mandrill-rails 0.0.4 → 1.0.0

data/.travis.yml

@@ -2,10 +2,12 @@
 # see http://travis-ci.org/evendis/mandrill-rails
 language: ruby
 rvm:
-  - 1.8.7
-  - 1.9.2
+  # removing 1.8 and 1.9.2 tests because we don't really care anymore and activesupport 4 won't like them
+  #- 1.8.7
+  #- 1.9.2
+  #- jruby-18mode
   - 1.9.3
+  - 2.0.0
   # - rbx-18mode # removing for now; travis is having chronic intermittent issues building this properly at the moment
   - rbx-19mode
-  - jruby-18mode
   - jruby-19mode

data/CHANGELOG

@@ -1,3 +1,6 @@
-0.0.4
-===================================================================
+== 1.0.0
+* added support for Mandrill webhook authentication (thanks to @zshannon for the contribution)
+* stepped to 1.0.0 (applying Semantic Versioning principles; see http://semver.org/)
+
+== 0.0.4
 * removed manadrill gem as a dependency (thanks to @ssaunier for highlighting this)

data/Guardfile

@@ -1,7 +1,7 @@
 # A sample Guardfile
 # More info at https://github.com/guard/guard#readme
 
-guard 'rspec', :version => 2 do
+guard 'rspec', :version => 2, :all_on_start => false, :all_after_pass => false do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
   watch('spec/spec_helper.rb')  { "spec" }

data/README.rdoc

@@ -11,9 +11,9 @@ FYI, {Mandrill}[http://mandrill.com/] is the transactional email service by the
 
 == Requirements and Known Limitations
 
-* Tested with MRI 1.8.7, 1.9.2, 1.9.3, Rubinius (1.9 mode), JRuby (1.8 and 1.9 mode).
-* Rubinius 1.8 mode build temporarily removed since travis is having intermittent problems with this config.
-* Requires Rails >= 3.0.3 (including 3.1 and 3.2).
+* Tested with MRI 1.9.3, 2.0.0, Rubinius (1.9 mode), JRuby (1.9 mode).
+* MRI 1.8.7, 1.9.2, JRuby 1.8 mode and Rubinius 1.8 mode do work but you must force activesupport < 4.
+* Requires Rails >= 3.0.3 (including 3.1, 3.2 and 4).
 
 Food for thought (upcoming features maybe)..
 * some generators may be handy to avoid the manual coding to wire up web hooks
@@ -112,6 +112,46 @@ your handler individually.
 
 And if you don't care to handle a specific payload type - then just don't implement the associated handler.
 
+=== How can I authenticate Mandrill Webhooks?
+
+Mandrill now supports {webhook authentication}[http://help.mandrill.com/entries/23704122-Authenticating-webhook-requests] which can help prevent unauthorised posting to your webhook handlers. You can lookup and reset your API keys on the
+{Mandrill WebHook settings}[https://mandrillapp.com/settings/webhooks] page.
+
+If you do not configure your webhook API key, then the handlers will continue to work fine - they just won't be authenticated.
+
+To enable authentication, use the <tt>authenticate_with_mandrill_keys!</tt> method to set your API key. It is recommended you pull
+your API keys from environment settings, or use some other means to avoid committing the API keys in your source code.
+
+For example, to handle inbound email:
+
+    class InboxController < ApplicationController
+      include Mandrill::Rails::WebHookProcessor
+      authenticate_with_mandrill_keys! 'YOUR_MANDRILL_WEBHOOK_KEY'
+
+      def handle_inbound(event_payload)
+        # .. handler methods will only be called if authentication has succeeded.
+      end
+
+    end
+
+=== How can I authenticate multiple Mandrill Webhooks in the same controller?
+
+Sometimes you may have more than one WebHook sending requests to a single controller, for example if you have one handling 'click' events, and another sending inbound email. Mandrill assigns separate API keys to each of these.
+
+In this case, just add all the valid API keys you will allow with <tt>authenticate_with_mandrill_keys!</tt>, for example:
+
+    class InboxController < ApplicationController
+      include Mandrill::Rails::WebHookProcessor
+      authenticate_with_mandrill_keys! 'MANDRILL_CLICK_WEBHOOK_KEY', 'MANDRILL_INBOUND_WEBHOOK_KEY', 'ANOTHER_WEBHOOK_KEY'
+
+      def handle_inbound(event_payload)
+      end
+
+      def handle_click(event_payload)
+      end
+
+    end
+
 === How do I pull apart the event_payload?
 
