pact_broker 2.81.0 → 2.82.0

data/spec/fixtures/approvals/publish_contract_verification_already_exists.approved.json

@@ -30,7 +30,7 @@
     "status": 200,
     "headers": {
       "Content-Type": "application/hal+json;charset=utf-8",
-      "Content-Length": "2933"
+      "Content-Length": "2929"
     },
     "body": {
       "logs": [
@@ -55,12 +55,12 @@
           "deprecationWarning": "Replaced by notices"
         },
         {
-          "level": "warning",
+          "level": "prompt",
           "message": "  Next steps:",
           "deprecationWarning": "Replaced by notices"
         },
         {
-          "level": "warning",
+          "level": "prompt",
           "message": "    * Configure separate Bar pact verification build and webhook to trigger it when the pact content changes. See https://docs.pact.io/go/webhooks",
           "deprecationWarning": "Replaced by notices"
         }
@@ -83,11 +83,11 @@
           "text": "  Events detected: contract_published, contract_content_changed (pact content modified since previous publication for Foo version 1)"
         },
         {
-          "type": "warning",
+          "type": "prompt",
           "text": "  Next steps:"
         },
         {
-          "type": "warning",
+          "type": "prompt",
           "text": "    * Configure separate Bar pact verification build and webhook to trigger it when the pact content changes. See https://docs.pact.io/go/webhooks"
         }
       ],

