master_api_key 1.2.0 → 2.0.1

data/spec/master_api_key/api_gatekeeper_spec.rb

@@ -1,5 +1,6 @@
 require 'rails_helper'
 require 'master_api_key/api_gatekeeper'
+require 'support/access_shared_examples'
 
 RSpec.describe ApplicationController, :type => :controller do
   context 'with fully configured controller' do
@@ -11,61 +12,164 @@ RSpec.describe ApplicationController, :type => :controller do
           head(:ok)
         end
       end
+
+      def show
+        authorize_action do
+          head(:ok)
+        end
+      end
+
+      def create
+        authorize_action do
+          head(:ok)
+        end
+      end
+
+      def destroy
+        authorize_action do
+          head(:ok)
+        end
+      end
+
+      def edit
+        authorize_action do
+          head(:ok)
+        end
+      end
+
+      def new
+        authorize_action do
+          head(:ok)
+        end
+      end
+
+      def update
+        authorize_action do
+          head(:ok)
+        end
+      end
     end
 
     before(:each) do
+
     end
 
     context 'Without API TOKEN' do
       it "should return 401 (:unauthorized) if 'X-API-TOKEN' isn't available" do
-        expect(controller).to receive(:on_authentication_failure)
+        expect(controller).to receive(:on_authentication_failure).and_call_original
 
-        controller.index
-      end
+        get :index
 
-      it 'should render a response as unauthorized by default' do
-        expect(controller).to receive(:head).with(:unauthorized)
-
-        controller.index
+        expect(response).to have_http_status(401)
       end
     end
 
     context 'With API Token' do
       before(:each) do
-        @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group')
+        @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group', :read_access => true)
         controller.request.headers['X-API-TOKEN'] = @api_key.api_token
       end
 
       it "should return 401 (:unauthorized) if the token can't be authenticated" do
         controller.request.headers['X-API-TOKEN'] = @api_key.api_token + '_missing'
 
-        expect(controller).to receive(:on_authentication_failure)
+        expect(controller).to receive(:on_authentication_failure).and_call_original
+
+        get :index
 
-        controller.index
+        expect(response).to have_http_status(401)
       end
 
       it "should return 403 (:forbidden) if the api token isn't authorized to access the group" do
-        restricted_api_key = MasterApiKey::ApiKey.create!(:group => 'not_allowed_group')
+        restricted_api_key = MasterApiKey::ApiKey.create!(:group => 'not_allowed_group', :read_access => true)
         controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
 
         expect(controller).to receive(:on_forbidden_request).and_call_original
-        expect(controller).to receive(:head).with(:forbidden)
 
-        controller.index
+        get :index
+
+        expect(response).to have_http_status(403)
       end
 
       it 'should return 200 if the token is authenticated and authorized to access the controller' do
-        expect(controller).to receive(:head).with(:ok)
+        get :index
 
-        controller.index
+        expect(response).to have_http_status(200)
       end
 
       it 'should return 200 even if the group is defined with a different character case' do
-        upper_case_api_key = MasterApiKey::ApiKey.create!(:group => 'ALLOWED_GROUP')
+        upper_case_api_key = MasterApiKey::ApiKey.create!(:group => 'ALLOWED_GROUP', :read_access => true)
         controller.request.headers['X-API-TOKEN'] = upper_case_api_key.api_token
-        expect(controller).to receive(:head).with(:ok)
 
-        controller.index
+        get :index
+
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context 'with access rights' do
+      context 'for index' do
+        before(:each) do
+          @action = lambda { get :index }
+        end
+
+        include_examples :read_access_rights, :allowed_group, :ok
+      end
+
+      context 'for show' do
+        before(:each) do
+          @action = lambda { get :show, :id => 1 }
+        end
+
+        include_examples :read_access_rights, :allowed_group, :ok
+      end
+
+      context 'for create' do
+        before(:each) do
+          @action = lambda { post :create}
+        end
+
+        include_examples :write_access_rights, :allowed_group, :ok
+      end
+
+      context 'for destroy' do
+        before(:each) do
+          @action = lambda { delete :destroy, :id => 1 }
+        end
+
+        include_examples :write_access_rights, :allowed_group, :ok
+      end
+
+      context 'for new' do
+        before(:each) do
+          @action = lambda { get :new, :id => 1}
+        end
+
+        include_examples :write_access_rights, :allowed_group, :ok
+      end
+
+      context 'for edit' do
+        before(:each) do
+          @action = lambda { post :edit, :id => 1 }
+        end
+
+        include_examples :write_access_rights, :allowed_group, :ok
+      end
+
+      context 'for put' do
+        before(:each) do
+          @action = lambda { put :update, :id => 1 }
+        end
+
+        include_examples :write_access_rights, :allowed_group, :ok
+      end
+
+      context 'for patch' do
+        before(:each) do
+          @action = lambda { patch :update, :id => 1 }
+        end
+
+        include_examples :write_access_rights, :allowed_group, :ok
       end
     end
   end
@@ -81,13 +185,13 @@ RSpec.describe ApplicationController, :type => :controller do
     end
 
