master_api_key 1.2.0 → 2.0.1

Sign up to get free protection for your applications and to get access to all the features.
@@ -1,5 +1,6 @@
1
1
  require 'rails_helper'
2
2
  require 'master_api_key/api_gatekeeper'
3
+ require 'support/access_shared_examples'
3
4
 
4
5
  RSpec.describe ApplicationController, :type => :controller do
5
6
  context 'with fully configured controller' do
@@ -11,61 +12,164 @@ RSpec.describe ApplicationController, :type => :controller do
11
12
  head(:ok)
12
13
  end
13
14
  end
15
+
16
+ def show
17
+ authorize_action do
18
+ head(:ok)
19
+ end
20
+ end
21
+
22
+ def create
23
+ authorize_action do
24
+ head(:ok)
25
+ end
26
+ end
27
+
28
+ def destroy
29
+ authorize_action do
30
+ head(:ok)
31
+ end
32
+ end
33
+
34
+ def edit
35
+ authorize_action do
36
+ head(:ok)
37
+ end
38
+ end
39
+
40
+ def new
41
+ authorize_action do
42
+ head(:ok)
43
+ end
44
+ end
45
+
46
+ def update
47
+ authorize_action do
48
+ head(:ok)
49
+ end
50
+ end
14
51
  end
15
52
 
16
53
  before(:each) do
54
+
17
55
  end
18
56
 
19
57
  context 'Without API TOKEN' do
20
58
  it "should return 401 (:unauthorized) if 'X-API-TOKEN' isn't available" do
21
- expect(controller).to receive(:on_authentication_failure)
59
+ expect(controller).to receive(:on_authentication_failure).and_call_original
22
60
 
23
- controller.index
24
- end
61
+ get :index
25
62
 
26
- it 'should render a response as unauthorized by default' do
27
- expect(controller).to receive(:head).with(:unauthorized)
28
-
29
- controller.index
63
+ expect(response).to have_http_status(401)
30
64
  end
31
65
  end
32
66
 
33
67
  context 'With API Token' do
34
68
  before(:each) do
35
- @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group')
69
+ @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group', :read_access => true)
36
70
  controller.request.headers['X-API-TOKEN'] = @api_key.api_token
37
71
  end
38
72
 
39
73
  it "should return 401 (:unauthorized) if the token can't be authenticated" do
40
74
  controller.request.headers['X-API-TOKEN'] = @api_key.api_token + '_missing'
41
75
 
42
- expect(controller).to receive(:on_authentication_failure)
76
+ expect(controller).to receive(:on_authentication_failure).and_call_original
77
+
78
+ get :index
43
79
 
44
- controller.index
80
+ expect(response).to have_http_status(401)
45
81
  end
46
82
 
47
83
  it "should return 403 (:forbidden) if the api token isn't authorized to access the group" do
48
- restricted_api_key = MasterApiKey::ApiKey.create!(:group => 'not_allowed_group')
84
+ restricted_api_key = MasterApiKey::ApiKey.create!(:group => 'not_allowed_group', :read_access => true)
49
85
  controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
50
86
 
51
87
  expect(controller).to receive(:on_forbidden_request).and_call_original
52
- expect(controller).to receive(:head).with(:forbidden)
53
88
 
54
- controller.index
89
+ get :index
90
+
91
+ expect(response).to have_http_status(403)
55
92
  end
56
93
 
57
94
  it 'should return 200 if the token is authenticated and authorized to access the controller' do
58
- expect(controller).to receive(:head).with(:ok)
95
+ get :index
59
96
 
60
- controller.index
97
+ expect(response).to have_http_status(200)
61
98
  end
62
99
 
63
100
  it 'should return 200 even if the group is defined with a different character case' do
64
- upper_case_api_key = MasterApiKey::ApiKey.create!(:group => 'ALLOWED_GROUP')
101
+ upper_case_api_key = MasterApiKey::ApiKey.create!(:group => 'ALLOWED_GROUP', :read_access => true)
65
102
  controller.request.headers['X-API-TOKEN'] = upper_case_api_key.api_token
66
- expect(controller).to receive(:head).with(:ok)
67
103
 
