bot-away 1.1.0 → 1.2.0

data/spec/spec_helper.rb

@@ -1,11 +1,112 @@
+ENV['RAILS_ENV'] ||= 'test'
+
 require 'rubygems'
 require 'action_controller'
 require 'action_view'
 
-ActionController::Routing::Routes.load!
-ActionController::Base.session = { :key => "_myapp_session", :secret => "12345"*6 }
+begin
+  # rails 2.x
+  ActionController::Routing::Routes.load!
+  ActionController::Base.session = { :key => "_myapp_session", :secret => "12345"*6 }
+  ActionController::Base.view_paths << File.expand_path(File.join(File.dirname(__FILE__), "support/views"))
+  RAILS_VERSION = "2.3"
+rescue
+  # rails 3
+  #require 'active_record/railtie'
+  require 'action_controller/railtie'
+  require 'action_mailer/railtie'
+  require 'active_resource/railtie'
+  require 'rails/test_unit/railtie'
+
+  # stub out the csrf token so that it always produces a predictable (testable) result
+  module ActionView
+    # = Action View CSRF Helper
+    module Helpers
+      module CsrfHelper
+        # Returns a meta tag with the cross-site request forgery protection token
+        # for forms to use. Place this in your head.
+        def csrf_meta_tag
+          if protect_against_forgery?
+            %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="1234"/>).html_safe
+          end
+        end
+      end
+    end
+  end
+
+  class BotAwayApp < Rails::Application
+    config.session_store :cookie_store, :key => "_myapp_session", :secret => "12345"*6
+    paths.app.views = File.expand_path(File.join(File.dirname(__FILE__), "support/views"))
+    config.active_support.deprecation = :stderr
+  end
+  BotAwayApp.initialize!
+  BotAwayApp.routes.draw do
+    match '/:controller/:action'
+  end
+  
+  RAILS_VERSION = "3.0"
+end
 
 require File.join(File.dirname(__FILE__), '../lib/bot-away')
+require File.join(File.dirname(__FILE__), "rspec_version")
+
+class MockObject
+  attr_accessor :method_name
+  
+  def id
+    1
+  end
+  
+  # for testing grouped_collection_select
+  def object_name
+    [self]
+  end
+
+  def initialize
+    @method_name = 'method_value'
+  end
+end
+
+
+if RSPEC_VERSION < "2.0"
+  Spec::Runner.configure do |config|
+    config.before(:each) do
+      BotAway.reset!
+    end
+  end
+  
+  if defined?(ActionController::TestProcess)
+    # note that this only matters for TEST requests; real ones use the params parser.
+    module ActionController::TestProcess
+      def process_with_deobfuscation(action, parameters = nil, session = nil, flash = nil, http_method = 'GET')
+        process_without_deobfuscation(action, parameters, session, flash, http_method)
+        @request.parameters.replace(BotAway::ParamParser.new(@request.ip, @request.params).params)
+      end
+    
+      alias_method_chain :process, :deobfuscation
+    end
+  end
+else
+  require 'rspec/rails'
+  
+  # note that this only matters for TEST requests; real ones use the params parser.
+  module ActionController::TestCase::Behavior
+    def process_with_deobfuscation(action, parameters = nil, session = nil, flash = nil, http_method = 'GET')
+      process_without_deobfuscation(action, parameters, session, flash, http_method)
+      request.parameters.replace(BotAway::ParamParser.new(request.ip, request.params).params)
+    end
+    
+    alias_method_chain :process, :deobfuscation
+  end
+      
+  RSpec.configure do |config|
+    config.before(:each) do
+      BotAway.reset!
+      # BotAway doesn't work without forgery protection, and RSpec-Rails 2 disables it. Lost way too many hours on this.
+      ActionController::Base.allow_forgery_protection = true
+    end
+  end
+end
 
