cloudkit 0.9.0

data/test/ext_test.rb

@@ -0,0 +1,57 @@
+require 'helper'
+class ExtTest < Test::Unit::TestCase
+
+  context "A Hash" do
+
+    should "re-key an entry if it exists" do
+      x = {:a => 1, :b => 2}
+      x.rekey!(:b, :c)
+      assert x == {:a => 1, :c => 2}
+      x.rekey!(:d, :b)
+      assert x == {:a => 1, :c => 2}
+    end
+
+    should "merge conditionally" do
+      x = {:a => 1}
+      y = {:b => 2}
+      x.filter_merge!(:c => y[:c])
+      assert x == {:a => 1}
+      x.filter_merge!(:c => y[:b])
+      assert x == {:a => 1, :c => 2}
+      x = {}.filter_merge!(:a => 1)
+      assert x == {:a => 1}
+    end
+
+    should "exclude pairs using a single key" do
+      x = {:a => 1, :b => 2}
+      y = x.excluding(:b)
+      assert y == {:a => 1}
+    end
+
+    should "exclude pairs using a list of keys" do
+      x = {:a => 1, :b => 2, :c => 3}
+      y = x.excluding(:b, :c)
+      assert y == {:a => 1}
+    end
+  end
+
+  context "An Array" do
+
+    should "exclude elements" do
+      x = [0, 1, 2, 3]
+      y = x.excluding(1, 3)
+      assert_equal [0, 2], y
+    end
+  end
+
+  context "An Object" do
+
+    should "try" do
+      x = {:a => 'a'}
+      result = x[:a].try(:upcase)
+      assert_equal 'A', result
+      assert_nothing_raised {x[:b].try(:upcase)}
+    end
+  end
+
+end

data/test/flash_session_test.rb

@@ -0,0 +1,22 @@
+require 'helper'
+class FlashSessionTest < Test::Unit::TestCase
+
+  context "A FlashSession" do
+
+    setup do
+      @flash = CloudKit::FlashSession.new
+    end
+
+    should "accept a value for a key" do
+      @flash['greeting'] = 'hello'
+      assert_equal 'hello', @flash['greeting']
+    end
+
+    should "erase a key/value pair after access" do
+      @flash['greeting'] = 'hello'
+      x = @flash['greeting']
+      assert_nil @flash['greeting']
+    end
+
+  end
+end

data/test/helper.rb

@@ -0,0 +1,50 @@
+$:.unshift File.expand_path(File.dirname(__FILE__)) + '/../lib'
+require 'cloudkit'
+require 'test/unit'
+require 'shoulda'
+require 'rexml/document'
+
+def auth_key; "cloudkit.user"; end
+def remote_user; "/cloudkit_users/abcdef"; end
+
+def echo_text(text)
+  lambda {|env| [200, {'Content-Type' => 'text/html'}, [text]]}
+end
+
+def echo_env(key)
+  lambda {|env| [200, {'Content-Type' => 'text/html'}, [env[key] || '']]}
+end
+
+def auth
+  {auth_key => remote_user}
+end
+
+def plain_service
+  Rack::Builder.new do
+    use Rack::Config do |env|
+      env['cloudkit.storage.uri'] = 'sqlite://service.db'
+    end
+    use CloudKit::Service, :collections => [:items, :things]
+    run echo_text('martino')
+  end
+end
+
+def authed_service
+  Rack::Builder.new do
+    use Rack::Config do |env|
+      env['cloudkit.storage.uri'] = 'sqlite://service.db'
+      r = CloudKit::Request.new(env)
+      r.announce_auth('cloudkit.filter.oauth') # mock
+    end
+    use CloudKit::Service, :collections => [:items, :things]
+    run echo_text('martino')
+  end
+end
+
+def openid_app
+  Rack::Builder.new do
+    use Rack::Session::Pool
+    use CloudKit::OpenIDFilter
+    run echo_env(auth_key)
+  end
+end

