RubyGems - rack-restrict_access - Versions diffs - 0.0.1 - Mend

rack-restrict_access 0.0.1

Files changed (16) hide show

checksums.yaml +7 -0
data/.gitignore +17 -0
data/Gemfile +4 -0
data/LICENSE.txt +22 -0
data/README.md +177 -0
data/Rakefile +1 -0
data/lib/rack/restrict_access.rb +313 -0
data/lib/rack/restrict_access/version.rb +5 -0
data/rack-restrict_access.gemspec +29 -0
data/spec/allow_filter_spec.rb +54 -0
data/spec/block_filter_spec.rb +82 -0
data/spec/filter_spec.rb +392 -0
data/spec/restrict_access_spec.rb +311 -0
data/spec/restrict_filter_spec.rb +175 -0
data/spec/spec_helper.rb +2 -0
metadata +179 -0

data/spec/restrict_access_spec.rb ADDED Viewed

@@ -0,0 +1,311 @@
+require 'spec_helper'
+describe Rack::RestrictAccess do
+  describe "initialize" do
+    it "should save the app as an instance variable" do
+      fake_app = double("app")
+      rs = Rack::RestrictAccess.new(fake_app)
+      expect(rs.instance_variable_get(:@app)).to eq(fake_app)
+    end
+    it "should set default @options" do
+      fake_app = double("app")
+      rs = Rack::RestrictAccess.new(fake_app)
+      expect(rs.instance_variable_get(:@options)).to eq({enabled: true, auth: true})
+    end
+    it "should execute block if given" do
+      expect_any_instance_of(Rack::RestrictAccess).to receive(:some_method)
+      fake_app = double("app")
+      Rack::RestrictAccess.new(fake_app) do
+        some_method
+      end
+    end
+  end
+  describe "options" do
+    it "should override current options" do
+      fake_app = double("app")
+      rs = Rack::RestrictAccess.new(fake_app) do
+        options auth: false
+      end
+      expect(rs.instance_variable_get(:@options)).to eq({enabled: true, auth: false})
+    end
+  end
+  describe "block" do
+    let (:fake_app) { double("app") }
+    it "should add a BlockFilter to block_filters" do
+      rs1 = Rack::RestrictAccess.new(fake_app)
+      expect(rs1.send(:block_filters)).to be_empty
+      rs1.block do
+      end
+      expect(rs1.send(:block_filters).length).to eq(1)
+      expect(rs1.send(:block_filters).all? {|f| f.is_a? Rack::RestrictAccess::BlockFilter }).to be true
+      rs2 = Rack::RestrictAccess.new(fake_app) do
+        block do
+        end
+      end
+      expect(rs2.send(:block_filters).length).to eq(1)
+      expect(rs2.send(:block_filters).all? {|f| f.is_a? Rack::RestrictAccess::BlockFilter }).to be true
+    end
+    it "should call given block on new BlockFilter" do
+      expect_any_instance_of(Rack::RestrictAccess::BlockFilter).to receive(:bogus_method)
+      Rack::RestrictAccess.new(fake_app) do
+        block do
+          bogus_method
+        end
+      end
+    end
+    it "should continue to add BlockFilters to block_filters if called repeatedly" do
+      rs = Rack::RestrictAccess.new(fake_app)
+      expect(rs.send(:block_filters)).to be_empty
+      rs.block do
+      end
+      expect(rs.send(:block_filters).length).to eq(1)
+      expect(rs.send(:block_filters).all? {|f| f.is_a? Rack::RestrictAccess::BlockFilter }).to be true
+      rs.block do
+      end
+      expect(rs.send(:block_filters).length).to eq(2)
+      expect(rs.send(:block_filters).all? {|f| f.is_a? Rack::RestrictAccess::BlockFilter }).to be true
+    end
+  end
+  describe "restrict" do
+    let (:fake_app) { double("app") }
+    it "should add a RestrictFilter to restrict_filters" do
+      rs1 = Rack::RestrictAccess.new(fake_app)
+      expect(rs1.send(:restrict_filters)).to eq([])
+      rs1.restrict do
+      end
+      expect(rs1.send(:restrict_filters).length).to eq(1)
+      expect(rs1.send(:restrict_filters).all? {|f| f.is_a? Rack::RestrictAccess::RestrictFilter }).to be true
