machina-auth 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d5387129c66f965ee5575eec314c27e3142884f5645e528e75c069d89989be1
-  data.tar.gz: b9b4f8301d4e6050199331d0bb2a7afe884ab889828618ef2ac6c16dcc6fb537
+  metadata.gz: 72016a1f127a752307bd3351a7179bd514a07f01257141b5976c24512f9a58ab
+  data.tar.gz: 49e3d3a871defaf71cc93405268d6935afdbe97131b5f565fcf74fa7d336c8fa
 SHA512:
-  metadata.gz: 67f43248481837cc6d930b8afd5649c802df1c3643bd79229ee607449a9f914e3d4c3b0f14dafde06f0128436f1379911552746920ef5b5503b0dd03800268cb
-  data.tar.gz: bd763c044617cf3b33381bc548b53e4301265d9533264b74f38fc7b51d1355cd1935b6a969842c8ff95c6516352f8f777a1447bd055594c42f1593390a197bda
+  metadata.gz: 1b1ca73243c466e604fd6922c9f60ea716d264e7dac913093fdbcaca1fa4e18b5aea6318eae5d5f04fc5809644680c6b39147339f2fa95358da4e74238efee88
+  data.tar.gz: 78582e31a57898eacd0a5abfb4c4bb812eb6683420549590a88ffbe8ffa0ded22e091cdf093f76ef3db75675719d81b4dc7de05482a7babc5d364f03e56d4b2f

data/lib/machina/configuration.rb

@@ -10,10 +10,12 @@ module Machina
                   :product_slug,
                   :cache_store,
                   :cache_ttl,
-                  :manifest
+                  :manifest,
+                  :skip_paths
 
     def initialize
       @cache_ttl = 5.minutes
+      @skip_paths = []
     end
   end
 end

data/lib/machina/middleware/authentication.rb

@@ -11,6 +11,9 @@ module Machina
 
       def call(env)
         request = ActionDispatch::Request.new(env)
+
+        return @app.call(env) if skip_path?(request)
+
         token = extract_token(request)
 
         return @app.call(env) if token.blank?
@@ -30,6 +33,25 @@ module Machina
 
       private
 
+      # Checks whether the request matches any configured skip path.
+      #
+      # Strings match as path prefixes. Regexes match against both the
+      # request path and the full URL, allowing pattern-based exclusions
+      # on host, path, or any combination.
+      def skip_path?(request)
+        return false if Machina.config.skip_paths.blank?
+
+        path = request.path
+        url  = request.url
+
+        Machina.config.skip_paths.any? do |pattern|
+          case pattern
+          when Regexp then pattern.match?(path) || pattern.match?(url)
+          when String then path.start_with?(pattern)
+          end
+        end
+      end
+
       def extract_token(request)
         request.cookies['machina_session'] ||
           extract_bearer(request) ||

data/lib/machina/permission_sync.rb

@@ -3,25 +3,54 @@
 module Machina
   # Reads the local permission manifest (machina.yml) and synchronises it
   # with the Machina Console so the Console knows which permissions exist.
+  #
+  # Supports flat manifests, environment-scoped manifests, and ERB
+  # interpolation.
   class PermissionSync
     def self.call!
       new.call!
     end
 
     def call!
-      manifest = YAML.load_file(Machina.config.manifest)
+      manifest = load_manifest
 
-      product_id = manifest['product_id'] || Machina.config.product_id
+      product_id = manifest[:product_id] || Machina.config.product_id
       if product_id.blank?
-        raise Machina::ConfigurationError,
-              'product_id is required for permission sync (set in machina.yml or Machina.config)'
+        raise Machina::ConfigurationError, 'product_id is required for permission sync (set in machina.yml or Machina.config)'
       end
 
