stitches 4.0.1 → 4.2.0.RC2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1224843bf19c711e4058e54025f2507fe4dd0085fb5afdd57d5d383bf8d1b03e
-  data.tar.gz: 8f2c1f7f053d711e6419b8e19c23cc123ce7164513b7cb3978091d081612001a
+  metadata.gz: 781cc5ec8996b5c726e7e214d69c5d780ddbf4818fb9b0cb5ce15de6bb6e829c
+  data.tar.gz: f482c0e9a21b84330add05e8c9a2bfd3ef5986ac60f7f22766f79f480d1e2a4b
 SHA512:
-  metadata.gz: f16b168bf89994f06816661fb0dda066c248a3c55a22bdeebebf32d4a0e784368b41a460f25a84c9e0c4a694b37d372a24cf739171191925f31df7df7a562be6
-  data.tar.gz: 053d0ae0e44945437218bc87206038029065b0ff8b6f8321bbad8b878024bddb16432b0f23136286e6019805a716d541a37a2d5382479b9216a9cde0104bf5d9
+  metadata.gz: d71dfb5cc76e1d753d1b25e3a8e278097167f07e8f43e7f276041c043960bf3ba551d47cd3ba90a4d94d56538a217d4c55156b5d5cb59273aa104086852d4a26
+  data.tar.gz: fb6c236f22a81f1cb7373f3d50d6dc907e7ba2c684a07dc1f5ce94ac7e9b6039dda780821d763912dbb39139fc00b27e2d254c525b7ac9da3d1011a5f4bec9b3

data/.circleci/config.yml

@@ -5,7 +5,7 @@ version: 2
 jobs:
   generate-and-push-docs:
     docker:
-    - image: circleci/ruby:2.7.2
+    - image: circleci/ruby:3.0.0
       auth:
         username: "$DOCKERHUB_USERNAME"
         password: "$DOCKERHUB_PASSWORD"
@@ -26,7 +26,7 @@ jobs:
           docs:push; fi
   release:
     docker:
-    - image: circleci/ruby:2.7.2
+    - image: circleci/ruby:3.0.0
       auth:
         username: "$DOCKERHUB_USERNAME"
         password: "$DOCKERHUB_PASSWORD"
@@ -41,14 +41,14 @@ jobs:
     - run:
         name: Build/release gem to artifactory
         command: bundle exec rake push_artifactory
-  ruby-2.7.2-rails-6.0:
+  ruby-3.0.0-rails-6.1:
     docker:
-    - image: circleci/ruby:2.7.2
+    - image: circleci/ruby:3.0.0
       auth:
         username: "$DOCKERHUB_USERNAME"
         password: "$DOCKERHUB_PASSWORD"
       environment:
-        BUNDLE_GEMFILE: Gemfile.rails-6.0
+        BUNDLE_GEMFILE: Gemfile.rails-6.1
     working_directory: "~/stitches"
     steps:
     - checkout
@@ -67,18 +67,18 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#devex-alerts"
+        command: bundle exec y-notify "#eng-runtime-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.6.6-rails-6.0:
+  ruby-2.7.2-rails-6.1:
     docker:
-    - image: circleci/ruby:2.6.6
+    - image: circleci/ruby:2.7.2
       auth:
         username: "$DOCKERHUB_USERNAME"
         password: "$DOCKERHUB_PASSWORD"
       environment:
-        BUNDLE_GEMFILE: Gemfile.rails-6.0
+        BUNDLE_GEMFILE: Gemfile.rails-6.1
     working_directory: "~/stitches"
     steps:
     - checkout
@@ -97,18 +97,18 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#devex-alerts"
+        command: bundle exec y-notify "#eng-runtime-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.7.2-rails-5.2:
