |key,value|
+        header key, value
+      end
+      post @path, @content
+      last_response.status.should == 200
+    end
+    
+    it "should return 401 for an HMAC request with an invalid auth header" do
+      @hmac_headers['authorization'] = ['AuthHMAC key-id:u2Jlv0f6ZG59HQNGk+Bgq3/vHvM=']
+      @hmac_headers.each_pair do |key,value|
+        header key, value
+      end
+      post @path, @content
+      last_response.status.should == 401
+    end
+  end
+
   context "hitting actions without API" do
   
     it "should not try to authenticate a request that doesn't start with /api" do

data/spec/support/helper_methods.rb

@@ -26,6 +26,6 @@ module HelperMethods
    end
 
    def admin_login
-     @request.env['HTTP_AUTHORIZATION'] = 'Basic ' + Base64::encode64("admin:10ckb0X")
+     @request.env['HTTP_AUTHORIZATION'] = 'Basic ' + Base64::encode64("admin:somethingcute")
    end
 end

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 1
   - 3
-  - 0
-  version: 1.3.0
+  - 1
+  version: 1.3.1
 platform: ruby
 authors: 
 - Chris Gill
@@ -17,7 +17,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-08-05 00:00:00 -04:00
+date: 2010-08-11 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency