master_api_key 1.2.0 → 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/app/controllers/master_api_key/api_keys_controller.rb +70 -21
- data/app/models/master_api_key/api_key.rb +1 -1
- data/config/master_api_key.gemversion +1 -1
- data/config/routes.rb +3 -1
- data/db/migrate/20160429185913_add_read_write_access.rb +12 -0
- data/db/seeds.rb +2 -0
- data/lib/master_api_key.rb +4 -0
- data/lib/master_api_key/api_gatekeeper.rb +24 -3
- data/spec/controllers/master_api_key/api_keys_controller_spec.rb +269 -28
- data/spec/dummy/db/schema.rb +7 -5
- data/spec/dummy/log/development.log +31 -0
- data/spec/dummy/log/test.log +32670 -0
- data/spec/master_api_key/api_gatekeeper_spec.rb +125 -21
- data/spec/support/access_shared_examples.rb +39 -0
- data/spec/support/auth_shared_examples.rb +39 -0
- metadata +9 -6
- metadata.gz.sig +0 -0
- data/spec/requests/master_api_key/master_api_key_api_keys_spec.rb +0 -98
@@ -1,5 +1,6 @@
|
|
1
1
|
require 'rails_helper'
|
2
2
|
require 'master_api_key/api_gatekeeper'
|
3
|
+
require 'support/access_shared_examples'
|
3
4
|
|
4
5
|
RSpec.describe ApplicationController, :type => :controller do
|
5
6
|
context 'with fully configured controller' do
|
@@ -11,61 +12,164 @@ RSpec.describe ApplicationController, :type => :controller do
|
|
11
12
|
head(:ok)
|
12
13
|
end
|
13
14
|
end
|
15
|
+
|
16
|
+
def show
|
17
|
+
authorize_action do
|
18
|
+
head(:ok)
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
def create
|
23
|
+
authorize_action do
|
24
|
+
head(:ok)
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
def destroy
|
29
|
+
authorize_action do
|
30
|
+
head(:ok)
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
def edit
|
35
|
+
authorize_action do
|
36
|
+
head(:ok)
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
def new
|
41
|
+
authorize_action do
|
42
|
+
head(:ok)
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
def update
|
47
|
+
authorize_action do
|
48
|
+
head(:ok)
|
49
|
+
end
|
50
|
+
end
|
14
51
|
end
|
15
52
|
|
16
53
|
before(:each) do
|
54
|
+
|
17
55
|
end
|
18
56
|
|
19
57
|
context 'Without API TOKEN' do
|
20
58
|
it "should return 401 (:unauthorized) if 'X-API-TOKEN' isn't available" do
|
21
|
-
expect(controller).to receive(:on_authentication_failure)
|
59
|
+
expect(controller).to receive(:on_authentication_failure).and_call_original
|
22
60
|
|
23
|
-
|
24
|
-
end
|
61
|
+
get :index
|
25
62
|
|
26
|
-
|
27
|
-
expect(controller).to receive(:head).with(:unauthorized)
|
28
|
-
|
29
|
-
controller.index
|
63
|
+
expect(response).to have_http_status(401)
|
30
64
|
end
|
31
65
|
end
|
32
66
|
|
33
67
|
context 'With API Token' do
|
34
68
|
before(:each) do
|
35
|
-
@api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group')
|
69
|
+
@api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group', :read_access => true)
|
36
70
|
controller.request.headers['X-API-TOKEN'] = @api_key.api_token
|
37
71
|
end
|
38
72
|
|
39
73
|
it "should return 401 (:unauthorized) if the token can't be authenticated" do
|
40
74
|
controller.request.headers['X-API-TOKEN'] = @api_key.api_token + '_missing'
|
41
75
|
|
42
|
-
expect(controller).to receive(:on_authentication_failure)
|
76
|
+
expect(controller).to receive(:on_authentication_failure).and_call_original
|
77
|
+
|
78
|
+
get :index
|
43
79
|
|
44
|
-
|
80
|
+
expect(response).to have_http_status(401)
|
45
81
|
end
|
46
82
|
|
47
83
|
it "should return 403 (:forbidden) if the api token isn't authorized to access the group" do
