workarea-basic_auth 1.1.1

data/test/dummy/config/initializers/application_controller_renderer.rb

@@ -0,0 +1,6 @@
+# Be sure to restart your server when you modify this file.
+
+# ApplicationController.renderer.defaults.merge!(
+#   http_host: 'example.org',
+#   https: false
+# )

data/test/dummy/config/initializers/assets.rb

@@ -0,0 +1,11 @@
+# Be sure to restart your server when you modify this file.
+
+# Version of your assets, change this if you want to expire all your assets.
+Rails.application.config.assets.version = "1.0"
+
+# Add additional assets to the asset load path
+# Rails.application.config.assets.paths << Emoji.images_path
+
+# Precompile additional assets.
+# application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+# Rails.application.config.assets.precompile += %w( search.js )

data/test/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/test/dummy/config/initializers/cookies_serializer.rb

@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Specify a serializer for the signed and encrypted cookie jars.
+# Valid options are :json, :marshal, and :hybrid.
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/test/dummy/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/test/dummy/config/initializers/inflections.rb

@@ -0,0 +1,16 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

data/test/dummy/config/initializers/mime_types.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf

data/test/dummy/config/initializers/new_framework_defaults.rb

@@ -0,0 +1,21 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains migration options to ease your Rails 5.0 upgrade.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+
+# Enable per-form CSRF tokens. Previous versions had false.
+Rails.application.config.action_controller.per_form_csrf_tokens = true
+
+# Enable origin-checking CSRF mitigation. Previous versions had false.
+Rails.application.config.action_controller.forgery_protection_origin_check = true
+
+# Make Ruby 2.4 preserve the timezone of the receiver when calling `to_time`.
+# Previous versions had false.
+ActiveSupport.to_time_preserves_timezone = true
+
+# Require `belongs_to` associations by default. Previous versions had false.
+# Rails.application.config.active_record.belongs_to_required_by_default = true
+
+# Configure SSL options to enable HSTS with subdomains. Previous versions had false.
+Rails.application.config.ssl_options = { hsts: { subdomains: true } }

data/test/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: "_dummy_session"

data/test/dummy/config/initializers/workarea.rb

@@ -0,0 +1,4 @@
+Workarea.configure do |config|
+  # Basic site info
+  config.site_name = "WebLinc Basic Auth"
+end

data/test/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json]
+end
+
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#   self.include_root_in_json = true
+# end

data/test/dummy/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/test/dummy/config/puma.rb

@@ -0,0 +1,47 @@
+# Puma can serve each request in a thread from an internal thread pool.
+# The `threads` method setting takes two numbers a minimum and maximum.
+# Any libraries that use thread pools should be configured to match
+# the maximum value specified for Puma. Default is set to 5 threads for minimum
+# and maximum, this matches the default thread size of Active Record.
+#
+threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }.to_i
+threads threads_count, threads_count
+
+# Specifies the `port` that Puma will listen on to receive requests, default is 3000.
+#
+port        ENV.fetch("PORT") { 3000 }
+
+# Specifies the `environment` that Puma will run in.
+#
+environment ENV.fetch("RAILS_ENV") { "development" }
+
+# Specifies the number of `workers` to boot in clustered mode.
+# Workers are forked webserver processes. If using threads and workers together
+# the concurrency of the application would be max `threads` * `workers`.
+# Workers do not work on JRuby or Windows (both of which do not support
+# processes).
+#
+# workers ENV.fetch("WEB_CONCURRENCY") { 2 }
+
+# Use the `preload_app!` method when specifying a `workers` number.
+# This directive tells Puma to first boot the application and load code
+# before forking the application. This takes advantage of Copy On Write
+# process behavior so workers use less memory. If you use this option
+# you need to make sure to reconnect any threads in the `on_worker_boot`
+# block.
+#
+# preload_app!
+
+# The code in the `on_worker_boot` will be called if you are using
+# clustered mode by specifying a number of `workers`. After each worker
+# process is booted this block will be run, if you are using `preload_app!`
+# option you will want to use this block to reconnect to any threads
+# or connections that may have been created at application boot, Ruby
+# cannot share connections between processes.
+#
+# on_worker_boot do
+#   ActiveRecord::Base.establish_connection if defined?(ActiveRecord)
+# end
+
+# Allow puma to be restarted by `rails restart` command.
+plugin :tmp_restart

data/test/dummy/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  mount Workarea::Core::Engine => "/"
+  mount Workarea::Admin::Engine => "/admin", as: "admin"
+  mount Workarea::Storefront::Engine => "/", as: "storefront"
+end

data/test/dummy/config/secrets.yml

@@ -0,0 +1,22 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rails secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+development:
+  secret_key_base: e3136ca2a4ab2bb5ea181b14ff500ae40db8718fb990d590bfed3774247d430c805c45686322f93e8a746d034fa1fba9ef00a9ce7a35aee9339675ccb0426121
+
+test:
+  secret_key_base: 8183e0351525142fce68cf619e94c68caa017c9b90c03183d288ee4a32283d77838eb94bc252e5159eabf3e20a77f8df9466b5056e14b59631dfa592b67e9bbd
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/test/dummy/config/spring.rb