68
- controller.index
104
+ get :index
105
+
106
+ expect(response).to have_http_status(200)
107
+ end
108
+ end
109
+
110
+ context 'with access rights' do
111
+ context 'for index' do
112
+ before(:each) do
113
+ @action = lambda { get :index }
114
+ end
115
+
116
+ include_examples :read_access_rights, :allowed_group, :ok
117
+ end
118
+
119
+ context 'for show' do
120
+ before(:each) do
121
+ @action = lambda { get :show, :id => 1 }
122
+ end
123
+
124
+ include_examples :read_access_rights, :allowed_group, :ok
125
+ end
126
+
127
+ context 'for create' do
128
+ before(:each) do
129
+ @action = lambda { post :create}
130
+ end
131
+
132
+ include_examples :write_access_rights, :allowed_group, :ok
133
+ end
134
+
135
+ context 'for destroy' do
136
+ before(:each) do
137
+ @action = lambda { delete :destroy, :id => 1 }
138
+ end
139
+
140
+ include_examples :write_access_rights, :allowed_group, :ok
141
+ end
142
+
143
+ context 'for new' do
144
+ before(:each) do
145
+ @action = lambda { get :new, :id => 1}
146
+ end
147
+
148
+ include_examples :write_access_rights, :allowed_group, :ok
149
+ end
150
+
151
+ context 'for edit' do
152
+ before(:each) do
153
+ @action = lambda { post :edit, :id => 1 }
154
+ end
155
+
156
+ include_examples :write_access_rights, :allowed_group, :ok
157
+ end
158
+
159
+ context 'for put' do
160
+ before(:each) do
161
+ @action = lambda { put :update, :id => 1 }
162
+ end
163
+
164
+ include_examples :write_access_rights, :allowed_group, :ok
165
+ end
166
+
167
+ context 'for patch' do
168
+ before(:each) do
169
+ @action = lambda { patch :update, :id => 1 }
170
+ end
171
+
172
+ include_examples :write_access_rights, :allowed_group, :ok
69
173
  end
70
174
  end
71
175
  end
@@ -81,13 +185,13 @@ RSpec.describe ApplicationController, :type => :controller do
81
185
  end
82
186
 
83
187
  before(:each) do
84
- @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group')
188
+ @api_key = MasterApiKey::ApiKey.create!(:group => 'allowed_group', :read_access => true)
85
189
  controller.request.headers['X-API-TOKEN'] = @api_key.api_token
86
190
  end
87
191
 
88
192
  it 'should throw exception because the controller is not in a group but is using api authentication' do
89
193
  expect{
90
- controller.index
194
+ get :index
91
195
  }.to raise_error(ArgumentError)
92
196
  end
93
197
  end
@@ -128,7 +232,7 @@ RSpec.describe ApplicationController, :type => :controller do
128
232
 
129
233
  before(:each) do
130
234
  @allowed_filter = 'allowed_key'
131
- @valid_api_key = ExtendedApiKey.create!(:group => 'allowed_group')
235
+ @valid_api_key = ExtendedApiKey.create!(:group => 'allowed_group', :read_access => true)
132
236
  controller.request.headers['X-API-TOKEN'] = @valid_api_key.api_token
133
237
 