     before(:each) do
-      @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group')
+      @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group', :read_access => true)
       controller.request.headers['X-API-TOKEN'] = @api_key.api_token
     end
 
     it 'should throw exception because the controller is not in a group but is using api authentication' do
       expect{
-        controller.index
+        get :index
       }.to raise_error(ArgumentError)
     end
   end
@@ -128,7 +232,7 @@ RSpec.describe ApplicationController, :type => :controller do
 
     before(:each) do
       @allowed_filter = 'allowed_key'
-      @valid_api_key = ExtendedApiKey.create!(:group => 'allowed_group')
+      @valid_api_key = ExtendedApiKey.create!(:group => 'allowed_group', :read_access => true)
       controller.request.headers['X-API-TOKEN'] = @valid_api_key.api_token
 
       allow(MasterApiKey::ApiKey).to receive(:find_by_api_token).with(@valid_api_key.api_token).and_return(@valid_api_key)

data/spec/support/access_shared_examples.rb

@@ -0,0 +1,39 @@
+shared_examples_for :read_access_rights do |group_name, success_code|
+  it "should return 403 (:forbidden) if the api token doesn't have read access" do
+    restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :write_access => true)
+    controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(403)
+  end
+
+  it "should return :#{success_code} if the api token doesn't have write access" do
+    restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :read_access => true)
+    controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(success_code)
+  end
+end
+
+shared_examples_for :write_access_rights do |group_name, success_code|
+  it "should return 403 (:forbidden) if the api token doesn't have write access" do
+    restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :read_access=> true)
+    controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(403)
+  end
+
+  it "should return :#{success_code} if the api token doesn't have read access" do
+    restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :write_access => true)
+    controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(success_code)
+  end
+end

data/spec/support/auth_shared_examples.rb

@@ -0,0 +1,39 @@
+shared_examples_for :group_authorizations do |group_name, success_code|
+  it "should return #{success_code} when the api group '#{group_name}' is used" do
+    unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
+    controller.request.headers['X-API-TOKEN'] = unrestricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(success_code)
+  end
+
+  it "should return 403 when the api group '#{group_name}' is not used" do
+    restricted_api_key = MasterApiKey::ApiKey.create!(:group => "#{group_name}_wrong", read_access:true, write_access:true)
+    controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(:forbidden)
+  end
+end
+
+shared_examples_for :api_authorizations do |group_name, success_code|
+  it "should return #{success_code} when a valid api token is used" do
+    unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
+    controller.request.headers['X-API-TOKEN'] = unrestricted_api_key.api_token
+
+    @action.call
+
+    expect(response).to have_http_status(success_code)
+  end
+
+  it 'should return 401 when an invalid api token is not used' do
+    unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
+    controller.request.headers['X-API-TOKEN'] = "#{unrestricted_api_key.api_token}_invalid"
+
+    @action.call
+
+    expect(response).to have_http_status(:unauthorized)
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: master_api_key
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Flynn Jones
@@ -73,7 +73,7 @@ cert_chain:
   7xfdQKID/bwhqUq9whTwTX2J61RCxyS+eqIRfWOYAUphZanwFD9c3uNWa+8KAhC2
   oHN/0fktfVzQYUsHnZ4=
   -----END CERTIFICATE-----
-date: 2016-04-28 00:00:00.000000000 Z
+date: 2016-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -81,7 +81,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
     - - "<"
       - !ruby/object:Gem::Version
         version: '5.0'
@@ -91,7 +91,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
     - - "<"
       - !ruby/object:Gem::Version
         version: '5.0'
@@ -156,6 +156,7 @@ files:
 - db/migrate/20160330160153_add_group_column.rb
 - db/migrate/20160407194542_require_group_attribute.rb
 - db/migrate/20160411152807_create_master_key.rb
+- db/migrate/20160429185913_add_read_write_access.rb
 - db/seeds.rb
 - lib/master_api_key.rb
 - lib/master_api_key/api_gatekeeper.rb
@@ -194,8 +195,9 @@ files:
 - spec/master_api_key/api_gatekeeper_spec.rb
 - spec/rails_helper.rb
 - spec/requests/master_api_key/integration_spec.rb
-- spec/requests/master_api_key/master_api_key_api_keys_spec.rb
 - spec/spec_helper.rb
+- spec/support/access_shared_examples.rb
+- spec/support/auth_shared_examples.rb
 homepage: https://github.com/amplify-holding/master_api_key
 licenses:
 - MIT
@@ -254,5 +256,6 @@ test_files:
 - spec/master_api_key/api_gatekeeper_spec.rb
 - spec/rails_helper.rb
 - spec/requests/master_api_key/integration_spec.rb
-- spec/requests/master_api_key/master_api_key_api_keys_spec.rb
 - spec/spec_helper.rb
+- spec/support/access_shared_examples.rb
+- spec/support/auth_shared_examples.rb