@@ -0,0 +1,6 @@
+%w(
+  .ruby-version
+  .rbenv-vars
+  tmp/restart.txt
+  tmp/caching-dev.txt
+).each { |path| Spring.watch(path) }

data/test/dummy/db/seeds.rb

@@ -0,0 +1,2 @@
+require "workarea/seeds"
+Workarea::Seeds.run

data/test/factories/workarea/testing/basic_auth_helper.rb

@@ -0,0 +1,21 @@
+module Workarea
+  module Testing
+    module BasicAuthHelper
+      def encode_password(username, password)
+        Base64.encode64("#{username}:#{password}")
+      end
+
+      def build_request(path, method = "GET")
+        Rack::Request.new(
+          Rack::MockRequest.env_for(path, "REQUEST_METHOD" => method)
+        )
+      end
+
+      def build_response(path, method = "GET")
+        Rack::Response.new(
+          Rack::MockRequest.env_for(path, "REQUEST_METHOD" => method)
+        )
+      end
+    end
+  end
+end

data/test/lib/workarea/basic_auth/middleware_test.rb

@@ -0,0 +1,149 @@
+require "test_helper"
+
+module Workarea
+  module BasicAuth
+    class MiddlewareTest < Workarea::TestCase
+      include Workarea::Testing::BasicAuthHelper
+
+      setup :turn_on_basic_auth
+      teardown :turn_off_basic_auth
+
+      def middleware
+        @middleware ||= BasicAuth::Middleware.new(Rails.application)
+      end
+
+      def turn_on_basic_auth
+        Workarea.config.basic_auth.enabled = true
+        Workarea.config.basic_auth.user = "thomas"
+        Workarea.config.basic_auth.pass = "vendetta"
+        Workarea.config.basic_auth.protect_routes = BasicAuth::SimpleRouteSet.new
+        Workarea.config.basic_auth.exclude_routes = BasicAuth::SimpleRouteSet.new
+      end
+
+      def turn_off_basic_auth
+        Workarea.config.basic_auth.enabled = false
+      end
+
+      def test_unathorized_users_doesnt_do_anything_if_basic_auth_is_disabled
+        Workarea.config.basic_auth.enabled = false
+
+        env = Rack::MockRequest.env_for("/")
+        response = Rack::Response.new(middleware.call(env))
+
+        assert_equal(200, response.status)
+      end
+
+      def test_unathorized_users_returns_200_if_route_is_unprotected
+        env = Rack::MockRequest.env_for("/login")
+        get_login = Rack::Response.new(middleware.call(env))
+
+        assert_equal(200, get_login.status)
+      end
+
+      def test_unauthorized_users_returns_200_if_ip_is_whitelisted
+        ip_addr = Workarea.config.basic_auth.whitelisted_ips.first.to_s
+        env = Rack::MockRequest.env_for("/login", 'REMOTE_ADDR' => ip_addr)
+        get_login = Rack::Response.new(middleware.call(env))
+
+        assert_equal(200, get_login.status)
+      end
+
+      def test_unathorized_users_returns_401_for_all_http_methods_on_a_path_by_default
+        Workarea.config.basic_auth.protect_routes.add("/login")
+
+        env = Rack::MockRequest.env_for("/login")
+        get_login = Rack::MockResponse.new(*middleware.call(env))
+
+        env = Rack::MockRequest.env_for("/login", method: :post)
+        post_login = Rack::MockResponse.new(*middleware.call(env))
+
+        env = Rack::MockRequest.env_for("/login", method: :head)
+        head_login = Rack::MockResponse.new(*middleware.call(env))
+
+        assert_equal(401, get_login.status)
+        assert_equal(401, post_login.status)
+        assert_equal(401, head_login.status)
+      end
+
+      def test_unathorized_users_returns_401_for_specific_http_methods_on_a_path
+        Workarea.config.basic_auth.protect_routes.add("/login", :post)
+
+        env = Rack::MockRequest.env_for("/login")
+        get_login = Rack::MockResponse.new(*middleware.call(env))
+
+        env = Rack::MockRequest.env_for("/login", method: :post)
+        post_login = Rack::MockResponse.new(*middleware.call(env))
+
+        assert_equal(200, get_login.status)
+        assert_equal(401, post_login.status)
+      end
+
+      def test_unathorized_users_protects_wildcard_routes
+        Workarea.config.basic_auth.protect_routes.add("/*")
+
+        env = Rack::MockRequest.env_for("/login")
