bot-away 1.2.0 → 2.0.0

data/lib/bot-away/param_parser.rb

@@ -15,7 +15,6 @@ module BotAway
       
       if authenticity_token
         if catch(:bastard) { deobfuscate! } == :took_the_bait
-          #params.clear
           # don't clear the controller or action keys, as Rails 3 needs them
           params.keys.each { |key| params.delete(key) unless %w(controller action).include?(key) }
           params[:suspected_bot] = true
@@ -35,7 +34,8 @@ module BotAway
           deobfuscate!(value, object_name ? "#{object_name}[#{key}]" : key)
         else
           if object_name && !BotAway.excluded?(:object_name => object_name, :method_name => key)
-            if value.blank? && params.keys.include?(spun_key = spinner.encode("#{object_name}[#{key}]"))
+            spun_key = spinner.encode("#{object_name}[#{key}]")
+            if value.blank? && params.keys.include?(spun_key)
               current[key] = params.delete(spun_key)
             else
               #puts "throwing on #{object_name}[#{key}] because its not blank" if !value.blank?

data/lib/bot-away/railtie.rb

@@ -0,0 +1,10 @@
+require 'rails/engine'
+require 'rails/version'
+
+class BotAway::Railtie < Rails::Engine
+  if Rails::VERSION::MINOR == 0 # Rails 3.0.x
+    paths.config.locales    = File.expand_path("../locale/honeypots.yml", File.dirname(__FILE__))
+  else
+    paths["config/locales"] = File.expand_path("../locale/honeypots.yml", File.dirname(__FILE__))
+  end
+end

data/lib/bot-away/test_case.rb

@@ -0,0 +1,58 @@
+module BotAway::TestCase
+  autoload :ControllerTestCase,  'bot-away/test_case/controller_test_case'
+  autoload :InstanceTagTestCase, 'bot-away/test_case/instance_tag_test_case'
+  autoload :MockObject,          'bot-away/test_case/mock_object'
+  autoload :Matchers,            'bot-away/test_case/matchers'
+  
+  def builder
+    @builder ||= ActionView::Base.default_form_builder.new(object_name, mock_object, view, {}, proc {})
+  end
+
+  def enable_forgery_protection
+    # BotAway doesn't work without forgery protection, and RSpec-Rails 2 disables it.
+    # Lost way too many hours on this.
+    # Note: This has to happen in spec file because RSpec2 sets a before block, which runs
+    # after the ones set by config.
+    Rails.application.config.allow_forgery_protection = true
+    ActionController::Base.allow_forgery_protection = true
+  end
+  
+  def disable_forgery_protection
+    Rails.application.config.allow_forgery_protection = false
+    ActionController::Base.allow_forgery_protection = false
+  end
+  
+  def mock_object
+    @mock_object ||= MockObject.new
+  end
+
+  def obfuscated_id
+    "f51a02a636f507f1bd64722451b71297"
+  end
+
+  def obfuscated_name
+    "cd538a9170613d6dedbcc54a0aa24881"
+  end
+  
+  def object_name
+    "object_name"
+  end
+
+  def method_name
+    "method_name"
+  end
+  
+  def tag_id
+    "#{object_name}_#{method_name}"
+  end
+  
+  def tag_name
+    "#{object_name}[#{method_name}]"
+  end
+
+  def dump
+    result = yield
+    puts result if ENV['DUMP']
+    result
+  end
+end

data/lib/bot-away/test_case/controller_test_case.rb

@@ -0,0 +1,11 @@
+module BotAway::TestCase::ControllerTestCase
+  # note that this only matters for TEST requests; real ones use the params parser.
+  module ::ActionController::TestCase::Behavior
+    def process_with_deobfuscation(action, parameters = nil, session = nil, flash = nil, http_method = 'GET')
+      parameters = BotAway::ParamParser.new(request.ip, (parameters || {}).with_indifferent_access).params
+      process_without_deobfuscation(action, parameters, session, flash, http_method)
+    end
+
+    alias_method_chain :process, :deobfuscation
+  end
+end

data/lib/bot-away/test_case/instance_tag_test_case.rb

@@ -0,0 +1,15 @@
+module BotAway::TestCase::InstanceTagTestCase
+  def self.included(base)
+    base.module_eval do
+      include RSpec::Rails::ViewExampleGroup
+    end
+  end
+  
+  def mock_object
+    @mock_object ||= BotAway::TestCase::MockObject.new
+  end
+
+  def default_instance_tag
+    @default_instance_tag ||= ActionView::Helpers::InstanceTag.new("object_name", "method_name", view, mock_object)
+  end
+end

