feat: if write credentials are specified, but not read credentials, t…

…hen allow public read access
pact-foundation · Oct 6, 2019 · f95db01 · f95db01
1 parent c72f804
commit f95db01
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/pact_broker/basic_auth.rb b/pact_broker/basic_auth.rb
@@ -19,9 +19,14 @@ def initialize(app, write_user_username, write_user_password, read_user_username
       username == @write_user_username && password == @write_user_password
     end
 
-    @app_with_read_auth = Rack::Auth::Basic.new(app, "Restricted area") do |username, password|
-      (username == @write_user_username && password == @write_user_password) ||
-        (username == @read_user_username && password == @read_user_password)
+    @app_with_read_auth = if read_user_username && read_user_username.size > 0
+      Rack::Auth::Basic.new(app, "Restricted area") do |username, password|
+        (username == @write_user_username && password == @write_user_password) ||
+          (username == @read_user_username && password == @read_user_password)
+      end
+    else
+      puts "WARN: Public read access is enabled as no PACT_BROKER_BASIC_AUTH_READ_ONLY_USERNAME has been set"
+      app
     end
   end
 

diff --git a/spec/basic_auth_spec.rb b/spec/basic_auth_spec.rb
@@ -7,7 +7,9 @@
 
   let(:protected_app) { ->(env) { [200, {}, []]} }
 
-  let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', 'read_username', 'read_password', allow_public_access_to_heartbeat) }
+  let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', read_username, read_password, allow_public_access_to_heartbeat) }
+  let(:read_username) { 'read_username' }
+  let(:read_password) { 'read_password' }
   let(:allow_public_access_to_heartbeat) { true }
 
 
@@ -174,20 +176,25 @@
   end
 
   context "when there is no read only user configured" do
-    let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', nil, nil, allow_public_access_to_heartbeat) }
+    before do
+      allow($stdout).to receive(:puts)
+    end
+
+    let(:read_username) { '' }
+    let(:read_password) { '' }
 
     context "with no credentials" do
-      it "does not allow GET" do
+      it "allows a GET" do
         get "/"
-        expect(last_response.status).to eq 401
+        expect(last_response.status).to eq 200
       end
     end
 
-    context "with credentials" do
-      it "does not allow GET" do
+    context "with incorrect credentials" do
+      it "allows a GET" do
         basic_authorize "foo", "bar"
         get "/"
-        expect(last_response.status).to eq 401
+        expect(last_response.status).to eq 200
       end
     end
   end