robust_client_socket 0.5.2

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
+
+task default: :test

data/lib/robust_client_socket/configuration.rb

@@ -0,0 +1,67 @@
+module RobustClientSocket
+  module Configuration
+    MIN_KEY_SIZE = 2048
+
+    attr_reader :configuration, :configured
+
+    def configure
+      @configuration ||= ConfigStore.new
+      yield(configuration)
+      validate_keys_security!
+
+      @configured = true
+    end
+
+    def correct_configuration?
+      return false unless configuration.services.is_a?(Hash)
+      return false if configuration.services.empty?
+      return false if configuration.client_name.nil?
+
+      configuration.services.all? do |_, creds|
+        creds.key?(:base_uri) && creds.key?(:public_key)
+      end
+    end
+
+    def configured?
+      !!@configured && correct_configuration?
+    end
+
+    private
+
+    def validate_keys_security!
+      configuration.services.each do |service_name, creds|
+        next unless creds[:public_key]
+
+        key = OpenSSL::PKey::RSA.new(creds[:public_key])
+        key_bits = key.n.num_bits
+
+        if key_bits < MIN_KEY_SIZE
+          raise SecurityError,
+            "RSA key size for #{service_name} (#{key_bits} bits) below minimum (#{MIN_KEY_SIZE} bits)"
+        end
+
+        raise SecurityError, "Invalid public key for #{service_name}" unless key.public?
+      rescue OpenSSL::PKey::RSAError => e
+        raise SecurityError, "Invalid public key for #{service_name}: #{e.message}"
+      end
+    end
+  end
+
+  class ConfigStore
+    attr_reader :services
+    attr_accessor :client_name, :header_name
+
+    def initialize
+      @services = {}
+      @client_name = nil
+    end
+
+    def method_missing(name, *args) # rubocop:disable Style/MissingRespondToMissing
+      if name.end_with?('=')
+        @services[name.to_s.delete_suffix('=').to_sym] = args.first.is_a?(Hash) && args.pop
+      else
+        super
+      end
+    end
+  end
+end

data/lib/robust_client_socket/http/client.rb

@@ -0,0 +1,90 @@
+module RobustClientSocket
+  module HTTP
+    class Client
+      include Helpers
+      include HTTParty
+      include HTTPartyOverrides
+
+      singleton_class.attr_accessor :credentials, :client_name, :header_name
+
+      InsecureConnectionError = Class.new(StandardError)
+      InvalidCredentialsError = Class.new(StandardError)
+
+      class << self
+        def init(credentials:, client_name:, header_name: nil)
+          validate_credentials!(credentials)
+
+          if credentials.fetch(:ssl_verify, false)
+            configure_ssl!(credentials)
+            enforce_https!(credentials)
+          end
+
+          self.credentials = credentials
+          self.client_name = client_name
+          self.header_name = header_name
+
+          base_uri credentials[:base_uri]
+          headers robust_headers
+          configure_timeouts(credentials)
+        end
+
+        private
+
+        def validate_credentials!(credentials)
+          required_keys = [:base_uri, :public_key]
+          missing = required_keys - credentials.keys
+
+          raise InvalidCredentialsError, "Missing keys: #{missing.join(', ')}" if missing.any?
+          raise InvalidCredentialsError, "base_uri cannot be empty" if credentials[:base_uri].to_s.strip.empty?
+          raise InvalidCredentialsError, "public_key cannot be empty" if credentials[:public_key].to_s.strip.empty?
+        end
+
+        def enforce_https!(credentials)
+          return if credentials[:base_uri].start_with?('https://')
+          return unless production?
+
+          raise InsecureConnectionError,
+            "HTTPS required in production. Use https:// instead of #{credentials[:base_uri]}"
+        end
+
+        def configure_ssl!(credentials)
+          default_options.update(
+            verify: true,
+            ssl_version: :TLSv1_2,
+            ciphers: ssl_ciphers(credentials),
+            verify_mode: OpenSSL::SSL::VERIFY_PEER
+          )
+        end
+
+        def ssl_ciphers(credentials)
+          ciphers = credentials.fetch(:ciphers,
+            %w[ECDHE-RSA-AES128-GCM-SHA256
+               ECDHE-RSA-AES256-GCM-SHA384
+               ECDHE-ECDSA-AES128-GCM-SHA256
+               ECDHE-ECDSA-AES256-GCM-SHA384].join(':')
+          )
+
+          return ciphers if ciphers.is_a?(String)
+          return ArgumentError, "Ciphers must be Array or String" unless ciphers.is_a?(Array)
+
+          ciphers.join(':')
+        end
+
+        def configure_timeouts(credentials)
+          default_options.update(
+            timeout: credentials.fetch(:timeout, 10),
+            open_timeout: credentials.fetch(:open_timeout, 5)
+          )
+        end
+
+        def production?
+          if defined? Rails
+            Rails.env.production?
+          else
+            ENV.fetch("RACK_ENV", "development") == 'production'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/robust_client_socket/http/helpers.rb