+        get_login = Rack::MockResponse.new(*middleware.call(env))
+
+        env = Rack::MockRequest.env_for("/login", method: :post)
+        post_login = Rack::MockResponse.new(*middleware.call(env))
+
+        env = Rack::MockRequest.env_for("/products/my-product")
+        get_product = Rack::MockResponse.new(*middleware.call(env))
+
+        assert_equal(401, get_login.status)
+        assert_equal(401, post_login.status)
+        assert_equal(401, get_product.status)
+      end
+
+      def test_unathorized_users_allows_route_exclusions
+        Workarea.config.basic_auth.protect_routes.add("/*")
+        Workarea.config.basic_auth.exclude_routes.add("/contact")
+
+        env = Rack::MockRequest.env_for("/login")
+        get_login = Rack::MockResponse.new(*middleware.call(env))
+
+        env = Rack::MockRequest.env_for("/contact")
+        get_contact = Rack::MockResponse.new(*middleware.call(env))
+
+        assert_equal(401, get_login.status)
+        assert_equal(200, get_contact.status)
+      end
+
+      def test_unathorized_users_works_properly_with_a_health_check
+        Workarea.config.basic_auth.protect_routes.add("/*")
+        Workarea.config.basic_auth.exclude_routes.add("/health_check")
+
+        env = Rack::MockRequest.env_for("/health_check")
+        health_check = Rack::MockResponse.new(*middleware.call(env))
+
+        assert_equal(200, health_check.status)
+      end
+
+      def test_authorized_users_lets_authorized_users_access_all_routes
+        Workarea.config.basic_auth.protect_routes.add("/*")
+
+        env = Rack::MockRequest.env_for("/contact")
+        bad = Rack::MockResponse.new(*middleware.call(env))
+        assert_equal(401, bad.status)
+
+        encoded_pass = encode_password("thomas", "vendetta")
+        env_opts = { "HTTP_AUTHORIZATION" => "Basic #{encoded_pass}" }
+
+        env = Rack::MockRequest.env_for("/login", env_opts)
+        good = Rack::MockResponse.new(*middleware.call(env))
+        assert_equal(200, good.status)
+      end
+
+      def test_authorized_users_renders_401_with_invalid_credentials
+        Workarea.config.basic_auth.protect_routes.add("/*")
+
+        encoded_pass = encode_password("notavalid", "password")
+        env_opts = { "HTTP_AUTHORIZATION" => "Basic #{encoded_pass}" }
+
+        env = Rack::MockRequest.env_for("/contact", env_opts)
+        bad = Rack::MockResponse.new(*middleware.call(env))
+        assert_equal(401, bad.status)
+      end
+    end
+  end
+end

data/test/lib/workarea/basic_auth/path_test.rb

@@ -0,0 +1,50 @@
+require "test_helper"
+require "rack/mock"
+
+module Workarea
+  module BasicAuth
+    class PathTest < Workarea::TestCase
+      include Workarea::Testing::BasicAuthHelper
+
+      def test_matches_a_pathname_and_all_http_methods_by_default
+        path = Path.new("/products")
+
+        get = build_request("/products")
+        post = build_request("/products", "POST")
+        options = build_request("/products", "OPTIONS")
+        head = build_request("/products", "HEAD")
+
+        bad = build_request("/wat")
+
+        assert path.matches?(get)
+        assert path.matches?(post)
+        assert path.matches?(options)
+        assert path.matches?(head)
+
+        refute path.matches?(bad)
+      end
+
+      def test_matches_a_pathname_and_a_specific_request_method
+        path = Path.new("/products", :post, :head)
+
+        get = build_request("/products")
+        post = build_request("/products", "POST")
+        head = build_request("/products", "HEAD")
+
+        refute path.matches?(get)
+        assert path.matches?(post)
+        assert path.matches?(head)
+      end
+
+      def test_matches_wildcards
+        path = Path.new("/api/v2/*")
+
+        good = build_request("/api/v2/wat/sup")
+        bad = build_request("/api/v1/wat/sup")
+
+        assert path.matches?(good)
+        refute path.matches?(bad)
+      end
+    end
+  end
+end