+  ruby-3.0.0-rails-6.0:
     docker:
-    - image: circleci/ruby:2.7.2
+    - image: circleci/ruby:3.0.0
       auth:
         username: "$DOCKERHUB_USERNAME"
         password: "$DOCKERHUB_PASSWORD"
       environment:
-        BUNDLE_GEMFILE: Gemfile.rails-5.2
+        BUNDLE_GEMFILE: Gemfile.rails-6.0
     working_directory: "~/stitches"
     steps:
     - checkout
@@ -127,18 +127,18 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#devex-alerts"
+        command: bundle exec y-notify "#eng-runtime-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.6.6-rails-5.2:
+  ruby-2.7.2-rails-6.0:
     docker:
-    - image: circleci/ruby:2.6.6
+    - image: circleci/ruby:2.7.2
       auth:
         username: "$DOCKERHUB_USERNAME"
         password: "$DOCKERHUB_PASSWORD"
       environment:
-        BUNDLE_GEMFILE: Gemfile.rails-5.2
+        BUNDLE_GEMFILE: Gemfile.rails-6.0
     working_directory: "~/stitches"
     steps:
     - checkout
@@ -157,7 +157,7 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#devex-alerts"
+        command: bundle exec y-notify "#eng-runtime-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
@@ -168,10 +168,10 @@ workflows:
     - release:
         context: org-global
         requires:
+        - ruby-3.0.0-rails-6.1
+        - ruby-2.7.2-rails-6.1
+        - ruby-3.0.0-rails-6.0
         - ruby-2.7.2-rails-6.0
-        - ruby-2.6.6-rails-6.0
-        - ruby-2.7.2-rails-5.2
-        - ruby-2.6.6-rails-5.2
         filters:
           tags:
             only: /^[0-9]+\.[0-9]+\.[0-9]+(\.?(RC|rc)[-\.]?\w*)?$/
@@ -186,22 +186,22 @@ workflows:
             only: /^[0-9]+\.[0-9]+\.[0-9]+(\.?(RC|rc)[-\.]?\w*)?$/
           branches:
             ignore: /.*/
-    - ruby-2.7.2-rails-6.0:
+    - ruby-3.0.0-rails-6.1:
         context: org-global
         filters:
           tags:
             only: &1 /.*/
-    - ruby-2.6.6-rails-6.0:
+    - ruby-2.7.2-rails-6.1:
         context: org-global
         filters:
           tags:
             only: *1
-    - ruby-2.7.2-rails-5.2:
+    - ruby-3.0.0-rails-6.0:
         context: org-global
         filters:
           tags:
             only: *1
-    - ruby-2.6.6-rails-5.2:
+    - ruby-2.7.2-rails-6.0:
         context: org-global
         filters:
           tags:
@@ -215,11 +215,11 @@ workflows:
             only:
             - master
     jobs:
-    - ruby-2.7.2-rails-6.0:
+    - ruby-3.0.0-rails-6.1:
         context: org-global
-    - ruby-2.6.6-rails-6.0:
+    - ruby-2.7.2-rails-6.1:
         context: org-global
-    - ruby-2.7.2-rails-5.2:
+    - ruby-3.0.0-rails-6.0:
         context: org-global
-    - ruby-2.6.6-rails-5.2:
+    - ruby-2.7.2-rails-6.0:
         context: org-global