@@ -0,0 +1,68 @@
+module RobustClientSocket
+  module HTTP
+    module Helpers
+      def self.included(base)
+        base.extend(PrivateClassMethods)
+        base.private_class_method(*PrivateClassMethods.instance_methods(false))
+      end
+    end
+
+    module PrivateClassMethods
+      MIN_KEY_SIZE = 2048
+
+      def robust_headers
+        {
+          'Content-Type' => 'application/json',
+          'Accept' => 'application/json',
+          'User-Agent' => "RobustClientSocket/#{RobustClientSocket::VERSION}"
+        }
+      end
+
+      def secure_token
+        encrypted_data(app_token)
+      end
+
+      def encrypted_data(data)
+        validate_key_security!
+
+        encrypted = rsa_key.public_encrypt(
+          data,
+          OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+        )
+
+        ::Base64.strict_encode64(encrypted)
+      rescue OpenSSL::PKey::RSAError => e
+        raise SecurityError, "Encryption failed: #{e.message}"
+      end
+
+      def rsa_key
+        @rsa_key ||= begin
+          key = OpenSSL::PKey::RSA.new(public_key)
+          raise SecurityError, "Invalid public key" unless key.public?
+          key
+        end
+      end
+
+      def validate_key_security!
+        key_bits = rsa_key.n.num_bits
+
+        if key_bits < MIN_KEY_SIZE
+          raise SecurityError,
+            "RSA key size (#{key_bits} bits) below minimum (#{MIN_KEY_SIZE} bits)"
+        end
+      end
+
+      def public_key
+        credentials[:public_key]
+      end
+
+      def app_token
+        "#{client_name}_#{time_now_in_utc}"
+      end
+
+      def time_now_in_utc
+        Time.now.utc.to_i
+      end
+    end
+  end
+end

data/lib/robust_client_socket/http/httparty_overrides.rb

@@ -0,0 +1,20 @@
+module RobustClientSocket
+  module HTTP
+    # This allows us to set dynamic headers every time we make a request
+    module HTTPartyOverrides
+      DEFAULT_HEADER_NAME = 'Secure-Token'.freeze
+
+      def self.included(base)
+        base.singleton_class.prepend(ClassMethods)
+        base.private_class_method(*ClassMethods.instance_methods(false))
+      end
+
+      module ClassMethods
+        def perform_request(http_method, path, options, &)
+          headers[header_name || DEFAULT_HEADER_NAME] = secure_token
+          super
+        end
+      end
+    end
+  end
+end