data/spec/requests/master_api_key/master_api_key_api_keys_spec.rb

@@ -1,98 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe 'ApiKeys', type: :request do
-  describe 'POST /master_api_key/api_keys' do
-    before(:each) do
-      master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
-      @headers = {
-          'X-API-TOKEN' => master_key.api_token
-      }
-    end
-
-    it 'should return 201 with properly formatted request' do
-      post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
-      json_object = JSON.parse response.body
-
-      expect(response).to have_http_status(201)
-      expect(response.content_type).to eq 'application/json'
-
-      hash_verifier = {'group' => 'group_1'}
-      expect(json_object).to include 'apiKey'
-      expect(json_object['apiKey']).to include hash_verifier
-      expect(json_object['apiKey']).to include 'id', 'api_token'
-      expect(json_object['apiKey']['id']).to be_an(Integer)
-      expect(json_object['apiKey']['api_token']).to be_a(String)
-    end
-
-    it 'should return 400 with nil group' do
-      post '/master_api_key/api_keys', {:group => nil}, @headers
-      expect(response).to have_http_status(400)
-    end
-
-    it 'should return 400 if group param is missing' do
-      post '/master_api_key/api_keys', {}, @headers
-      expect(response).to have_http_status(400)
-    end
-  end
-
-  describe 'DELETE /master_api_key/api_keys/#id' do
-    before(:each) do
-      master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
-      @headers = {
-          'X-API-TOKEN' => master_key.api_token
-      }
-    end
-
-    it 'should return 200 with properly formatted request' do
-      post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
-      expect(response).to have_http_status(201)
-
-      json_object = JSON.parse response.body
-
-      id = json_object['apiKey']['id']
-
-      delete "/master_api_key/api_keys/#{id}", {}, @headers
-      expect(response).to have_http_status(200)
-    end
-
-    it 'should return 200 when there is nothing to remove' do
-      delete '/master_api_key/api_keys/100', {}, @headers
-      expect(response).to have_http_status(200)
-    end
-  end
-
-  describe 'DELETE /master_api_key/api_keys' do
-    before(:each) do
-      master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
-      @headers = {
-          'X-API-TOKEN' => master_key.api_token
-      }
-    end
-
-    it 'should return 200 with properly formatted request' do
-      post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
-      expect(response).to have_http_status(201)
-
-      json_object = JSON.parse response.body
-      api_token = json_object['apiKey']['api_token']
-
-      delete '/master_api_key/api_keys', {:api_token => api_token}, @headers
-      expect(response).to have_http_status(200)
-    end
-
-    it 'should return 200 when there is nothing to remove' do
-      delete '/master_api_key/api_keys' , {:api_token => 'nothing_to_see_here'}, @headers
-      expect(response).to have_http_status(200)
-    end
-
-    it 'should return 400 when the api_token is nil' do
-      delete '/master_api_key/api_keys' , {:api_token => nil}, @headers
-      expect(response).to have_http_status(400)
-    end
-
-    it 'should return 400 when the api_token param is missing' do
-      delete '/master_api_key/api_keys', {}, @headers
-      expect(response).to have_http_status(400)
-    end
-  end
-end