master_api_key 1.2.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9f75677aba0568a14af93356d92719e7bd4f9747
-  data.tar.gz: c98007363459cb0f65fa503a5e5328035977d78d
+  metadata.gz: d0cff3200309d508ad6502fe55696994199253c0
+  data.tar.gz: 286d74139877380870179c6072da522cd264af71
 SHA512:
-  metadata.gz: 03edcd5e444de7703abea5851f4bc9251d5862a3d08daa2acb74efcc7210cd20e2083eda3edc0cf51cbf25d520a6683f3de9ac5663ae606a0b8d3ac03528f3bf
-  data.tar.gz: 6ecf94acdaeb3047f1522b69f12f3ce6dfd7d53a931cc5df323429cd4a290228bdfc384ff0000c5ee38caa5f8fa693816d20cb18a53c30c844eecc310e70312a
+  metadata.gz: aaf0adfc3781b6915d600519f73e128d5d28e9599a8b0b9731becee4bb91a767f4dd6da1d0aff50d5d1f3c5a25f48ee80bac65626cfa45821237c9c949543bc0
+  data.tar.gz: 209db5a8c3577db0533bae9843f4a228bfeabd59cb9bd44ba49bb8adf9f3030acd17fb34ef5cb768a580ba4ce12a8bd25bf127f6f6bae9e8449bc837691f2326

data/app/controllers/master_api_key/api_keys_controller.rb

@@ -4,43 +4,92 @@ module MasterApiKey
   class ApiKeysController < ApplicationController
     belongs_to_api_group :master_key
     skip_before_filter  :verify_authenticity_token
-    before_filter :authorize_action
+    authorize_with :authorizers => [:write_authorizer], :only => [:update_by_access_token, :destroy_by_access_token]
 
-    # POST /api_keys
+    rescue_from ActionController::ParameterMissing do |exception|
+      respond_with_error(exception.message, :bad_request)
+    end
+
+    rescue_from ArgumentError do |exception|
+      respond_with_error(exception.message, :bad_request)
+    end
+
+    #GET /api_keys
+    def index
+      found_api_key = ApiKey.find_by_api_token(access_token_param)
+
+      check_presence_before_action(found_api_key) do |api_key|
+        render json: { api_key: api_key}, status: :ok
+      end
+    end
+
+    #POST /api_keys
     def create
-      begin
-        @api_key = ApiKey.create! do |api_key|
-          api_key.group = group_param
+      authorizers = authorizer_params
+      created_api_key = ApiKey.create! do |api_key|
+        api_key.group = group_param
+        unless authorizers.nil?
+          access_types = [TrueClass, FalseClass]
+          read_access = authorizers[:read_access]
+          write_access = authorizers[:write_access]
+          api_key.read_access = enforce_param_type(read_access, :read_access, *access_types) unless read_access.nil?
+          api_key.write_access = enforce_param_type(write_access, :write_access, *access_types) unless write_access.nil?
         end
-        render json: { apiKey: @api_key}, status: :created
-      rescue ActionController::ParameterMissing => e
-        respond_with_error(e.message, :bad_request)
+      end
+
+      render json: { api_key: created_api_key}, status: :created
+    end
+
+    #PATCH /api_keys/
+    def update_by_access_token
+      updated_api_key = ApiKey.find_by_api_token(access_token_param)
+
+      check_presence_before_action(updated_api_key) do |api_key|
+        api_key.update_attributes(required_auth_params)
+        render json: { api_key: api_key}, status: :ok
       end
     end
 
     # DELETE /api_keys/1
+    #deprecated
     def destroy
-      begin
-        ApiKey.delete_all(['id = ?', access_id_param])
-        head :ok
-      rescue ActionController::ParameterMissing => e
-        respond_with_error(e.message, :bad_request)
-      end
+      ApiKey.delete_all(['id = ?', access_id_param])
+      message = 'This method has been deprecated since this is less secure than access by token. It will be removed in v2.0.0'
+      render text: message, status: :ok
     end
 