 The <tt>event_payload</tt> object passed to our handler represents a single event and is packaged
@@ -224,6 +264,7 @@ and {MailChimp}[https://rubygems.org/search?utf8=%E2%9C%93&query=mailchimp] gems
 If you need direct API integration in addition to Mandrill::Rails features,
 you can choose to add whichever best meets your needs and use as normal.
 
+
 == Contributing to Mandrill::Rails
 
 * Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet

data/lib/mandrill-rails.rb

@@ -1,6 +1,6 @@
 require 'json'
-require 'active_support/concern'
-require 'active_support/dependencies'
+require 'openssl'
+require 'active_support/core_ext'
 
 require "mandrill-rails/version"
 require 'mandrill/web_hook'

data/lib/mandrill-rails/version.rb

@@ -3,5 +3,5 @@ module Mandrill
   end
 end
 unless defined?(Mandrill::Rails::VERSION)
-  Mandrill::Rails::VERSION = "0.0.4"
+  Mandrill::Rails::VERSION = "1.0.0"
 end

data/lib/mandrill-rails/web_hook_processor.rb

@@ -35,20 +35,60 @@ module Mandrill::Rails::WebHookProcessor
 
   included do
     skip_before_filter :verify_authenticity_token
+    before_filter :authenticate_mandrill_request!, :only => [:create]
   end
 
-  # Returns 200 and does nothing else (this is a test done by the mandrill service)
+  module ClassMethods
+    # Gets/sets the current Mandrill WebHook Authentication key(s).
+    # Returns the current WebHook key(s) as an Array if called with no parameters.
+    # If called with parameters, add the params to the WebHook key array.
+    # If called with nil as the parameters, clears the WebHook key array.
+    def authenticate_with_mandrill_keys!(*keys)
+      @mandrill_webhook_keys ||= []
+      if keys.present?
+        if keys.compact.present?
+          @mandrill_webhook_keys.concat(keys.flatten)
+        else
+          @mandrill_webhook_keys = []
+        end
+      end
+      @mandrill_webhook_keys
+    end
+
+    # Gets the current Mandrill WebHook Authentication key(s).
+    def mandrill_webhook_keys
+      authenticate_with_mandrill_keys!
+    end
+
+    # Command: directly assigns the WebHook key array to +keys+.
+    def mandrill_webhook_keys=(keys)
+      @mandrill_webhook_keys = Array(keys)
+    end
+
+  end
+
+  # Handles controller :show action (corresponds to a Mandrill "are you there?" test ping).
+  # Returns 200 and does nothing else.
   def show
     head(:ok)
   end
 
+  # Handles controller :create action (corresponds to a POST from Mandrill).
   def create
-    if processor = Mandrill::WebHook::Processor.new(params)
-      processor.callback_host = self
-      processor.run!
-    end
+    processor = Mandrill::WebHook::Processor.new(params, self)
+    processor.run!
     head(:ok)
   end
 
+  def authenticate_mandrill_request!
+    expected_signature = request.headers['HTTP_X_MANDRILL_SIGNATURE']
+    mandrill_webhook_keys = self.class.mandrill_webhook_keys
+    if Mandrill::WebHook::Processor.authentic?(expected_signature,mandrill_webhook_keys,request.original_url,request.params)
+      true
+    else
+      head(:forbidden, :text => "Mandrill signature did not match.")
+      false
+    end
+  end
 
