stitches 4.0.0 → 4.2.0.RC1

data/lib/stitches/api_key.rb

@@ -25,12 +25,12 @@ module Stitches
     def do_call(env)
       authorization = env["HTTP_AUTHORIZATION"]
       if authorization
-        if authorization =~ /#{@configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
+        if authorization =~ /#{configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
           key = $1
-          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key)
+          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key, configuration)
           if client.present?
-            env[@configuration.env_var_to_hold_api_client_primary_key] = client.id
-            env[@configuration.env_var_to_hold_api_client] = client
+            env[configuration.env_var_to_hold_api_client_primary_key] = client.id
+            env[configuration.env_var_to_hold_api_client] = client
             @app.call(env)
           else
             unauthorized_response("key invalid")
@@ -59,7 +59,7 @@ module Stitches
     def unauthorized_response(reason)
       status = 401
       body = "Unauthorized - #{reason}"
-      header = { "WWW-Authenticate" => "#{@configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
+      header = { "WWW-Authenticate" => "#{configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
       Rack::Response.new(body, status, header).finish
     end
 

data/lib/stitches/configuration.rb

@@ -15,8 +15,12 @@ class Stitches::Configuration
     @env_var_to_hold_api_client= NonNullString.new("env_var_to_hold_api_client","STITCHES_API_CLIENT")
     @max_cache_ttl = NonNullInteger.new("max_cache_ttl", 0)
     @max_cache_size = NonNullInteger.new("max_cache_size", 0)
+    @disabled_key_leniency_in_seconds = ActiveSupport::Duration.days(3)
+    @disabled_key_leniency_error_log_threshold_in_seconds = ActiveSupport::Duration.days(2)
   end
 
+  attr_accessor :disabled_key_leniency_in_seconds, :disabled_key_leniency_error_log_threshold_in_seconds
+
   # A RegExp that allows URLS around the mime type and api key requirements.
   # nil means that ever request must have a proper mime type and api key.
   attr_reader :allowlist_regexp

data/lib/stitches/generator_files/db/migrate/add_disabled_at_to_api_clients.rb

@@ -0,0 +1,9 @@
+<% if Rails::VERSION::MAJOR >= 5 %>
+class AddEnabledToApiClients < ActiveRecord::Migration[<%= Rails::VERSION::MAJOR %>.<%= Rails::VERSION::MINOR %>]
+<% else %>
+class AddEnabledToApiClients < ActiveRecord::Migration
+<% end %>
+  def change
+    add_column :api_clients, :disabled_at, "timestamp with time zone", null: true
+  end
+end

data/lib/stitches/generator_files/db/migrate/create_api_clients.rb

@@ -9,6 +9,7 @@ class CreateApiClients < ActiveRecord::Migration
       t.column :key, "uuid default uuid_generate_v4()", null: false
       t.column :enabled, :bool, null: false, default: true
       t.column :created_at, "timestamp with time zone default now()", null: false
+      t.column :disabled_at, "timestamp with time zone", null: true
     end
     add_index :api_clients, [:name]
     add_index :api_clients, [:key], unique: true

data/lib/stitches/valid_mime_type.rb

@@ -1,19 +1,26 @@
 require_relative 'allowlist_middleware'
 module Stitches
-  # A middleware that requires all API calls to be for versioned JSON.  This means that the Accept
-  # header (available to Rack apps as HTTP_ACCEPT) should be like so:
+  # A middleware that requires all API calls to be for versioned JSON or Protobuf.
+  #
+  # This means that the Accept header (available to Rack apps as HTTP_ACCEPT) should be like so:
   #
   #     application/json; version=1
   #
   # This just checks that you've specified some numeric version.  ApiVersionConstraint should be used
   # to "lock down" the versions you accept.
+  # 
+  # Or in the case of a protobuf encoded payload the header should be like so:
+  #
+  #     application/protobuf
+  #
+  # There isn't an accepted standard for protobuf encoded payloads but this form is common.
   class ValidMimeType < Stitches::AllowlistMiddleware
 