       Machina.identity_client.sync_permissions(
         product_id:,
-        permissions: manifest.fetch('permissions'),
-        policies: manifest.fetch('policies', []),
+        permissions: manifest.fetch(:permissions),
+        policies: manifest.fetch(:policies, []),
       )
     end
+
+    private
+
+    # Loads the manifest YAML with ERB support and optional environment scoping.
+    #
+    # Tries +Rails.application.config_for+ first, which handles ERB evaluation
+    # and environment scoping (e.g. +test:+, +production:+, +shared:+ keys).
+    # Falls back to direct ERB + YAML parsing for flat manifests that have no
+    # environment keys.
+    def load_manifest
+      path = Pathname.new(Machina.config.manifest)
+
+      result = Rails.application.config_for(path)
+      return result if result.present?
+
+      parse_flat_manifest(path)
+    end
+
+    # Parses a flat (non-environment-scoped) manifest with ERB support.
+    #
+    # @param path [Pathname] absolute path to the YAML file
+    # @return [ActiveSupport::OrderedOptions]
+    def parse_flat_manifest(path)
+      raw = ERB.new(path.read).result
+      data = YAML.safe_load(raw, permitted_classes: [Symbol]).deep_symbolize_keys
+      ActiveSupport::OrderedOptions.new.update(data)
+    end
   end
 end

data/lib/machina/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Machina
-  VERSION = '0.1.1'
+  VERSION = '0.1.2'
 end

data/spec/machina/middleware/skip_paths_spec.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Machina::Middleware::Authentication, 'skip_paths' do
+  let(:app) do
+    lambda do |_env|
+      auth = Machina::Current.authorized
+      body = JSON.generate(user_id: auth&.user_id, permissions: auth&.permissions)
+      [200, { 'Content-Type' => 'application/json' }, [body]]
+    end
+  end
+  let(:middleware) { described_class.new(app) }
+  let(:identity_client) { instance_double(Machina::IdentityClient) }
+  let(:bearer_header) { { 'HTTP_AUTHORIZATION' => 'Bearer ps_123' } }
+
+  before do
+    allow(Machina).to receive(:identity_client).and_return(identity_client)
+    allow(identity_client).to receive(:resolve_session)
+  end
+
+  # -- Happy path: skipped routes pass through without resolution -----------
+
+  context 'with a string skip path' do
+    before { Machina.config.skip_paths = ['/webhooks'] }
+
+    it 'passes through without resolving the token' do
+      env = Rack::MockRequest.env_for('/webhooks', bearer_header)
+
+      status, _headers, body = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(JSON.parse(body.first)['user_id']).to be_nil
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+
+  context 'with a regex skip path' do
+    before { Machina.config.skip_paths = [%r{\A/callbacks/}] }
+
+    it 'passes through without resolving the token' do
+      env = Rack::MockRequest.env_for('/callbacks/stripe', bearer_header)
+
+      status, = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+
+  # -- Prefix matching for strings -----------------------------------------
+
+  context 'when request path is a sub-path of a string skip path' do
+    before { Machina.config.skip_paths = ['/webhooks'] }
+
+    it 'skips nested paths' do
+      env = Rack::MockRequest.env_for('/webhooks/stripe/events', bearer_header)
+
+      status, = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+
+  # -- Non-matching routes still resolve ------------------------------------
+
+  context 'when the path does not match any skip path' do
+    before do
+      Machina.config.skip_paths = ['/webhooks']
+      allow(identity_client).to receive(:resolve_session).with('ps_123').and_return(
+        Machina::IdentityClient::Response.new(status: 200, body: MockResponses.session_resolution),
+      )
+    end
+
+    it 'resolves the token normally' do
+      env = Rack::MockRequest.env_for('/api/resources', bearer_header)
+