data/test/oauth_filter_test.rb

@@ -0,0 +1,331 @@
+require 'helper'
+class OAuthFilterTest < Test::Unit::TestCase
+
+  context "An OAuthFilter" do  
+
+    setup do
+      @oauth_filtered_app = CloudKit::OAuthFilter.new(echo_env(auth_key))
+      token = JSON.generate(
+        :secret          => 'pfkkdhi9sl3r4s00',
+        :consumer_key    => 'dpf43f3p2l4k3l03',
+        :consumer_secret => 'kd94hf93k423kf44',
+        :user_id         => 'martino')
+      Rack::MockRequest.new(@oauth_filtered_app).get('/') # prime the storage
+      @store = @oauth_filtered_app.store
+      result = @store.put('/cloudkit_oauth_tokens/nnch734d00sl2jdk', :json => token)
+      @token_etag = result.parsed_content['etag']
+    end
+
+    teardown do
+      @store.reset!
+      @store.load_static_consumer
+    end
+
+    should "verify signatures" do
+      response = do_get
+      assert_equal 200, response.status
+      assert_equal 'martino', response.body
+    end
+
+    should "notify downstream nodes of its presence" do
+      app = CloudKit::OAuthFilter.new(echo_env('cloudkit.via'))
+      response = Rack::MockRequest.new(app).get('/')
+      assert_equal 'cloudkit.filter.oauth', response.body
+    end
+
+    should "not allow a nonce/timestamp combination to appear twice" do
+      do_get
+      response = do_get
+      assert_equal '', response.body
+      get_request_token
+      response = get_request_token
+      assert_equal 401, response.status
+    end
+
+    should "add the remote user to the rack environment for verified requests" do
+      response = do_get
+      assert_equal 'martino', response.body
+    end
+
+    should "allow requests for / to pass through" do
+      response = Rack::MockRequest.new(@oauth_filtered_app).get('/')
+      assert_equal 200, response.status
+    end
+
+    should "reject unauthorized requests" do
+      response = Rack::MockRequest.new(@oauth_filtered_app).get(
+        'http://photos.example.net/photos?file=vacation.jpg&size=original' +
+        '&oauth_version=1.0' +
+        '&oauth_consumer_key=dpf43f3p2l4k3l03' +
+        '&oauth_token=nnch734d00sl2jdk' +
+        '&oauth_timestamp=1191242096' +
+        '&oauth_nonce=kllo9940pd9333jh' +
+        '&oauth_signature=fail'+
+        '&oauth_signature_method=HMAC-SHA1', 'X-Remote-User' => 'intruder') # TODO rework
+      assert_equal '', response.body
+    end
+
+    context "supporting OAuth Discovery" do
+
+      should "set the auth challenge for unauthorized requests" do
+        app = CloudKit::OAuthFilter.new(
+          lambda {|env| [200, {}, [env['cloudkit.challenge']['WWW-Authenticate'] || '']]})
+        response = Rack::MockRequest.new(app).get(
+          '/items', 'HTTP_HOST' => 'example.org')
+        assert_equal 'OAuth realm="http://example.org"', response.body
+        app = CloudKit::OAuthFilter.new(
+          lambda {|env| [200, {}, [env['cloudkit.challenge']['Link'] || '']]})
+        response = Rack::MockRequest.new(app).get(
+          '/items', 'HTTP_HOST' => 'example.org')
+        assert_equal '<http://example.org/oauth/meta>; rel="http://oauth.net/discovery/1.0/rel/provider"',
+          response.body
+      end
+
+      should "provide XRD metadata on GET /oauth/meta" do
+        response = Rack::MockRequest.new(@oauth_filtered_app).get(
+          '/oauth/meta', 'HTTP_HOST' => 'example.org')
+        assert_equal 200, response.status
+        doc = REXML::Document.new(response.body)
+        assert REXML::XPath.first(doc, '//XRD/Type')
+        assert_equal 'http://oauth.net/discovery/1.0',
+          REXML::XPath.first(doc, '//XRD/Type').children[0].to_s
+        assert REXML::XPath.first(doc, '//XRD/Service/Type')
+        assert_equal 'http://oauth.net/discovery/1.0/rel/provider',
+          REXML::XPath.first(doc, '//XRD/Service/Type').children[0].to_s
+        assert REXML::XPath.first(doc, '//XRD/Service/URI')
+        assert_equal 'http://example.org/oauth',
+          REXML::XPath.first(doc, '//XRD/Service/URI').children[0].to_s
+      end
+
+      should "respond to OAuth Discovery Draft 2 / XRDS-Simple Discovery" do
+        response = Rack::MockRequest.new(@oauth_filtered_app).get(
+          '/anything',
+          'HTTP_HOST'   => 'example.org',
+          'HTTP_ACCEPT' => 'application/xrds+xml')
+        assert 200, response.status
+        assert_equal 'http://example.org/oauth', response['X-XRDS-Location']
+      end
+