     # DELETE /api_keys
     def destroy_by_access_token
-      begin
-        Rails.logger.warn "the api token is #{access_token_param}"
-        ApiKey.delete_all(['api_token = ?', access_token_param])
-        head :ok
-      rescue ActionController::ParameterMissing => e
-        respond_with_error(e.message, :bad_request)
-      end
+      Rails.logger.warn "The api token is #{access_token_param}"
+      ApiKey.delete_all(['api_token = ?', access_token_param])
+      head :ok
     end
 
     private
 
+    def enforce_param_type(param, param_name,  *types)
+      raise ArgumentError.new "Type parameter #{param_name} type should be #{types} " unless types.any? do |type|
+        param.is_a? type
+      end
+      param
+    end
+
+    def check_presence_before_action(api_key)
+      if api_key.present?
+        yield(api_key)
+      else
+        head :not_found
+      end
+    end
+
+    def required_auth_params
+      params.require(:authorizations).permit(:read_access, :write_access)
+    end
+
+    def authorizer_params
+      params.permit(:authorizations => [:read_access, :write_access])[:authorizations]
+    end
+
     def group_param
       params.require(:group)
     end

data/app/models/master_api_key/api_key.rb

@@ -4,7 +4,7 @@ module MasterApiKey
     before_create :generate_api_token
 
     def as_json(options = {})
-      super(options.reverse_merge({only: [:id, :api_token, :group]}))
+      super(options.reverse_merge({only: [:id, :api_token, :group, :read_access, :write_access]}))
     end
 
     private

data/config/master_api_key.gemversion

@@ -1 +1 @@
-1.2.0
+2.0.1

data/config/routes.rb

@@ -1,5 +1,7 @@
 
 MasterApiKey::Engine.routes.draw do
-  delete '/api_keys', to: 'api_keys#destroy_by_access_token'
+  delete :api_keys, to: 'api_keys#destroy_by_access_token'
+  get :api_keys, to: 'api_keys#index'
+  patch :api_keys, to: 'api_keys#update_by_access_token'
   resources :api_keys, only: [:create, :destroy]
 end

data/db/migrate/20160429185913_add_read_write_access.rb

@@ -0,0 +1,12 @@
+class AddReadWriteAccess < ActiveRecord::Migration
+
+  def up
+    add_column :master_api_key_api_keys, :read_access, :boolean, :default => false, :null => false
+    add_column :master_api_key_api_keys, :write_access, :boolean, :default => false, :null => false
+    MasterApiKey::ApiKey.update_all(:read_access => true, :write_access => true)
+  end
+
+  def down
+    remove_columns :master_api_key_api_keys, :read_access, :write_access
+  end
+end

data/db/seeds.rb

@@ -8,5 +8,7 @@
 unless MasterApiKey::ApiKey.where(:group => :master_key).count > 0
   MasterApiKey::ApiKey.create do |master_key|
     master_key.group = :master_key
+    master_key.read_access = true
+    master_key.write_access = true
   end
 end

data/lib/master_api_key.rb

@@ -2,3 +2,7 @@ require 'master_api_key/api_gatekeeper'
 require 'master_api_key/engine'
 
 ActionController::Base.send :include, MasterApiKey::ApiGatekeeper
+ActionController::Base.class_exec do
+  authorize_with :authorizers => [:write_authorizer], :only => [:create, :update, :destroy, :new, :edit]
+  authorize_with :authorizers => [:read_authorizer], :only => [:index, :show]
+end

data/lib/master_api_key/api_gatekeeper.rb

@@ -29,8 +29,11 @@ module MasterApiKey
 
     def passes_authorizers?(authorizers)
       method_definitions = authorizers.respond_to?(:inject) ? authorizers : [authorizers]
-      method_definitions.inject(true) do |authorized, authorizer|
-        authorized &= self.send(authorizer)
+      method_definitions.inject(true) do |is_authorized, authorizer|
+        was_authorized = is_authorized
+        is_authorized &= self.send(authorizer)
+        log_failed_authorization(authorizer, is_authorized, was_authorized)
+        is_authorized
       end
     end
 
@@ -56,10 +59,28 @@ module MasterApiKey
       head(:forbidden)
     end
 
+    protected
+
+    def write_authorizer
+      @api_key.write_access
+    end
+
+    def read_authorizer
+      @api_key.read_access
+    end
+
     private
 
