From dca2eca67c10fcb01bf5b3b414f5d757964a310b Mon Sep 17 00:00:00 2001 From: Ilya Zhitomirskiy Date: Tue, 14 Jun 2011 15:36:05 -0700 Subject: [PATCH] cucumber specs are green --- Gemfile | 2 +- Gemfile.lock | 7 ++- app/controllers/authorizations_controller.rb | 17 ++++++- spec/chubbies/Gemfile | 2 +- spec/chubbies/Gemfile.lock | 11 +++-- spec/chubbies/config.ru | 3 +- .../authorizations_controller_spec.rb | 48 ++++++++++++++----- 7 files changed, 65 insertions(+), 25 deletions(-) diff --git a/Gemfile b/Gemfile index 69413e3a1..7ff8ef2d5 100644 --- a/Gemfile +++ b/Gemfile @@ -94,5 +94,5 @@ group :test do gem 'rspec-instafail', '>= 0.1.7', :require => false gem 'fuubar' - gem 'diaspora-client', :git => 'git@github.com:diaspora/diaspora-client.git' + gem 'diaspora-client', :path => "~/workspace/diaspora-client" # :git => 'git@github.com:diaspora/diaspora-client.git' end diff --git a/Gemfile.lock b/Gemfile.lock index b59cc2ebe..3a87666d5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -37,9 +37,8 @@ GIT addressable (>= 2.1.1) eventmachine (>= 0.12.9) -GIT - remote: git@github.com:diaspora/diaspora-client.git - revision: c84fe1090fcbc16407582deca804fad48bf11ead +PATH + remote: ~/workspace/diaspora-client specs: diaspora-client (0.0.0) activerecord @@ -391,7 +390,7 @@ GEM typhoeus (0.2.4) mime-types mime-types - tzinfo (0.3.27) + tzinfo (0.3.28) uuidtools (2.1.2) vegas (0.1.8) rack (>= 1.0.0) diff --git a/app/controllers/authorizations_controller.rb b/app/controllers/authorizations_controller.rb index 84cf1718e..70f4d8a88 100644 --- a/app/controllers/authorizations_controller.rb +++ b/app/controllers/authorizations_controller.rb 
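Review bot: The new dependency source is a developer's home-directory path, `gem 'diaspora-client', :path => "~/workspace/diaspora-client"`, so `bundle install` fails on any machine without that checkout, and the commented-out `:git` source left on the same line shows this is a local override rather than the intended source. The same edit appears in spec/chubbies/Gemfile, and both Gemfile.lock files now record `remote: ~/workspace/diaspora-client` in place of the pinned revision c84fe1090fcbc16407582deca804fad48bf11ead. Restoring the `:git` source before merging, ideally with a `:ref` pinned to that revision so the lock stays reproducible, keeps the build working for everyone; a local path override belongs in an uncommitted change.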
@@ -53,10 +53,23 @@ class AuthorizationsController < ApplicationController redirect_to authorizations_path end + # @param [String] enc_signed_string A Base64 encoded string with app_url;pod_url;time;nonce + # @param [String] sig A Base64 encoded signature of the decoded signed_string with public_key. + # @param [String] public_key The application's public key to verify sig with. + def verify( enc_signed_string, sig, public_key) + signed_string = Base64.decode64(enc_signed_string) + split = signed_string.split(';') + time = split[2] + nonce = split[3] + return "invalid time" unless valid_time?(time) + return 'invalid nonce' unless valid_nonce?(nonce) + return 'invalid signature' unless verify_signature(signed_string, Base64.decode64(sig), public_key) + 'ok' + end def verify_signature(challenge, signature, serialized_pub_key) public_key = OpenSSL::PKey::RSA.new(serialized_pub_key) - public_key.verify(OpenSSL::Digest::SHA256.new, Base64.decode64(signature), challenge) + public_key.verify(OpenSSL::Digest::SHA256.new, signature, challenge) end def valid_time?(time) @@ -64,7 +77,7 @@ class AuthorizationsController < ApplicationController end def valid_nonce?(nonce) - OAuth2::Provider.client_class.where(:nonce => nonce).first.nil? + !OAuth2::Provider.client_class.exists?(:nonce => nonce) end end diff --git a/spec/chubbies/Gemfile b/spec/chubbies/Gemfile index 2a4a28031..4e64d6968 100644 --- a/spec/chubbies/Gemfile +++ b/spec/chubbies/Gemfile @@ -7,4 +7,4 @@ gem 'json' gem 'shotgun' gem 'sqlite3' gem 'activerecord', '3.0.3' -gem 'diaspora-client', :git => 'git@github.com:diaspora/diaspora-client.git' +gem 'diaspora-client', :path => "~/workspace/diaspora-client" #:git => 'git@github.com:diaspora/diaspora-client.git' diff --git a/spec/chubbies/Gemfile.lock b/spec/chubbies/Gemfile.lock index 632b8aec0..4e8d13a30 100644 --- a/spec/chubbies/Gemfile.lock +++ b/spec/chubbies/Gemfile.lock 
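Review bot: `verify` reads `split[2]` and `split[3]` without checking how many `;`-separated fields the decoded string actually has, so a signed string with fewer than four parts reaches `valid_time?` and `valid_nonce?` with nil; add `return 'invalid signed string' unless split.size == 4` before the time check. The signature is verified last, so the `valid_nonce?` database query at the bottom of the hunk runs for every request, including ones that were never signed; checking `verify_signature` first limits that lookup to requests that carry a valid signature under the presented key. `OpenSSL::PKey::RSA.new(serialized_pub_key)` raises `OpenSSL::PKey::RSAError` on a malformed key instead of returning false, so if the key is taken from the request `verify_signature` should rescue that and return false rather than letting the action fail. The body of `valid_time?` lies outside the hunk; the spec later in this patch calls it with a Time while `verify` passes the String `split[2]`, so which of the two it accepts should be confirmed.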
@@ -1,9 +1,9 @@ -GIT - remote: git@github.com:diaspora/diaspora-client.git - revision: c84fe1090fcbc16407582deca804fad48bf11ead +PATH + remote: ~/workspace/diaspora-client specs: diaspora-client (0.0.0) activerecord + em-synchrony faraday oauth2 sinatra @@ -21,9 +21,12 @@ GEM arel (~> 2.0.2) tzinfo (~> 0.3.23) activesupport (3.0.3) - addressable (2.2.4) + addressable (2.2.6) arel (2.0.10) builder (2.1.2) + em-synchrony (0.2.0) + eventmachine (>= 0.12.9) + eventmachine (0.12.10) faraday (0.6.1) addressable (~> 2.2.4) multipart-post (~> 1.1.0) diff --git a/spec/chubbies/config.ru b/spec/chubbies/config.ru index af1d14c6f..6a2479450 100644 --- a/spec/chubbies/config.ru +++ b/spec/chubbies/config.ru @@ -1,3 +1,4 @@ -require 'app' +require File.dirname(__FILE__) + '/app' +require "bundler/setup" run Chubbies::App diff --git a/spec/controllers/authorizations_controller_spec.rb b/spec/controllers/authorizations_controller_spec.rb index 8bc702b54..7f958366f 100644 --- a/spec/controllers/authorizations_controller_spec.rb +++ b/spec/controllers/authorizations_controller_spec.rb @@ -9,6 +9,10 @@ describe AuthorizationsController do sign_in :user, alice @controller.stub(:current_user).and_return(alice) + @time = Time.now + Time.stub(:now).and_return(@time) + @nonce = 'asdfsfasf' + @signable_string = ["http://chubbi.es/",'http://pod.pod/',"#{Time.now.to_i}", @nonce].join(';') end describe '#token' do 
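Review bot: `require "bundler/setup"` comes after `require File.dirname(__FILE__) + '/app'`, so app.rb and everything it requires are loaded before Bundler has restricted the load path to the Gemfile's gems; putting `require "bundler/setup"` on the first line makes the gem resolution apply to the app as well. `File.dirname(__FILE__)` is a relative directory when config.ru is started via a relative path, and `require` then resolves it against the current working directory rather than the file's location; `require File.expand_path('app', File.dirname(__FILE__))` avoids that.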
@@ -28,18 +32,27 @@ describe AuthorizationsController do end it 'fetches the manifest' do + @controller.stub!(:verify).and_return('ok') post :token, @params_hash end it 'creates a client application' do + @controller.stub!(:verify).and_return('ok') lambda { post :token, @params_hash }.should change(OAuth2::Provider.client_class, :count).by(1) end + it 'does not create a client if verification fails' do + @controller.stub!(:verify).and_return('invalid signature') + lambda { + post :token, @params_hash + }.should_not change(OAuth2::Provider.client_class, :count) + end + it 'verifies the signable string validity(time,nonce,sig)' do - post :token, @params_hash.merge!({:signed_string => 'signable_string', :signature => 'sig'}) - @controller.should_receive(:verify).with('signable_string', 'sig', 'public_key!') + @controller.should_receive(:verify).with('signed_string', 'sig', 'public_key!') + post :token, @params_hash.merge!({:signed_string => 'signed_string', :signature => 'sig'}) end end 
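Review bot: The new examples use `@controller.stub!(:verify).and_return('ok')` while the `before` block at the top of the file already uses `@controller.stub(:current_user)`; `stub` is the spelling the rest of the file uses (and `stub!` was deprecated in later RSpec 2 releases), so `@controller.stub(:verify).and_return('ok')` keeps the file consistent. The same applies to the `stub!(:verify_signature)` call in the `#verify` block further down the patch.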
@@ -76,37 +89,48 @@ describe AuthorizationsController do end describe '#verify' do - it 'checks for valid time' - it 'checks the signature' - it 'checks for valid nonce' + before do + @controller.stub!(:verify_signature) + @sig = Base64.encode64('sig') + end + it 'checks for valid time' do + @controller.should_receive(:valid_time?).with(@time.to_i.to_s) + @controller.verify(Base64.encode64(@signable_string), @sig, 'public_key!') + end + + it 'checks the signature' do + @controller.should_receive(:verify_signature).with(@signable_string, 'sig', 'public_key!') + @controller.verify(Base64.encode64(@signable_string), @sig, 'public_key!') + end + + it 'checks for valid nonce' do + @controller.should_receive(:valid_nonce?).with(@nonce) + @controller.verify(Base64.encode64(@signable_string), @sig, 'public_key!') + end end describe '#verify_signature' do before do @private_key = OpenSSL::PKey::RSA.new(File.read(Rails.root + "spec/chubbies/chubbies.private.pem")) - @signable_string = ["http://chubbi.es/",'http://pod.pod/',"#{Time.now.to_i}",'asdfsfasf'].join(';') @sig = @private_key.sign(OpenSSL::Digest::SHA256.new, @signable_string) end it 'returns true if the signature is valid' do @public_key = File.read(Rails.root + "spec/chubbies/chubbies.public.pem") - @controller.verify_signature(@signable_string, Base64.encode64(@sig), @public_key).should be_true + @controller.verify_signature(@signable_string, @sig, @public_key).should be_true end it 'returns false if the signature is invalid' do @signable_string = "something else" @public_key = File.read(Rails.root + "spec/chubbies/chubbies.public.pem") - @controller.verify_signature(@signable_string, Base64.encode64(@sig), @public_key).should be_false + @controller.verify_signature(@signable_string, @sig, @public_key).should be_false end end describe "valid_time?" 
do - before do - @time = Time.now - Time.stub(:now).and_return(@time) - end + it "returns true if time is within the last 5 minutes" do @controller.valid_time?(@time - 4.minutes - 59.seconds).should be_true