 Dir[File.join(File.dirname(__FILE__), 'support/**/*.rb')].each do |fi|
   require fi

data/spec/support/obfuscation_helper.rb

@@ -1,68 +1,123 @@
 module ObfuscationHelper
-  def includes_honeypot(object_name, method_name)
-    it "includes a honeypot called #{object_name}[#{method_name}]" do
-      subject.should include_honeypot(object_name, method_name)
-    end
-  end
-
-  def is_obfuscated_as(id, name)
-    it "is obfuscated as #{id}, #{name}" do
-      subject.should be_obfuscated_as(id, name)
-    end
+  def controller_class
+    TestController
   end
 
   def dump
-    returning(yield) { |x| puts x }
+    result = yield
+    puts result if ENV['DUMP']
+    result
   end
-
+  
+  if RAILS_VERSION >= "3.0"
+    def self.included(base)
+      base.before(:each) do
+        session[:_csrf_token] = '1234'
+        controller.stub!(:protect_from_forgery?).and_return(true)
+        if respond_to?(:view)
+          controller.request.path_parameters["action"] ||= "index"
+          controller.action_name ||= "index"
+          view.stub!(:request_forgery_protection_token).and_return(:authenticity_token)
+          view.stub!(:form_authenticity_token).and_return('1234')
+        else
+#          response.stub!(:request_forgery_protection_token).and_return(:authenticity_token)
+#          response.stub!(:form_authenticity_token).and_return('1234')
+        end
+      end
+    end
+  end
+  
   def builder
     return @builder if @builder
-    response = TestController.call(Rack::MockRequest.env_for('/').merge({'REQUEST_URI' => '/',
-                                                                         'REMOTE_ADDR' => '127.0.0.1'}))
-    response.template.controller.request_forgery_protection_token = :authenticity_token
-    response.template.controller.session[:_csrf_token] = '1234'
-    @builder = ActionView::Helpers::FormBuilder.new(:object_name, MockObject.new, response.template, {}, proc {})
-  end
-
-  def obfuscates(method, options = {}, unused = nil)
-    if !options.kind_of?(Hash)
-      options = { :obfuscated_id => options, :obfuscated_name => unused }
-    end
-    
-    obfuscated_id   = options[:obfuscated_id] || self.obfuscated_id
-    obfuscated_name = options[:obfuscatd_name] || self.obfuscated_name
-    
-    value = yield
-    context "##{method}" do
-      subject { proc { dump { value } } }
-
-      if options[:name]
-        includes_honeypot(options[:name], nil)
-      else
-        includes_honeypot(options[:object_name] || object_name, options[:method_name] || method_name)
-      end
-      is_obfuscated_as(obfuscated_id, obfuscated_name)
+    if RAILS_VERSION < "3.0"
+      response = TestController.call(Rack::MockRequest.env_for('/').merge({'REQUEST_URI' => '/',
+                                                                           'REMOTE_ADDR' => '127.0.0.1'}))
+      response.template.controller.request_forgery_protection_token = :authenticity_token
+      response.template.controller.session[:_csrf_token] = '1234'
+      @builder = ActionView::Helpers::FormBuilder.new(:object_name, MockObject.new, response.template, {}, proc {})
+    else
+      @builder = ActionView::Base.default_form_builder.new(:object_name, MockObject.new, view, {}, proc {})
     end
   end
-
+  
+  # this is the obfuscated version of the string "object_name_method_name"
   def obfuscated_id
-    "e21372563297c728093bf74c3cb6b96c"
+    self.class.obfuscated_id
   end
-
+  
+  # this is the obfuscated version of the string "object_name[method_name]"
   def obfuscated_name
-    "a0844d45bf150668ff1d86a6eb491969"
+    self.class.obfuscated_name
   end
 
   def object_name
-    "object_name"
+    self.class.object_name
   end
-
+  
   def method_name
-    "method_name"
+    self.class.method_name
+  end
+  
+  module ClassMethods
+    def includes_honeypot(object_name, method_name)
+      it "includes a honeypot called #{object_name}[#{method_name}]" do
+        subject.should include_honeypot(object_name, method_name)
+      end
+    end
+
+    def is_obfuscated_as(id, name)
+      it "is obfuscated as #{id}, #{name}" do
+        subject.should be_obfuscated_as(id, name)
+      end
+    end
+  
+    def obfuscates(method, options = {}, unused = nil, &block)
+      if !options.kind_of?(Hash)
+        options = { :obfuscated_id => options, :obfuscated_name => unused }
+      end
+      
+      obfuscated_id   = options[:obfuscated_id]  || self.obfuscated_id
+      obfuscated_name = options[:obfuscatd_name] || self.obfuscated_name
+      
+      context "##{method}" do
+        before(:each) { @obfuscates_value = instance_eval(&block) }
+        subject { proc { dump { @obfuscates_value } } }
+        
+        if options[:name]
+          includes_honeypot(options[:name], nil)
+        else
+          includes_honeypot(options[:object_name] || object_name, options[:method_name] || method_name)
+        end
+        is_obfuscated_as(obfuscated_id, obfuscated_name)
+      end
+    end
+
+    def obfuscated_id
+      RAILS_VERSION >= "3.0" ? "f51a02a636f507f1bd64722451b71297" : "e21372563297c728093bf74c3cb6b96c"
+    end
+  
+    def obfuscated_name
+      RAILS_VERSION >= "3.0" ? "cd538a9170613d6dedbcc54a0aa24881" : "a0844d45bf150668ff1d86a6eb491969"
+    end
+    
+    def object_name
+      "object_name"
+    end
+  
+    def method_name
+      "method_name"
+    end
   end
 end
 
