From 339f272ef033f375a7d7400c1996bee17c570d6b Mon Sep 17 00:00:00 2001
From: "viktor.szell"
Date: Fri, 2 Aug 2024 14:49:58 +0200
Subject: [PATCH] SECURITY-9707: add option to not to use escher because of service mesh

Co-authored-by: Istvan Demeter
---
 lib/session_validator/client.rb       | 10 +++++---
 session-validator-client.gemspec      |  2 +-
 spec/session_validator/client_spec.rb | 34 ++++++++++++++++++++++++---
 3 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/lib/session_validator/client.rb b/lib/session_validator/client.rb
index e5f6e86..82fe41d 100644
--- a/lib/session_validator/client.rb
+++ b/lib/session_validator/client.rb
@@ -15,6 +15,10 @@ class SessionValidator::Client
   SERVICE_REQUEST_TIMEOUT = 2.freeze
   NETWORK_ERRORS = Faraday::Retry::Middleware::DEFAULT_EXCEPTIONS + [Faraday::ConnectionFailed] - ['Timeout::Error']
 
+  def initialize(use_escher: true)
+    @use_escher = use_escher
+  end
+
   def valid?(msid)
     response_status = client.get("/sessions/#{msid}", nil, headers).status
     (200..299).include?(response_status) || (500..599).include?(response_status)
@@ -23,7 +27,7 @@ def valid?(msid)
   end
 
   def filter_invalid(msids)
-    response = client.post("/sessions/filter", JSON.generate({msids: msids}), headers)
+    response = client.post("/sessions/filter", JSON.generate({ msids: msids }), headers)
     if response.status == 200
       JSON.parse(response.body)
     else
@@ -40,7 +44,7 @@ def client
       faraday.options[:open_timeout] = SERVICE_REQUEST_TIMEOUT
       faraday.options[:timeout] = SERVICE_REQUEST_TIMEOUT
       faraday.request :retry, interval: 0.05, interval_randomness: 0.5, backoff_factor: 2, methods: [:get, :post], exceptions: NETWORK_ERRORS
-      faraday.use Faraday::Middleware::Escher::RequestSigner, escher_config
+      faraday.use(Faraday::Middleware::Escher::RequestSigner, escher_config) if @use_escher
       faraday.adapter Faraday.default_adapter
     end
   end
@@ -67,6 +71,6 @@ def escher_config
   end
 
   def headers
-    {"content-type" => "application/json"}
+    { "content-type" => "application/json" }
   end
 end
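Review bot: `initialize(use_escher: true)` adds a switch that turns off request signing, but neither the constructor nor the `faraday.use(Faraday::Middleware::Escher::RequestSigner, escher_config) if @use_escher` line in the `def client` hunk records what is expected to authenticate the request instead; only the subject line ("because of service mesh") carries that rationale, and nothing in these hunks adds a substitute check in the client itself. A YARD comment on the constructor, e.g. `# @param use_escher [Boolean] when false, requests are sent without Escher signatures; only set this where the transport (e.g. the service mesh) authenticates the caller`, plus a one-line comment on the conditional `faraday.use` saying the same, would keep that constraint visible to the next maintainer. Since the default stays `true`, existing callers keep the signed behaviour. The remainder of `client`'s Faraday block and the enclosing class lie outside the hunk.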
diff --git a/session-validator-client.gemspec b/session-validator-client.gemspec
index fba93cb..4973b2f 100644
--- a/session-validator-client.gemspec
+++ b/session-validator-client.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = "session-validator-client"
-  s.version = "5.0.0"
+  s.version = "5.1.0"
   s.summary = "Ruby client for Emarsys session validator service"
   s.authors = ["Emarsys Technologies Ltd."]
   s.email = "security@emarsys.com"
diff --git a/spec/session_validator/client_spec.rb b/spec/session_validator/client_spec.rb
index a06bddd..23c93df 100644
--- a/spec/session_validator/client_spec.rb
+++ b/spec/session_validator/client_spec.rb
@@ -12,7 +12,35 @@
   before do
     stub_const 'ENV', ENV.to_h.merge('SESSION_VALIDATOR_URL' => service_url)
     allow(::Escher::Keypool).to receive_message_chain(:new, :get_active_key).with("session_validator")
-      .and_return(escher_keypool)
+                                .and_return(escher_keypool)
+  end
+
+  context "when use_escher is true (default)" do
+    it "uses escher middleware to sign the request" do
+      http_request.to_return status: [200, "OK"]
+
+      validation
+
+      assert_requested(:get, "#{service_url}/sessions/#{msid}") do |req|
+        headers = req.headers.keys.map(&:downcase)
+        expect(headers).to include('x-ems-auth', 'x-ems-date')
+      end
+    end
+  end
+
+  context "when use_escher is false" do
+    subject(:validation) { SessionValidator::Client.new(use_escher: false).valid? msid }
+
+    it "uses escher middleware to sign the request" do
+      http_request.to_return status: [200, "OK"]
+
+      validation
+
+      assert_requested(:get, "#{service_url}/sessions/#{msid}") do |req|
+        headers = req.headers.keys.map(&:downcase)
+        expect(headers).not_to include('x-ems-auth', 'x-ems-date')
+      end
+    end
   end
 
   context "when msid is valid" do
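Review bot: The example inside `context "when use_escher is false"` is described as `it "uses escher middleware to sign the request"` while its assertion is `expect(headers).not_to include('x-ems-auth', 'x-ems-date')`; the description was copied from the positive case and now states the opposite of what is verified, so a failure would read as if signing were expected. Rename it, e.g. `it "does not sign the request with escher middleware" do`. The `before` block that stubs `::Escher::Keypool` also runs for this context even though the keypool is not consulted when signing is disabled; that is harmless with `allow`, but would become misleading if the stub were ever tightened to `expect`. The enclosing `describe` starts before the hunk.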
@@ -66,7 +94,7 @@
   before do
     stub_const 'ENV', ENV.to_h.merge('SESSION_VALIDATOR_URL' => service_url)
     allow(::Escher::Keypool).to receive_message_chain(:new, :get_active_key).with("session_validator")
-      .and_return(escher_keypool)
+                                .and_return(escher_keypool)
   end
 
   context "when request times out" do
@@ -87,7 +115,7 @@
     before { http_request.to_return body: JSON.generate(invalid_msids) }
 
     it { is_expected.to have_requested(:post, "#{service_url}/sessions/filter").
-      with(body: JSON.generate({msids: msids})) }
+      with(body: JSON.generate({ msids: msids })) }
   end
 
   context "when response status code is not 200 OK" do