-end
+end

data/lib/mandrill/web_hook/processor.rb

@@ -1,11 +1,19 @@
 class Mandrill::WebHook::Processor
 
-  attr_accessor :mandrill_events, :callback_host
+  attr_accessor :params, :callback_host, :mandrill_events
 
   # Command initialise the processor with +params+ Hash.
-  # +params+ is expected to contain an array of mandrill_events
-  def initialize(params={})
-    @mandrill_events = JSON.parse(params['mandrill_events'] || '[]')
+  # +params+ is expected to contain an array of mandrill_events.
+  # +callback_host+ is a handle to the controller making the request.
+  def initialize(params={},callback_host=nil)
+    @params = params
+    @callback_host = callback_host
+  end
+
+  def mandrill_events
+    @mandrill_events ||= JSON.parse(params['mandrill_events'] || '[]')
+  rescue
+    @mandrill_events = []
   end
 
   # Command: processes all +mandrill_events+
@@ -28,4 +36,29 @@ class Mandrill::WebHook::Processor
     Mandrill::WebHook::EventDecorator[raw_event_payload]
   end
 
+  class << self
+
+    # Returns true if +params+ sent to +original_url+ are authentic given +expected_signature+ and +mandrill_webhook_keys+.
+    def authentic?(expected_signature, mandrill_webhook_keys, original_url, params)
+      result = true
+      Array(mandrill_webhook_keys).each do |key|
+        signature = generate_signature(key, original_url, params)
+        result = (signature == expected_signature)
+        break if result
+      end
+      result
+    end
+
+    # Method described in docs: http://help.mandrill.com/entries/23704122-Authenticating-webhook-requests
+    def generate_signature(webhook_key, original_url, params)
+      signed_data = original_url.dup
+      params.except(:action, :controller).keys.sort.each do |key|
+        signed_data << key
+        signed_data << params[key]
+      end
+      Base64.encode64("#{OpenSSL::HMAC.digest('sha1', webhook_key, signed_data)}").strip
+    end
+
+  end
+
 end

