rack-signature 0.0.8 → 0.1.2

data/test/test_helper.rb

@@ -1,6 +1,65 @@
+# encoding: UTF-8
 require 'minitest/autorun'
 require 'rack/test'
 require 'rack/mock'
 require 'digest/sha2'
 require 'securerandom'
+require 'pathname'
+require 'json'
 require_relative '../lib/rack/signature/test_helpers'
+
+module TestHelper
+  def read_json(filename)
+    datapath.join("#{filename}.json").read
+  end
+
+  def datapath
+    Pathname.new('.').dirname.expand_path.join('test')
+  end
+
+  def sorted_nested_string
+    "company=Datsun&maintenance=false&record[address][street]=123 Here&record[person][age]=22&record[person][area]=everywhere&record[person][name]=John&record[person][occupation][length_of_employment]=12 years&record[person][occupation][name]=Janitor&record[relatives][][parent_siblings]=aunts, uncles&record[relatives][][parent_siblings_children]=cousins&record[relatives][][siblings]=brothers, sisters"
+  end
+
+  def sorted_nested_hash
+      {
+        "company" => "Datsun",
+        "maintenance" => false,
+        "record"  => {
+          "address"   => { "street" => "123 Here" },
+          "person"    => {
+                          "age"         => 22,
+                          "area"        => "everywhere",
+                          "name"        => "John",
+                          "occupation"  => {
+                                            "length_of_employment"  => "12 years",
+                                            "name"                  => "Janitor",
+                          }
+          },
+
+          "relatives" => [
+                          { "parent_siblings"           => "aunts, uncles" },
+                          { "parent_siblings_children"  => "cousins" },
+                          { "siblings"                  => "brothers, sisters" }
+          ]
+        },
+      }
+  end
+
+  def nested_hash
+      { "record" => {
+          "person"    => {"name"        => "John",
+                          "age"         => 22,
+                          "occupation"  => {"name"                  => "Janitor",
+                                            "length_of_employment"  => "12 years"},
+                          "area"        => "everywhere" },
+          "relatives" => [{ "siblings"                  => "brothers, sisters" },
+                          { "parent_siblings"           => "aunts, uncles" },
+                          { "parent_siblings_children"  => "cousins" }],
+          "address"   => { "street" => "123 Here" }
+        },
+        "company" => "Datsun",
+        "maintenance" => false
+      }
+  end
+end

data/test/verify_test.rb

@@ -1,98 +1,278 @@
+# encoding: UTF-8
 require_relative '../lib/rack/signature'
 require 'test_helper'
+require 'active_support/json'
 
-describe "Verifying a signed request" do
+describe "Verifying a signed requests" do
   include Rack::Signature::TestHelpers
-
   TOKEN = ::SecureRandom.hex(8)
-  def setup
-    @klass_options = {klass: DemoClass, method: :get_shared_token, header_token: 'LOCKER-API-KEY'}
-    @uri, @headers, @params, @env, @sig, @msg= setup_request("http://example.com/api/login",
-      {"Content-Type"   => "application/json",
-      "REQUEST_METHOD"  => "POST",
-      "LOCKER-API-KEY"  => '123',
-      input: "password=123456&email=me@home.com&name=me&age=1"
-      }, TOKEN)
+  class DemoClass
+    def self.get_shared_token(token = '')
+      return "1" if token.nil?
+      TOKEN
+    end
+  end
+  let(:klass_options) do
+    {klass: DemoClass, method: :get_shared_token, header_token: 'HTTP_LOCKER_API_KEY', debug: false}
   end
-
   let(:app)             { lambda { |env| [200, {}, ['Hello World']] } }
-  let(:rack_signature)  { Rack::Signature.new(app, @klass_options) }
+  let(:rack_signature)  { Rack::Signature.new(app, klass_options) }
   let(:mock_request)    { Rack::MockRequest.new(rack_signature) }
 
-  class DemoClass
-    def self.get_shared_token(token = '')
-      TOKEN if token
+  describe "when it is a POST via JSON" do
+    let(:uri) { "http://example.com/api/login" }
+    let(:body) do
+      { password: '123456', email: 'me@home.com', name: 'some dude', age: 1 }
     end
-  end
 