data/lib/bot-away/test_case/matchers.rb

@@ -0,0 +1,20 @@
+module BotAway::TestCase::Matchers
+  autoload :ObfuscationMatcher, 'bot-away/test_case/matchers/obfuscation_matcher'
+  autoload :HoneypotMatcher,    'bot-away/test_case/matchers/honeypot_matcher'
+  
+  def be_obfuscated_as(obfuscated_name, obfuscated_id)
+    ObfuscationMatcher.new(obfuscated_name, obfuscated_id)
+  end
+  
+  def include_honeypot_called(tag_name, tag_id)
+    HoneypotMatcher.new(tag_name, tag_id)
+  end
+  
+  def be_obfuscated
+    be_obfuscated_as obfuscated_name, obfuscated_id
+  end
+  
+  def include_honeypot
+    include_honeypot_called tag_name, tag_id
+  end
+end

data/lib/bot-away/test_case/matchers/honeypot_matcher.rb

@@ -0,0 +1,30 @@
+class BotAway::TestCase::Matchers::HoneypotMatcher
+  attr_reader :tag_name, :tag_id
+  
+  def initialize(tag_name, tag_id)
+    @tag_name, @tag_id = tag_name, tag_id
+  end
+  
+  def matches?(target)
+    target = target.call if target.kind_of?(Proc)
+    @target = target
+    match(:id, tag_id) && match(:name, tag_name)
+  end
+
+  def match(key, value, suffix = nil)
+    @rx = /#{key}=['"]#{Regexp::escape value}["']/
+    @target[@rx]
+  end
+
+  def description
+    "include a honeypot named '#{tag_name}' with id '#{tag_id}'"
+  end
+
+  def failure_message
+    "expected #{@target.inspect}\n  to match #{@rx.inspect}"
+  end
+  
+  def negative_failure_message
+    "expected #{@target.inspect}\n  to not match #{@rx.inspect}"
+  end
+end

data/lib/bot-away/test_case/matchers/obfuscation_matcher.rb

@@ -0,0 +1,30 @@
+class BotAway::TestCase::Matchers::ObfuscationMatcher
+  attr_reader :obfuscated_name, :obfuscated_id
+  
+  def initialize(obfuscated_name, obfuscated_id)
+    @obfuscated_id, @obfuscated_name = obfuscated_id, obfuscated_name
+  end
+
+  def matches?(target)
+    target = target.call if target.kind_of?(Proc)
+    @target = target
+    match(:id, obfuscated_id) && match(:name, obfuscated_name)
+  end
+
+  def match(key, value)
+    @rx = /#{key}=['"]#{Regexp::escape value}["']/
+    @target[@rx]
+  end
+
+  def description
+    "be obfuscated as '#{obfuscated_name}' with id '#{obfuscated_id}'"
+  end
+
+  def failure_message
+    "expected #{@target.inspect}\n  to match #{@rx.inspect}"
+  end
+  
+  def negative_failure_message
+    "expected #{@target.inspect}\n  to not match #{@rx.inspect}"
+  end
+end

data/lib/bot-away/test_case/mock_object.rb

@@ -0,0 +1,16 @@
+class BotAway::TestCase::MockObject
+  attr_accessor :method_name
+
+  def id
+    1
+  end
+
+  # for testing grouped_collection_select
+  def object_name
+    [self]
+  end
+
+  def initialize
+    @method_name = 'method_value'
+  end
+end

data/lib/bot-away/version.rb

@@ -0,0 +1,12 @@
+module BotAway
+  module Version
+    MAJOR = 2
+    MINOR = 0
+    PATCH = 0
+    BUILD = nil
+    
+    STRING = BUILD ? [MAJOR, MINOR, PATCH, BUILD].join('.') : [MAJOR, MINOR, PATCH].join('.')
+  end
+
+  VERSION = BotAway::Version::STRING
+end

data/lib/locale/honeypots.yml

@@ -0,0 +1,6 @@
+en:
+  bot_away:
+    number_of_honeypot_warning_messages: 3
+    honeypot_warning_1: "Leave this empty: "
+    honeypot_warning_2: "Don't fill this in: "
+    honeypot_warning_3: "Keep this blank: "