+      status, _headers, body = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(JSON.parse(body.first)['user_id']).to eq(MockResponses.session_resolution['data']['user']['id'])
+      expect(identity_client).to have_received(:resolve_session).once
+    end
+  end
+
+  # -- Multiple skip paths -------------------------------------------------
+
+  context 'with multiple skip paths (mixed strings and regexes)' do
+    before { Machina.config.skip_paths = ['/webhooks', %r{\A/callbacks/\w+\z}] }
+
+    it 'skips a request matching the string entry' do
+      env = Rack::MockRequest.env_for('/webhooks', bearer_header)
+      middleware.call(env)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+
+    it 'skips a request matching the regex entry' do
+      env = Rack::MockRequest.env_for('/callbacks/stripe', bearer_header)
+      middleware.call(env)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+
+    it 'does not skip a request matching neither entry' do
+      env = Rack::MockRequest.env_for('/api/resources', bearer_header)
+      middleware.call(env)
+      expect(identity_client).to have_received(:resolve_session).once
+    end
+  end
+
+  # -- Edge cases: near-miss paths -----------------------------------------
+
+  context 'when the path is a near-miss of a string skip path' do
+    before { Machina.config.skip_paths = ['/webhooks'] }
+
+    it 'does not skip /webhook (no trailing s)' do
+      env = Rack::MockRequest.env_for('/webhook', bearer_header)
+      middleware.call(env)
+      expect(identity_client).to have_received(:resolve_session).once
+    end
+
+    it 'does not skip /other-webhooks (different prefix)' do
+      env = Rack::MockRequest.env_for('/other-webhooks', bearer_header)
+      middleware.call(env)
+      expect(identity_client).to have_received(:resolve_session).once
+    end
+  end
+
+  # -- Edge case: regex against full URL ------------------------------------
+
+  context 'with a regex that matches the full request URL' do
+    before { Machina.config.skip_paths = [/stripe\.com/] }
+
+    it 'matches against the full URL when present' do
+      env = Rack::MockRequest.env_for('https://api.stripe.com/webhooks', bearer_header)
+
+      status, = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+
+  # -- Edge case: string against full URL -----------------------------------
+
+  context 'with a string skip path checked against a full URL' do
+    before { Machina.config.skip_paths = ['/webhooks'] }
+
+    it 'still matches the path portion of a full URL' do
+      env = Rack::MockRequest.env_for('https://myapp.com/webhooks/events', bearer_header)
+
+      status, = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+
+  # -- Edge case: empty skip_paths (default) --------------------------------
+
+  context 'when skip_paths is empty (default)' do
+    it 'resolves tokens on all paths' do
+      env = Rack::MockRequest.env_for('/webhooks', bearer_header)
+      middleware.call(env)
+      expect(identity_client).to have_received(:resolve_session).once
+    end
+  end
+
+  # -- Edge case: no token on a skipped path --------------------------------
+
+  context 'when a skipped path has no token' do
+    before { Machina.config.skip_paths = ['/webhooks'] }
+
+    it 'passes through without attempting resolution' do
+      env = Rack::MockRequest.env_for('/webhooks')
+
+      status, = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+
+  # -- Edge case: query string on a skipped path ----------------------------
+
+  context 'when a skipped path has query parameters' do
+    before { Machina.config.skip_paths = ['/webhooks'] }
+
+    it 'still skips (query string does not affect path matching)' do
+      env = Rack::MockRequest.env_for('/webhooks?verify=true', bearer_header)
+
+      status, = middleware.call(env)
+
+      expect(status).to eq(200)
+      expect(identity_client).not_to have_received(:resolve_session)
+    end
+  end
+end