+      rs2 = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+        end
+      end
+      expect(rs2.send(:restrict_filters).length).to eq(1)
+      expect(rs2.send(:restrict_filters).all? {|f| f.is_a? Rack::RestrictAccess::RestrictFilter }).to be true
+    end
+    it "should call given block on new RestrictFilter" do
+      expect_any_instance_of(Rack::RestrictAccess::RestrictFilter).to receive(:bogus_method)
+      Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          bogus_method
+        end
+      end
+    end
+    it "should continue to add RestrictFilters to restrict_filters if called repeatedly" do
+      rs = Rack::RestrictAccess.new(fake_app)
+      expect(rs.send(:restrict_filters)).to be_empty
+      rs.restrict do
+      end
+      expect(rs.send(:restrict_filters).length).to eq(1)
+      expect(rs.send(:restrict_filters).all? {|f| f.is_a? Rack::RestrictAccess::RestrictFilter }).to be true
+      rs.restrict do
+      end
+      expect(rs.send(:restrict_filters).length).to eq(2)
+      expect(rs.send(:restrict_filters).all? {|f| f.is_a? Rack::RestrictAccess::RestrictFilter }).to be true
+    end
+  end
+  describe "call" do
+    let(:fake_app) { double("app") }
+    it "should allow access by default" do
+      rs = Rack::RestrictAccess.new(fake_app)
+      expect(rs.send(:block_filters)).to eq([])
+      expect(rs.send(:allow_filters)).to eq([])
+      expect(rs.send(:restrict_filters)).to eq([])
+      expect(fake_app).to receive(:call).and_return([200, {"Content-Type" => "text/html"}, ["body"]])
+      expect(rs.call({})).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+    end
+    it "should block access when a BlockFilter applies to given path" do
+      env = {'PATH_INFO' => '/admin'}
+      rs = Rack::RestrictAccess.new(fake_app) do
+        block do
+          resources '/admin'
+        end
+      end
+      expect(rs.call(env)).to eq([403, {"Content-Type" => "text/html"}, ["<h1>Forbidden</h1>"]])
+      rs2 = Rack::RestrictAccess.new(fake_app) do
+        block do
+          all_resources!
+        end
+      end
+      expect(rs2.call(env)).to eq([403, {"Content-Type" => "text/html"}, ["<h1>Forbidden</h1>"]])
+    end
+    it "should block access when a BlockFilter applies to origin ip" do
+      env = {'REMOTE_ADDR' => '192.168.0.1'}
+      rs = Rack::RestrictAccess.new(fake_app) do
+        block do
+          origin_ips '192.168.0.1'
+        end
+      end
+      expect(rs.call(env)).to eq([403, {"Content-Type" => "text/html"}, ["<h1>Forbidden</h1>"]])
+    end
+    it "should restrict access when a RestrictFilter applies to given path" do
+      env = {'PATH_INFO' => '/admin'}
+      rs = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          resources '/admin'
+          credentials username: 'admin', password: 'pass'
+        end
+      end
+      expect(rs.call(env)).to eq([401, {"Content-Type"=>"text/plain", "Content-Length"=>"0", "WWW-Authenticate"=>"Basic realm=\"\""}, []])
+    end
+    it "should restrict access when a RestrictFilter applies to origin ip" do
+      env = {'REMOTE_ADDR' => '192.168.0.1'}
+      rs = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          origin_ips '192.168.0.1'
+          credentials username: 'admin', password: 'pass'
+        end
+      end
+      expect(rs.call(env)).to eq([401, {"Content-Type"=>"text/plain", "Content-Length"=>"0", "WWW-Authenticate"=>"Basic realm=\"\""}, []])
+    end
+    it "should not restrict access when RestrictFilter does not have any credentials to compare" do
+      env = {"PATH_INFO" => "/admin"}
+      rs = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          all_resources!
