conjur-asset-key-pair 0.2.1

data/spec/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::API
+end

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application

data/spec/dummy/config/application.rb

@@ -0,0 +1,64 @@
+require File.expand_path('../boot', __FILE__)
+
+ENV['CONJUR_ASSET_SERVICE'] = "true"
+
+# Pick the frameworks you want:
+require "sequel-rails/railtie"
+require "action_controller/railtie"
+
+Bundler.require
+
+require "conjur-asset-key-pair"
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Custom directories with classes and modules you want to be autoloadable.
+    # config.autoload_paths += %W(#{config.root}/extras)
+
+    # Only load the plugins named here, in the order given (default is alphabetical).
+    # :all can be used as a placeholder for all plugins not explicitly named.
+    # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+    # Activate observers that should always be running.
+    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
+    # Configure sensitive parameters which will be filtered from the log file.
+    config.filter_parameters += [:password]
+
+    # Enable escaping HTML in JSON.
+    config.active_support.escape_html_entities_in_json = true
+
+    # Use SQL instead of Active Record's schema dumper when creating the database.
+    # This is necessary if your schema can't be completely dumped by the schema dumper,
+    # like if you have constraints or database-specific column types
+    #config.active_record.schema_format = :sql
+
+    # Enforce whitelist mode for mass assignment.
+    # This will create an empty whitelist of attributes available for mass-assignment for all models
+    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+    # parameters by using an attr_accessible or attr_protected declaration.
+    #config.active_record.whitelist_attributes = true
+
+    # Enable the asset pipeline
+    config.assets.enabled = true
+
+    # Version of your assets, change this if you want to expire all your assets
+    config.assets.version = '1.0'
+  end
+end
+

data/spec/dummy/config/boot.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+
+if File.exist?(gemfile)
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+end
+
+$:.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/config/database.yml

@@ -0,0 +1,19 @@
+development:
+  adapter: postgresql
+  encoding: unicode
+  database: conjur-asset-key-pair_dev
+  pool: 5
+  username: postgres
+  password:
+
+test: &test
+  adapter: postgresql
+  encoding: unicode
+  database: conjur-asset-key-pair_test
+  pool: 5
+  username: postgres
+  password:
+
+cucumber:
+  <<: *test
+

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!

data/spec/dummy/config/environments/cucumber.rb

@@ -0,0 +1,40 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Configure static asset server for tests with Cache-Control for performance
+  config.serve_static_assets = true
+
+  # Log error messages when you accidentally call methods on nil
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = true
+
+  # Raise exceptions instead of rendering exception templates
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  # config.action_mailer.delivery_method = :test
+
+  # Raise exception on mass assignment protection for Active Record models
+  # config.active_record.mass_assignment_sanitizer = :strict
+
+  # Print deprecation notices to the stderr
+  config.active_support.deprecation = :stderr
+end
+
+ENV['CONJUR_AUTHN_URL'] ||= "https://authn-ci-conjur.herokuapp.com"
+ENV['CONJUR_AUTHZ_URL'] ||= "https://authz-ci-conjur.herokuapp.com"
+ENV['CONJUR_CORE_URL'] ||= "https://core-ci-conjur.herokuapp.com"

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,37 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Log error messages when you accidentally call methods on nil.
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger
+  config.active_support.deprecation = :log
+
+  # Only use best-standards-support built into browsers
+  config.action_dispatch.best_standards_support = :builtin
+
+  # Raise exception on mass assignment protection for Active Record models
+  #config.active_record.mass_assignment_sanitizer = :strict
+
+  # Log the query plan for queries taking more than this (works
+  # with SQLite, MySQL, and PostgreSQL)
+  #config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+  # Do not compress assets
+  config.assets.compress = false
+
+  # Expands the lines which load the assets
+  config.assets.debug = true
+end

data/spec/dummy/config/environments/test.rb

@@ -0,0 +1,38 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Configure static asset server for tests with Cache-Control for performance
+  config.serve_static_assets = true
+  config.static_cache_control = "public, max-age=3600"
+
+  # Log error messages when you accidentally call methods on nil
+  config.whiny_nils = true
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  #config.action_mailer.delivery_method = :test
+
+  # Raise exception on mass assignment protection for Active Record models
+  #config.active_record.mass_assignment_sanitizer = :strict
+
+  # Print deprecation notices to the stderr
+  config.active_support.deprecation = :stderr
+end
+

data/spec/dummy/config/initializers/authenticator.rb

@@ -0,0 +1,5 @@
+require 'authable/rack/authenticator'
+
+Dummy::Application.config.middleware.use Authable::Rack::Authenticator
+
+ENV['DUMMY_SLOSILO_KEY'] = "FuMJAe21j/JPQFjm+9WxQTsjwR/WB6Az3GIqC8dYRnw="

data/spec/dummy/config/initializers/conjur.rb

@@ -0,0 +1,6 @@
+ENV['CONJUR_ACCOUNT'] ||= 'ci'
+
+def conjur_account
+  ENV['CONJUR_ACCOUNT']
+end
+  