134
238
  allow(MasterApiKey::ApiKey).to receive(:find_by_api_token).with(@valid_api_key.api_token).and_return(@valid_api_key)
@@ -0,0 +1,39 @@
1
+ shared_examples_for :read_access_rights do |group_name, success_code|
2
+ it "should return 403 (:forbidden) if the api token doesn't have read access" do
3
+ restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :write_access => true)
4
+ controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
5
+
6
+ @action.call
7
+
8
+ expect(response).to have_http_status(403)
9
+ end
10
+
11
+ it "should return :#{success_code} if the api token doesn't have write access" do
12
+ restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :read_access => true)
13
+ controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
14
+
15
+ @action.call
16
+
17
+ expect(response).to have_http_status(success_code)
18
+ end
19
+ end
20
+
21
+ shared_examples_for :write_access_rights do |group_name, success_code|
22
+ it "should return 403 (:forbidden) if the api token doesn't have write access" do
23
+ restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :read_access=> true)
24
+ controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
25
+
26
+ @action.call
27
+
28
+ expect(response).to have_http_status(403)
29
+ end
30
+
31
+ it "should return :#{success_code} if the api token doesn't have read access" do
32
+ restricted_api_key = MasterApiKey::ApiKey.create!(:group => group_name, :write_access => true)
33
+ controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
34
+
35
+ @action.call
36
+
37
+ expect(response).to have_http_status(success_code)
38
+ end
39
+ end
@@ -0,0 +1,39 @@
1
+ shared_examples_for :group_authorizations do |group_name, success_code|
2
+ it "should return #{success_code} when the api group '#{group_name}' is used" do
3
+ unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
4
+ controller.request.headers['X-API-TOKEN'] = unrestricted_api_key.api_token
5
+
6
+ @action.call
7
+
8
+ expect(response).to have_http_status(success_code)
9
+ end
10
+
11
+ it "should return 403 when the api group '#{group_name}' is not used" do
12
+ restricted_api_key = MasterApiKey::ApiKey.create!(:group => "#{group_name}_wrong", read_access:true, write_access:true)
13
+ controller.request.headers['X-API-TOKEN'] = restricted_api_key.api_token
14
+
15
+ @action.call
16
+
17
+ expect(response).to have_http_status(:forbidden)
18
+ end
19
+ end
20
+
21
+ shared_examples_for :api_authorizations do |group_name, success_code|
22
+ it "should return #{success_code} when a valid api token is used" do
23
+ unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
24
+ controller.request.headers['X-API-TOKEN'] = unrestricted_api_key.api_token
25
+
26
+ @action.call
27
+
28
+ expect(response).to have_http_status(success_code)
29
+ end
30
+
31
+ it 'should return 401 when an invalid api token is not used' do
32
+ unrestricted_api_key = MasterApiKey::ApiKey.create!(group: group_name, read_access:true, write_access:true)
33
+ controller.request.headers['X-API-TOKEN'] = "#{unrestricted_api_key.api_token}_invalid"
34
+
35
+ @action.call
36
+
37
+ expect(response).to have_http_status(:unauthorized)
38
+ end
39
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: master_api_key
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 2.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Flynn Jones
@@ -73,7 +73,7 @@ cert_chain:
73
73
  7xfdQKID/bwhqUq9whTwTX2J61RCxyS+eqIRfWOYAUphZanwFD9c3uNWa+8KAhC2
74
74
  oHN/0fktfVzQYUsHnZ4=
75
75
  -----END CERTIFICATE-----
76
- date: 2016-04-28 00:00:00.000000000 Z
76
+ date: 2016-05-20 00:00:00.000000000 Z
77
77
  dependencies:
78
78
  - !ruby/object:Gem::Dependency
79
79
  name: rails
@@ -81,7 +81,7 @@ dependencies:
81
81
  requirements:
82
82
  - - ">="
83
83
  - !ruby/object:Gem::Version
84
- version: '3.0'
84
+ version: '4.0'
85
85
  - - "<"
86
86
  - !ruby/object:Gem::Version
87
87
  version: '5.0'
@@ -91,7 +91,7 @@ dependencies:
91
91
  requirements:
92
92
  - - ">="
93
93
  - !ruby/object:Gem::Version
94
- version: '3.0'
94
+ version: '4.0'
95
95
  - - "<"
96
96
  - !ruby/object:Gem::Version
97
97
  version: '5.0'
@@ -156,6 +156,7 @@ files:
156
156
  - db/migrate/20160330160153_add_group_column.rb
157
157
  - db/migrate/20160407194542_require_group_attribute.rb
158
158
  - db/migrate/20160411152807_create_master_key.rb
159