+        end
+      end
+      expect(fake_app).to receive(:call).with(env).and_return([200, {"Content-Type" => "text/html"}, ["body"]])
+      expect(rs.call(env)).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+    end
+    it "shoud not restrict access when @options[:auth_enabled] is not true" do
+      env = {"PATH_INFO" => "/admin"}
+      rs = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          all_resources!
+        end
+      end
+      expect(fake_app).to receive(:call).and_return([200, {"Content-Type" => "text/html"}, ["body"]])
+      expect(rs.call(env)).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+    end
+    it "should allow access when an AllowFilter applies to given path" do
+      env = {"PATH_INFO" => "/admin"}
+      expect(fake_app).to receive(:call).with(env).exactly(2).times.and_return([200, {"Content-Type" => "text/html"}, ["body"]])
+      rs1 = Rack::RestrictAccess.new(fake_app) do
+        block do
+          all_resources!
+        end
+        restrict do
+          all_resources!
+        end
+        allow do
+          resources "/admin"
+        end
+      end
+      expect(rs1.call(env)).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+      rs2 = Rack::RestrictAccess.new(fake_app) do
+        block do
+          all_resources!
+        end
+        restrict do
+          all_resources!
+        end
+        allow do
+          all_resources!
+        end
+      end
+      expect(rs2.call(env)).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+    end
+    it "should allow access when an AllowFilter applies to origin ip" do
+      env = {"REMOTE_ADDR" => "192.168.0.1"}
+      expect(fake_app).to receive(:call).with(env).and_return([200, {"Content-Type" => "text/html"}, ["body"]])
+      rs1 = Rack::RestrictAccess.new(fake_app) do
+        block do
+          all_resources!
+        end
+        restrict do
+          all_resources!
+        end
+        allow do
+          origin_ips "192.168.0.1"
+        end
+      end
+      expect(rs1.call(env)).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+    end
+    it "should follow the following precedence: AllowFilters > BlockFilters > RestrictFilters" do
+      env = {"REMOTE_ADDR" => "192.168.0.1", "PATH_INFO" => "/admin"}
+      success_response = [200, {"Content-Type" => "text/html"}, ["body"]]
+      blocked_response = [403, {"Content-Type" => "text/html"}, ["<h1>Forbidden</h1>"]]
+      restricted_response = [401, {"Content-Type"=>"text/plain", "Content-Length"=>"0", "WWW-Authenticate"=>"Basic realm=\"\""}, []]
+      expect(fake_app).to receive(:call).with(env).exactly(1).times.and_return(success_response)
+      allow_rs = Rack::RestrictAccess.new(fake_app) do
+        block do
+          all_resources!
+        end
+        restrict do
+          all_resources!
+        end
+        allow do
+          all_resources!
+        end
+      end
+      expect(allow_rs.call(env)).to eq(success_response)
+      block_rs = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          all_resources!
+        end
+        block do
+          all_resources!
+        end
+      end
+      expect(block_rs.call(env)).to eq(blocked_response)
+      restrict_rs = Rack::RestrictAccess.new(fake_app) do
+        restrict do
+          all_resources!
+          credentials username: 'user', password: '123'
+        end
+      end
+      expect(restrict_rs.call(env)).to eq(restricted_response)
+    end
+    it "should allow access if @options[:enabled] is false" do
+      rs = Rack::RestrictAccess.new(fake_app) do
+        options enabled: false
+        block do
+          all_resources!
