spree_gladly 1.0.0

data/app/services/auth/authorization_header.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Auth
+  class AuthorizationHeader
+    AUTHORIZATION_HEADER_FORMAT =
+      /\ASigningAlgorithm=([[-a-z0-9]]+), SignedHeaders=([[-a-z0-9;]]+), Signature=([[a-f0-9]]+)\Z/.freeze
+
+    attr_reader :signing_algorithm_name, :signing_algorithm, :signed_headers, :signature
+
+    def initialize(header)
+      match = AUTHORIZATION_HEADER_FORMAT.match(header)
+      raise HeaderParseError, 'Unsupported Gladly-Authorization header format' if match.nil?
+
+      @signing_algorithm_name = match[1]
+      @signing_algorithm = parse_signing_algorithm!(@signing_algorithm_name.gsub('hmac-', ''))
+      @signed_headers = parse_headers!(match[2])
+      @signature = match[3]
+    end
+
+    private
+
+    def parse_signing_algorithm!(value)
+      OpenSSL::Digest.new(value)
+    rescue RuntimeError
+      raise HeaderParseError, "Unsupported signing algorithm (#{value})"
+    end
+
+    def parse_headers!(value)
+      headers = value.split(';')
+      raise HeaderParseError, 'Signed headers should be sorted' unless headers == headers.sort
+
+      headers
+    end
+  end
+end

data/app/services/auth/error.rb

@@ -0,0 +1,4 @@
+module Auth
+  class Error < StandardError
+  end
+end

data/app/services/auth/header_parse_error.rb

@@ -0,0 +1,4 @@
+module Auth
+  class HeaderParseError < Auth::Error
+  end
+end

data/app/services/auth/invalid_signature_error.rb

@@ -0,0 +1,4 @@
+module Auth
+  class InvalidSignatureError < Auth::Error
+  end
+end

data/app/services/auth/missing_key_error.rb

@@ -0,0 +1,4 @@
+module Auth
+  class MissingKeyError < Auth::Error
+  end
+end

data/app/services/auth/request_normalizer.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Auth
+  class RequestNormalizer
+    def initialize(signed_headers)
+      @signed_headers = signed_headers
+    end
+
+    def normalize(request)
+      <<~NORMALIZED.chomp
+        #{request.method}
+        #{request.original_fullpath}
+
+        #{normalize_headers(request.headers)}
+
+        #{normalize_signed_headers}
+        #{normalize_body(request.body.read)}
+      NORMALIZED
+    end
+
+    private
+
+    def normalize_headers(headers)
+      @signed_headers
+        .map { |header| "#{header}:#{headers.fetch(header, '')}" }
+        .join("\n")
+    end
+
+    def normalize_signed_headers
+      @signed_headers.join(';')
+    end
+
+    def normalize_body(body)
+      OpenSSL::Digest.new('sha256').hexdigest(body)
+    end
+  end
+end

data/app/services/auth/signature_validator.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Auth
+  class SignatureValidator
+    def initialize(key = nil, threshold = nil)
+      @key = key
+      @threshold = threshold
+    end
+
+    def validate(request)
+      raise Auth::MissingKeyError, 'Signing Key is not set' unless @key.present?
+
+      authorization_header = authorization_header(request)
+      time_header = time_header(request)
+
+      validate_time!(time_header)
+
+      validate_signature!(request, authorization_header, time_header)
+    end
+
+    private
+
+    def validate_time!(time_header)
+      return true unless @threshold.positive?
+
+      return true if time_header.time + @threshold >= Time.now.utc
+
+      raise Auth::InvalidSignatureError, 'Signature is too old'
+    end
+
+    def validate_signature!(request, authorization_header, time_header)
+      string_to_be_signed = string_to_be_signed(authorization_header, time_header, request)
+      salted_key = OpenSSL::HMAC.digest(authorization_header.signing_algorithm, @key, time_header.date)
+      signature = OpenSSL::HMAC.hexdigest(authorization_header.signing_algorithm, salted_key, string_to_be_signed)
+
+      return true if ActiveSupport::SecurityUtils.secure_compare(signature, authorization_header.signature)
+
+      raise Auth::InvalidSignatureError, 'Signature is incorrect'
+    end
+
+    def string_to_be_signed(authorization_header, time_header, request)
+      [
+        authorization_header.signing_algorithm_name,
+        time_header.timestamp,
+        normalized_request_hash(authorization_header, request)
+      ].join("\n")
+    end
+
+    def authorization_header(request)
+      AuthorizationHeader.new(fetch_header(request, 'Gladly-Authorization'))
+    end
+
+    def time_header(request)
+      TimeHeader.new(fetch_header(request, 'Gladly-Time'))
+    end
+
+    def fetch_header(request, header)
+      request.headers.fetch(header)
+    rescue KeyError
+      raise HeaderParseError, "#{header} header is missing"
+    end
+
+    def normalized_request_hash(authorization_header, request)
+      normalized_request = RequestNormalizer.new(authorization_header.signed_headers).normalize(request)
+      OpenSSL::Digest.new('sha256').hexdigest(normalized_request)
+    end
+  end
+end