data/lib/robust_client_socket.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require_relative 'version'
+require_relative 'robust_client_socket/configuration'
+
+module RobustClientSocket
+  extend RobustClientSocket::Configuration
+
+  module_function
+
+  def load! # rubocop:disable Metrics/AbcSize
+    raise 'You must configure RobustClientSocket first!' unless configured?
+
+    require 'openssl'
+    require 'httparty'
+    require 'base64'
+    require 'oj'
+
+    require_relative 'robust_client_socket/http/httparty_overrides'
+    require_relative 'robust_client_socket/http/helpers'
+    require_relative 'robust_client_socket/http/client'
+
+    configuration.services.each do |key, value|
+      client = Class.new(RobustClientSocket::HTTP::Client)
+      client.init(credentials: value, client_name: configuration.client_name, header_name: configuration.header_name)
+      const_set(key.to_s.split('_').map(&:capitalize).join, client)
+    end
+  end
+end

data/lib/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RobustClientSocket
+  VERSION = '0.5.2'
+end

data/robust_client_socket.gemspec

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "./lib/version.rb"
+
+Gem::Specification.new do |spec|
+  spec.name = "robust_client_socket"
+  spec.version = RobustClientSocket::VERSION
+  spec.authors = ["Taras Zhuk"]
+  spec.email = ["tee0zed@gmail.com"]
+  spec.summary = "Robust Client Socket"
+  spec.description = "Methods that should be used to interact with Robust inner ecosystem."
+  spec.required_ruby_version = ">= 2.7.7"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[features/ .git .circleci Gemfile])
+    end
+  end
+  spec.require_paths = %w[lib config]
+  spec.add_dependency 'oj'
+  spec.add_dependency 'httparty'
+  spec.add_dependency 'rspec'
+  spec.add_dependency 'rake'
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end

data/spec/lib/payrent_client_socket/http/client_spec.rb

@@ -0,0 +1,137 @@
+require 'spec_helper'
+require 'httparty'
+require './lib/version.rb'
+require './lib/robust_client_socket/http/helpers'
+require './lib/robust_client_socket/http/httparty_overrides'
+require './lib/robust_client_socket/http/client'
+
+RSpec.describe RobustClientSocket::HTTP::Client do
+  let(:credentials) do
+    {
+      base_uri: 'https://example.com',
+      public_key: OpenSSL::PKey::RSA.new(2048).public_key.to_s
+    }
+  end
+  let(:client_name) { 'test_client' }
+  let(:header_name) { 'Custom-Token' }
+
+  after(:each) do
+    # Reset HTTParty default_options to avoid test pollution
+    described_class.default_options.delete(:verify)
+    described_class.default_options.delete(:verify_mode)
+    described_class.default_options.delete(:ssl_version)
+    described_class.default_options.delete(:ciphers)
+  end
+
+  describe '.init' do
+    context 'with valid HTTPS credentials' do
+      it 'sets credentials' do
+        described_class.init(credentials: credentials, client_name: client_name)
+        expect(described_class.credentials).to eq(credentials)
+      end
+
+      it 'sets client_name' do
+        described_class.init(credentials: credentials, client_name: client_name)
+        expect(described_class.client_name).to eq(client_name)
+      end
+
+      it 'sets custom header_name' do
+        described_class.init(credentials: credentials, client_name: client_name, header_name: header_name)
+        expect(described_class.header_name).to eq(header_name)