   protected
 
     def do_call(env)
       accept = String(env["HTTP_ACCEPT"])
-      if accept =~ %r{application/json} && accept =~ %r{version=\d+}
+      if (%r{application/json}.match?(accept) && %r{version=\d+}.match?(accept)) || %r{application/protobuf}.match?(accept)
         @app.call(env)
       else
         not_acceptable_response(accept)
@@ -24,7 +31,7 @@ module Stitches
 
     def not_acceptable_response(accept_header)
       status = 406
-      body = "Not Acceptable - '#{accept_header}' didn't have the right mime type or version number. We only accept application/json with a version"
+      body = "Not Acceptable - '#{accept_header}' didn't have the right mime type or version number. We only accept application/json with a version or application/protobuf"
       header = { "WWW-Authenticate" => accept_header }
       Rack::Response.new(body, status, header).finish
     end

data/lib/stitches/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stitches
-  VERSION = '4.0.0'
+  VERSION = '4.2.0.RC1'
 end

data/lib/stitches_norailtie.rb

@@ -14,6 +14,7 @@ require 'stitches/errors'
 require 'stitches/api_generator'
 require 'stitches/add_deprecation_generator'
 require 'stitches/add_enabled_to_api_clients_generator'
+require 'stitches/add_disabled_at_to_api_clients_generator'
 require 'stitches/api_version_constraint'
 require 'stitches/api_key'
 require 'stitches/deprecation'

data/owners.json

@@ -1,7 +1,7 @@
 {
   "owners": [
     {
-      "team": "devex"
+      "team": "eng-runtime"
     }
   ]
 }