-  let(:uri) { @uri }
-  let(:signature) { @sig }
-  let(:headers) { @headers }
-  let(:query_params) { @params }
-  let(:env) { @env }
+    def request_array
+      setup_request(uri, {
+        "CONTENT_TYPE"    => "application/json",
+        "REQUEST_METHOD"  => "POST",
+        "HTTP_LOCKER_API_KEY"  => "123",
+        input: convert_hash_to_string(body)
+      }, TOKEN)
+    end
+    let(:expected_env)    { request_array[:env] }
+    let(:expected_msg)    { request_array[:message] }
+    let(:expected_sig)    { request_array[:signature] }
+
+    describe "a successful JSON POST" do
+      let(:mock_response) do
+        mock_request.post(uri,{
+          "CONTENT_TYPE"    => "application/json",
+          "REQUEST_METHOD"  => "POST",
+          "HTTP_LOCKER_API_KEY"  => "123",
+          "HTTP_X_AUTH_SIG"      => expected_sig,
+          input: convert_hash_to_string(body)
+        })
+      end
 
-  describe "when a request is made without a signature" do
-    before {
-      @response = mock_request.get '/api/login?password=123456&email=me@home.com'
-    }
-    let(:response) { @response }
+      it 'will return a 200 Status' do
+        assert_equal 200, mock_response.status
+      end
 
-    it 'returns a 403 status' do
-      assert_equal 403, response.status
+      it 'will have a response body' do
+        assert_equal 'Hello World', mock_response.body
+      end
+
+      it 'has the correct built message' do
+        received = 'POST/api/loginexample.com{"age":"1","email":"me@home.com","name":"some dude","password":"123456"}'
+        assert_equal received, expected_msg
+      end
     end
 
-    it 'returns "Invalid Signature" as the response body' do
-      assert_equal 'Invalid Signature', response.body
+    describe "when the query string is tampered with during a JSON POST" do
+      let(:mock_response) do
+        mock_request.post(uri,{
+          "CONTENT_TYPE"    => "application/json",
+          "REQUEST_METHOD"  => "POST",
+          "HTTP_LOCKER_API_KEY"  => "123",
+          "HTTP_X_AUTH_SIG"      => expected_sig,
+          input: convert_hash_to_string(body.merge(email: 'attacker@home.com'))
+        })
+      end
+
+      it 'will return a 401 Status' do
+        assert_equal 401, mock_response.status
+      end
+
+      it 'will have a response body denying access' do
+        assert_equal 'Access Denied', mock_response.body
+      end
+
+      it 'has the correct built message' do
+        assert_match "some dude", expected_msg
+      end
+    end
+  end
+
+  describe "when it is a GET via JSON" do
+    let(:uri) { "http://example.com/api/login" }
+    let(:body) do
+      { password: '123456', email: 'me@home.com', name: 'some dude', age: 1 }
+    end
+
+    def request_array
+      setup_request(uri, {
+        "CONTENT_TYPE"    => "application/json",
+        "REQUEST_METHOD"  => "GET",
+        "HTTP_LOCKER_API_KEY"  => "123",
+        "QUERY_STRING"    => convert_hash_to_string(body)
+      }, TOKEN)
+    end
+    let(:expected_env)    { request_array[:env] }
+    let(:expected_msg)    { request_array[:message] }
+    let(:expected_sig)    { request_array[:signature] }
+
+    describe "a successful JSON GET request" do
+      let(:mock_response) do
+        mock_request.post(uri,{
+          "CONTENT_TYPE"    => "application/json",
+          "REQUEST_METHOD"  => "GET",
+          "HTTP_LOCKER_API_KEY"  => "123",
+          "QUERY_STRING"    => convert_hash_to_string(body),
+          "HTTP_X_AUTH_SIG"      => expected_sig
+        })
+      end
+
+      it 'will return a 200 Status' do
+        assert_equal 200, mock_response.status
+      end
+
+      it 'will have a response body' do
+        assert_equal 'Hello World', mock_response.body
+      end
+
+      it 'has the correct built message' do
+        assert_match "some dude", expected_msg
+      end
     end
 