data/spec/fixtures/webhook_examples/click_with_signature.json

@@ -0,0 +1,21 @@
+[
+  {
+    "private_key": "ntynTMaFpM_octE5R1DKAw",
+    "original_url": "http://requestb.in/q9a918q9",
+    "headers" : {
+      "X-Mandrill-Signature": "7rUa4lNJitlb178MgGOcHO6T4Bg=",
+      "Content-Type": "application/x-www-form-urlencoded",
+      "Host": "requestb.in",
+      "Connection": "close",
+      "Content-Length": 4091,
+      "User-Agent": "Mandrill-Webhook/1.0",
+      "Accept": "*/*"
+    },
+    "raw_params": {
+      "mandrill_events": "%5B%7B%22event%22%3A%22click%22%2C%22msg%22%3A%7B%22ts%22%3A1365109999%2C%22subject%22%3A%22This+an+example+webhook+message%22%2C%22email%22%3A%22example.webhook%40mandrillapp.com%22%2C%22sender%22%3A%22example.sender%40mandrillapp.com%22%2C%22tags%22%3A%5B%22webhook-example%22%5D%2C%22opens%22%3A%5B%7B%22ts%22%3A1365111111%7D%5D%2C%22clicks%22%3A%5B%7B%22ts%22%3A1365111111%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fmandrill.com%22%7D%5D%2C%22state%22%3A%22sent%22%2C%22metadata%22%3A%7B%22user_id%22%3A111%7D%2C%22_id%22%3A%22exampleaaaaaaaaaaaaaaaaaaaaaaaaa%22%2C%22_version%22%3A%22exampleaaaaaaaaaaaaaaa%22%7D%2C%22ip%22%3A%22127.0.0.1%22%2C%22location%22%3A%7B%22country_short%22%3A%22US%22%2C%22country%22%3A%22United+States%22%2C%22region%22%3A%22Oklahoma%22%2C%22city%22%3A%22Oklahoma+City%22%2C%22latitude%22%3A35.4675598145%2C%22longitude%22%3A-97.5164337158%2C%22postal_code%22%3A%2273101%22%2C%22timezone%22%3A%22-05%3A00%22%7D%2C%22user_agent%22%3A%22Mozilla%5C%2F5.0+%28Macintosh%3B+U%3B+Intel+Mac+OS+X+10.6%3B+en-US%3B+rv%3A1.9.1.8%29+Gecko%5C%2F20100317+Postbox%5C%2F1.1.3%22%2C%22user_agent_parsed%22%3A%7B%22type%22%3A%22Email+Client%22%2C%22ua_family%22%3A%22Postbox%22%2C%22ua_name%22%3A%22Postbox+1.1.3%22%2C%22ua_version%22%3A%221.1.3%22%2C%22ua_url%22%3A%22http%3A%5C%2F%5C%2Fwww.postbox-inc.com%5C%2F%22%2C%22ua_company%22%3A%22Postbox%2C+Inc.%22%2C%22ua_company_url%22%3A%22http%3A%5C%2F%5C%2Fwww.postbox-inc.com%5C%2F%22%2C%22ua_icon%22%3A%22http%3A%5C%2F%5C%2Fcdn.mandrill.com%5C%2Fimg%5C%2Femail-client-icons%5C%2Fpostbox.png%22%2C%22os_family%22%3A%22OS+X%22%2C%22os_name%22%3A%22OS+X+10.6+Snow+Leopard%22%2C%22os_url%22%3A%22http%3A%5C%2F%5C%2Fwww.apple.com%5C%2Fosx%5C%2F%22%2C%22os_company%22%3A%22Apple+Computer%2C+Inc.%22%2C%22os_company_url%22%3A%22http%3A%5C%2F%5C%2Fwww.apple.com%5C%2F%22%2C%22os_icon%22%3A%22http%3A%5C%2F%5C%2Fcdn.mandrill.com%5C%2Fimg%5C%2Femail-client-icons%5C%2Fmacosx.png%22%2C%22mobile%22%3Afalse%7D%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fmandrill.com%22%2C%22ts%22%3A1379233940%7D%2C%7B%22event%22%3A%22click%22%2C%22msg%22%3A%7B%22ts%22%3A1365109999%2C%22subject%22%3A%22This+an+example+webhook+message%22%2C%22email%22%3A%22example.webhook%40mandrillapp.com%22%2C%22sender%22%3A%22example.sender%40mandrillapp.com%22%2C%22tags%22%3A%5B%22webhook-example%22%5D%2C%22opens%22%3A%5B%7B%22ts%22%3A1365111111%7D%5D%2C%22clicks%22%3A%5B%7B%22ts%22%3A1365111111%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fmandrill.com%22%7D%5D%2C%22state%22%3A%22sent%22%2C%22metadata%22%3A%7B%22user_id%22%3A111%7D%2C%22_id%22%3A%22exampleaaaaaaaaaaaaaaaaaaaaaaaaa%22%2C%22_version%22%3A%22exampleaaaaaaaaaaaaaaa%22%7D%2C%22ip%22%3A%22127.0.0.1%22%2C%22location%22%3A%7B%22country_short%22%3A%22US%22%2C%22country%22%3A%22United+States%22%2C%22region%22%3A%22Oklahoma%22%2C%22city%22%3A%22Oklahoma+City%22%2C%22latitude%22%3A35.4675598145%2C%22longitude%22%3A-97.5164337158%2C%22postal_code%22%3A%2273101%22%2C%22timezone%22%3A%22-05%3A00%22%7D%2C%22user_agent%22%3A%22Mozilla%5C%2F5.0+%28Macintosh%3B+U%3B+Intel+Mac+OS+X+10.6%3B+en-US%3B+rv%3A1.9.1.8%29+Gecko%5C%2F20100317+Postbox%5C%2F1.1.3%22%2C%22user_agent_parsed%22%3A%7B%22type%22%3A%22Email+Client%22%2C%22ua_family%22%3A%22Postbox%22%2C%22ua_name%22%3A%22Postbox+1.1.3%22%2C%22ua_version%22%3A%221.1.3%22%2C%22ua_url%22%3A%22http%3A%5C%2F%5C%2Fwww.postbox-inc.com%5C%2F%22%2C%22ua_company%22%3A%22Postbox%2C+Inc.