+        end
+      end
+      expect(rs.instance_variable_get(:@options)[:enabled]).to be false
+      expect(fake_app).to receive(:call).and_return([200, {"Content-Type" => "text/html"}, ["body"]])
+      expect(rs.call({})).to eq([200, {"Content-Type" => "text/html"}, ["body"]])
+    end
+  end
+end

data/spec/restrict_filter_spec.rb ADDED Viewed

@@ -0,0 +1,175 @@
+require 'spec_helper'
+describe Rack::RestrictAccess::RestrictFilter do
+  it "should inherit from Filter" do
+    expect(Rack::RestrictAccess::RestrictFilter.superclass).to eq(Rack::RestrictAccess::Filter)
+  end
+  describe "initialize" do
+    it "should set defaults" do
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new
+      expect(restrict_filter.instance_variable_get(:@ips)).to eq([])
+      expect(restrict_filter.instance_variable_get(:@resources)).to eq([])
+      expect(restrict_filter.instance_variable_get(:@credentials)).to eq([])
+    end
+  end
+  describe "credentials" do
+    it "should do nothing if given no arguments" do
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials
+      end
+      expect(restrict_filter.instance_variable_get(:@credentials))
+        .to eq([])
+    end
+    it "should save hash of username password pair to @credentials" do
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials(username: 'admin', password: 'pass123')
+      end
+      expect(restrict_filter.instance_variable_get(:@credentials))
+        .to eq([{username: /^admin$/, password: /^pass123$/}])
+    end
+    it "should accept regexp values" do
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials(username: /admin$/, password: /^pass/)
+      end
+      expect(restrict_filter.instance_variable_get(:@credentials))
+        .to eq([{username: /admin$/, password: /^pass/}])
+    end
+    it "should handle multiple hashes" do
+      creds1 = {username: 'u1', password: 'pass1'}
+      creds2 = {username: 'u2', password: 'pass2'}
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials creds1, creds2
+      end
+      expect(restrict_filter.instance_variable_get(:@credentials))
+        .to eq([{username: /^u1$/, password: /^pass1$/}, {username: /^u2$/, password: /^pass2$/}])
+    end
+    it "should handle an array of hashes" do
+      cred_hashes = []
+      cred_hashes << {username: 'u1', password: 'pass1'}
+      cred_hashes << {username: /u2/, password: /pass2/}
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials cred_hashes
+      end
+      expect(restrict_filter.instance_variable_get(:@credentials))
+        .to eq([{username: /^u1$/, password: /^pass1$/}, {username: /u2/, password: /pass2/}])
+    end
+    it "should handle delimited strings" do
+      simple_string = 'uname,pass'
+      restrict_filter1 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials simple_string
+      end
+      expect(restrict_filter1.instance_variable_get(:@credentials))
+        .to eq([{username: /^uname$/, password: /^pass$/}])
+      longer_string = 'user1,pass1;user2,pass2'
+      restrict_filter2 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials longer_string
+      end
+      expect(restrict_filter2.instance_variable_get(:@credentials))
+        .to eq([{username: /^user1$/, password: /^pass1$/}, {username: /^user2$/, password: /^pass2$/}])
+      complex_string = 'username1:password1 | username2 : password2|username3:password3'
+      restrict_filter3 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials complex_string, credentials_delimiter: /\s*:\s*/, credential_pair_delimiter: /\s*\|\s*/
+      end
+      expect(restrict_filter3.instance_variable_get(:@credentials))
+        .to eq([{username: /^username1$/, password: /^password1$/}, {username: /^username2$/, password: /^password2$/}, {username: /^username3$/, password: /^password3$/}])
+    end
+    it "should handle multiple delimited strings" do
+      simple_string = 'uname,pass'
+      longer_string = 'user1,pass1;user2,pass2'
+      longest_string = 'username1,password1;username2,password2;username3,password3'
+      restrict_filter3 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials simple_string, longer_string, longest_string
+      end
+      expect(restrict_filter3.instance_variable_get(:@credentials))
+        .to eq([{username: /^uname$/, password: /^pass$/},
+          {username: /^user1$/, password: /^pass1$/}, {username: /^user2$/, password: /^pass2$/},