+    def log_failed_authorization(authorizer, is_authorized, was_authorized)
+      unless was_authorized == is_authorized
+        Rails.logger.info "#{authorizer} failed for user of api token #{@api_key.api_token}"
+      end
+    end
+
     def authorized_with_group?
-      @api_key.group.casecmp(self.api_group.to_s) == 0
+      is_authorized = @api_key.group.casecmp(self.api_group.to_s) == 0
+      log_failed_authorization(:authorized_with_group?, is_authorized, true)
+      is_authorized
     end
 
     def user_authenticated?

data/spec/controllers/master_api_key/api_keys_controller_spec.rb

@@ -1,21 +1,84 @@
 require 'rails_helper'
+require 'support/access_shared_examples'
+require 'support/auth_shared_examples'
 
 module MasterApiKey
   RSpec.describe ApiKeysController, type: :controller do
-
     before(:each) do
       @routes = Engine.routes
     end
 
-    # This should return the minimal set of values that should be in the session
-    # in order to pass any filters (e.g. authentication) defined in
-    # ApiKeysController. Be sure to keep this updated too.
-    let(:valid_session) { {} }
+    describe 'GET #index' do
+      context 'with master key' do
+        before(:each) do
+          @master_key = ApiKey.create!(:group => :master_key, :read_access => true, :write_access => true)
+          controller.request.headers['X-API-TOKEN'] = @master_key.api_token
+        end
+
+        context 'with valid params' do
+          before(:each) do
+            @group_name = 'group_1'
+            @api_key = ApiKey.create!(:group => @group_name, write_access: true)
+            @valid_attributes = {:api_token => @api_key.api_token}
+          end
+
+          it 'should return valid json of api_key' do
+            get :index, @valid_attributes
+
+            json_object = (JSON.parse response.body).with_indifferent_access
+            expect(json_object[:api_key][:api_token]).to eq @api_key.api_token
+            expect(json_object[:api_key][:group]).to eq @group_name
+            expect(json_object[:api_key][:read_access]).to be_falsey
+            expect(json_object[:api_key][:write_access]).to be_truthy
+          end
+
+          it "should return 404 when the key doesn't exist" do
+            get :index, @valid_attributes.merge(:api_token => 'invalid_token')
+
+            expect(response).to have_http_status(404)
+          end
+
+          context 'for access rights' do
+            before(:each) do
+              @action = lambda { get :index, @valid_attributes }
+            end
+
+            include_examples :read_access_rights, :master_key, :ok
+          end
+
+          context 'for group authorizations' do
+            before(:each) do
+              @api_key = ApiKey.create!(:group => @group_name)
+              @action = lambda { get :index, @valid_attributes }
+            end
+
+            include_examples :group_authorizations, :master_key, :ok
+          end
+
+          context 'for api authentication' do
+            before(:each) do
+              @api_key = ApiKey.create!(:group => @group_name)
+              @action = lambda { get :index, @valid_attributes }
+            end
+
+            include_examples :api_authorizations, :master_key, :ok
+          end
+        end
+
+        context 'with invalid params' do
+          it "should raise missing param exception when the required param api_token isn't one of the params" do
+            get :index, {:wrong_param => 'invalid_token'}
+
+            expect(response).to have_http_status(400)
+          end
+        end
+      end
+    end
 
     describe 'POST #create' do
       context 'with master key' do
         before(:each) do
-          @master_key = ApiKey.create!(:group => :master_key)
+          @master_key = ApiKey.create!(:group => :master_key, :read_access => true, :write_access => true)
           controller.request.headers['X-API-TOKEN'] = @master_key.api_token
         end
 