data/spec/lib/pact_broker/api/middleware/basic_auth_spec.rb

@@ -0,0 +1,312 @@
+require "pact_broker/api/middleware/basic_auth"
+require "pact_broker/api/authorization/resource_access_policy"
+
+module PactBroker
+  module Api
+    module Middleware
+      describe "basic auth" do
+        let(:protected_app) { ->(_) { [200, {}, []]} }
+
+        let(:policy) { PactBroker::Api::Authorization::ResourceAccessPolicy.build(allow_public_read_access, allow_public_access_to_heartbeat, enable_public_badge_access) }
+        let(:app) { BasicAuth.new(protected_app, [write_username, write_password], [read_username, read_password], policy) }
+        let(:allow_public_read_access) { false }
+        let(:allow_public_read_access) { false }
+        let(:write_username) { "write_username" }
+        let(:write_password) { "write_password" }
+        let(:read_username) { "read_username" }
+        let(:read_password) { "read_password" }
+        let(:allow_public_access_to_heartbeat) { true }
+        let(:enable_public_badge_access) { true }
+
+        context "when requesting the heartbeat" do
+          let(:path) { "/diagnostic/status/heartbeat" }
+
+          context "when allow_public_access_to_heartbeat is true" do
+            context "when no credentials are used" do
+              it "allows GET" do
+                get path
+                expect(last_response.status).to eq 200
+              end
+            end
+          end
+
+          context "when allow_public_access_to_heartbeat is false" do
+            let(:allow_public_access_to_heartbeat) { false }
+
+            context "when no credentials are used" do
+              it "does not allow GET" do
+                get path
+                expect(last_response.status).to eq 401
+              end
+            end
+
+            context "when the correct credentials are used" do
+              it "allows GET" do
+                basic_authorize "read_username", "read_password"
+                get path
+                expect(last_response.status).to eq 200
+              end
+            end
+          end
+        end
+
+        context "when requesting a pact badge" do
+          context "when no credentials are used" do
+            it "allows GET" do
+              get "/pacts/provider/foo/consumer/bar/badge"
+              expect(last_response.status).to eq 200
+            end
+          end
+
+          context "when enable_public_badge_access=false" do
+            let(:enable_public_badge_access) { false }
+
+            it "does not allow GET" do
+              get "/pacts/provider/foo/consumer/bar/badge"
+              expect(last_response.status).to eq 401
+            end
+          end
+        end
+
+        context "when requesting a matrix badge" do
+          context "when no credentials are used" do
+            it "allows GET" do
+              get "/matrix/provider/foo/latest/dev/consumer/bar/latest/dev/badge"
+              expect(last_response.status).to eq 200
+            end
+          end
+        end
+
+        context "with the correct username and password for the write user" do
+          it "allows GET" do
+            basic_authorize "write_username", "write_password"
+            get "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows POST" do
+            basic_authorize "write_username", "write_password"
+            post "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows HEAD" do
+            basic_authorize "write_username", "write_password"
+            head "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows OPTIONS" do
+            basic_authorize "write_username", "write_password"
+            options "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows PUT" do
+            basic_authorize "write_username", "write_password"
+            delete "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows PATCH" do
+            basic_authorize "write_username", "write_password"
+            patch "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows DELETE" do
+            basic_authorize "write_username", "write_password"
+            delete "/"
+            expect(last_response.status).to eq 200
+          end
+        end
+
+        context "with the incorrect username for the write user" do
+          it "does not allow POST" do
+            basic_authorize "wrong_username", "write_password"
+            post "/"
+            expect(last_response.status).to eq 401
+          end
+        end
+
+        context "with the incorrect password for the write user" do
+          it "does not allow POST" do
+            basic_authorize "write_username", "wrong_password"
+            post "/"
+            expect(last_response.status).to eq 401
+          end
+        end
+
+        context "with the correct username and password for the read user" do
+          it "allows GET" do
+            basic_authorize "read_username", "read_password"
+            get "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows OPTIONS" do
+            basic_authorize "read_username", "read_password"
+            options "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "allows HEAD" do
+            basic_authorize "read_username", "read_password"
+            head "/"
+            expect(last_response.status).to eq 200
+          end
+
+          it "does not allow POST" do
+            basic_authorize "read_username", "read_password"
+            post "/"
+            expect(last_response.status).to eq 401
+          end
+
+          it "does not allow PUT" do
+            basic_authorize "read_username", "read_password"
+            put "/"
+            expect(last_response.status).to eq 401
+          end
+
+          it "does not allow PATCH" do
+            basic_authorize "read_username", "read_password"
+            patch "/"
+            expect(last_response.status).to eq 401
+          end
+
+          it "does not allow DELETE" do
+            basic_authorize "read_username", "read_password"
+            delete "/"
+            expect(last_response.status).to eq 401
+          end
+
+          it "allows POST to the pacts for verification endpoint" do
+            basic_authorize "read_username", "read_password"
+            post "/pacts/provider/Foo/for-verification"
+            expect(last_response.status).to eq 200
+          end
+        end
+
+        context "with the incorrect username and password for the write user" do
+          it "does not allow GET" do
+            basic_authorize "write_username", "wrongpassword"
+            get "/"
+            expect(last_response.status).to eq 401
+          end
+        end
+
+        context "with the incorrect username and password for the read user" do
+          it "does not allow GET" do
+            basic_authorize "read_username", "wrongpassword"
+            get "/"
+            expect(last_response.status).to eq 401
+          end
+        end
+
+        context "with a request to the badge URL" do
+          context "with no credentials" do
+            it "allows GET" do
+              get "/pacts/provider/foo/consumer/bar/badge"
+              expect(last_response.status).to eq 200
+            end
+          end
+        end
+
+        context "when there is no read only user configured" do
+          before do
+            allow($stdout).to receive(:puts)
+          end
+
+          let(:read_username) { nil }
+          let(:read_password) { nil }
+
+          context "when allow_public_read_access is false" do
+            context "with no credentials" do
+              it "does not allow a GET" do
+                get "/"
+                expect(last_response.status).to eq 401
+              end
+            end
+
+            context "with empty credentials" do
+              it "does not allow a GET" do
+                basic_authorize("", "")
+                get "/"
+                expect(last_response.status).to eq 401
+              end
+            end
+
+            context "with incorrect credentials" do
+              it "does not allow a GET" do
+                basic_authorize("foo", "bar")
+                get "/"
+                expect(last_response.status).to eq 401
+              end
+            end
+          end
+
+          context "when allow_public_read_access is true" do
+            let(:allow_public_read_access) { true }
+
+            context "with no credentials" do
+              it "allows a GET" do
+                get "/"
+                expect(last_response.status).to eq 200
+              end
+
+              it "does not allow POST" do
+                post "/"
+                expect(last_response.status).to eq 401
+              end
+            end
+
+            context "with empty credentials" do
+              before do
+                basic_authorize("", "")
+              end
+
+              it "allows a GET" do
+                get "/"
+                expect(last_response.status).to eq 200
+              end
+
+              it "does not allow POST" do
+                post "/"
+                expect(last_response.status).to eq 401
+              end
+            end
+
+            context "with incorrect credentials" do
+              before do
+                basic_authorize("foo", "bar")
+              end
+
+              it "allows a GET" do
+                get "/"
+                expect(last_response.status).to eq 200
+              end
+
+              it "does not allow POST" do
+                post "/"
+                expect(last_response.status).to eq 401
+              end
+            end
+          end
+        end
+
+        context "when the credentials are configured with empty strings" do
+          before do
+            basic_authorize("", "")
+          end
+
+          let(:write_username) { "" }
+          let(:write_password) { "" }
+
+          subject { get("/") }
+
+          its(:status) { is_expected.to eq 401 }
+        end
+      end
+    end
+  end
+end