+      end
+
+      it 'sets base_uri' do
+        described_class.init(credentials: credentials, client_name: client_name)
+        expect(described_class.base_uri).to eq('https://example.com')
+      end
+
+      it 'configures SSL verification when ssl_verify is enabled' do
+        ssl_credentials = credentials.merge(ssl_verify: true)
+        described_class.init(credentials: ssl_credentials, client_name: client_name)
+        expect(described_class.default_options[:verify]).to be true
+        expect(described_class.default_options[:verify_mode]).to eq(OpenSSL::SSL::VERIFY_PEER)
+      end
+
+      it 'does not configure SSL verification when ssl_verify is not set' do
+        described_class.init(credentials: credentials, client_name: client_name)
+        expect(described_class.default_options[:verify]).to be_nil
+      end
+    end
+
+    context 'in production with non-HTTPS base_uri and ssl_verify enabled' do
+      let(:http_credentials) { credentials.merge(base_uri: 'http://example.com', ssl_verify: true) }
+
+      before do
+        allow(described_class).to receive(:production?).and_return(true)
+      end
+
+      it 'raises InsecureConnectionError' do
+        expect {
+          described_class.init(credentials: http_credentials, client_name: client_name)
+        }.to raise_error(RobustClientSocket::HTTP::Client::InsecureConnectionError, /HTTPS required in production/)
+      end
+    end
+
+    context 'in production with non-HTTPS base_uri and ssl_verify disabled' do
+      let(:http_credentials) { credentials.merge(base_uri: 'http://example.com', ssl_verify: false) }
+
+      before do
+        allow(described_class).to receive(:production?).and_return(true)
+      end
+
+      it 'allows HTTP when ssl_verify is false' do
+        expect {
+          described_class.init(credentials: http_credentials, client_name: client_name)
+        }.not_to raise_error
+      end
+    end
+
+    context 'in development with HTTP base_uri' do
+      let(:http_credentials) { credentials.merge(base_uri: 'http://example.com') }
+
+      before do
+        allow(described_class).to receive(:production?).and_return(false)
+      end
+
+      it 'allows HTTP' do
+        expect {
+          described_class.init(credentials: http_credentials, client_name: client_name)
+        }.not_to raise_error
+      end
+    end
+  end
+end
+
+RSpec.describe RobustClientSocket::HTTP::Client do
+  describe '.production?' do
+    context 'when Rails is defined' do
+      let(:rails_stub) { double('Rails') }
+      let(:rails_env) { double('env', production?: true) }
+
+      before do
+        stub_const('Rails', rails_stub)
+        allow(rails_stub).to receive(:env).and_return(rails_env)
+      end
+
+      it 'delegates to Rails.production?' do
+        expect(described_class.send(:production?)).to be true
+      end
+    end
+
+    context 'when Rails is not defined' do
+      before do
+        hide_const('Rails') if defined?(Rails)
+      end
+
+      it 'checks RACK_ENV for production' do
+        allow(ENV).to receive(:fetch).with('RACK_ENV', 'development').and_return('production')
+        expect(described_class.send(:production?)).to be true
+      end
+
+      it 'defaults to development' do
+        allow(ENV).to receive(:fetch).with('RACK_ENV', 'development').and_return('development')
+        expect(described_class.send(:production?)).to be false
+      end
+    end
+  end
+end