data/app/services/auth/time_header.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Auth
+  class TimeHeader
+    TIME_HEADER_FORMAT = /\A(\d{8})T\d{6}Z\Z/.freeze
+    TIME_STRPTIME_FORMAT = '%Y%m%dT%H%M%SZ%Z'
+
+    attr_reader :timestamp, :date, :time
+
+    def initialize(header)
+      match = TIME_HEADER_FORMAT.match(header)
+      raise HeaderParseError, 'Unsupported Gladly-Time header format' if match.nil?
+
+      @timestamp = match[0]
+      @date = match[1]
+      @time = Time.strptime(utc_timestamp, TIME_STRPTIME_FORMAT)
+    end
+
+    private
+
+    def utc_timestamp
+      "#{@timestamp}+0000"
+    end
+  end
+end

data/app/validators/lookup_validator.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+class LookupValidator
+  def call(params)
+    errors = []
+
+    errors += validate_lookup_level(params)
+    errors += validate_unique_match_required(params)
+    errors += validate_query_emails(params)
+    errors += validate_query_phones(params)
+    errors += validate_query_name(params)
+    errors += validate_query_external_customer_id(params)
+
+    ValidationResult.new(errors)
+  end
+
+  private
+
+  def validate_lookup_level(params)
+    lookup_level = params[:lookupLevel]
+
+    return [%i[lookupLevel missing]] if lookup_level.nil?
+    return [%i[lookupLevel invalid]] unless lookup_level =~ /\A(?:basic|detailed)\Z/i
+
+    []
+  end
+
+  def validate_unique_match_required(params)
+    unique_match_required = params[:uniqueMatchRequired]
+
+    return [%i[uniqueMatchRequired missing]] if unique_match_required.nil?
+
+    if detailed_lookup?(params)
+      return [%i[uniqueMatchRequired not_true]] unless unique_match_required.in?([true, 'true'])
+    else
+      return [%i[uniqueMatchRequired invalid]] unless unique_match_required.in?([true, false, 'true', 'false'])
+    end
+
+    []
+  end
+
+  def validate_query_emails(params)
+    emails = params.dig(:query, :emails)
+
+    return [] if emails.nil? || string_or_array_of_strings?(emails)
+
+    [%i[query_emails invalid]]
+  end
+
+  def validate_query_phones(params)
+    phones = params.dig(:query, :phones)
+
+    return [] if phones.nil? || string_or_array_of_strings?(phones)
+
+    [%i[query_phones invalid]]
+  end
+
+  def validate_query_name(params)
+    name = params.dig(:query, :name)
+
+    return [] if name.nil? || nonempty_string?(name)
+
+    [%i[query_name invalid]]
+  end
+
+  def validate_query_external_customer_id(params)
+    id = params.dig(:query, :externalCustomerId)
+
+    return [%i[query_externalCustomerId missing]] if detailed_lookup?(params) && id.nil?
+    return [%i[query_externalCustomerId invalid]] if id.present? && !nonempty_string?(id)
+
+    []
+  end
+
+  def detailed_lookup?(params)
+    params[:lookupLevel] =~ /\Adetailed\Z/i
+  end
+
+  def nonempty_string?(value)
+    value.is_a?(String) && !value.empty?
+  end
+
+  def string_or_array_of_strings?(value)
+    return true if nonempty_string?(value)
+    return true if value.is_a?(Array) && value.all? { |v| nonempty_string?(v) }
+
+    false
+  end
+end

data/app/validators/validation_result.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class ValidationResult
+  attr_reader :errors
+
+  def initialize(errors)
+    @errors = errors
+  end
+
+  def success?
+    errors.empty?
+  end
+
+  def format_errors
+    @errors.map do |error|
+      attr, code = error
+
+      {
+        attr: attr.to_s,
+        code: code.to_s,
+        detail: Spree.t("spree_gladly.errors.#{attr}.#{code}")
+      }
+    end
+  end
+end

data/app/views/spree/admin/gladly_settings/edit.html.erb

@@ -0,0 +1,25 @@
+<% content_for :page_title do %>
+  <%= Spree.t('spree_gladly.settings') %>
+<% end %>
+
+<h1><%= Spree.t('spree_gladly.settings') %></h1>
+
+<%= form_tag(admin_gladly_settings_path, method: :put, id: :gladly_settings_form) do %>
+  <div class="yui-g">
+    <div class="yui-u first">
+      <fieldset>
+        <p>
+          <label><%= Spree.t('spree_gladly.signing_key') %></label><br />
+          <%= text_field_tag('signing_key', @signing_key, size: 46, maxlength: 256, class: 'form-control') %>
+        </p>
+
+        <p>
+          <label><%= Spree.t('spree_gladly.signing_threshold') %></label><br />
+          <%= number_field_tag('signing_threshold', @signing_threshold, min: 1, class: 'form-control') %>
+        </p>
+      </fieldset>
+    </div>
+  </div>
+
+  <p class="form-buttons"><%= button Spree.t('actions.update'), 'save.svg', 'submit', {class: 'btn-success'} %></p>
+<% end %>

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "spree_gladly"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config/locales/en.yml

@@ -0,0 +1,25 @@
+en:
+  spree:
+    spree_gladly:
+      settings: Gladly Settings
+      signing_key: Signing Key
+      signing_threshold: Signing Threshold
+      signing_threshold_error: Signing Threshold should be empty, 0 or positive
+      save_success: Updated Gladly configuration
+      errors:
+        lookupLevel:
+          missing: lookupLevel must be present
+          invalid: lookupLevel must be BASIC or DETAILED
+        uniqueMatchRequired:
+          missing: uniqueMatchRequired must be present
+          invalid: uniqueMatchRequired must be true or false
+          not_true: uniqueMatchRequired must be true for Detailed Lookup
+        query_emails:
+          invalid: query emails must be a nonempty string or an array of nonempty strings
+        query_phones:
+          invalid: query phones must be a nonempty string or an array of nonempty strings
+        query_name:
+          invalid: query name must be a nonempty string
+        query_externalCustomerId:
+          missing: query externalCustomerId must be present for Detailed Lookup
+          invalid: query externalCustomerId must be a nonempty string

data/config/routes.rb

@@ -0,0 +1,13 @@
+Spree::Core::Engine.add_routes do
+  namespace :admin do
+    resource :gladly_settings, only: %i[edit update]
+  end
+
+  namespace :api, defaults: { format: 'json' } do
+    namespace :v1 do
+      resource :customers, only: [] do
+        post :lookup
+      end
+    end
+  end
+end

data/gemfiles/spree_3_0.gemfile

@@ -0,0 +1,16 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails-controller-testing"
+gem "sqlite3", "~> 1.3.6"
+gem "sprockets", "~> 3.7.2"
+gem "spree_core", "~> 3.0.0"
+gem "spree_backend", "~> 3.0.0"
+gem "pg", "~> 0.18"
+gem "factory_girl"
+gem "rails_test_params_backport"
+gem "rubocop"
+gem "sass-rails"
+
+gemspec path: "../"

data/gemfiles/spree_3_1.gemfile

@@ -0,0 +1,16 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails-controller-testing"
+gem "sqlite3", "~> 1.3.6"
+gem "sprockets", "~> 3.7.2"
+gem "spree_core", "~> 3.1.0"
+gem "spree_backend", "~> 3.1.0"
+gem "pg", "~> 0.18"
+gem "factory_girl"
+gem "rails_test_params_backport"
+gem "sass-rails"
+gem "rubocop"
+
+gemspec path: "../"