data/spec/controllers/basic_form_view_spec.rb

@@ -0,0 +1,112 @@
+require 'spec_helper'
+
+# For all intents and purposes this is a view spec, but because rspec mocks up the controller
+# in view specs (and rightly so!), we need to technically run it as a controller spec in order
+# to invoke a real controller first.
+describe TestsController do
+  include BotAway::TestCase::ControllerTestCase
+  render_views
+  before { enable_forgery_protection }
+  
+  let(:params) { { :controller => 'tests', :action => 'basic_form' } }
+
+  it "should use forgery protection" do # sanity check
+    subject.send(:protect_against_forgery?).should be_true
+  end
+  
+  shared_examples_for "enabled" do
+    it "returns false when queried for disablement" do
+      BotAway.should_not be_disabled_for(params)
+      BotAway.should_not be_excluded(params)
+    end
+    
+    it "obfuscates the elements" do
+      get 'basic_form'
+      response.body.should =~ /id="c89ca970ba19a4174d332aa8cfbd0c42"/ # user_login
+      response.body.should =~ /id="f41749ab8ef9d2358cfd170fd9af2f5e"/ # user_password
+    end
+  end
+  
+  shared_examples_for "disabled" do
+    it "returns true when queried for disablement" do
+      # ..."disablement"?
+      BotAway.should be_disabled_for(params)
+      BotAway.should be_excluded(params)
+    end
+    
+    it "does not obfuscate the elements" do
+      get 'basic_form'
+      response.body.should_not =~ /id="c89ca970ba19a4174d332aa8cfbd0c42"/ # user_login
+      response.body.should_not =~ /id="f41749ab8ef9d2358cfd170fd9af2f5e"/ # user_password
+    end
+  end
+  
+  context "with bot-away disabled for only this view" do
+    before { BotAway.disabled_for({:controller => 'tests', :action => 'basic_form'}) }
+    it_should_behave_like "disabled"
+  end
+  
+  context "with bot-away enabled for all views" do
+    it_should_behave_like "enabled"
+  end
+  
+  
+  
+  
+  
+  context "with matching controller name" do
+    context "and no action" do
+      before { BotAway.disabled_for :controller => 'tests' }
+      it_should_behave_like "disabled"
+    end
+    
+    context "and matching action" do
+      before { BotAway.disabled_for :controller => 'tests', :action => 'basic_form' }
+      it_should_behave_like "disabled"
+    end
+    
+    context "and not matching action" do
+      before { BotAway.disabled_for :controller => 'tests', :action => 'create' }
+      it_should_behave_like "enabled"
+    end
+  end
+  
+  context "with not matching controller name" do
+    context "and no action" do
+      before { BotAway.disabled_for :controller => 'users' }
+      it_should_behave_like "enabled"
+    end
+    
+    context "and matching action" do
+      before { BotAway.disabled_for :controller => 'users', :action => 'basic_form' }
+      it_should_behave_like "enabled"
+    end
+    
+    context "and not matching action" do
+      before { BotAway.disabled_for :controller => 'users', :action => 'create' }
+      it_should_behave_like "enabled"
+    end
+  end
+  
+  context "with no controller name" do
+    context "and matching action" do
+      before { BotAway.disabled_for :action => 'basic_form' }
+      it_should_behave_like "disabled"
+    end
+    
+    context "and not matching action" do
+      before { BotAway.disabled_for :action => 'create' }
+      it_should_behave_like "enabled"
+    end
+  end
+  
+  context "with matching mode" do
+    before { BotAway.disabled_for :mode => ENV['RAILS_ENV'] }
+    it_should_behave_like "disabled"
+  end
+  
+  context "with not matching mode" do
+    before { BotAway.disabled_for :mode => "this_is_not_#{ENV['RAILS_ENV']}" }
+    it_should_behave_like "enabled"
+  end
+end

data/spec/controllers/{test_controller_spec.rb → tests_controller_spec.rb}

@@ -1,88 +1,42 @@
 require 'spec_helper'
 