data/.github/CODEOWNERS

@@ -8,4 +8,4 @@
 # This file uses the GitHub CODEOWNERS convention to assign PR reviewers:
 # https://help.github.com/articles/about-codeowners/
 
-* @brettfishman @bwebster @stitchfix/devex
+* @brettfishman @bwebster @stitchfix/runtime-infrastructure

data/.gitignore

@@ -1,5 +1,6 @@
 pkg
 spec/reports
+spec/fake_app/log/
 .vimrc
 *.sw?
 .idea/

data/.ruby-version

@@ -1 +1 @@
-2.7.2
+ruby-2.7.2

data/Gemfile.rails-6.1

@@ -0,0 +1,7 @@
+# DO NOT MODIFY - this is managed by Git Reduce in goro
+#
+source 'https://stitchfix01.jfrog.io/stitchfix01/api/gems/eng-gems/'
+
+gemspec
+
+gem 'rails', '~> 6.1.0'

data/README.md

@@ -35,7 +35,7 @@ Then, set it up:
 
 ### Upgrading from an older version
 
-- When upgrading to version 4.0.0 you may now take advantage of an in-memory cache
+- When upgrading to version 4.0.0 and above you may now take advantage of an in-memory cache
 
 You can enabled it like so
 
@@ -46,18 +46,46 @@ Stitches.configure do |config|
 end
 ```
 
-- If you have a version lower than 3.3.0, you need to run two generators, one of which creates a new database migration on your
-  `api_clients` table:
+You can also set a leniency for disabled API keys, which will allow old API keys to continue to be used if they have a
+`disabled_at` field set as long as the leniency is not exceeded. Note that if the `disabled_at` field is not populated
+the behavior will remain the same as it always was, and the request will be denied when the `enabled` field is set to
+`true`. If Stitches allows a call due to leniency settings, a log message will be generated with a severity depending on
+how long ago the API key was disabled.
+
+```ruby
+Stitches.configure do |config|
+  config.disabled_key_leniency_in_seconds = 3 * 24 * 60 * 60 # Time in seconds, defaults to three days 
+  config.disabled_key_leniency_error_log_threshold_in_seconds = 2 * 24 * 60 * 60 # Time in seconds, defaults to two days 
+end
+```
+
+If a disabled key is used within the `disabled_key_leniency_in_seconds`, it will be allowed. 
+
+Anytime a disabled key is used a log will be generated. If it is before the 
+`disabled_key_leniency_error_log_threshold_in_seconds` it will be a warning log message, if it is after that, it will be
+an error message. `disabled_key_leniency_error_log_threshold_in_seconds` should never be a greater number than 
+`disabled_key_leniency_in_seconds`, as this provides an escallating series of warnings before finally disabling access.
+
+- If you are upgrading from a version older than 3.3.0 you need to run three generators, two of which create database
+  migrations on your `api_clients` table:
 
   ```
   > bin/rails generate stitches:add_enabled_to_api_clients
   > bin/rails generate stitches:add_deprecation
+  > bin/rails generate stitches:add_disabled_at_to_api_clients
   ```
 
-- If you have a version lower than 3.6.0, you need to run one generator:
+- If you are upgrading from a version between 3.3.0 and 3.5.0 you need to run two generators:
 
   ```
   > bin/rails generate stitches:add_deprecation
+  > bin/rails generate stitches:add_disabled_at_to_api_clients
+  ```
+
+- If you are upgrading from a version between 3.6.0 and 4.0.2 you need to run one generator:
+
+  ```
+  > bin/rails generate stitches:add_disabled_at_to_api_clients
   ```
 
 ## Example Microservice Endpoint
@@ -143,6 +171,10 @@ Also, the integration test does a lot of "testing the implementation", but since
 failing with a successful result, we have to make sure that the various `inject_into_file` calls are actually working. Do not do
 any fancy refactors here, just keep it up to date.
 
+## Releases
+
+See the release process for open source gems in the Stitch Fix engineering wiki under technical topics.
+
 ---
 
 Provided with love by your friends at [Stitch Fix Engineering](http://technology.stitchfix.com)

data/lib/stitches/add_disabled_at_to_api_clients_generator.rb

@@ -0,0 +1,18 @@
+require 'rails/generators'
+
+module Stitches
+  class AddDisabledAtToApiClientsGenerator < Rails::Generators::Base
+    include Rails::Generators::Migration
+
+    source_root(File.expand_path(File.join(File.dirname(__FILE__),"generator_files")))
+
+    def self.next_migration_number(path)
+      Time.now.utc.strftime("%Y%m%d%H%M%S")
+    end
+
+    desc "Upgrade your api_clients table so it includes the `disabled_at` field"
+    def update_api_clients_table
+      migration_template "db/migrate/add_disabled_at_to_api_clients.rb", "db/migrate/add_disabled_at_to_api_clients.rb"
+    end
+  end
+end

data/lib/stitches/allowlist_middleware.rb

@@ -3,15 +3,14 @@ module Stitches
   class AllowlistMiddleware
     def initialize(app, options={})
       @app           = app
-      @configuration = options[:configuration] ||  Stitches.configuration
-      @except        = options[:except]        || @configuration.allowlist_regexp
+      @configuration = options[:configuration]
+      @except        = options[:except]
 
-      unless @except.nil? || @except.is_a?(Regexp)
-        raise ":except must be a Regexp"
-      end
+      allowlist_regex
     end
+
     def call(env)
-      if @except && @except.match(env["PATH_INFO"])