|
48
|
-
restricted_api_key = MasterApiKey::ApiKey.create!(:group => 'not_allowed_group')
|
84
|
+
restricted_api_key = MasterApiKey::ApiKey.create!(:group => 'not_allowed_group', :read_access => true)
|
49
85
|
controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
|
50
86
|
|
51
87
|
expect(controller).to receive(:on_forbidden_request).and_call_original
|
52
|
-
expect(controller).to receive(:head).with(:forbidden)
|
53
88
|
|
54
|
-
|
89
|
+
get :index
|
90
|
+
|
91
|
+
expect(response).to have_http_status(403)
|
55
92
|
end
|
56
93
|
|
57
94
|
it 'should return 200 if the token is authenticated and authorized to access the controller' do
|
58
|
-
|
95
|
+
get :index
|
59
96
|
|
60
|
-
|
97
|
+
expect(response).to have_http_status(200)
|
61
98
|
end
|
62
99
|
|
63
100
|
it 'should return 200 even if the group is defined with a different character case' do
|
64
|
-
upper_case_api_key = MasterApiKey::ApiKey.create!(:group => 'ALLOWED_GROUP')
|
101
|
+
upper_case_api_key = MasterApiKey::ApiKey.create!(:group => 'ALLOWED_GROUP', :read_access => true)
|
65
102
|
controller.request.headers['X-API-TOKEN'] = upper_case_api_key.api_token
|
66
|
-
expect(controller).to receive(:head).with(:ok)
|
67
103
|
|
68
|
-
|
104
|
+
get :index
|
105
|
+
|
106
|
+
expect(response).to have_http_status(200)
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
context 'with access rights' do
|
111
|
+
context 'for index' do
|
112
|
+
before(:each) do
|
113
|
+
@action = lambda { get :index }
|
114
|
+
end
|
115
|
+
|
116
|
+
include_examples :read_access_rights, :allowed_group, :ok
|
117
|
+
end
|
118
|
+
|
119
|
+
context 'for show' do
|
120
|
+
before(:each) do
|
121
|
+
@action = lambda { get :show, :id => 1 }
|
122
|
+
end
|
123
|
+
|
124
|
+
include_examples :read_access_rights, :allowed_group, :ok
|
125
|
+
end
|
126
|
+
|
127
|
+
context 'for create' do
|
128
|
+
before(:each) do
|
129
|
+
@action = lambda { post :create}
|
130
|
+
end
|
131
|
+
|
132
|
+
include_examples :write_access_rights, :allowed_group, :ok
|
133
|
+
end
|
134
|
+
|
135
|
+
context 'for destroy' do
|
136
|
+
before(:each) do
|
137
|
+
@action = lambda { delete :destroy, :id => 1 }
|
138
|
+
end
|
139
|
+
|
140
|
+
include_examples :write_access_rights, :allowed_group, :ok
|
141
|
+
end
|
142
|
+
|
143
|
+
context 'for new' do
|
144
|
+
before(:each) do
|
145
|
+
@action = lambda { get :new, :id => 1}
|
146
|
+
end
|
147
|
+
|
148
|
+
include_examples :write_access_rights, :allowed_group, :ok
|
149
|
+
end
|
150
|
+
|
151
|
+
context 'for edit' do
|
152
|
+
before(:each) do
|
153
|
+
@action = lambda { post :edit, :id => 1 }
|
154
|
+
end
|
155
|
+
|
156
|
+
include_examples :write_access_rights, :allowed_group, :ok
|
157
|
+
end
|
158
|
+
|
159
|
+
context 'for put' do
|
160
|
+
before(:each) do
|
161
|
+
@action = lambda { put :update, :id => 1 }
|
162
|
+
end
|
163
|
+
|
164
|
+
include_examples :write_access_rights, :allowed_group, :ok
|
165
|
+
end
|
166
|
+
|
167
|
+
context 'for patch' do
|
168
|
+
before(:each) do
|
169
|
+
@action = lambda { patch :update, :id => 1 }
|
170
|
+
end
|
171
|
+
|
172
|
+
include_examples :write_access_rights, :allowed_group, :ok
|
69
173
|
end
|
70
174
|
end
|
71
175
|
end
|
@@ -81,13 +185,13 @@ RSpec.describe ApplicationController, :type => :controller do
|
|
81
185
|
end
|
82
186
|
|
83
187
|
before(:each) do
|
84
|
-
@api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group')
