From f95db01659280fffa3cc48cd73f38a9840b4f0c3 Mon Sep 17 00:00:00 2001
From: Beth Skurrie <beth@bethesque.com>
Date: Mon, 7 Oct 2019 08:40:30 +1100
Subject: [PATCH] feat: if write credentials are specified, but not read
 credentials, then allow public read access

---
 pact_broker/basic_auth.rb | 11 ++++++++---
 spec/basic_auth_spec.rb   | 21 ++++++++++++++-------
 2 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/pact_broker/basic_auth.rb b/pact_broker/basic_auth.rb
index 45b5f82..e7ce4df 100644
--- a/pact_broker/basic_auth.rb
+++ b/pact_broker/basic_auth.rb
@@ -19,9 +19,14 @@ def initialize(app, write_user_username, write_user_password, read_user_username
       username == @write_user_username && password == @write_user_password
     end
 
-    @app_with_read_auth = Rack::Auth::Basic.new(app, "Restricted area") do |username, password|
-      (username == @write_user_username && password == @write_user_password) ||
-        (username == @read_user_username && password == @read_user_password)
+    @app_with_read_auth = if read_user_username && read_user_username.size > 0
+      Rack::Auth::Basic.new(app, "Restricted area") do |username, password|
+        (username == @write_user_username && password == @write_user_password) ||
+          (username == @read_user_username && password == @read_user_password)
+      end
+    else
+      puts "WARN: Public read access is enabled as no PACT_BROKER_BASIC_AUTH_READ_ONLY_USERNAME has been set"
+      app
     end
   end
 
diff --git a/spec/basic_auth_spec.rb b/spec/basic_auth_spec.rb
index d396289..5f4a136 100644
--- a/spec/basic_auth_spec.rb
+++ b/spec/basic_auth_spec.rb
@@ -7,7 +7,9 @@
 
   let(:protected_app) { ->(env) { [200, {}, []]} }
 
-  let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', 'read_username', 'read_password', allow_public_access_to_heartbeat) }
+  let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', read_username, read_password, allow_public_access_to_heartbeat) }
+  let(:read_username) { 'read_username' }
+  let(:read_password) { 'read_password' }
   let(:allow_public_access_to_heartbeat) { true }
 
 
@@ -174,20 +176,25 @@
   end
 
   context "when there is no read only user configured" do
-    let(:app) { BasicAuth.new(protected_app, 'write_username', 'write_password', nil, nil, allow_public_access_to_heartbeat) }
+    before do
+      allow($stdout).to receive(:puts)
+    end
+
+    let(:read_username) { '' }
+    let(:read_password) { '' }
 
     context "with no credentials" do
-      it "does not allow GET" do
+      it "allows a GET" do
         get "/"
-        expect(last_response.status).to eq 401
+        expect(last_response.status).to eq 200
       end
     end
 
-    context "with credentials" do
-      it "does not allow GET" do
+    context "with incorrect credentials" do
+      it "allows a GET" do
         basic_authorize "foo", "bar"
         get "/"
-        expect(last_response.status).to eq 401
+        expect(last_response.status).to eq 200
       end
     end
   end