Authorizations on kinesis (#20)

* add basic auth to kinesis controller and update staging credentials * including basic authntication to application_controller * update check on dev * update specs to check for basic auth * update kinesis positive case spec to use basic auth
zooniverse · Jul 31, 2023 · 16807bb · 16807bb
1 parent b2d4283
commit 16807bb
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 3 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class ApplicationController < ActionController::API
+  include ActionController::HttpAuthentication::Basic
+  include ActionController::HttpAuthentication::Basic::ControllerMethods
   include Pundit::Authorization
   class ValidationError < StandardError; end
   class Unauthorized < StandardError; end

diff --git a/app/controllers/kinesis_controller.rb b/app/controllers/kinesis_controller.rb
@@ -1,15 +1,43 @@
 # frozen_string_literal: true
 
 class KinesisController < ApplicationController
+  before_action :require_http_basic_authentication
+
   def create
-    # TODO: Authorizations on Kinesis
     skip_authorization
     kinesis_stream.create_events(params['payload'])
     head :no_content
   end
 
   private
 
+  def require_http_basic_authentication
+    if !has_basic_credentials?(request)
+      allow_unauthenticated_request?
+    elsif authenticate_with_http_basic { |user, pass| authenticate(user, pass) }
+      true
+    else
+      head :forbidden
+    end
+  end
+
+  def authenticate(given_username, given_password)
+    desired_username = Rails.application.credentials.kinesis_username
+    desired_password = Rails.application.credentials.kinesis_password
+    if desired_username.present? || desired_password.present?
+      given_username == desired_username && given_password == desired_password
+    else
+      # If no credentials configured in dev/test, don't require authentication
+      allow_unauthenticated_request?
+    end
+  end
+
+  def allow_unauthenticated_request?
+    return true if Rails.env.development? || Rails.env.test?
+
+    head :forbidden
+  end
+
   def kinesis_stream
     KinesisStream.new
   end

diff --git a/config/credentials/staging.yml.enc b/config/credentials/staging.yml.enc
@@ -1 +1 @@
-A1WAdL/tz7ko6K8vbvwsZrYU2/gYUX7lhE36XDwXp1BhYKmsbxUleZdOyvRQ+EF5otrKf7j2UvhMcJOVeTM/AmtYNzOgI0TCsLGIjStAopSisNPCcW1+damRg5TVDgXpROyJvyynXNwZVSfIAINgrJFy1cyjoFkI0b4vKXrdOKD5/PJKKeyzpNvE2wrhsmYV7BVI/yiIYiKav9EswTl0urzyTewUBGdGx+/quUfT4wjWlnuwsNKIqOjL+cqSGaXFRTcxxVEgbk7FU3YpH+ELBIjcUNPhr3iFY9pYDub3sImMShH6omsOLnyutvQFe1b3UXeIybkIpjTpoSjLu37Hu8tNH/dx4WL4iKKv+/h4d2BIolaaNfQbkrJzq7pJFjmHVS0xVQObbu/1PtaniLyETgJgQdxGPvGsg9GDsfwwYfR1fnw0TilTiT4Mdmo6qDQA2bXK--O7qpb1vRzIYbyJGv--DlNaSvhtvVRZOvvPOoOndA==
+II+6JZW9k90zgr2aCaLZI2Xql7gsWKQTpsekQ8EijEC9d4ftBGo9PojC4TlyiGxU80tIpQZ7ZyGfazDOq/l2FtqppIWMJHRYrUfwaklVoeBvIGRtWhWIL5UqchuKBHVLH6XXuzhQ10ZnTolCDnKKVL6/F78j1HtPFf/zyZ8CjKH3gn/+Ot8Z5hGvzPBDJwpUgkEPk1PC7TrcfaBnyLX8J/ukT2Tl8XpGY27VnanXwNWP6GBDfnEobciJMYEDuHkaKuB/fiP1hxl7OHk86JIUO2TBZoQt4yOFWk7ugBjpHryn5m+cYhgjJYvlmfXYndKqKtd/3JYmerbZdO8N6eqFPrih/sinbfyy5n1WxD0oKRUFaKKEuE4U/IMHv3rEPIgA//zM1WK1XdZXZ/i4e9d2jhlNWJZf7OC/WXOw0wmfhqfMXbpRSBWUW8pHAbwtieDgLusyynGHrPhCNlzfOxmcO4a6GmAxR7Ji0sA+Dvm/ysjk+RqS1tDsWYWsH0hH993UitKCw83fy5R6RTgRH8eaicm1+3c85hp4lupJlKyNqOb8KOk413O88hJz7OH17yCOeg6HrHrClkmwj8XNKO4YbKRdZVsGZlOULfCdgFUrqQ==--tKUnDNwupKCZZfnq--N4g56vr1FAxDxrvnp9D57A==
diff --git a/spec/requests/kinesis_spec.rb b/spec/requests/kinesis_spec.rb
@@ -4,13 +4,33 @@
 
 RSpec.describe 'Kinesis', type: :request do
   it 'processes the stream events' do
+    allow(Rails.application.credentials).to receive(:kinesis_username).and_return('test_basic_auth')
+    allow(Rails.application.credentials).to receive(:kinesis_password).and_return('test_basic_auth123')
     comment_payload = File.read(Rails.root.join('spec/fixtures/example_kinesis_comment_payload.json'))
     classification_payload = File.read(Rails.root.join('spec/fixtures/example_kinesis_classification_payload.json'))
     post '/kinesis', headers: { 'CONTENT_TYPE' => 'application/json' },
-                     params: "{\"payload\": [#{comment_payload}, #{classification_payload}]}"
+                     params: "{\"payload\": [#{comment_payload}, #{classification_payload}]}",
+                     env: { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('test_basic_auth', 'test_basic_auth123') }
     expect(response.status).to eq(204)
     expect(CommentEvent.count).to eq(1)
     expect(ClassificationEvent.count).to eq(1)
     expect(ClassificationUserGroup.count).to eq(2)
   end
+
+  it 'requires HTTP Basic auth' do
+    allow(Rails.application.credentials).to receive(:kinesis_username).and_return('test_basic_auth')
+    allow(Rails.application.credentials).to receive(:kinesis_password).and_return('test_basic_auth123')
+    post '/kinesis', headers: { 'CONTENT_TYPE' => 'application/json' },
+                     params: '{"payload": []}',
+                     env: { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials('wrong', 'incorrect') }
+    expect(response.status).to eq(403)
+  end
+
+  it 'returns 403 forbidden when no credentials given in non-dev env' do
+    allow(Rails.env).to receive(:development?).and_return(false)
+    allow(Rails.env).to receive(:test?).and_return(false)
+    post '/kinesis', headers: { 'CONTENT_TYPE' => 'application/json' },
+                     params: '{"payload": []}'
+    expect(response.status).to eq(403)
+  end
 end