@@ -36,6 +99,53 @@ module MasterApiKey
             expect(assigns(:api_key)).to be_a(ApiKey)
             expect(assigns(:api_key)).to be_persisted
           end
+
+          it 'assigns a new api key with default read/write access' do
+            post :create, @valid_attributes
+
+            json_object = (JSON.parse response.body).with_indifferent_access
+            created_key = ApiKey.find_by_api_token(json_object[:api_key][:api_token])
+
+            expect(created_key.group).to eq(@valid_attributes[:group])
+            expect(created_key.read_access).to be_falsey
+            expect(created_key.write_access).to be_falsey
+          end
+
+          it 'assigns a new api key with read/write access' do
+            post :create, @valid_attributes.merge(authorizations:{ read_access: true, write_access: true })
+
+            json_object = (JSON.parse response.body).with_indifferent_access
+            created_key = ApiKey.find_by_api_token(json_object[:api_key][:api_token])
+
+            expect(created_key.group).to eq(@valid_attributes[:group])
+            expect(created_key.read_access).to be_truthy
+            expect(created_key.write_access).to be_truthy
+          end
+
+          context 'for group authorizations' do
+            before(:each) do
+              @api_key = ApiKey.create!(:group => 'group_1')
+              @action = lambda { post :create, @valid_attributes }
+            end
+
+            include_examples :group_authorizations, :master_key, :created
+          end
+
+          context 'for access rights' do
+            before(:each) do
+              @action = lambda { post :create, @valid_attributes }
+            end
+
+            include_examples :write_access_rights, :master_key, :created
+          end
+
+          context 'for api authentication' do
+            before(:each) do
+              @action = lambda { post :create, @valid_attributes }
+            end
+
+            include_examples :api_authorizations, :master_key, :created
+          end
         end
 
         context 'with invalid params' do
@@ -46,29 +156,124 @@ module MasterApiKey
             expect {
               post :create, {:group => nil}
             }.to_not change(ApiKey, :count)
+
+            expect(response).to have_http_status(400)
           end
 
           it 'should not change ApiKey count when group param does not exist' do
             expect {
               post :create, {}
             }.to_not change(ApiKey, :count)
+
+            expect(response).to have_http_status(400)
+          end
+
+          it "should not change ApiKey count when read param isn't a boolean" do
+            expect {
+              post :create, {:group => 'group_name', authorizations: { read_access: 'wrong type' }}
+            }.to_not change(ApiKey, :count)
+
+            expect(response).to have_http_status(400)
+          end
+
+          it "should not change ApiKey count when write param isn't a boolean" do
+            expect {
+              post :create, {:group => 'group_name', authorizations: { write_access: 'wrong type'}}
+            }.to_not change(ApiKey, :count)
+
+            expect(response).to have_http_status(400)
           end
         end
       end
+    end
 
-      context 'with incorrect api key' do
+    describe 'PATCH #update' do
+      context 'with master key' do
         before(:each) do
-          @master_key = ApiKey.create!(:group => :wrong_group)
+          @master_key = ApiKey.create!(:group => :master_key, :read_access => true, :write_access => true)
           controller.request.headers['X-API-TOKEN'] = @master_key.api_token
-          @valid_attributes = {:group => 'group_1'}
         end
 
-        it 'fails to create a new ApiKey' do
-          expect {
-            post :create, @valid_attributes
-          }.to_not change(ApiKey, :count)
+        context 'with valid params' do
+          before(:each) do
+            @api_key = ApiKey.create!(:group => :group_1)
+            @valid_attributes = { api_token: @api_key.api_token, authorizations: { read_access:true }}
+          end
 