-    it 'returns the correct header' do
-      expected_header = {"Content-Type"=>"text/html", "Content-Length"=>"17"}
-      assert_equal expected_header, response.header
+    describe "when the query string is tampered with during a JSON GET request" do
+      let(:mock_response) do
+        mock_request.post(uri,{
+          "CONTENT_TYPE"    => "application/json",
+          "REQUEST_METHOD"  => "GET",
+          "HTTP_LOCKER_API_KEY"  => "123",
+          "QUERY_STRING"    => convert_hash_to_string(body.merge(password: 654321)),
+          "HTTP_X_AUTH_SIG"      => expected_sig
+        })
+      end
+
+      it 'will return a 401 Status' do
+        assert_equal 401, mock_response.status
+      end
+
+      it 'will have a response body denying access' do
+        assert_equal 'Access Denied', mock_response.body
+      end
+
+      it 'has the correct built message' do
+        assert_match "some dude", expected_msg
+      end
     end
   end
 
-  describe "when a requests is sent with a valid signature" do
-    let(:response) do
-      mock_request.post(uri,
-        "Content-Type"    => "application/json",
+  describe "when using unicode json with ActiveSupport involvement" do
+    let(:uri) { "http://example.com/api/register" }
+    let(:body) do
+      { password: '123456', email: "namệ@hõmệ.com", name: "sõmệ dưdệ:", age: 1 }
+    end
+
+    def request_array
+      setup_request(uri, {
+        "CONTENT_TYPE"    => "application/json; charset=utf-8",
         "REQUEST_METHOD"  => "POST",
-        "LOCKER-API-KEY"  => '123',
-        "X-Auth-Sig"      => signature,
-        input: "password=123456&email=me@home.com&name=me&age=1")
+        input: ActiveSupport::JSON.encode(body)
+      }, "1")
+    end
+    let(:expected_env)    { request_array[:env] }
+    let(:expected_msg)    { request_array[:message] }
+    let(:expected_sig)    { request_array[:signature] }
+    let(:expected_key)    { request_array[:key] }
+
+    let(:mock_response) do
+      mock_request.post(uri,{
+        "CONTENT_TYPE"    => "application/json; charset=utf-8",
+        "REQUEST_METHOD"  => "POST",
+        "HTTP_X_AUTH_SIG" => expected_sig,
+        input: ActiveSupport::JSON.encode(body)
+      })
     end
 
     it 'will return a 200 status' do
-      assert_equal 200, response.status
+      assert_equal 200, mock_response.status
     end
 
-    it 'will call the next rack app' do
-      assert_equal 'Hello World', response.body
+    it 'will have a response body' do
+      assert_equal 'Hello World', mock_response.body
+    end
+
+    it 'has the correct built message' do
+      assert_equal "POST/api/registerexample.com{\"age\":1,\"email\":\"namệ@hõmệ.com\",\"name\":\"sõmệ dưdệ:\",\"password\":\"123456\"}", expected_msg
     end
   end
 
+  describe "when using unicode json without ActiveSupport involvement" do
+    let(:uri) { "http://example.com/api/register" }
+    let(:body) do
+      { password: '123456', email: "namệ@hõmệ.com", name: "sõmệ dưdệ:", age: 1 }
+    end
 
-  describe "when a requests is sent with a tampered signature" do
-    let(:response) do
-      mock_request.post(uri,
-        {"Content-Type"   => "application/json",
+    def request_array
+      setup_request(uri, {
+        "CONTENT_TYPE"    => "application/json; charset=utf-8",
         "REQUEST_METHOD"  => "POST",
-        "LOCKER-API-KEY"  => '123',
-        "X-Auth-Sig"      => signature,
-        input: "password=1234567&email=me@home.com&name=me&age=1"})
+        input: body.to_json
+      }, "1")
     end
+    let(:expected_env)    { request_array[:env] }
+    let(:expected_msg)    { request_array[:message] }
+    let(:expected_sig)    { request_array[:signature] }
+    let(:expected_key)    { request_array[:key] }
 