%22%2C%22ua_company_url%22%3A%22http%3A%5C%2F%5C%2Fwww.postbox-inc.com%5C%2F%22%2C%22ua_icon%22%3A%22http%3A%5C%2F%5C%2Fcdn.mandrill.com%5C%2Fimg%5C%2Femail-client-icons%5C%2Fpostbox.png%22%2C%22os_family%22%3A%22OS+X%22%2C%22os_name%22%3A%22OS+X+10.6+Snow+Leopard%22%2C%22os_url%22%3A%22http%3A%5C%2F%5C%2Fwww.apple.com%5C%2Fosx%5C%2F%22%2C%22os_company%22%3A%22Apple+Computer%2C+Inc.%22%2C%22os_company_url%22%3A%22http%3A%5C%2F%5C%2Fwww.apple.com%5C%2F%22%2C%22os_icon%22%3A%22http%3A%5C%2F%5C%2Fcdn.mandrill.com%5C%2Fimg%5C%2Femail-client-icons%5C%2Fmacosx.png%22%2C%22mobile%22%3Afalse%7D%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fmandrill.com%22%2C%22ts%22%3A1379233940%7D%5D"
+    },
+    "params": {
+      "mandrill_events": [{"event":"click","msg":{"ts":1365109999,"subject":"This an example webhook message","email":"example.webhook@mandrillapp.com","sender":"example.sender@mandrillapp.com","tags":["webhook-example"],"opens":[{"ts":1365111111}],"clicks":[{"ts":1365111111,"url":"http:\/\/mandrill.com"}],"state":"sent","metadata":{"user_id":111},"_id":"exampleaaaaaaaaaaaaaaaaaaaaaaaaa","_version":"exampleaaaaaaaaaaaaaaa"},"ip":"127.0.0.1","location":{"country_short":"US","country":"United States","region":"Oklahoma","city":"Oklahoma City","latitude":35.4675598145,"longitude":-97.5164337158,"postal_code":"73101","timezone":"-05:00"},"user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko\/20100317 Postbox\/1.1.3","user_agent_parsed":{"type":"Email Client","ua_family":"Postbox","ua_name":"Postbox 1.1.3","ua_version":"1.1.3","ua_url":"http:\/\/www.postbox-inc.com\/","ua_company":"Postbox, Inc.","ua_company_url":"http:\/\/www.postbox-inc.com\/","ua_icon":"http:\/\/cdn.mandrill.com\/img\/email-client-icons\/postbox.png","os_family":"OS X","os_name":"OS X 10.6 Snow Leopard","os_url":"http:\/\/www.apple.com\/osx\/","os_company":"Apple Computer, Inc.","os_company_url":"http:\/\/www.apple.com\/","os_icon":"http:\/\/cdn.mandrill.com\/img\/email-client-icons\/macosx.png","mobile":false},"url":"http:\/\/mandrill.com","ts":1379233940},{"event":"click","msg":{"ts":1365109999,"subject":"This an example webhook message","email":"example.webhook@mandrillapp.com","sender":"example.sender@mandrillapp.com","tags":["webhook-example"],"opens":[{"ts":1365111111}],"clicks":[{"ts":1365111111,"url":"http:\/\/mandrill.com"}],"state":"sent","metadata":{"user_id":111},"_id":"exampleaaaaaaaaaaaaaaaaaaaaaaaaa","_version":"exampleaaaaaaaaaaaaaaa"},"ip":"127.0.0.1","location":{"country_short":"US","country":"United States","region":"Oklahoma","city":"Oklahoma City","latitude":35.4675598145,"longitude":-97.5164337158,"postal_code":"73101","timezone":"-05:00"},"user_agent":"Mozilla\/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko\/20100317 Postbox\/1.1.3","user_agent_parsed":{"type":"Email Client","ua_family":"Postbox","ua_name":"Postbox 1.1.3","ua_version":"1.1.3","ua_url":"http:\/\/www.postbox-inc.com\/","ua_company":"Postbox, Inc.","ua_company_url":"http:\/\/www.postbox-inc.com\/","ua_icon":"http:\/\/cdn.mandrill.com\/img\/email-client-icons\/postbox.png","os_family":"OS X","os_name":"OS X 10.6 Snow Leopard","os_url":"http:\/\/www.apple.com\/osx\/","os_company":"Apple Computer, Inc.","os_company_url":"http:\/\/www.apple.com\/","os_icon":"http:\/\/cdn.mandrill.com\/img\/email-client-icons\/macosx.png","mobile":false},"url":"http:\/\/mandrill.com","ts":1379233940}]
+    }
+  }
+]