data/spec/machina/permission_sync_spec.rb

@@ -3,21 +3,21 @@
 require_relative '../rails_helper'
 
 RSpec.describe Machina::PermissionSync do
+  let(:client) { instance_double(Machina::IdentityClient) }
+
   before do
     Machina.config.product_id = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
-  end
-
-  it 'loads manifests and forwards them to the identity client' do
-    client = instance_double(Machina::IdentityClient)
     allow(Machina).to receive(:identity_client).and_return(client)
     allow(client).to receive(:sync_permissions)
+  end
 
+  it 'loads manifests and forwards them to the identity client' do
     described_class.call!
 
     expect(client).to have_received(:sync_permissions).with(
       product_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
-      permissions: [{ 'key' => 'sessions.view', 'description' => 'View sessions' }],
-      policies: [{ 'name' => 'Viewer', 'api_name' => 'viewer', 'permissions' => ['sessions.view'] }],
+      permissions: [{ key: 'sessions.view', description: 'View sessions' }],
+      policies: [{ name: 'Viewer', api_name: 'viewer', permissions: ['sessions.view'] }],
     )
   end
 
@@ -26,4 +26,167 @@ RSpec.describe Machina::PermissionSync do
 
     expect { described_class.call! }.to raise_error(Machina::ConfigurationError, /product_id is required/)
   end
+
+  context 'with a flat (non-environment-scoped) manifest' do
+    let(:tmpfile) do
+      file = Tempfile.new(['machina', '.yml'])
+      file.write(<<~YAML)
+        product_id: flat-product-id
+
+        permissions:
+          - key: items.view
+            description: View items
+
+        policies:
+          - name: Reader
+            api_name: reader
+            permissions:
+              - items.view
+      YAML
+      file.close
+      file
+    end
+
+    before { Machina.config.manifest = tmpfile.path }
+    after { tmpfile.unlink }
+
+    it 'loads the manifest as top-level keys' do
+      described_class.call!
+
+      expect(client).to have_received(:sync_permissions).with(
+        product_id: 'flat-product-id',
+        permissions: [{ key: 'items.view', description: 'View items' }],
+        policies: [{ name: 'Reader', api_name: 'reader', permissions: ['items.view'] }],
+      )
+    end
+  end
+
+  context 'with an environment-scoped manifest' do
+    let(:tmpfile) do
+      file = Tempfile.new(['machina', '.yml'])
+      file.write(<<~YAML)
+        test:
+          product_id: test-product-id
+          permissions:
+            - key: reports.view
+              description: View reports
+          policies: []
+
+        production:
+          product_id: prod-product-id
+          permissions:
+            - key: reports.view
+              description: View reports
+            - key: reports.edit
+              description: Edit reports
+          policies: []
+      YAML
+      file.close
+      file
+    end
+
+    before do
+      Machina.config.manifest = tmpfile.path
+      Machina.config.product_id = nil
+    end
+
+    after { tmpfile.unlink }
+
+    it 'loads the manifest scoped to the current Rails environment' do
+      described_class.call!
+
+      expect(client).to have_received(:sync_permissions).with(
+        product_id: 'test-product-id',
+        permissions: [{ key: 'reports.view', description: 'View reports' }],
+        policies: [],
+      )
+    end
+  end
+
+  context 'with an ERB manifest' do
+    let(:tmpfile) do
+      file = Tempfile.new(['machina', '.yml'])
+      file.write(<<~'YAML')
+        product_id: <%= "erb-product-id" %>
+
+        permissions:
+          - key: tasks.view
+            description: View tasks
+
+        policies: []
+      YAML
+      file.close
+      file
+    end
+
+    before do
+      Machina.config.manifest = tmpfile.path
+      Machina.config.product_id = nil
+    end
+
+    after { tmpfile.unlink }
+
+    it 'evaluates ERB before parsing YAML' do
+      described_class.call!
+
+      expect(client).to have_received(:sync_permissions).with(
+        product_id: 'erb-product-id',
+        permissions: [{ key: 'tasks.view', description: 'View tasks' }],
+        policies: [],
+      )
+    end
+  end
+
+  context 'when manifest product_id is absent but config product_id is set' do
+    let(:tmpfile) do
+      file = Tempfile.new(['machina', '.yml'])
+      file.write(<<~YAML)
+        permissions:
+          - key: items.view
+            description: View items
+        policies: []
+      YAML
+      file.close
+      file
+    end
+
+    before { Machina.config.manifest = tmpfile.path }
+    after { tmpfile.unlink }
+
+    it 'falls back to Machina.config.product_id' do
+      described_class.call!
+
+      expect(client).to have_received(:sync_permissions).with(
+        product_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+        permissions: [{ key: 'items.view', description: 'View items' }],
+        policies: [],
+      )
+    end
+  end
+
+  context 'when policies key is omitted from manifest' do
+    let(:tmpfile) do
+      file = Tempfile.new(['machina', '.yml'])
+      file.write(<<~YAML)
+        permissions:
+          - key: items.view
+            description: View items
+      YAML
+      file.close
+      file
+    end
+
+    before { Machina.config.manifest = tmpfile.path }
+    after { tmpfile.unlink }
+
+    it 'defaults policies to an empty array' do
+      described_class.call!
+
+      expect(client).to have_received(:sync_permissions).with(
+        product_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+        permissions: [{ key: 'items.view', description: 'View items' }],
+        policies: [],
+      )
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: machina-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - ZAR
@@ -179,6 +179,7 @@ files:
 - spec/machina/controller_helpers_spec.rb
 - spec/machina/identity_client_spec.rb
 - spec/machina/middleware/authentication_spec.rb
+- spec/machina/middleware/skip_paths_spec.rb
 - spec/machina/permission_sync_spec.rb
 - spec/machina/test_helpers_spec.rb
 - spec/machina/webhook_receiver_spec.rb