+      if allowlist_regex && allowlist_regex.match(env["PATH_INFO"])
         @app.call(env)
       else
         do_call(env)
@@ -24,5 +23,20 @@ module Stitches
       raise 'subclass must implement'
     end
 
+    def configuration
+      @configuration || Stitches.configuration
+    end
+
+  private
+
+    def allowlist_regex
+      regex = @except || configuration.allowlist_regexp
+
+      if !regex.nil? && !regex.is_a?(Regexp)
+        raise ":except must be a Regexp"
+      end
+
+      regex
+    end
   end
 end

data/lib/stitches/api_client_access_wrapper.rb

@@ -2,26 +2,57 @@ require 'lru_redux'
 
 module Stitches::ApiClientAccessWrapper
 
-  def self.fetch_for_key(key)
+  def self.fetch_for_key(key, configuration)
     if cache_enabled
-      fetch_for_key_from_cache(key)
+      fetch_for_key_from_cache(key, configuration)
     else
-      fetch_for_key_from_db(key)
+      fetch_for_key_from_db(key, configuration)
     end
   end
 
-  def self.fetch_for_key_from_cache(key)
+  def self.fetch_for_key_from_cache(key, configuration)
     api_key_cache.getset(key) do
-      fetch_for_key_from_db(key)
+      fetch_for_key_from_db(key, configuration)
     end
   end
 
-  def self.fetch_for_key_from_db(key)
-    if ::ApiClient.column_names.include?("enabled")
-      ::ApiClient.find_by(key: key, enabled: true)
+  def self.fetch_for_key_from_db(key, configuration)
+    api_client = ::ApiClient.find_by(key: key)
+    return unless api_client
+
+    unless api_client.respond_to?(:enabled?)
+      logger.warn('api_keys is missing "enabled" column.  Run "rails g stitches:add_enabled_to_api_clients"')
+      return api_client
+    end
+
+    unless api_client.respond_to?(:disabled_at)
+      logger.warn('api_keys is missing "disabled_at" column.  Run "rails g stitches:add_disabled_at_to_api_clients"')
+    end
+
+    return api_client if api_client.enabled?
+
+    disabled_at = api_client.respond_to?(:disabled_at) ? api_client.disabled_at : nil
+    if disabled_at && disabled_at > configuration.disabled_key_leniency_in_seconds.seconds.ago
+      message = "Allowing disabled ApiClient: #{api_client.name} with key #{api_client.key} disabled at #{disabled_at}"
+      if disabled_at > configuration.disabled_key_leniency_error_log_threshold_in_seconds.seconds.ago
+        logger.warn(message)
+      else
+        logger.error(message)
+      end
+      return api_client
+    else
+      logger.error("Rejecting disabled ApiClient: #{api_client.name} with key #{api_client.key}")
+    end
+    nil
+  end
+
+  def self.logger
+    if defined?(StitchFix::Logger::LogWriter)
+      StitchFix::Logger::LogWriter
+    elsif defined?(Rails.logger)
+      Rails.logger
     else
-      ActiveSupport::Deprecation.warn('api_keys is missing "enabled" column.  Run "rails g stitches:add_enabled_to_api_clients"')
-      ::ApiClient.find_by(key: key)
+      ::Logger.new('/dev/null')
     end
   end
 
@@ -39,4 +70,4 @@ module Stitches::ApiClientAccessWrapper
   def self.cache_enabled
     Stitches.configuration.max_cache_ttl.positive?
   end
-end
+end

data/lib/stitches/api_key.rb

@@ -25,12 +25,12 @@ module Stitches
     def do_call(env)
       authorization = env["HTTP_AUTHORIZATION"]
       if authorization
-        if authorization =~ /#{@configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
+        if authorization =~ /#{configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
           key = $1
-          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key)
+          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key, configuration)
           if client.present?
-            env[@configuration.env_var_to_hold_api_client_primary_key] = client.id
-            env[@configuration.env_var_to_hold_api_client] = client
+            env[configuration.env_var_to_hold_api_client_primary_key] = client.id
+            env[configuration.env_var_to_hold_api_client] = client
             @app.call(env)
           else
             unauthorized_response("key invalid")
@@ -59,7 +59,7 @@ module Stitches
     def unauthorized_response(reason)
       status = 401
       body = "Unauthorized - #{reason}"
-      header = { "WWW-Authenticate" => "#{@configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
+      header = { "WWW-Authenticate" => "#{configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
       Rack::Response.new(body, status, header).finish
     end
 

data/lib/stitches/configuration.rb

@@ -15,8 +15,12 @@ class Stitches::Configuration
     @env_var_to_hold_api_client= NonNullString.new("env_var_to_hold_api_client","STITCHES_API_CLIENT")
     @max_cache_ttl = NonNullInteger.new("max_cache_ttl", 0)
     @max_cache_size = NonNullInteger.new("max_cache_size", 0)
+    @disabled_key_leniency_in_seconds = ActiveSupport::Duration.days(3)
+    @disabled_key_leniency_error_log_threshold_in_seconds = ActiveSupport::Duration.days(2)
   end
 
+  attr_accessor :disabled_key_leniency_in_seconds, :disabled_key_leniency_error_log_threshold_in_seconds
+
   # A RegExp that allows URLS around the mime type and api key requirements.
   # nil means that ever request must have a proper mime type and api key.
   attr_reader :allowlist_regexp