data/spec/api_key_middleware_spec.rb

@@ -0,0 +1,368 @@
+require 'rails_helper'
+require 'securerandom'
+
+class FakeLogger
+  # This shouldn't be needed but there's a weird mocking conflict with kernal warn method otherwise
+  def warn(message)
+  end
+end
+
+RSpec.describe "/api/hellos", type: :request do
+  let(:uuid) { api_client.key }
+  let(:auth_header) { "MyAwesomeInternalScheme key=#{uuid}" }
+  let(:allowlist) { nil }
+
+  before do
+    Stitches.configuration.reset_to_defaults!
+    Stitches.configuration.custom_http_auth_scheme = 'MyAwesomeInternalScheme'
+    Stitches.configuration.allowlist_regexp = allowlist if allowlist
+    Stitches::ApiClientAccessWrapper.clear_api_cache
+  end
+
+  def execute_call(auth: auth_header)
+    headers = {
+      "Accept" => "application/json; version=1"
+    }
+    headers["Authorization"] = auth if auth
+
+    get "/api/hellos", headers: headers
+  end
+
+  def expect_unauthorized
+    expect(response.body).to include "Unauthorized"
+    expect(response.status).to eq 401
+    expect(response.headers["WWW-Authenticate"]).to eq("MyAwesomeInternalScheme realm=FakeApp")
+  end
+
+  context "with modern schema" do
+    let(:api_client_enabled) { true }
+    let(:disabled_at) { nil }
+    let!(:api_client) {
+      uuid = SecureRandom.uuid
+      ApiClient.create(name: "MyApiClient", key: SecureRandom.uuid, enabled: false, created_at: 20.days.ago, disabled_at: 15.days.ago)
+      ApiClient.create(name: "MyApiClient", key: uuid, enabled: api_client_enabled, created_at: 10.days.ago, disabled_at: disabled_at)
+    }
+
+    context "when path is not on allowlist" do
+      context "when api_client is valid" do
+        it "executes the correct controller" do
+          execute_call
+
+          expect(response.body).to include "Hello"
+        end
+
+        it "saves the api_client information used" do
+          execute_call
+
+          expect(response.body).to include "MyApiClient"
+          expect(response.body).to include "#{api_client.id}"
+        end
+
+        context "caching is enabled" do
+          before do
+            allow(ApiClient).to receive(:find_by).and_call_original
+
+            Stitches.configure do |config|
+              config.max_cache_ttl  = 5
+              config.max_cache_size = 10
+            end
+          end
+
+          it "only gets the the api_client information once" do
+            execute_call
+            execute_call
+
+            expect(response.body).to include "#{api_client.id}"
+            expect(ApiClient).to have_received(:find_by).once
+          end
+        end
+      end
+
+      context "when api client key does not match" do
+        let(:uuid) { SecureRandom.uuid } # random uuid
+
+        it "rejects request" do
+          execute_call
+
+          expect_unauthorized
+        end
+      end
+
+      context "when api client key not enabled" do
+        let(:api_client_enabled) { false }
+
+        context "when disabled_at is not set" do
+          it "rejects request" do
+            execute_call
+
+            expect_unauthorized
+          end
+        end
+
+        context "when disabled_at is set to a time older than three days ago" do
+          let(:disabled_at) { 4.day.ago }
+
+          it "allows the call" do
+            execute_call
+
+            expect_unauthorized
+          end
+        end
+
+        context "when disabled_at is set to a recent time" do
+          let(:disabled_at) { 1.day.ago }
+
+          it "allows the call" do
+            execute_call
+
+            expect(response.body).to include "Hello"
+            expect(response.body).to include "MyApiClient"
+            expect(response.body).to include "#{api_client.id}"
+          end
+
+          it "warns about the disabled key to log writer when available" do
+            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+            allow(StitchFix::Logger::LogWriter).to receive(:warn)
+
+            execute_call
+
+            expect(StitchFix::Logger::LogWriter).to have_received(:warn).once
+          end
+
+          it "warns about the disabled key to the Rails.logger" do
+            allow(Rails.logger).to receive(:warn)
+            allow(Rails.logger).to receive(:error)
+
+            execute_call
+
+            expect(Rails.logger).to have_received(:warn).once
+            expect(Rails.logger).not_to have_received(:error)
+          end
+        end
+
+        context "when disabled_at is set to a dangerously long time" do
+          let(:disabled_at) { 52.hours.ago }
+
+          it "allows the call" do
+            execute_call
+
+            expect(response.body).to include "Hello"
+            expect(response.body).to include "MyApiClient"
+            expect(response.body).to include "#{api_client.id}"
+          end
+
+          it "logs error about the disabled key to log writer when available" do
+            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+            allow(StitchFix::Logger::LogWriter).to receive(:error)
+
+            execute_call
+
+            expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+          end
+
+          it "logs error about the disabled key to the Rails.logger" do
+            allow(Rails.logger).to receive(:warn)
+            allow(Rails.logger).to receive(:error)
+
+            execute_call
+
+            expect(Rails.logger).to have_received(:error).once
+            expect(Rails.logger).not_to have_received(:warn)
+          end
+        end
+
