Merge pull request #215 from dsthode/fix-sinatra-4-1-host-authorization

Fix sinatra 4.1 host authorization
dasch · Dec 3, 2024 · 95172ee · 95172ee
2 parents 24093ce + c2da963
commit 95172ee
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Add `compatibility_issues` method to `ConfluentSchemaRegistry` to debug compatibility issues between a schema versions for a given subject (#212)
+- Update tests to support `sinatra` version 4.1 that includes a new `host_authorization` parameter to permit only authorized requests
 
 ## v1.17.0
 

diff --git a/README.md b/README.md
@@ -273,17 +273,23 @@ fake schema registry server depends on Sinatra but it is _not_ listed as a runti
 dependency for AvroTurf. Sinatra must be added to your Gemfile or gemspec in order
 to use the fake server.
 
+Given the recent update in `sinatra` to fix [CVE-2024-21510](https://github.com/advisories/GHSA-hxx2-7vcw-mqr3) that included a new `HostAuthorization` middleware, the `FakeConfluentSchemaRegistryServer` is provided as a base implementation that has to be inherited into a new class and configured by the user so requests are properly authorised to the test registry host.
+
 Example using RSpec:
 
 ```ruby
 require 'avro_turf/test/fake_confluent_schema_registry_server'
 require 'webmock/rspec'
 
+class AuthorizedFakeConfluentSchemaRegistryServer < FakeConfluentSchemaRegistryServer
+  set :host_authentication, permitted_hosts: ['registry.example.com']
+end
+
 # within an example
 let(:registry_url) { "http://registry.example.com" }
 before do
-  stub_request(:any, /^#{registry_url}/).to_rack(FakeConfluentSchemaRegistryServer)
-  FakeConfluentSchemaRegistryServer.clear
+  stub_request(:any, /^#{registry_url}/).to_rack(AuthorizedFakeConfluentSchemaRegistryServer)
+  AuthorizedFakeConfluentSchemaRegistryServer.clear
 end
 
 # Messaging objects created with the same registry_url will now use the fake server.

diff --git a/spec/messaging_spec.rb b/spec/messaging_spec.rb
@@ -1,7 +1,5 @@
 require 'webmock/rspec'
 require 'avro_turf/messaging'
-require 'avro_turf/test/fake_confluent_schema_registry_server'
-require 'avro_turf/test/fake_prefixed_confluent_schema_registry_server'
 
 describe AvroTurf::Messaging do
   let(:registry_url) { "http://registry.example.com" }
@@ -61,8 +59,8 @@
   end
 
   before do
-    stub_request(:any, /^#{registry_url}/).to_rack(FakeConfluentSchemaRegistryServer)
-    FakeConfluentSchemaRegistryServer.clear
+    stub_request(:any, /^#{registry_url}/).to_rack(AuthorizedFakeConfluentSchemaRegistryServer)
+    AuthorizedFakeConfluentSchemaRegistryServer.clear
   end
 
   before do
@@ -474,8 +472,8 @@
     }
 
     before do
-      stub_request(:any, /^#{registry_url}/).to_rack(FakePrefixedConfluentSchemaRegistryServer)
-      FakePrefixedConfluentSchemaRegistryServer.clear
+      stub_request(:any, /^#{registry_url}/).to_rack(AuthorizedFakePrefixedConfluentSchemaRegistryServer)
+      AuthorizedFakePrefixedConfluentSchemaRegistryServer.clear
     end
 
     it_behaves_like "encoding and decoding with the schema from schema store"

diff --git a/spec/support/authorized_fake_confluent_schema_registry_server.rb b/spec/support/authorized_fake_confluent_schema_registry_server.rb
@@ -0,0 +1,5 @@
+require 'avro_turf/test/fake_confluent_schema_registry_server'
+
+class AuthorizedFakeConfluentSchemaRegistryServer < FakeConfluentSchemaRegistryServer
+  set :host_authorization, permitted_hosts: ['example.org', 'registry.example.com']
+end
diff --git a/spec/support/authorized_fake_prefixed_confluent_schema_registry_server.rb b/spec/support/authorized_fake_prefixed_confluent_schema_registry_server.rb
@@ -0,0 +1,5 @@
+require 'avro_turf/test/fake_prefixed_confluent_schema_registry_server'
+
+class AuthorizedFakePrefixedConfluentSchemaRegistryServer < FakePrefixedConfluentSchemaRegistryServer
+  set :host_authorization, permitted_hosts: ['example.org', 'registry.example.com']
+end
diff --git a/spec/support/confluent_schema_registry_context.rb b/spec/support/confluent_schema_registry_context.rb
@@ -26,9 +26,9 @@
   before do
     stub_request(:any, /^#{registry_url}/)
       .with(headers: headers)
-      .to_rack(FakeConfluentSchemaRegistryServer)
+      .to_rack(AuthorizedFakeConfluentSchemaRegistryServer)
 
-    FakeConfluentSchemaRegistryServer.clear
+    AuthorizedFakeConfluentSchemaRegistryServer.clear
   end
 
   describe "#register and #fetch" do

diff --git a/spec/test/fake_confluent_schema_registry_server_spec.rb b/spec/test/fake_confluent_schema_registry_server_spec.rb
@@ -1,10 +1,9 @@
 require 'rack/test'
-require 'avro_turf/test/fake_confluent_schema_registry_server'
 
 describe FakeConfluentSchemaRegistryServer do
   include Rack::Test::Methods
 
-  def app; described_class; end
+  def app; AuthorizedFakeConfluentSchemaRegistryServer; end
 
   describe 'POST /subjects/:subject/versions' do
     it 'returns the same schema ID when invoked with same schema and same subject' do