|
188
|
+
@api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group', :read_access => true)
|
85
189
|
controller.request.headers['X-API-TOKEN'] = @api_key.api_token
|
86
190
|
end
|
87
191
|
|
88
192
|
it 'should throw exception because the controller is not in a group but is using api authentication' do
|
89
193
|
expect{
|
90
|
-
|
194
|
+
get :index
|
91
195
|
}.to raise_error(ArgumentError)
|
92
196
|
end
|
93
197
|
end
|
@@ -128,7 +232,7 @@ RSpec.describe ApplicationController, :type => :controller do
|
|
128
232
|
|
129
233
|
before(:each) do
|
130
234
|
@allowed_filter = 'allowed_key'
|
131
|
-
@valid_api_key = ExtendedApiKey.create!(:group => 'allowed_group')
|
235
|
+
@valid_api_key = ExtendedApiKey.create!(:group => 'allowed_group', :read_access => true)
|
132
236
|
controller.request.headers['X-API-TOKEN'] = @valid_api_key.api_token
|
133
237
|
|
134
238
|
allow(MasterApiKey::ApiKey).to receive(:find_by_api_token).with(@valid_api_key.api_token).and_return(@valid_api_key)
|
@@ -0,0 +1,39 @@
|
|
1
|
+
shared_examples_for :read_access_rights do |group_name, success_code|
|
2
|
+
it "should return 403 (:forbidden) if the api token doesn't have read access" do
|
3
|
+
restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :write_access => true)
|
4
|
+
controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
|
5
|
+
|
6
|
+
@action.call
|
7
|
+
|
8
|
+
expect(response).to have_http_status(403)
|
9
|
+
end
|
10
|
+
|
11
|
+
it "should return :#{success_code} if the api token doesn't have write access" do
|
12
|
+
restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :read_access => true)
|
13
|
+
controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
|
14
|
+
|
15
|
+
@action.call
|
16
|
+
|
17
|
+
expect(response).to have_http_status(success_code)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
shared_examples_for :write_access_rights do |group_name, success_code|
|
22
|
+
it "should return 403 (:forbidden) if the api token doesn't have write access" do
|
23
|
+
restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :read_access=> true)
|
24
|
+
controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
|
25
|
+
|
26
|
+
@action.call
|
27
|
+
|
28
|
+
expect(response).to have_http_status(403)
|
29
|
+
end
|
30
|
+
|
31
|
+
it "should return :#{success_code} if the api token doesn't have read access" do
|
32
|
+
restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :write_access => true)
|
33
|
+
controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
|
34
|
+
|
35
|
+
@action.call
|
36
|
+
|
37
|
+
expect(response).to have_http_status(success_code)
|
38
|
+
end
|
39
|
+
end
|
@@ -0,0 +1,39 @@
|
|
1
|
+
shared_examples_for :group_authorizations do |group_name, success_code|
|
2
|
+
it "should return #{success_code} when the api group '#{group_name}' is used" do
|
3
|
+
unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
|
4
|
+
controller.request.headers['X-API-TOKEN'] = unrestricted_api_key.api_token
|
5
|
+
|
6
|
+
@action.call
|
7
|
+
|
8
|
+
expect(response).to have_http_status(success_code)
|
9
|
+
end
|
10
|
+
|
11
|
+
it "should return 403 when the api group '#{group_name}' is not used" do
|
12
|
+
restricted_api_key = MasterApiKey::ApiKey.create!(:group => "#{group_name}_wrong", read_access:true, write_access:true)
|
13
|
+
controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
|
14
|
+
|
15
|
+
@action.call
|
16
|
+
|
17
|
+