-describe TestController do
-  if RAILS_VERSION < "3.0"
-    # rails 2
-
-    def setup_default_controller
-      @request = ActionController::TestRequest.new
-      # can the authenticity token so that we can predict the generated element names
-      @request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
-      @request.remote_addr = '208.77.188.166' # example.com
-      @response = ActionController::TestResponse.new
-      @controller = TestController.new
-    
-      @controller.request = @request
-      @controller.params = {}
-      @controller.send(:initialize_current_url)
-      @controller
-    end
-  
-    include ActionController::TestProcess
-
-    def controller
-      @controller
-    end
-  else
-    # rails 3
-    def setup_default_controller
-      @controller.request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
-      @controller.request.remote_addr = '208.77.188.166'
-      
-      @controller
-    end
-    
-    #extend ActiveSupport::Concern
-    #include ActionController::TestCase::Behavior
-    delegate :session, :to => :controller
-  end
-
-  def prepare!(action = 'index', method = 'get')
-    controller
-    send(method, action)
-    if RAILS_VERSION < "3.0"
-      if @response.template.instance_variable_get("@exception")
-        raise @response.template.instance_variable_get("@exception")
-      end
-    end
-  end
-
-  before(:each) { setup_default_controller }
+describe TestsController do
+  include BotAway::TestCase::ControllerTestCase
   
-  after :each do
-    # effectively disables forgery protection.
-    TestController.request_forgery_protection_token = nil
+  before do
+    disable_forgery_protection
+    request.session[:_csrf_token] = 'aVjGViz+pIphXt2pxrWfXgRXShOI0KXOILR23yw0WBo='
+    request.remote_addr = '208.77.188.166'
   end
-
   
   context "with a model" do
+    render_views
+    
     context "with forgery protection" do
-      before :each do
-        (class << controller; self; end).send(:protect_from_forgery)
-        prepare!('model_form')
+      before do
+        enable_forgery_protection
+        get 'model_form'
       end
 
       it "should work?" do
-        #puts @response.body
+        response.body.should =~ /<select/
       end
     end
 
     context "without forgery protection" do
-      before :each do
-        prepare!('model_form')
+      before do
+        get 'model_form'
       end
 
       it "should work?" do
-        #puts @response.body
+        response.body.should =~ /<select/
       end
     end
   end
 
   context "with forgery protection" do
-    before :each do
-      (class << controller; self; end).send(:protect_from_forgery)
-      prepare! if RAILS_VERSION < "3.0"
-    end
+    before { enable_forgery_protection }
+
     #"object_name_method_name" name="object_name[method_name]" size="30" type="text" value="" /></div>
     #<input id="e21372563297c728093bf74c3cb6b96c" name="a0844d45bf150668ff1d86a6eb491969" size="30" type="text" value="method_value" />
     
@@ -92,12 +46,12 @@ describe TestController do
                '842d8d1c80014ce9f3d974614338605c' => 'some_value'
              }
       post 'proc_form', form
-      #puts @response.body
+      #puts response.body
       controller.params[:object_name].should == { 'method_name' => 'some_value' }
     end
     
     context "after processing valid obfuscated post" do
-      before(:each) do
+      before do
         post 'proc_form', { 'authenticity_token' => '1234',
                  'object_name' => { 'method_name' => '' },
                  '842d8d1c80014ce9f3d974614338605c' => 'some_value'
@@ -152,36 +106,31 @@ describe TestController do
       controller.request.remote_addr = '127.0.0.1'
       post 'proc_form', form
       # puts controller.params.inspect
-      controller.params.should == { 'action' => 'proc_form', 'controller' => 'test',
-                                                       'authenticity_token' => 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw=',
-                                                       'user_session' => {
-                                                          'login' => 'admin',
-                                                          'password' => 'pwpwpw',
-                                                          'remember_me' => '1'
-                                                       },
-                                                       'commit' => 'Log In'
+      controller.params.should == { 'action' => 'proc_form', 'controller' => 'tests',
+                                     'authenticity_token' => 'yPgTAsngzpBO8k1v83RGH26sTrQYD50Ou2oiMT4r/iw=',
+                                     'user_session' => {
+                                        'login' => 'admin',
+                                        'password' => 'pwpwpw',
+                                        'remember_me' => '1'
+                                     },
+                                     'commit' => 'Log In'
       }
     end
   end
 
   context "without forgery protection" do
-    before :each do
-      prepare! if RAILS_VERSION < "3.0"
-    end
-
     it "processes non-obfuscated form post" do
       form = { #'authenticity_token' => '1234',
                'object_name' => { 'method_name' => 'test' }
              }
       post 'proc_form', form
-      # puts @response.body
+      # puts response.body
       controller.params.should_not == { 'suspected_bot' => true }
       controller.params[:object_name].should == { 'method_name' => 'test' }
     end
 
     it "produces non-obfuscated form elements" do
-      prepare! if RAILS_VERSION >= "3.0"
-      @response.body.should_not match(/<\/div><input/)
+      response.body.should_not match(/<\/div><input/)
     end
   end
 end