-Spec::Runner.configure do |config|
-  config.extend  ObfuscationHelper
-  config.include ObfuscationHelper
+if RSPEC_VERSION < "2.0"
+  Spec::Runner.configure do |config|
+    config.extend  ObfuscationHelper::ClassMethods
+    config.include ObfuscationHelper
+  end
+else
+  RSpec.configure do |config|
+    config.extend ObfuscationHelper::ClassMethods
+    config.include ObfuscationHelper
+  end
 end

data/spec/support/rails/mock_logger.rb

@@ -0,0 +1,21 @@
+require 'spec/mocks'
+
+module Rails
+  class << self
+    def logger
+      return @logger if @logger
+      @logger = Object.new
+      klass = class << @logger; self; end
+      if RSPEC_VERSION < "2.0"
+        klass.send(:include, Spec::Mocks::Methods)
+      else
+      end
+      
+      def @logger.debug(message); end
+      def @logger.info(message); end
+      def @logger.error(message); end
+      def @logger.warn(message); end
+      @logger
+    end
+  end
+end

data/spec/support/test_controller.rb

@@ -0,0 +1,28 @@
+class Post
+  attr_reader :subject, :body, :subscribers
+  
+  if defined?(ActiveModel)
+    extend ActiveModel::Naming
+    
+    def to_key
+      [1]
+    end
+  end
+end
+
+class ApplicationController < ActionController::Base
+  
+end
+
+class TestController < ApplicationController
+  def index
+  end
+
+  def model_form
+    @post = Post.new
+  end
+
+  def proc_form
+    render :text => params.to_yaml
+  end
+end

data/spec/{lib → views/lib}/action_view/helpers/instance_tag_spec.rb

@@ -1,23 +1,29 @@
 require 'spec_helper'
 
-def template
-  return @response if @response
-  @response = TestController.call(Rack::MockRequest.env_for('/').merge({'REQUEST_URI' => '/',
-                                                                     'REMOTE_ADDR' => '127.0.0.1'}))
-  @response.template.controller.request_forgery_protection_token = :authenticity_token
-  @response.template.controller.session[:_csrf_token] = '1234'
-  @response.template
-end
-
-def mock_object
-  @mock_object ||= MockObject.new
-end
+describe ActionView::Helpers::InstanceTag do
+  if method_defined?(:controller)
+    def template
+      view
+    end
+  else
+    def template
+      return @response if @response
+      @response = TestController.call(Rack::MockRequest.env_for('/').merge({'REQUEST_URI' => '/',
+                                                                            'REMOTE_ADDR' => '127.0.0.1'}))
+      @response.template.controller.request_forgery_protection_token = :authenticity_token
+      @response.template.controller.session[:_csrf_token] = '1234'
+      @response.template
+    end
+  end
+  
+  def mock_object
+    @mock_object ||= MockObject.new
+  end
 
-def default_instance_tag
-  ActionView::Helpers::InstanceTag.new("object_name", "method_name", template, mock_object)
-end
+  def default_instance_tag
+    ActionView::Helpers::InstanceTag.new("object_name", "method_name", template, mock_object)
+  end
 