data/spec/lib/pact_broker/api/resources/tag_spec.rb

@@ -4,7 +4,8 @@ module PactBroker
   module Api
     module Resources
       describe Tag do
-        let(:tag) { double("PactBroker::Domain::Tag") }
+        let(:tag) { double("PactBroker::Domain::Tag", version: version) }
+        let(:version) { double("version") }
         let(:tag_decorator) { instance_double("PactBroker::Api::Decorators::TagDecorator", :to_json => tag_json) }
         let(:tag_json) { {"some" => "tag"}.to_json }
         let(:tag_attributes) {
@@ -99,9 +100,10 @@ module PactBroker
             allow_any_instance_of(PactBroker::Api::Resources::Tag).to receive(:tag_url).and_return(tag_url)
             allow(Tags::Service).to receive(:find).and_return(tag)
             allow(PactBroker::Api::Decorators::TagDecorator).to receive(:new).and_return(tag_decorator)
-            allow_any_instance_of(described_class).to receive(:create_deployed_versions_for_tags?).and_return(create_deployed_versions_for_tags)
+            allow(deployed_version_service).to receive(:maybe_create_deployed_version_for_tag).and_return("uuid")
           end
 
+          let(:deployed_version_service) { class_double("PactBroker::Deployments::DeployedVersionService").as_stubbed_const }
           let(:tag_url) { "http://example.org/tag/url"}
           let(:create_deployed_versions_for_tags) { false }
 
@@ -118,12 +120,16 @@ module PactBroker
               expect(last_response.status).to be 200
             end
 
+            it "maybe creates a deployed version" do
+              expect(deployed_version_service).to receive(:maybe_create_deployed_version_for_tag).with(version, "prod")
+              subject
+            end
+
             it "renders the tag" do
               expect(tag_decorator).to receive(:to_json).with(user_options: hash_including(base_url: "http://example.org"))
               subject
               expect(last_response.body).to eq tag_json
             end
-
           end
 
           context "when the tag does not exist" do
@@ -137,6 +143,11 @@ module PactBroker
               subject
             end
 
+            it "maybe creates a deployed version" do
+              expect(deployed_version_service).to receive(:maybe_create_deployed_version_for_tag).with(version, "prod")
+              subject
+            end
+
             it "returns a 201" do
               subject
               expect(last_response.status).to be 201
@@ -148,42 +159,6 @@ module PactBroker
               expect(last_response.body).to eq tag_json
             end
           end
-
-          context "when create_deployed_versions_for_tags is true" do
-            before do
-              allow_any_instance_of(described_class).to receive(:environment_service).and_return(environment_service)
-              allow_any_instance_of(described_class).to receive(:deployed_version_service).and_return(deployed_version_service)
-              allow(environment_service).to receive(:find_by_name).and_return(environment)
-              allow(deployed_version_service).to receive(:next_uuid).and_return("uuid")
-              allow(tag).to receive(:version).and_return(version)
-            end
-            let(:environment_service) { class_double("PactBroker::Environments::Service").as_stubbed_const }
-            let(:deployed_version_service) { class_double("PactBroker::Deployments::DeployedVersionService").as_stubbed_const }
-            let(:environment) { nil }
-            let(:create_deployed_versions_for_tags) { true }
-            let(:version) { double("version") }
-
-            it "looks for a matching environment" do
-              expect(environment_service).to receive(:find_by_name).with("prod")
-              subject
-            end
-
-            context "when the tag name matches an existing environment" do
-              let(:environment) { double("environment") }
-
-              it "creates a deployed version" do
-                expect(deployed_version_service).to receive(:find_or_create).with(anything, version, environment, nil)
-                subject
-              end
-            end
-
-            context "when the tag name does not match an existing environment" do
-              it "does not create a deployed version" do
-                expect_any_instance_of(described_class).to_not receive(:deployed_version_service)
-                subject
-              end
-            end
-          end
         end
       end
     end