data/spec/lib/payrent_client_socket.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+require './lib/robust_client_socket.rb'
+
+RSpec.describe RobustClientSocket do
+  describe '.load' do
+    before do
+      RobustClientSocket.configure do |config|
+        config.service_one = {
+          base_uri: 'https://example1.com',
+          public_key: 'public_key'
+        }
+        config.service_two = {
+          base_uri: 'https://example2.com',
+          public_key: 'public_key'
+        }
+      end
+    end
+
+    it 'loads services as separate classes' do
+      RobustClientSocket.load!
+      expect(RobustClientSocket::ServiceOne).to be_a(Class)
+      expect(RobustClientSocket::ServiceTwo).to be_a(Class)
+    end
+
+    it 'loads services with correct base_uri' do
+      RobustClientSocket.load!
+      expect(RobustClientSocket::ServiceOne.base_uri).to eq('https://example1.com')
+      expect(RobustClientSocket::ServiceTwo.base_uri).to eq('https://example2.com')
+    end
+  end
+end

data/spec/lib/robust_client_socket/configuration_spec.rb

@@ -0,0 +1,131 @@
+require 'spec_helper'
+require './lib/robust_client_socket/configuration.rb'
+
+RSpec.describe RobustClientSocket::Configuration do
+  let(:dummy_class) { Class.new { extend RobustClientSocket::Configuration } }
+
+  before { allow(dummy_class).to receive(:correct_configuration?).and_return(true) }
+
+  describe '#configure' do
+    let(:public_key) { OpenSSL::PKey::RSA.generate(2048).public_key.to_pem }
+
+    it 'yields the configuration object to the block' do
+      dummy_class.configure do |config|
+        config.client_name = 'test'
+        config.service = { base_uri: 'https://example.com', public_key: public_key }
+        expect(config).to be_a(RobustClientSocket::ConfigStore)
+      end
+    end
+
+    it 'sets the configured flag to true' do
+      dummy_class.configure do |config|
+        config.client_name = 'test'
+        config.service = { base_uri: 'https://example.com', public_key: public_key }
+      end
+      expect(dummy_class.configured?).to eq(true)
+    end
+
+    context 'with invalid key size' do
+      let(:small_key) { OpenSSL::PKey::RSA.generate(1024).public_key.to_pem }
+
+      it 'raises SecurityError' do
+        expect {
+          dummy_class.configure do |config|
+            config.client_name = 'test'
+            config.service = { base_uri: 'https://example.com', public_key: small_key }
+          end
+        }.to raise_error(SecurityError, /below minimum/)
+      end
+    end
+  end
+
+  describe '#configured?' do
+    let(:public_key) { OpenSSL::PKey::RSA.generate(2048).public_key.to_pem }
+
+    it 'returns false if not configured' do
+      expect(dummy_class.configured?).to eq(false)
+    end
+
+    it 'returns true if configured' do
+      dummy_class.configure do |config|
+        config.client_name = 'test'
+        config.service = { base_uri: 'https://example.com', public_key: public_key }
+      end
+      expect(dummy_class.configured?).to eq(true)
+    end
+  end
+
+  describe '#correct_configuration?' do
+    let(:public_key) { OpenSSL::PKey::RSA.generate(2048).public_key.to_pem }
+
+    before { allow(dummy_class).to receive(:correct_configuration?).and_call_original }
+
+    it 'returns false if services is empty' do
+      dummy_class.configure { |config| }
+      expect(dummy_class.correct_configuration?).to eq(false)
+    end
+
+    it 'returns false if creds is missing base_uri' do
+      dummy_class.configure { |config| config.service = { public_key: public_key } }
+      expect(dummy_class.correct_configuration?).to eq(false)
+    end
+
+    it 'returns false if creds is missing public_key' do
+      dummy_class.configure { |config| config.service = { base_uri: 'base_uri' } }
+      expect(dummy_class.correct_configuration?).to eq(false)
+    end
+
+    it 'returns true if creds is correct' do
+      dummy_class.configure do |config|
+        config.client_name = 'sample'
+        config.service = { base_uri: 'base_uri', public_key: public_key }
+      end
+      expect(dummy_class.correct_configuration?).to eq(true)
+    end
+  end
+end
+
+RSpec.describe RobustClientSocket::ConfigStore do
+  subject(:config_store) { described_class.new }
+
+  it 'has attribute keychain' do
+    config_store.service = { uri: 'uri' }
+    expect(config_store.services).to eq({ service: { uri: 'uri' } })
+  end
+
+  describe '#initialize' do
+    it 'initializes services as empty hash' do
+      expect(config_store.services).to eq({})
+    end
+
+    it 'initializes client_name as nil' do
+      expect(config_store.client_name).to be_nil
+    end
+  end
+
+  describe '#method_missing' do
+    context 'with setter method' do
+      it 'adds service to services hash' do
+        config_store.api_service = { base_uri: 'https://api.example.com', public_key: 'key' }
+        expect(config_store.services[:api_service]).to eq({ base_uri: 'https://api.example.com', public_key: 'key' })
+      end
+
+      it 'rejects non-hash values' do
+        config_store.api_service = 'string_value'
+        expect(config_store.services[:api_service]).to be false
+      end
+    end
+  end
+
+  describe 'accessors' do
+    it 'allows setting client_name' do
+      config_store.client_name = 'test_client'
+      expect(config_store.client_name).to eq('test_client')
+    end
+
+    it 'allows setting header_name' do
+      config_store.header_name = 'Custom-Header'
+      expect(config_store.header_name).to eq('Custom-Header')
+    end
+  end
+end