expect(response).to have_http_status(:forbidden)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
shared_examples_for :api_authorizations do |group_name, success_code|
|
22
|
+
it "should return #{success_code} when a valid api token is used" do
|
23
|
+
unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
|
24
|
+
controller.request.headers['X-API-TOKEN'] = unrestricted_api_key.api_token
|
25
|
+
|
26
|
+
@action.call
|
27
|
+
|
28
|
+
expect(response).to have_http_status(success_code)
|
29
|
+
end
|
30
|
+
|
31
|
+
it 'should return 401 when an invalid api token is not used' do
|
32
|
+
unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
|
33
|
+
controller.request.headers['X-API-TOKEN'] = "#{unrestricted_api_key.api_token}_invalid"
|
34
|
+
|
35
|
+
@action.call
|
36
|
+
|
37
|
+
expect(response).to have_http_status(:unauthorized)
|
38
|
+
end
|
39
|
+
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: master_api_key
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 2.0.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Flynn Jones
|
@@ -73,7 +73,7 @@ cert_chain:
|
|
73
73
|
7xfdQKID/bwhqUq9whTwTX2J61RCxyS+eqIRfWOYAUphZanwFD9c3uNWa+8KAhC2
|
74
74
|
oHN/0fktfVzQYUsHnZ4=
|
75
75
|
-----END CERTIFICATE-----
|
76
|
-
date: 2016-
|
76
|
+
date: 2016-05-20 00:00:00.000000000 Z
|
77
77
|
dependencies:
|
78
78
|
- !ruby/object:Gem::Dependency
|
79
79
|
name: rails
|
@@ -81,7 +81,7 @@ dependencies:
|
|
81
81
|
requirements:
|
82
82
|
- - ">="
|
83
83
|
- !ruby/object:Gem::Version
|
84
|
-
version: '
|
84
|
+
version: '4.0'
|
85
85
|
- - "<"
|
86
86
|
- !ruby/object:Gem::Version
|
87
87
|
version: '5.0'
|
@@ -91,7 +91,7 @@ dependencies:
|
|
91
91
|
requirements:
|
92
92
|
- - ">="
|
93
93
|
- !ruby/object:Gem::Version
|
94
|
-
version: '
|
94
|
+
version: '4.0'
|
95
95
|
- - "<"
|
96
96
|
- !ruby/object:Gem::Version
|
97
97
|
version: '5.0'
|
@@ -156,6 +156,7 @@ files:
|
|
156
156
|
- db/migrate/20160330160153_add_group_column.rb
|
157
157
|
- db/migrate/20160407194542_require_group_attribute.rb
|
158
158
|
- db/migrate/20160411152807_create_master_key.rb
|
159
|
+
- db/migrate/20160429185913_add_read_write_access.rb
|
159
160
|
- db/seeds.rb
|
160
161
|
- lib/master_api_key.rb
|
161
162
|
- lib/master_api_key/api_gatekeeper.rb
|
@@ -194,8 +195,9 @@ files:
|
|
194
195
|
- spec/master_api_key/api_gatekeeper_spec.rb
|
195
196
|
- spec/rails_helper.rb
|
196
197
|
- spec/requests/master_api_key/integration_spec.rb
|
197
|
-
- spec/requests/master_api_key/master_api_key_api_keys_spec.rb
|
198
198
|
- spec/spec_helper.rb
|
199
|
+
- spec/support/access_shared_examples.rb
|
200
|
+
- spec/support/auth_shared_examples.rb
|
199
201
|
homepage: https://github.com/amplify-holding/master_api_key
|
200
202
|
licenses:
|
201
203
|
- MIT
|
@@ -254,5 +256,6 @@ test_files:
|
|
254
256
|
- spec/master_api_key/api_gatekeeper_spec.rb
|
255
257
|
- spec/rails_helper.rb
|
256
258
|
- spec/requests/master_api_key/integration_spec.rb
|
257
|
-
- spec/requests/master_api_key/master_api_key_api_keys_spec.rb
|
258
259
|
- spec/spec_helper.rb
|
260
|
+
- spec/support/access_shared_examples.rb
|
261
|
+
- spec/support/auth_shared_examples.rb
|
metadata.gz.sig
CHANGED
Binary file
|
@@ -1,98 +0,0 @@
|
|
1
|
-
require 'rails_helper'
|
2
|
-
|
3
|
-
RSpec.describe 'ApiKeys', type: :request do
|
4
|
-
describe 'POST /master_api_key/api_keys' do
|
5
|
-
before(:each) do
|
6
|
-
master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
|
7
|
-