+      should "provide a descriptor document on GET /oauth" do
+        response = Rack::MockRequest.new(@oauth_filtered_app).get(
+          '/oauth', 'HTTP_HOST' => 'example.org')
+        assert_equal 200, response.status
+        assert_equal 'application/xrds+xml', response['Content-Type']
+      end
+
+      should "populate the static consumer on startup" do
+        response = @store.get('/cloudkit_oauth_consumers/cloudkitconsumer')
+        assert_equal 200, response.status
+      end
+
+    end
+
+    context "supporting authorization" do
+
+      should "generate request tokens" do
+        response = get_request_token
+        assert_equal 201, response.status
+        token, secret = response.body.split('&')
+        token_parts = token.split('=')
+        secret_parts = secret.split('=')
+        assert_equal 'oauth_token', token_parts.first
+        assert_equal 'oauth_token_secret', secret_parts.first
+        assert token_parts.last
+        assert !token_parts.last.empty?
+        assert secret_parts.last
+        assert !secret_parts.last.empty?
+      end
+
+      should "not generate request tokens for invalid consumers" do  
+        # this does not mean consumers must register, only that they
+        # should use the static value provided in the xrd document
+        # or one that is specified in the consumer database
+        pre_sign = Rack::Request.new(Rack::MockRequest.env_for(
+          'http://photos.example.net/oauth/request_tokens',
+          'Authorization' => 'OAuth realm="http://photos.example.net", ' +
+          'oauth_version="1.0", ' +
+          'oauth_consumer_key="mysteryconsumer", ' +
+          'oauth_timestamp="1191242096", ' +
+          'oauth_nonce="AAAAAAAAAAAAAAAAA", ' +
+          'oauth_signature_method="HMAC-SHA1"',
+          :method => "POST"))
+        signature = OAuth::Signature.build(pre_sign) do |token, consumer_key|
+          [nil, '']
+        end
+        response = Rack::MockRequest.new(@oauth_filtered_app).post(
+          'http://photos.example.net/oauth/request_tokens?' +
+          'oauth_version=1.0' +
+          '&oauth_consumer_key=mysteryconsumer' +
+          '&oauth_timestamp=1191242096' +
+          '&oauth_nonce=AAAAAAAAAAAAAAAAA' +
+          '&oauth_signature=' + CGI.escape(signature.signature) +
+          '&oauth_signature_method=HMAC-SHA1')
+        assert_equal 401, response.status
+      end
+
+      should "store request tokens for authorizaton" do
+        response = get_request_token
+        assert_equal 201, response.status
+        token, secret = extract_token(response)
+        request_token = @store.get("/cloudkit_oauth_request_tokens/#{token}").parsed_content
+        assert request_token
+        assert_equal secret, request_token['secret']
+        assert !request_token['authorized_at']
+      end
+
+      should "redirect to login before allowing GET requests for request token authorization" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).get(
+          "/oauth/authorization?oauth_token=#{token}")
+        assert_equal 302, response.status
+        assert_equal '/login', response['Location']
+      end
+
+      should "respond successfully to authorization GET requests for logged-in users with a valid request token" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).get(
+          "/oauth/authorization?oauth_token=#{token}", auth)
+        assert_equal 200, response.status
+      end
+
+      should "reject authorization GET requests with invalid tokens" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).get(
+          "/oauth/authorization?oauth_token=fail", auth)
+        assert_equal 401, response.status
+      end
+
+      should "authorize request tokens for verified requests" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).put(
+          "/oauth/authorized_request_tokens/#{token}?submit=Approve", auth)
+        assert_equal 200, response.status
+        request_token = @store.get("/cloudkit_oauth_request_tokens/#{token}").parsed_content
+        assert request_token['authorized_at']
+        assert request_token['user_id']
+      end
+
+      should "removed denied request tokens" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).put(
+          "/oauth/authorized_request_tokens/#{token}?submit=Deny", auth)
+        assert_equal 200, response.status
+        request_token = @store.get("/cloudkit_oauth_request_tokens/#{token}").parsed_content