data/spec/mandrill-rails/web_hook_processor_spec.rb

@@ -1,17 +1,76 @@
 require 'spec_helper'
 
 class WebHookProcessorTestHarness
-  def self.skip_before_filter(*args) ; end
+  # Mock some controller behaviour
+  # TODO: we should probably really start using a real controller harness for testing
+  def self.skip_before_filter(*args) ; @skip_before_filter_settings = args; end
+  def self.skip_before_filter_settings ; @skip_before_filter_settings; end
+  def self.before_filter(*args) ; @before_filter_settings = args ; end
+  def self.before_filter_settings ; @before_filter_settings; end
   def head(*args) ; end
-  attr_accessor :params
+  attr_accessor :params, :request
 
   include Mandrill::Rails::WebHookProcessor
 end
 
 describe Mandrill::Rails::WebHookProcessor do
-  let(:processor_instance) { WebHookProcessorTestHarness.new }
-  let(:params) { {} }
-  before { processor_instance.params = params}
+  let(:processor_class) { WebHookProcessorTestHarness }
+  let(:processor_instance) { processor_class.new }
+  before do
+    processor_class.authenticate_with_mandrill_keys! nil
+  end
+
+  describe "##skip_before_filter settings" do
+    subject { processor_class.skip_before_filter_settings }
+    it { should eql([:verify_authenticity_token]) }
+  end
+
+  describe "##before_filter settings" do
+    subject { processor_class.before_filter_settings }
+    it { should eql([:authenticate_mandrill_request!, {:only=>[:create]}]) }
+  end
+
+  describe "##authenticate_with_mandrill_keys!" do
+    subject { processor_class.mandrill_webhook_keys }
+    it { should eql([]) }
+    context "when set with a single value" do
+      let(:key_a) { "key_a" }
+      before { processor_class.authenticate_with_mandrill_keys! key_a }
+      it { should eql([key_a]) }
+      context "then called with nil" do
+        before { processor_class.authenticate_with_mandrill_keys! nil }
+        it { should eql([]) }
+      end
+    end
+    context "when set with a list of values" do
+      let(:key_a) { "key_a" }
+      let(:key_b) { "key_b" }
+      before { processor_class.authenticate_with_mandrill_keys! key_a, key_b }
+      it { should eql([key_a,key_b]) }
+    end
+    context "when set with an explicit array of values" do
+      let(:key_a) { "key_a" }
+      let(:key_b) { "key_b" }
+      before { processor_class.authenticate_with_mandrill_keys! [key_a, key_b] }
+      it { should eql([key_a,key_b]) }
+    end
+  end
+
+  describe "#mandrill_webhook_keys" do
+    subject { processor_class.mandrill_webhook_keys }
+    it { should eql([]) }
+    context "when set with mandrill_webhook_keys=" do
+      let(:expected_value) { [1,2,3] }
+      before { processor_class.mandrill_webhook_keys = expected_value }
+      it { should eql(expected_value) }
+    end
+    context "when set with authenticate_with_mandrill_keys!" do
+      let(:expected_value) { [4,5,6] }
+      before { processor_class.authenticate_with_mandrill_keys! expected_value }
+      it { should eql(expected_value) }
+    end
+  end
+
 