-describe ActionView::Helpers::InstanceTag do
   subject { default_instance_tag }
 
   context "with a valid text area tag" do
@@ -39,17 +45,17 @@ describe ActionView::Helpers::InstanceTag do
     end
 
     it "should obfuscate tag name" do
-      subject.obfuscated_tag(*@tag_options).should =~ /name="a0844d45bf150668ff1d86a6eb491969"/
+      subject.obfuscated_tag(*@tag_options).should =~ /name="#{obfuscated_name}"/
     end
 
     it "should obfuscate tag id" do
-      subject.obfuscated_tag(*@tag_options).should =~ /id="e21372563297c728093bf74c3cb6b96c"/
-    end
-
-    it "should not obfuscate tag value" do
-      subject.obfuscated_tag(*@tag_options).should_not =~ /value="5a6a50d5fd0b5c8b1190d87eb0057e47"/
+      subject.obfuscated_tag(*@tag_options).should =~ /id="#{obfuscated_id}"/
     end
 
+#    it "should not obfuscate tag value" do
+#      subject.obfuscated_tag(*@tag_options).should =~ /value="@tag_options"/
+#    end
+#
     it "should include unobfuscated tag value" do
       subject.obfuscated_tag(*@tag_options).should =~ /value="method_value"/
     end

data/spec/views/lib/disabled_for_spec.rb

@@ -0,0 +1,101 @@
+require 'spec_helper'
+
+describe "Bot-Away" do
+  # Basically we're just switching BA on and off, so we only need 2 sets of tests: what to expect when it's on, and
+  # what to expect when it's off. The rest of this file just flips the switches.
+  
+  def test_params
+    {"model"=>"User", "commit"=>"Sign in",
+     "authenticity_token"=>"XBQEDkXrm4E8U9slBX45TWNx7TPcx8ww2FSJRy/XXg4=",
+     "action"=>"index", "controller"=>"test", "user"=>{"username"=>"admin", "password"=>"Admin01"}
+    }
+  end
+  
+  def self.it_should_be_disabled
+    it "should not obfuscate the field, because it should be disabled" do
+      builder.text_field('method_name').should_not match(/name="#{obfuscated_name}/)
+    end
+    
+    it "should not drop invalid params, because it should be disabled" do
+      parms = BotAway::ParamParser.new('127.0.0.1', test_params).params
+      parms.should == test_params
+    end
+
+    it "should be disabled" do
+      BotAway.disabled_for?(:controller => 'test', :action => "index").should == true
+    end
+  end
+  
+  def self.it_should_be_enabled
+    it "should obfuscate the field, because it should be enabled" do
+      builder.text_field('method_name').should be_obfuscated_as(obfuscated_id, obfuscated_name)
+    end
+    
+    it "should drop invalid params, because it should be enabled" do
+      parms = BotAway::ParamParser.new('127.0.0.1', test_params).params
+      parms.should_not == test_params
+    end
+
+    it "should be disabled" do
+      BotAway.disabled_for?(:controller => 'test', :action => "index").should == false
+    end
+  end
+  
+  # flip-switching begins
+  
+  context "with matching controller name" do
+    context "and no action" do
+      before(:each) { BotAway.disabled_for :controller => 'test' }
+      it_should_be_disabled
+    end
+    
+    context "and matching action" do
+      before(:each) { BotAway.disabled_for :controller => 'test', :action => 'index' }
+      it_should_be_disabled
+    end
+    
+    context "and not matching action" do
+      before(:each) { BotAway.disabled_for :controller => 'test', :action => 'create' }
+      it_should_be_enabled
+    end
+  end
+  
+  context "with not matching controller name" do
+    context "and no action" do
+      before(:each) { BotAway.disabled_for :controller => 'users' }
+      it_should_be_enabled
+    end
+    
+    context "and matching action" do
+      before(:each) { BotAway.disabled_for :controller => 'users', :action => 'index' }
+      it_should_be_enabled
+    end
+    
+    context "and not matching action" do
+      before(:each) { BotAway.disabled_for :controller => 'users', :action => 'create' }
+      it_should_be_enabled
+    end
+  end
+
+  context "with no controller name" do
+    context "and matching action" do
+      before(:each) { BotAway.disabled_for :action => 'index' }
+      it_should_be_disabled
+    end
+    
+    context "and not matching action" do
+      before(:each) { BotAway.disabled_for :action => 'create' }
+      it_should_be_enabled
+    end
+  end
+  
+  context "with matching mode" do
+    before(:each) { BotAway.disabled_for :mode => ENV['RAILS_ENV'] }
+    it_should_be_disabled
+  end
+
+  context "with not matching mode" do
+    before(:each) { BotAway.disabled_for :mode => "this_is_not_#{ENV['RAILS_ENV']}" }
+    it_should_be_enabled
+  end
+end