-          expect(response.status).to be 403
+          it 'should update the api key so read access is false and write access is true' do
+            patch :update_by_access_token, @valid_attributes.merge(authorizations: { read_access:false, write_access:true })
+
+            json_object = (JSON.parse response.body).with_indifferent_access
+            updated_key = ApiKey.find_by_api_token(json_object[:api_key][:api_token])
+
+            expect(updated_key.read_access).to be_falsey
+            expect(updated_key.write_access).to be_truthy
+          end
+
+          it 'should not update the api key group' do
+            patch :update_by_access_token,  @valid_attributes.merge({:group => :group_2, authorizations:{read_access:true}})
+
+            json_object = (JSON.parse response.body).with_indifferent_access
+            updated_key = ApiKey.find_by_api_token(json_object[:api_key][:api_token])
+
+            expect(updated_key.group).to eq('group_1')
+            expect(updated_key.read_access).to be_truthy
+            expect(updated_key.write_access).to be_falsey
+          end
+
+          context 'for group authorizations' do
+            before(:each) do
+              @action = lambda { patch :update_by_access_token, @valid_attributes }
+            end
+
+            include_examples :group_authorizations, :master_key, :ok
+          end
+
+          context 'for access rights' do
+            before(:each) do
+              @action = lambda { patch :update_by_access_token, @valid_attributes }
+            end
+
+            include_examples :write_access_rights, :master_key, :ok
+          end
+
+          context 'for api authentication' do
+            before(:each) do
+              @action = lambda { patch :update_by_access_token, @valid_attributes }
+            end
+
+            include_examples :api_authorizations, :master_key, :ok
+          end
+        end
+
+        context 'with invalid params' do
+          it 'should return 400 if there are no authorizations' do
+            patch :update_by_access_token, { authorizations:{} }
+
+            expect(response).to have_http_status(400)
+          end
+
+          it "should return 400 if the authorizations json doesn't exist" do
+            patch :update_by_access_token, {}
+
+            expect(response).to have_http_status(400)
+          end
+
+          it "should not change ApiKey count when read param isn't a boolean" do
+            expect {
+              patch :update_by_access_token, {authorizations: { read_access: 'wrong type' }}
+            }.to_not change(ApiKey, :count)
+
+            expect(response).to have_http_status(400)
+          end
+
+          it "should not change ApiKey count when write param isn't a boolean" do
+            expect {
+              patch :update_by_access_token, {authorizations: { write_access: 'wrong type'}}
+            }.to_not change(ApiKey, :count)
+
+            expect(response).to have_http_status(400)
+          end
         end
       end
     end
@@ -76,7 +281,7 @@ module MasterApiKey
     describe 'DELETE #destroy' do
       context 'with master key' do
         before(:each) do
-          @master_key = ApiKey.create(:group => :master_key)
+          @master_key = ApiKey.create(:group => :master_key, :read_access => true, :write_access => true)
           @api_key = ApiKey.create!(:group => 'group_1')
           controller.request.headers['X-API-TOKEN'] = @master_key.api_token
         end
@@ -100,29 +305,65 @@ module MasterApiKey
 
           expect(response).to be_success
         end
+
+        context 'for access rights for removal by id' do
+          before(:each) do
+            @action = lambda { delete :destroy, {id: @api_key.to_param.to_i} }
+          end
+
+          include_examples :write_access_rights, :master_key, :ok
+        end
+
+        context 'for access rights for removal by token' do
+          before(:each) do
+            @action = lambda { delete :destroy_by_access_token, {api_token: @api_key.api_token} }
+          end
+
+          include_examples :write_access_rights, :master_key, :ok
+        end
       end
 
-      context 'with incorrect api key' do
+      context 'for group authorizations' do
         before(:each) do
-          @master_key = ApiKey.create!(:group => :wrong_group)
           @api_key = ApiKey.create!(:group => 'group_1')
-          controller.request.headers['X-API-TOKEN'] = @master_key.api_token
         end
 
-        it 'fails to destroy the ApiKey by id' do
-          expect {
-            delete :destroy, {:id => @api_key.to_param.to_i}
-          }.to_not change(ApiKey, :count)
+        context 'with delete by id' do
+          before(:each) do
+            @action = lambda { delete :destroy, {:id => @api_key.to_param.to_i} }
+          end
+          include_examples :group_authorizations, :master_key, :ok
 
-          expect(response.status).to be 403
         end
 
-        it 'fails to destroy the ApiKey by api token' do
-          expect {
-            delete :destroy_by_access_token, {:api_token => @api_key.api_token}
-          }.to_not change(ApiKey, :count)
+        context 'with delete by api token' do
+          before(:each) do
+            @action = lambda { delete :destroy_by_access_token, {:api_token => @api_key.api_token} }
+          end
+
+          include_examples :group_authorizations, :master_key, :ok
+        end
+      end
+
+      context 'for api authorizations' do
+        before(:each) do
+          @api_key = ApiKey.create!(:group => 'group_1')
+        end
+
+        context 'with delete by id' do
+          before(:each) do
+            @action = lambda { delete :destroy, {:id => @api_key.to_param.to_i} }
+          end
+
+          include_examples :api_authorizations, :master_key, :ok
+        end
+
+        context 'with delete by api token' do
+          before(:each) do
+            @action = lambda { delete :destroy_by_access_token, {:api_token => @api_key.api_token} }
+          end
 
-          expect(response.status).to be 403
+          include_examples :api_authorizations, :master_key, :ok
         end
       end
     end