   subject { processor_instance }
 
@@ -23,11 +82,58 @@ describe Mandrill::Rails::WebHookProcessor do
   end
 
   describe "#create" do
+    let(:params) { {} }
+    before do
+      processor_instance.params = params
+    end
     it "should return head(:ok)" do
-      Mandrill::WebHook::Processor.any_instance.should_receive(:run!)
       processor_instance.should_receive(:head).with(:ok)
+      Mandrill::WebHook::Processor.any_instance.should_receive(:run!)
       processor_instance.create
     end
   end
 
+  describe "#authenticate_mandrill_request! (protected)" do
+    let(:example_payload) { webhook_example_event('click_with_signature') }
+    let(:expected_signature) { example_payload['headers']['X-Mandrill-Signature'] }
+    let(:original_url) { example_payload['original_url'] }
+    let(:valid_webhook_key) { example_payload['private_key'] }
+    let(:raw_params) { example_payload['raw_params'] }
+    let(:params) { {} }
+    let(:headers) { { 'HTTP_X_MANDRILL_SIGNATURE' => expected_signature} }
+    let(:request) { double() }
+    before do
+      request.stub(:original_url).and_return(original_url)
+      request.stub(:params).and_return(raw_params)
+      request.stub(:headers).and_return(headers)
+      processor_instance.request = request
+      processor_instance.params = params
+    end
+    subject { processor_instance.send(:authenticate_mandrill_request!) }
+
+    context "when authentication not enabled" do
+      it { should be_true }
+    end
+    context "when authentication enabled" do
+      before do
+        processor_class.authenticate_with_mandrill_keys! mandrill_webhook_keys
+      end
+      context "with valid key" do
+        let(:mandrill_webhook_keys) { valid_webhook_key }
+        it { should be_true }
+      end
+      context "with mix of valid and invalid keys" do
+        let(:mandrill_webhook_keys) { ['bogative',valid_webhook_key] }
+        it { should be_true }
+      end
+      context "with invalid key" do
+        let(:mandrill_webhook_keys) { 'bogative' }
+        it "should call head(:forbidden) and return false" do
+          processor_instance.should_receive(:head).with(:forbidden, :text => "Mandrill signature did not match.")
+          subject.should be_false
+        end
+      end
+    end
+  end
+
 end

data/spec/mandrill/web_hook/processor_spec.rb

@@ -3,12 +3,13 @@ require 'spec_helper'
 describe Mandrill::WebHook::Processor do
 
   let(:params) { {} }
-  let(:processor) { Mandrill::WebHook::Processor.new(params) }
+  let(:processor_class) { Mandrill::WebHook::Processor }
+  let(:processor) { processor_class.new(params) }
 
   describe "#run!" do
     context "with inbound events" do
       before do
-        Mandrill::WebHook::Processor.stub(:handle_inbound)
+        processor_class.stub(:handle_inbound)
       end
       let(:event1) { { "event" => "inbound" } }
       let(:event2) { { "event" => "inbound" } }
@@ -18,6 +19,21 @@ describe Mandrill::WebHook::Processor do
         processor.run!
       end
     end
+    context "with callback host" do
+      let(:callback_host) do
+        host = double()
+        host.stub(:handle_inbound)
+        host
+      end
+      let(:processor) { processor_class.new(params,callback_host) }
+      let(:event1) { { "event" => "inbound" } }
+      let(:event2) { { "event" => "inbound" } }
+      let(:params) { { "mandrill_events" => [event1,event2].to_json } }
+      it "should pass event payload to the handler" do
+        callback_host.should_receive(:handle_inbound).twice
+        processor.run!
+      end
+    end
   end
 
   describe "#wrap_payload" do
@@ -26,4 +42,41 @@ describe Mandrill::WebHook::Processor do
     its(:class) { should eql(Mandrill::WebHook::EventDecorator) }
   end
 