+ - db/migrate/20160429185913_add_read_write_access.rb
159
160
  - db/seeds.rb
160
161
  - lib/master_api_key.rb
161
162
  - lib/master_api_key/api_gatekeeper.rb
@@ -194,8 +195,9 @@ files:
194
195
  - spec/master_api_key/api_gatekeeper_spec.rb
195
196
  - spec/rails_helper.rb
196
197
  - spec/requests/master_api_key/integration_spec.rb
197
- - spec/requests/master_api_key/master_api_key_api_keys_spec.rb
198
198
  - spec/spec_helper.rb
199
+ - spec/support/access_shared_examples.rb
200
+ - spec/support/auth_shared_examples.rb
199
201
  homepage: https://github.com/amplify-holding/master_api_key
200
202
  licenses:
201
203
  - MIT
@@ -254,5 +256,6 @@ test_files:
254
256
  - spec/master_api_key/api_gatekeeper_spec.rb
255
257
  - spec/rails_helper.rb
256
258
  - spec/requests/master_api_key/integration_spec.rb
257
- - spec/requests/master_api_key/master_api_key_api_keys_spec.rb
258
259
  - spec/spec_helper.rb
260
+ - spec/support/access_shared_examples.rb
261
+ - spec/support/auth_shared_examples.rb
metadata.gz.sig CHANGED
Binary file
@@ -1,98 +0,0 @@
1
- require 'rails_helper'
2
-
3
- RSpec.describe 'ApiKeys', type: :request do
4
- describe 'POST /master_api_key/api_keys' do
5
- before(:each) do
6
- master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
7
- @headers = {
8
- 'X-API-TOKEN' => master_key.api_token
9
- }
10
- end
11
-
12
- it 'should return 201 with properly formatted request' do
13
- post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
14
- json_object = JSON.parse response.body
15
-
16
- expect(response).to have_http_status(201)
17
- expect(response.content_type).to eq 'application/json'
18
-
19
- hash_verifier = {'group' => 'group_1'}
20
- expect(json_object).to include 'apiKey'
21
- expect(json_object['apiKey']).to include hash_verifier
22
- expect(json_object['apiKey']).to include 'id', 'api_token'
23
- expect(json_object['apiKey']['id']).to be_an(Integer)
24
- expect(json_object['apiKey']['api_token']).to be_a(String)
25
- end
26
-
27
- it 'should return 400 with nil group' do
28
- post '/master_api_key/api_keys', {:group => nil}, @headers
29
- expect(response).to have_http_status(400)
30
- end
31
-
32
- it 'should return 400 if group param is missing' do
33
- post '/master_api_key/api_keys', {}, @headers
34
- expect(response).to have_http_status(400)
35
- end
36
- end
37
-
38
- describe 'DELETE /master_api_key/api_keys/#id' do
39
- before(:each) do
40
- master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
41
- @headers = {
42
- 'X-API-TOKEN' => master_key.api_token
43
- }
44
- end
45
-
46
- it 'should return 200 with properly formatted request' do
47
- post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
48
- expect(response).to have_http_status(201)
49
-
50
- json_object = JSON.parse response.body
51
-
52
- id = json_object['apiKey']['id']
53
-
54
- delete "/master_api_key/api_keys/#{id}", {}, @headers
55
- expect(response).to have_http_status(200)
56
- end
57
-
58
- it 'should return 200 when there is nothing to remove' do
59
- delete '/master_api_key/api_keys/100', {}, @headers
60
- expect(response).to have_http_status(200)
61
- end
62
- end
63
-
64
- describe 'DELETE /master_api_key/api_keys' do
65
- before(:each) do
66
- master_key = MasterApiKey::ApiKey.create!(:group => :master_key)
67
- @headers = {
68
- 'X-API-TOKEN' => master_key.api_token
69
- }
70
- end
71
-
72
- it 'should return 200 with properly formatted request' do
73
- post '/master_api_key/api_keys', {:group => 'group_1'}, @headers
74
- expect(response).to have_http_status(201)
75
-
76
- json_object = JSON.parse response.body
77
- api_token = json_object['apiKey']['api_token']
78
-
79
- delete '/master_api_key/api_keys', {:api_token => api_token}, @headers
80
- expect(response).to have_http_status(200)
81
- end
82
-
83
- it 'should return 200 when there is nothing to remove' do
84
- delete '/master_api_key/api_keys' , {:api_token => 'nothing_to_see_here'}, @headers
85
- expect(response).to have_http_status(200)
86
- end
87
-
88
- it 'should return 400 when the api_token is nil' do
89
- delete '/master_api_key/api_keys' , {:api_token => nil}, @headers
90
- expect(response).to have_http_status(400)
91
- end
92
-
93
- it 'should return 400 when the api_token param is missing' do
94
- delete '/master_api_key/api_keys', {}, @headers
95
- expect(response).to have_http_status(400)
96
- end
97
- end
98
- end