+        assert 410, response.status
+      end
+
+      should "redirect to login for authorization PUT requests unless logged-in" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).put(
+          "/oauth/authorized_request_tokens/#{token}?submit=Approve")
+        assert_equal 302, response.status
+        assert_equal '/login', response['Location']
+      end
+
+      should "not create access tokens for request tokens that have already been authorized" do
+        response = get_request_token
+        token, secret = extract_token(response)
+        response = Rack::MockRequest.new(@oauth_filtered_app).put(
+          "/oauth/authorized_request_tokens/#{token}?submit=Approve", auth)
+        assert_equal 200, response.status
+        response = Rack::MockRequest.new(@oauth_filtered_app).put(
+          "/oauth/authorized_request_tokens/#{token}?submit=Approve", auth)
+        assert_equal 401, response.status
+      end
+
+      should "provide access tokens in exchange for authorized request tokens" do
+        response = get_access_token
+        assert_equal 201, response.status
+        token, secret = extract_token(response)
+        assert !token.empty?
+        assert !secret.empty?
+      end
+
+      should "remove request tokens after creating access tokens" do
+        response = get_access_token
+        assert_equal 201, response.status
+        request_tokens = @store.get('/cloudkit_oauth_request_tokens').parsed_content
+        assert_equal 0, request_tokens['uris'].size
+      end
+
+    end
+  end
+
+  def do_get
+    Rack::MockRequest.new(@oauth_filtered_app).get(
+      'http://photos.example.net/photos?file=vacation.jpg&size=original' +
+      '&oauth_version=1.0' +
+      '&oauth_consumer_key=dpf43f3p2l4k3l03' +
+      '&oauth_token=nnch734d00sl2jdk' +
+      '&oauth_timestamp=1191242096' +
+      '&oauth_nonce=kllo9940pd9333jh' +
+      '&oauth_signature=tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D' +
+      '&oauth_signature_method=HMAC-SHA1')
+  end
+
+  def get_request_token
+    pre_sign = Rack::Request.new(Rack::MockRequest.env_for(
+      'http://photos.example.net/oauth/request_tokens',
+      'Authorization' => 'OAuth realm="http://photos.example.net", ' +
+      'oauth_version="1.0", ' +
+      'oauth_consumer_key="cloudkitconsumer", ' +
+      'oauth_timestamp="1191242096", ' +
+      'oauth_nonce="AAAAAAAAAAAAAAAAA", ' +
+      'oauth_signature_method="HMAC-SHA1"',
+      :method => "POST"))
+    signature = OAuth::Signature.build(pre_sign) do |token, consumer_key|
+      [nil, '']
+    end
+    Rack::MockRequest.new(@oauth_filtered_app).post(
+      'http://photos.example.net/oauth/request_tokens?' +
+      'oauth_version=1.0' +
+      '&oauth_consumer_key=cloudkitconsumer' +
+      '&oauth_timestamp=1191242096' +
+      '&oauth_nonce=AAAAAAAAAAAAAAAAA' +
+      '&oauth_signature=' + CGI.escape(signature.signature) +
+      '&oauth_signature_method=HMAC-SHA1')
+  end
+
+  def get_access_token
+    response = get_request_token
+    token, secret = extract_token(response)
+    response = Rack::MockRequest.new(@oauth_filtered_app).put(
+      "/oauth/authorized_request_tokens/#{token}", auth)
+    assert_equal 200, response.status
+    pre_sign = Rack::Request.new(Rack::MockRequest.env_for(
+      'http://photos.example.net/oauth/access_tokens',
+      'Authorization' => 'OAuth realm="http://photos.example.net", ' +
+      'oauth_version="1.0", ' +
+      'oauth_consumer_key="cloudkitconsumer", ' +
+      'oauth_token="' + token + '", ' +
+      'oauth_timestamp="1191242097", ' +
+      'oauth_nonce="AAAAAAAAAAAAAAAAA", ' +
+      'oauth_signature_method="HMAC-SHA1"',
+      :method => "POST"))
+    signature = OAuth::Signature.build(pre_sign) do |token, consumer_key|
+      [secret, '']
+    end
+    Rack::MockRequest.new(@oauth_filtered_app).post(
+      'http://photos.example.net/oauth/access_tokens?' +
+      'oauth_version=1.0' +
+      '&oauth_consumer_key=cloudkitconsumer' +
+      '&oauth_token=' + token +
+      '&oauth_timestamp=1191242097' +
+      '&oauth_nonce=AAAAAAAAAAAAAAAAA' +
+      '&oauth_signature=' + CGI.escape(signature.signature) +
+      '&oauth_signature_method=HMAC-SHA1')
+  end
+
+  def extract_token(response)
+    token, secret = response.body.split('&')
+    token_parts = token.split('=')
+    secret_parts = secret.split('=')
+    return token_parts.last, secret_parts.last
+  end
+end