+          {username: /^username1$/, password: /^password1$/}, {username: /^username2$/, password: /^password2$/}, {username: /^username3$/, password: /^password3$/}])
+    end
+    it "should handle an array of delimited strings and/or hashes" do
+      arr = []
+      arr << 'uname,pass'
+      arr << 'user1,pass1;user2,pass2'
+      arr << 'username1,password1;username2,password2;username3,password3'
+      restrict_filter3 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials arr
+      end
+      expect(restrict_filter3.instance_variable_get(:@credentials))
+        .to eq([{username: /^uname$/, password: /^pass$/},
+          {username: /^user1$/, password: /^pass1$/}, {username: /^user2$/, password: /^pass2$/},
+          {username: /^username1$/, password: /^password1$/}, {username: /^username2$/, password: /^password2$/}, {username: /^username3$/, password: /^password3$/}])
+    end
+    it "should handle multiple arrays of delimited strings/hashes" do
+      arr1 = []
+      arr1 << 'uname,pass'
+      arr1 << 'user1,pass1;user2,pass2'
+      arr1 << 'username1,password1;username2,password2;username3,password3'
+      arr2 = []
+      arr2 << 'uname2,pass2'
+      arr2 << 'user21,pass21;user22,pass22'
+      arr2 << 'username21,password21;username22,password22;username23,password23'
+      restrict_filter3 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials arr1, arr2
+      end
+      expect(restrict_filter3.instance_variable_get(:@credentials))
+        .to eq([{username: /^uname$/, password: /^pass$/},
+          {username: /^user1$/, password: /^pass1$/}, {username: /^user2$/, password: /^pass2$/},
+          {username: /^username1$/, password: /^password1$/}, {username: /^username2$/, password: /^password2$/}, {username: /^username3$/, password: /^password3$/},
+          {username: /^uname2$/, password: /^pass2$/},
+          {username: /^user21$/, password: /^pass21$/}, {username: /^user22$/, password: /^pass22$/},
+          {username: /^username21$/, password: /^password21$/}, {username: /^username22$/, password: /^password22$/}, {username: /^username23$/, password: /^password23$/}])
+    end
+    it "should continue to add to @credentials if called repeatedly" do
+      arr1 = []
+      arr1 << 'uname,pass'
+      arr1 << 'user1,pass1;user2,pass2'
+      arr1 << 'username1,password1;username2,password2;username3,password3'
+      arr2 = []
+      arr2 << 'uname2,pass2'
+      arr2 << 'user21,pass21;user22,pass22'
+      arr2 << 'username21,password21;username22,password22;username23,password23'
+      restrict_filter3 = Rack::RestrictAccess::RestrictFilter.new do
+        credentials arr1
+      end
+      restrict_filter3.credentials arr2
+      expect(restrict_filter3.instance_variable_get(:@credentials))
+        .to eq([{username: /^uname$/, password: /^pass$/},
+          {username: /^user1$/, password: /^pass1$/}, {username: /^user2$/, password: /^pass2$/},
+          {username: /^username1$/, password: /^password1$/}, {username: /^username2$/, password: /^password2$/}, {username: /^username3$/, password: /^password3$/},
+          {username: /^uname2$/, password: /^pass2$/},
+          {username: /^user21$/, password: /^pass21$/}, {username: /^user22$/, password: /^pass22$/},
+          {username: /^username21$/, password: /^password21$/}, {username: /^username22$/, password: /^password22$/}, {username: /^username23$/, password: /^password23$/}])
+    end
+  end
+  describe "credentials_match?" do
+    it "should return true if @credentials contains given username, password pair" do
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials({username: 'admin1', password: 'hard_to_guess'}, {username: 'admin2', password: 'hard_to_guess2'})
+      end
+      expect(restrict_filter.credentials_match?(username: 'admin2', password: 'hard_to_guess2')).to be true
+    end
+    it "should return false if @credentials does not contain given username, password pair" do
+      restrict_filter = Rack::RestrictAccess::RestrictFilter.new do
+        credentials(username: 'admin1', password: 'hard_to_guess')
+      end
+      expect(restrict_filter.credentials_match?(username: 'adminfalse', password: 'hard_to_guess2')).to be false
+      expect(restrict_filter.credentials_match?(username: 'admin2', password: '')).to be false
+    end
+  end
+end