-    it 'returns a 403 status' do
-      assert_equal 403, response.status
+    let(:mock_response) do
+      mock_request.post(uri,{
+        "CONTENT_TYPE"    => "application/json; charset=utf-8",
+        "REQUEST_METHOD"  => "POST",
+        "HTTP_X_AUTH_SIG" => expected_sig,
+        input: body.to_json
+      })
     end
 
-    it 'returns "Invalid Signature" as the response body' do
-      assert_equal 'Invalid Signature', response.body
+    it 'will return a 200 status' do
+      assert_equal 200, mock_response.status
+    end
+
+    it 'will have a response body' do
+      assert_equal 'Hello World', mock_response.body
     end
 
-    it 'returns the correct header' do
-      expected_header = {"Content-Type"=>"text/html", "Content-Length"=>"17"}
-      assert_equal expected_header, response.header
+    it 'has the correct built message' do
+      assert_equal "POST/api/registerexample.com{\"age\":1,\"email\":\"namệ@hõmệ.com\",\"name\":\"sõmệ dưdệ:\",\"password\":\"123456\"}", expected_msg
     end
   end
 
+  describe "when there is not token" do
+    let(:uri) { "http://example.com/api/register" }
+    let(:body) do
+      { password: '123456', email: 'me@home.com', name: 'some dude', age: 1 }
+    end
+
+    def request_array
+      setup_request(uri, {
+        "CONTENT_TYPE"    => "application/json",
+        "REQUEST_METHOD"  => "POST",
+        "QUERY_STRING"    => convert_hash_to_string(body)
+      }, "1")
+    end
+    let(:expected_env)    { request_array[:env] }
+    let(:expected_msg)    { request_array[:message] }
+    let(:expected_sig)    { request_array[:signature] }
+    let(:expected_key)    { request_array[:key] }
+
+    describe "when no token is required, but the request must still be signed" do
+      let(:mock_response) do
+        mock_request.post(uri,{
+          "CONTENT_TYPE"    => "application/json",
+          "REQUEST_METHOD"  => "POST",
+          "QUERY_STRING"    => convert_hash_to_string(body),
+          "HTTP_X_AUTH_SIG" => expected_sig
+        })
+      end
+
+      it 'will return a 200 status' do
+        assert_equal 200, mock_response.status
+      end
+
+      it 'will have a response body' do
+        assert_equal 'Hello World', mock_response.body
+      end
+
+      it 'has the correct built message' do
+        assert_equal "POST/api/registerexample.comage=1&email=me@home.com&name=some dude&password=123456", expected_msg
+      end
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-signature
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.1.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-12-13 00:00:00.000000000 Z
+date: 2013-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -75,6 +75,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: active_support
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Rack Middleware for verifying signed requests
 email:
 - robert@codewranglers.org
@@ -90,13 +106,22 @@ files:
 - Rakefile
 - lib/rack/signature.rb
 - lib/rack/signature/build_message.rb
+- lib/rack/signature/build_post_body.rb
+- lib/rack/signature/deep_merge.rb
 - lib/rack/signature/hmac_signature.rb
+- lib/rack/signature/sort_query_params.rb
 - lib/rack/signature/test_helpers.rb
 - lib/rack/signature/verify.rb
 - lib/rack/signature/version.rb
 - rack-signature.gemspec
+- test/array_of_hashes.json
 - test/build_message_test.rb
+- test/build_post_body_test.rb
+- test/data.json
+- test/deep_merge_test.rb
 - test/hmac_signature_test.rb
+- test/ordered_json_data.json
+- test/sort_query_params_test.rb
 - test/test_helper.rb
 - test/verify_test.rb
 homepage: ''
@@ -119,13 +144,18 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: Rack Middleware for verifying signed requests
 test_files:
+- test/array_of_hashes.json
 - test/build_message_test.rb
+- test/build_post_body_test.rb
+- test/data.json
+- test/deep_merge_test.rb
 - test/hmac_signature_test.rb
+- test/ordered_json_data.json
+- test/sort_query_params_test.rb
 - test/test_helper.rb
 - test/verify_test.rb
-has_rdoc: