stitches 3.0.0

data/lib/stitches/generator_files/spec/features/api_spec.rb

@@ -0,0 +1,96 @@
+require 'spec_helper.rb'
+
+feature "general API stuff" do
+  scenario "good request" do
+    headers = TestHeaders.new
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response.response_code).to eq(201)
+    expect(JSON.parse(response.body)["ping"]["status"]).to eq("ok")
+  end
+
+  scenario "good request to v2" do
+    headers = TestHeaders.new(version: 2)
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response.response_code).to eq(201)
+    expect(JSON.parse(response.body)["ping"]["status_v2"]).to eq("ok")
+  end
+
+  scenario "good request with custom status" do
+    headers = TestHeaders.new
+    post "/api/ping", {status: 200}.to_json, headers.headers
+
+    expect(response.response_code).to eq(200)
+    expect(JSON.parse(response.body)["ping"]["status"]).to eq("ok")
+  end
+
+  scenario "request with user error" do
+    headers = TestHeaders.new
+    post "/api/ping", {error: "OH NOES!"}.to_json, headers.headers
+
+    expect(response).to have_api_error(code: "test", message: "OH NOES!")
+  end
+
+  scenario "no auth header given" do
+    headers = TestHeaders.new(api_client: nil)
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response).to have_auth_error
+  end
+
+  scenario "weird auth header given" do
+    headers = TestHeaders.new(api_client: ["Basic","foo:bar"])
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response).to have_auth_error
+  end
+
+  scenario "bad key given" do
+    headers = TestHeaders.new(api_client: "foobar")
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response).to have_auth_error
+  end
+
+  scenario "no version" do
+    headers = TestHeaders.new(version: nil)
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response.response_code).to eq(406)
+  end
+
+  scenario "version we don't support" do
+    headers = TestHeaders.new(version: 999)
+    expect {
+      post "/api/ping", {}.to_json, headers.headers
+    }.to raise_error(ActionController::RoutingError)
+  end
+
+  scenario "wrong mime type" do
+    headers = TestHeaders.new(mime_type: "application/foobar")
+    post "/api/ping", {}.to_json, headers.headers
+
+    expect(response.response_code).to eq(406)
+  end
+
+  RSpec::Matchers.define :have_auth_error do
+    match do |response|
+      correct_code,correct_header = evaluate_response(response)
+      correct_code && correct_header
+    end
+
+    failure_message_for_should do
+      correct_code,_ = evaluate_response(response)
+      if correct_code
+        "Expected WWW-Authenticate header to be 'CustomKeyAuth realm=#{Rails.application.class.parent.to_s}', but was #{response['WWW-Authenticate']}"
+      else
+        "Expected response to be 401, but was #{response.response_code}"
+      end
+    end
+
+    def evaluate_response(response)
+      [response.response_code == 401, response.headers["WWW-Authenticate"] == "CustomKeyAuth realm=#{Rails.application.class.parent.to_s}" ]
+    end
+  end
+end

data/lib/stitches/railtie.rb

@@ -0,0 +1,9 @@
+require 'stitches/api_key'
+require 'stitches/valid_mime_type'
+
+module Stitches
+  class Railtie < Rails::Railtie
+    config.app_middleware.use "Stitches::ApiKey"
+    config.app_middleware.use "Stitches::ValidMimeType"
+  end
+end

data/lib/stitches/render_timestamps_in_iso8601_in_json.rb

@@ -0,0 +1,9 @@
+require 'active_support/time_with_zone'
+
+class ActiveSupport::TimeWithZone
+  # We want dates to be a) in UTC and b) in ISO8601 always
+  def as_json(options = {})
+    utc.iso8601
+  end
+end
+

data/lib/stitches/spec.rb

@@ -0,0 +1,4 @@
+require 'stitches/spec/be_iso_8601_utc_encoded'
+require 'stitches/spec/have_api_error'
+require 'stitches/spec/api_clients'
+require 'stitches/spec/test_headers'

data/lib/stitches/spec/api_clients.rb

@@ -0,0 +1,5 @@
+module ApiClients
+  def api_client(name: "test")
+    ::ApiClient.where(name: name).first or ::ApiClient.create!(name: name).reload
+  end
+end

data/lib/stitches/spec/be_iso_8601_utc_encoded.rb

@@ -0,0 +1,10 @@
+RSpec::Matchers.define :be_iso8601_utc_encoded do 
+  match do |string|
+    string =~ /^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d[Zz]$/
+  end
+
+  failure_message_for_should do |string|
+    "'#{string}' doesn't look like a UTC IS8601-encoded date"
+  end
+end
+

data/lib/stitches/spec/have_api_error.rb

@@ -0,0 +1,50 @@
+# Expects a web response to have an error in our given format
+RSpec::Matchers.define :have_api_error do |expected_fields|
+  match do |response|
+    if response.response_code == (expected_fields[:status] || 422)
+      error = extract_error(response,expected_fields)
+      if error
+        expected_code = expected_fields.fetch(:code)
+        expected_message = expected_fields.fetch(:message)
+        error["code"] == expected_code && message_matches(error["message"],expected_message)
+      else
+        false
+      end
+    else
+      false
+    end
+  end
+
+  def extract_error(response,expected_fields)
+    parsed_response = JSON.parse(response.body)
+    parsed_response["errors"].detect { |error|
+      error["code"] == expected_fields.fetch(:code)
+    }
+  end
+
+  def message_matches(message,expected_message)
+    if expected_message.kind_of?(Regexp)
+      message =~ expected_message
+    else
+      message == expected_message
+    end
+  end
+
+  failure_message do |response|
+    if response.response_code != (expected_fields[:status] || 422)
+      "HTTP status was #{response.response_code} and not 422"
+    else
+      error = extract_error(response,expected_fields)
+      if error
+        if error["code"] != expected_fields.fetch(:code)
+          "Expected code to be '#{expected_fields[:code]}', but was '#{error['code']}'"
+        else
+          "Expected message to be '#{expected_fields[:message]}', but was '#{error['message']}'"
+        end
+      else
+        "Could not find an error for code #{expected_fields[:code]} from #{response.body}"
+      end
+    end
+  end
+end
+

data/lib/stitches/spec/test_headers.rb

@@ -0,0 +1,51 @@
+class TestHeaders
+  include ApiClients
+  def initialize(options={})
+    full_mimetype = mime_type(options)
+    @headers = {
+      "Accept"       => full_mimetype,
+      "Content-Type" => full_mimetype,
+    }.tap { |headers|
+      set_authorization_header(headers,options)
+    }
+  end
+
+  def headers
+    @headers
+  end
+
+private
+
+  def mime_type(options)
+    version_number = if options.key?(:version)
+      options.delete(:version)
+    else
+      "1"
+    end
+    version = "; version=#{version_number}" if version_number
+
+    mime_type = if options.key?(:mime_type)
+                  options.delete(:mime_type)
+                else
+                  "application/json"
+                end
+
+    "#{mime_type}#{version}"
+  end
+
+  def set_authorization_header(headers,options)
+    api_client_key = if options.key?(:api_client)
+                       options.delete(:api_client).try(:key)
+                     else
+                       api_client.key
+                     end
+    if api_client_key
+      if api_client_key.kind_of?(Array)
+        headers["Authorization"] = api_client_key.join(" ")
+      else
+        headers["Authorization"] = "CustomKeyAuth key=#{api_client_key}"
+      end
+    end
+  end
+
+end

data/lib/stitches/valid_mime_type.rb

@@ -0,0 +1,32 @@
+require_relative 'whitelisting_middleware'
+module Stitches
+  # A middleware that requires all API calls to be for versioned JSON.  This means that the Accept
+  # header (available to Rack apps as HTTP_ACCEPT) should be like so:
+  #
+  #     application/json; version=1
+  #
+  # This just checks that you've specified some numeric version.  ApiVersionConstraint should be used
+  # to "lock down" the versions you accept.
+  class ValidMimeType < Stitches::WhitelistingMiddleware
+
+  protected
+
+    def do_call(env)
+      accept = String(env["HTTP_ACCEPT"])
+      if accept =~ %r{application/json} && accept =~ %r{version=\d+}
+        @app.call(env)
+      else
+        NotAcceptableResponse.new(accept)
+      end
+    end
+
+    private
+
+    class NotAcceptableResponse < Rack::Response
+      def initialize(accept_header)
+        super("Not Acceptable - '#{accept_header}' didn't have the right mime type or version number. We only accept application/json with a version", 406)
+      end
+    end
+
+  end
+end

data/lib/stitches/version.rb

@@ -0,0 +1,3 @@
+module Stitches
+  VERSION = '3.0.0'
+end

data/lib/stitches/whitelisting_middleware.rb

@@ -0,0 +1,29 @@
+module Stitches
+  # A middleware that will skip its behavior if the path matches a white-listed URL
+  class WhitelistingMiddleware
+    def initialize(app, options={})
+
+      @app           = app
+      @configuration = options[:configuration] ||  Stitches.configuration
+      @except        = options[:except]        || @configuration.whitelist_regexp
+
+      unless @except.nil? || @except.is_a?(Regexp)
+        raise ":except must be a Regexp"
+      end
+    end
+    def call(env)
+      if @except && @except.match(env["PATH_INFO"])
+        @app.call(env)
+      else
+        do_call(env)
+      end
+    end
+
+  protected
+
+    def do_call(env)
+      raise 'subclass must implement'
+    end
+
+  end
+end

data/lib/stitches_norailtie.rb

@@ -0,0 +1,17 @@
+module Stitches
+  def self.configure(&block)
+    block.(configuration)
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+end
+require 'stitches/configuration'
+require 'stitches/render_timestamps_in_iso8601_in_json'
+require 'stitches/error'
+require 'stitches/errors'
+require 'stitches/api_generator'
+require 'stitches/api_version_constraint'
+require 'stitches/api_key'
+require 'stitches/valid_mime_type'

data/spec/api_key_spec.rb

@@ -0,0 +1,200 @@
+require 'spec_helper.rb'
+
+module MyApp
+  class Application
+  end
+end
+
+unless defined? ApiClient
+  class ApiClient
+  end
+end
+
+describe Stitches::ApiKey do
+  let(:app) { double("rack app") }
+  let(:api_clients) {
+    [
+      double(ApiClient, id: 42)
+    ]
+  }
+  
+  before do
+    Stitches.configuration.reset_to_defaults!
+    Stitches.configuration.custom_http_auth_scheme = 'MyAwesomeInternalScheme'
+    fake_rails_app = MyApp::Application.new
+    allow(Rails).to receive(:application).and_return(fake_rails_app)
+    allow(app).to receive(:call).with(env)
+    allow(ApiClient).to receive(:where).and_return(api_clients)
+  end
+
+  subject(:middleware) { described_class.new(app, namespace: "/api") }
+
+  shared_examples "an unauthorized response" do
+    it "returns a 401" do
+      expect(@response.status).to eq(401)
+    end
+    it "sets the proper header" do
+      expect(@response.headers["WWW-Authenticate"]).to eq("MyAwesomeInternalScheme realm=MyApp")
+    end
+    it "stops the call chain preventing anything from happening" do
+      expect(app).not_to have_received(:call)
+    end
+    it "sends a reasonable message" do
+      expect(@response.body).to eq([expected_body])
+    end
+  end
+
+  describe "#call" do
+    context "not in namespace" do
+      context "not whitelisted" do
+        let(:env) {
+          {
+            "PATH_INFO" => "/index/apifoolingyou/home",
+          }
+        }
+
+        before do
+          @response = middleware.call(env)
+        end
+
+        it_behaves_like "an unauthorized response" do
+          let(:expected_body) { "Unauthorized - no authorization header" }
+        end
+      end
+      context "whitelisting" do
+        context "whitelist is explicit in middleware usage" do
+          before do
+            @response = middleware.call(env)
+          end
+          context "passes the whitelist" do
+            subject(:middleware) { described_class.new(app, except: %r{\A/resque\/.*\Z}) }
+            let(:env) {
+              {
+                "PATH_INFO" => "/resque/overview"
+              }
+            }
+            it "calls through to the rest of the chain" do
+              expect(app).to have_received(:call).with(env)
+            end
+          end
+
+          context "fails the whitelist" do
+            subject(:middleware) { described_class.new(app, except: %r{\A/resque\/.*\Z}) }
+            let(:env) {
+              {
+                "PATH_INFO" => "//resque/overview" # subtle
+              }
+            }
+            it_behaves_like "an unauthorized response" do
+              let(:expected_body) { "Unauthorized - no authorization header" }
+            end
+          end
+          context "except: is not given a regexp" do
+            let(:env) {
+              {
+                "PATH_INFO" => "//resque/overview" # subtle
+              }
+            }
+            it "blows up" do
+              expect {
+                described_class.new(app, except: "/resque")
+              }.to raise_error(/must be a Regexp/i)
+            end
+          end
+        end
+        context "whitelist is implicit from the configuration" do
+
+          before do
+            Stitches.configuration.whitelist_regexp = %r{\A/resque/.*\Z}
+            @response = middleware.call(env)
+          end
+
+          context "passes the whitelist" do
+            subject(:middleware) { described_class.new(app) }
+            let(:env) {
+              {
+                "PATH_INFO" => "/resque/overview"
+              }
+            }
+            it "calls through to the rest of the chain" do
+              expect(app).to have_received(:call).with(env)
+            end
+          end
+
+          context "fails the whitelist" do
+            subject(:middleware) { described_class.new(app) }
+            let(:env) {
+              {
+                "PATH_INFO" => "//resque/overview" # subtle
+              }
+            }
+            it_behaves_like "an unauthorized response" do
+              let(:expected_body) { "Unauthorized - no authorization header" }
+            end
+          end
+        end
+      end
+    end
+
+    context "valid key" do
+      let(:env) {
+        {
+          "PATH_INFO" => "/api/ping",
+          "HTTP_AUTHORIZATION" => "MyAwesomeInternalScheme key=foobar",
+        }
+      }
+
+      before do
+        @response = middleware.call(env)
+      end
+      it "calls through to the rest of the chain" do
+        expect(app).to have_received(:call).with(env)
+      end
+
+      it "sets the api_client's ID in the environment" do
+        expect(env[Stitches.configuration.env_var_to_hold_api_client_primary_key]).to eq(api_clients.first.id)
+      end
+    end
+
+    context "unauthorized responses" do
+      before do
+        @response = middleware.call(env)
+        @response.finish
+      end
+      context "invalid key" do
+        let(:env) {
+          {
+            "PATH_INFO" => "/api/ping",
+            "HTTP_AUTHORIZATION" => "MyAwesomeInternalScheme key=foobar",
+          }
+        }
+        let(:api_clients) { [] }
+
+        it_behaves_like "an unauthorized response" do
+          let(:expected_body) { "Unauthorized - key invalid" }
+        end
+      end
+      context "bad authorization type" do
+        let(:env) {
+          {
+            "PATH_INFO" => "/api/ping",
+            "HTTP_AUTHORIZATION" => "foobar",
+          }
+        }
+        it_behaves_like "an unauthorized response" do
+          let(:expected_body) { "Unauthorized - bad authorization type" }
+        end
+      end
+      context "no auth header" do
+        let(:env) {
+          {
+            "PATH_INFO" => "/api/ping",
+          }
+        }
+        it_behaves_like "an unauthorized response" do
+          let(:expected_body) { "Unauthorized - no authorization header" }
+        end
+      end
+    end
+  end
+end