+        context "when disabled_at is set to an unacceptably long time" do
+          let(:disabled_at) { 5.days.ago }
+
+          it "forbids the call" do
+            execute_call
+
+            expect_unauthorized
+          end
+
+          it "logs error about the disabled key to log writer when available" do
+            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+            allow(StitchFix::Logger::LogWriter).to receive(:error)
+
+            execute_call
+
+            expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+          end
+
+          it "logs error about the disabled key to the Rails.logger" do
+            allow(Rails.logger).to receive(:warn)
+            allow(Rails.logger).to receive(:error)
+
+            execute_call
+
+            expect(Rails.logger).to have_received(:error).once
+            expect(Rails.logger).not_to have_received(:warn)
+          end
+        end
+
+        context "custom leniency is set" do
+          before do
+            Stitches.configuration.disabled_key_leniency_in_seconds = 100
+            Stitches.configuration.disabled_key_leniency_error_log_threshold_in_seconds = 50
+          end
+
+          context "when disabled_at is set to an unacceptably long time" do
+            let(:disabled_at) { 101.seconds.ago }
+
+            it "forbids the call" do
+              allow(Rails.logger).to receive(:error)
+              execute_call
+
+              expect_unauthorized
+              expect(Rails.logger).to have_received(:error).once
+            end
+          end
+
+          context "when disabled_at is set to a dangerously long time" do
+            let(:disabled_at) { 75.seconds.ago }
+
+            it "allows the call" do
+              allow(Rails.logger).to receive(:error)
+
+              execute_call
+
+              expect(response.body).to include "Hello"
+              expect(Rails.logger).to have_received(:error).once
+            end
+          end
+
+          context "when disabled_at is set to a short time ago" do
+            let(:disabled_at) { 25.seconds.ago }
+
+            it "allows the call" do
+              allow(Rails.logger).to receive(:warn)
+
+              execute_call
+
+              expect(response.body).to include "Hello"
+              expect(Rails.logger).to have_received(:warn).once
+            end
+          end
+        end
+      end
+
+      context "when authorization header is missing" do
+        it "rejects request" do
+          execute_call(auth: nil)
+
+          expect_unauthorized
+        end
+      end
+
+      context "when scheme does not match" do
+        it "rejects request" do
+          execute_call(auth: "OtherScheme key=#{uuid}")
+
+          expect_unauthorized
+        end
+      end
+    end
+
+    context "when path is on allowlist" do
+      let(:allowlist) { /.*hello.*/ }
+
+      context "when api_client is valid" do
+        it "executes the correct controller" do
+          execute_call
+
+          expect(response.body).to include "Hello"
+        end
+
+        it "does not save the api_client information used" do
+          execute_call
+
+          expect(response.body).to include "NameNotFound"
+          expect(response.body).to include "IdNotFound"
+        end
+      end
+
+      context "when api client key does not match" do
+        let(:uuid) { SecureRandom.uuid } # random uuid
+
+        it "executes the correct controller" do
+          execute_call
+
+          expect(response.body).to include "Hello"
+        end
+      end
+    end
+  end
+
+  context "when schema is old and missing disabled_at field" do
+    around(:each) do |example|
+      load 'fake_app/db/schema_missing_disabled_at.rb'
+      ApiClient.reset_column_information
+      example.run
+      load 'fake_app/db/schema_modern.rb'
+      ApiClient.reset_column_information
+    end
+
+    context "when api_client is valid" do
+      let!(:api_client) {
+        uuid = SecureRandom.uuid
+        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: true)
+      }
+
+      it "executes the correct controller" do
+        execute_call
+
+        expect(response.body).to include "Hello"
+      end
+
+      it "saves the api_client information used" do
+        execute_call
+
+        expect(response.body).to include "MyApiClient"
+        expect(response.body).to include "#{api_client.id}"
+      end
+    end
+
+    context "when api_client is not enabled" do
+      let!(:api_client) {
+        uuid = SecureRandom.uuid
+        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: false)
+      }
+
+      it "rejects request" do
+        execute_call
+
+        expect_unauthorized
+      end
+    end
+  end
+
+  context "when schema is old and missing enabled field" do
+    around(:each) do |example|
+      load 'fake_app/db/schema_missing_enabled.rb'
+      ApiClient.reset_column_information
+      example.run
+      load 'fake_app/db/schema_modern.rb'
+      ApiClient.reset_column_information
+    end
+
+    let!(:api_client) {
+      uuid = SecureRandom.uuid
+      ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now())
+    }
+
+    context "when api_client is valid" do
+      it "executes the correct controller" do
+        execute_call
+
+        expect(response.body).to include "Hello"
+      end
+
+      it "saves the api_client information used" do
+        execute_call
+
+        expect(response.body).to include "MyApiClient"
+        expect(response.body).to include "#{api_client.id}"
+      end
+    end
+  end
+end