data/spec/lib/pact_broker/app_basic_auth_spec.rb

@@ -0,0 +1,122 @@
+require "pact_broker/app"
+require "anyway/testing/helpers"
+
+module PactBroker
+  describe App do
+    include Anyway::Testing::Helpers
+
+    before do
+      allow(PactBroker::DB).to receive(:run_migrations)
+    end
+
+    class TestApp2 < PactBroker::App
+      def configure_database_connection
+        # do nothing so we don't screw up our test connection
+      end
+    end
+
+    around do | example |
+      env_vars = {
+        "PACT_BROKER_BASIC_AUTH_ENABLED" => basic_auth_enabled,
+        "PACT_BROKER_BASIC_AUTH_USERNAME" => basic_auth_username,
+        "PACT_BROKER_BASIC_AUTH_PASSWORD" => basic_auth_password,
+        "PACT_BROKER_BASIC_AUTH_READ_ONLY_USERNAME" => basic_auth_read_only_username,
+        "PACT_BROKER_BASIC_AUTH_READ_ONLY_PASSWORD" => basic_auth_read_only_password,
+        "PACT_BROKER_ALLOW_PUBLIC_READ" => allow_public_read,
+        "PACT_BROKER_ENABLE_PUBLIC_BADGE_ACCESS" => enable_public_badge_access
+      }
+      with_env(env_vars, &example)
+    end
+
+    let(:basic_auth_enabled) { "true" }
+    let(:basic_auth_username) { "user" }
+    let(:basic_auth_password) { "pass" }
+    let(:basic_auth_read_only_username) { "rouser" }
+    let(:basic_auth_read_only_password) { "ropass" }
+    let(:allow_public_read) { "false" }
+    let(:enable_public_badge_access) { "false" }
+
+    let(:app) do
+      TestApp2.new do | configuration |
+        configuration.database_connection = PactBroker::DB.connection
+      end
+    end
+
+    subject { get("/") }
+
+    context "with correct write credentials" do
+      before do
+        basic_authorize "user", "pass"
+      end
+
+      its(:status) { is_expected.to eq 200 }
+    end
+
+    context "with correct read credentials" do
+      before do
+        basic_authorize "rouser", "ropass"
+      end
+
+      its(:status) { is_expected.to eq 200 }
+    end
+
+    context "with incorrect credentials" do
+      before do
+        basic_authorize "wrong", "pass"
+      end
+
+      its(:status) { is_expected.to eq 401 }
+    end
+
+    context "with no credentials" do
+      its(:status) { is_expected.to eq 401 }
+
+      context "when allow_public_read=true" do
+        let(:allow_public_read) { "true" }
+
+        its(:status) { is_expected.to eq 200 }
+      end
+    end
+
+    context "with basic auth enabled but no username or password configured" do
+      before do
+        basic_authorize "", ""
+      end
+
+      let(:basic_auth_username) { "" }
+      let(:basic_auth_password) { "" }
+
+      its(:status) { is_expected.to eq 401 }
+    end
+
+    context "with basic auth disabled" do
+      let(:basic_auth_enabled) { "false" }
+
+      context "with no credentials" do
+        its(:status) { is_expected.to eq 200 }
+      end
+    end
+
+    context "accessing a badge" do
+      before do
+        td.create_pact_with_hierarchy("foo", "1", "bar")
+      end
+
+      subject { get(PactBroker::Api::PactBrokerUrls.badge_url_for_latest_pact(td.and_return(:pact))) }
+
+      its(:status) { is_expected.to eq 401 }
+
+      context "with no basic auth configured" do
+        let(:basic_auth_enabled) { "false" }
+
+        its(:status) { is_expected.to eq 307 }
+      end
+
+      context "with public badge access enabled" do
+        let(:enable_public_badge_access) { "true" }
+
+        its(:status) { is_expected.to eq 307 }
+      end
+    end
+  end
+end