+  describe "##authentic?" do
+    let(:example_payload) { webhook_example_event('click_with_signature') }
+    let(:expected_signature) { example_payload['headers']['X-Mandrill-Signature'] }
+    let(:original_url) { example_payload['original_url'] }
+    let(:webhook_key) { example_payload['private_key'] }
+    let(:mandrill_webhook_keys) { [webhook_key] }
+    let(:params) { example_payload['raw_params'] }
+    subject { processor_class.authentic?(expected_signature, mandrill_webhook_keys, original_url, params) }
+    context "when valid" do
+      it { should be_true }
+    end
+    context "when no keys" do
+      let(:mandrill_webhook_keys) { [] }
+      it { should be_true }
+    end
+    context "when keys don't match" do
+      let(:mandrill_webhook_keys) { ['bogative'] }
+      it { should be_false }
+    end
+    context "when signature don't match" do
+      let(:expected_signature) { 'bogative' }
+      it { should be_false }
+    end
+
+
+  end
+
+  describe "##generate_signature" do
+    let(:example_payload) { webhook_example_event('click_with_signature') }
+    let(:expected_signature) { example_payload['headers']['X-Mandrill-Signature'] }
+    let(:original_url) { example_payload['original_url'] }
+    let(:webhook_key) { example_payload['private_key'] }
+    let(:params) { example_payload['raw_params'] }
+    subject { processor_class.generate_signature(webhook_key, original_url, params) }
+    it { should eql(expected_signature) }
+  end
+
 end

data/spec/support/fixtures_helper.rb

@@ -15,7 +15,11 @@ module FixturesHelper
 
   # Returns the JSON representation of an +sample_name+ event
   def webhook_example_event(sample_name)
-    webhook_example_events(sample_name).first
+    data = webhook_example_events(sample_name).first
+    if data['raw_params'] && (mandrill_events_data = data['raw_params']['mandrill_events'])
+      data['raw_params']['mandrill_events'] = URI.decode_www_form_component(mandrill_events_data)
+    end
+    data
   end
 
   def payload_examples_path

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mandrill-rails
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 1.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-29 00:00:00.000000000 Z
+date: 2013-09-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -115,7 +115,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
-- .rspec
 - .travis.yml
 - CHANGELOG
 - Gemfile
@@ -135,6 +134,7 @@ files:
 - spec/fixtures/payload_examples/sample.pdf
 - spec/fixtures/payload_examples/sample.txt
 - spec/fixtures/webhook_examples/click.json
+- spec/fixtures/webhook_examples/click_with_signature.json
 - spec/fixtures/webhook_examples/inbound.json
 - spec/fixtures/webhook_examples/inbound_reply.json
 - spec/fixtures/webhook_examples/inbound_with_multiple_attachments.json
@@ -168,7 +168,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: Provides webhook processing and event decoration to make using Mandrill with
@@ -178,6 +178,7 @@ test_files:
 - spec/fixtures/payload_examples/sample.pdf
 - spec/fixtures/payload_examples/sample.txt
 - spec/fixtures/webhook_examples/click.json
+- spec/fixtures/webhook_examples/click_with_signature.json
 - spec/fixtures/webhook_examples/inbound.json
 - spec/fixtures/webhook_examples/inbound_reply.json
 - spec/fixtures/webhook_examples/inbound_with_multiple_attachments.json

data/.rspec

@@ -1 +0,0 @@
---color