@headers = {
|
8
|
-
'X-API-TOKEN' => master_key.api_token
|
9
|
-
}
|
10
|
-
end
|
11
|
-
|
12
|
-
it 'should return 201 with properly formatted request' do
|
13
|
-
post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
|
14
|
-
json_object = JSON.parse response.body
|
15
|
-
|
16
|
-
expect(response).to have_http_status(201)
|
17
|
-
expect(response.content_type).to eq 'application/json'
|
18
|
-
|
19
|
-
hash_verifier = {'group' => 'group_1'}
|
20
|
-
expect(json_object).to include 'apiKey'
|
21
|
-
expect(json_object['apiKey']).to include hash_verifier
|
22
|
-
expect(json_object['apiKey']).to include 'id', 'api_token'
|
23
|
-
expect(json_object['apiKey']['id']).to be_an(Integer)
|
24
|
-
expect(json_object['apiKey']['api_token']).to be_a(String)
|
25
|
-
end
|
26
|
-
|
27
|
-
it 'should return 400 with nil group' do
|
28
|
-
post '/master_api_key/api_keys', {:group => nil}, @headers
|
29
|
-
expect(response).to have_http_status(400)
|
30
|
-
end
|
31
|
-
|
32
|
-
it 'should return 400 if group param is missing' do
|
33
|
-
post '/master_api_key/api_keys', {}, @headers
|
34
|
-
expect(response).to have_http_status(400)
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
describe 'DELETE /master_api_key/api_keys/#id' do
|
39
|
-
before(:each) do
|
40
|
-
master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
|
41
|
-
@headers = {
|
42
|
-
'X-API-TOKEN' => master_key.api_token
|
43
|
-
}
|
44
|
-
end
|
45
|
-
|
46
|
-
it 'should return 200 with properly formatted request' do
|
47
|
-
post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
|
48
|
-
expect(response).to have_http_status(201)
|
49
|
-
|
50
|
-
json_object = JSON.parse response.body
|
51
|
-
|
52
|
-
id = json_object['apiKey']['id']
|
53
|
-
|
54
|
-
delete "/master_api_key/api_keys/#{id}", {}, @headers
|
55
|
-
expect(response).to have_http_status(200)
|
56
|
-
end
|
57
|
-
|
58
|
-
it 'should return 200 when there is nothing to remove' do
|
59
|
-
delete '/master_api_key/api_keys/100', {}, @headers
|
60
|
-
expect(response).to have_http_status(200)
|
61
|
-
end
|
62
|
-
end
|
63
|
-
|
64
|
-
describe 'DELETE /master_api_key/api_keys' do
|
65
|
-
before(:each) do
|
66
|
-
master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
|
67
|
-
@headers = {
|
68
|
-
'X-API-TOKEN' => master_key.api_token
|
69
|
-
}
|
70
|
-
end
|
71
|
-
|
72
|
-
it 'should return 200 with properly formatted request' do
|
73
|
-
post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
|
74
|
-
expect(response).to have_http_status(201)
|
75
|
-
|
76
|
-
json_object = JSON.parse response.body
|
77
|
-
api_token = json_object['apiKey']['api_token']
|
78
|
-
|
79
|
-
delete '/master_api_key/api_keys', {:api_token => api_token}, @headers
|
80
|
-
expect(response).to have_http_status(200)
|
81
|
-
end
|
82
|
-
|
83
|
-
it 'should return 200 when there is nothing to remove' do
|
84
|
-
delete '/master_api_key/api_keys' , {:api_token => 'nothing_to_see_here'}, @headers
|
85
|
-
expect(response).to have_http_status(200)
|
86
|
-
end
|
87
|
-
|
88
|
-
it 'should return 400 when the api_token is nil' do
|
89
|
-
delete '/master_api_key/api_keys' , {:api_token => nil}, @headers
|
90
|
-
expect(response).to have_http_status(400)
|
91
|
-
end
|
92
|
-
|
93
|
-
it 'should return 400 when the api_token param is missing' do
|
94
|
-
delete '/master_api_key/api_keys', {}, @headers
|
95
|
-
expect(response).to have_http_status(400)
|
96
|
-
end
|
97
|
-
end
|
98
|
-
end
|