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,5 @@
+# Sample localization file for English. Add more files in this directory for other locales.
+# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+
+en:
+  hello: "Hello world"

data/spec/dummy/config/routes.rb

@@ -0,0 +1,58 @@
+Dummy::Application.routes.draw do
+  # The priority is based upon order of creation:
+  # first created -> highest priority.
+
+  # Sample of regular route:
+  #   match 'products/:id' => 'catalog#view'
+  # Keep in mind you can assign values other than :controller and :action
+
+  # Sample of named route:
+  #   match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
+  # This route can be invoked with purchase_url(:id => product.id)
+
+  # Sample resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Sample resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Sample resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Sample resource route with more complex sub-resources
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', :on => :collection
+  #     end
+  #   end
+
+  # Sample resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+
+  # You can have the root of your site routed with "root"
+  # just remember to delete public/index.html.
+  # root :to => 'welcome#index'
+
+  # See how all your routes lay out with "rake routes"
+
+  # This is a legacy wild controller route that's not recommended for RESTful applications.
+  # Note: This route will make all actions in every controller accessible via GET requests.
+  # match ':controller(/:action(/:id))(.:format)'
+end

data/spec/dummy/db/schema.rb

@@ -0,0 +1,24 @@
+Sequel.migration do
+  change do
+    create_table(:schema_migrations) do
+      column :filename, "text", :null=>false
+      
+      primary_key [:filename]
+    end
+    
+    create_table(:secrets) do
+      primary_key :id
+      column :userid, "text", :null=>false
+      column :ownerid, "text", :null=>false
+      column :key, "bytea", :null=>false
+      column :created_at, "timestamp without time zone", :default=>Sequel::CURRENT_TIMESTAMP, :null=>false
+    end
+    
+    create_table(:slosilo_keystore) do
+      column :id, "text", :null=>false
+      column :key, "bytea", :null=>false
+      
+      primary_key [:id]
+    end
+  end
+end

data/spec/dummy/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/spec/models/key_pair_spec.rb

@@ -0,0 +1,117 @@
+require 'spec_helper'
+
+KEY_PAIR_KEY = Slosilo::Key.new
+  
+describe KeyPair do
+  include_context "mock authz"
+  include_context "current user"
+  
+  before {
+    KeyPair.unrestrict_primary_key
+  }
+
+  let(:id) { KeyPair.model.db["SELECT crockford(pri_nextval('key_pairs_id_seq'::regclass))"].first.values[0] }
+  let(:ownerid) { nil }
+  let(:key_pair) {
+    params = { id: id, userid: userid }
+    params[:ownerid] = ownerid if ownerid
+    KeyPair.new(params) 
+  }
+  let(:private_key_variable) { mock(:private_key_variable, id: 'private-key-variable-id', value: KEY_PAIR_KEY.key.to_pem) }
+  let(:public_key_variable) { mock(:public_key_variable, id: 'public-key-variable-id', value: KEY_PAIR_KEY.key.public_key.to_pem) }
+  let(:variable_options) { {} }
+
+  before {
+    Slosilo::Key.stub(:new).and_return KEY_PAIR_KEY
+
+    authz_api.should_receive(:create_variable).with('application/x-pem-file', 'rsa-private-key', variable_options).and_return private_key_variable
+    private_key_variable.should_receive(:add_value).with(KEY_PAIR_KEY.key.to_pem)
+    authz_api.should_receive(:create_variable).with('application/x-pem-file', 'rsa-public-key', variable_options).and_return public_key_variable
+    public_key_variable.should_receive(:add_value).with(KEY_PAIR_KEY.key.public_key.to_pem)
+    
+    authz_api.stub(:variable).with(private_key_variable.id).and_return private_key_variable
+    authz_api.stub(:variable).with(public_key_variable.id).and_return public_key_variable
+  }
+
+  context "#new" do
+    before { key_pair.valid? }
+    context "fields" do
+      subject { key_pair }
+      its(:public_key) { 
+        authz_api.should_receive(:variable).with('public-key-variable-id').and_return public_key_variable
+        should be_instance_of(Slosilo::Key) 
+      } 
+      its(:private_key) { should be_instance_of(Slosilo::Key) } 
+      its(:public_keyid) { should == public_key_variable.id }
+      its(:private_keyid) { should == private_key_variable.id }
+    end
+    context "validation errors" do
+      subject { key_pair.errors }
+      its(:full_messages) { should == [] }
+    end
+  end
+  
+  def key_pair_role(role)
+    "ci:@:key_pair/#{key_pair.id}/#{role}"
+  end
+  
+  shared_context "saved service key_pair" do
+    before {
+      key_pair.stub(:create_authz_resources)
+      key_pair.stub(:create_authz_roles)
+      
+      authz_api.should_receive(:variable).with('public-key-variable-id').and_return public_key_variable = mock(:public_key_variable)
+      public_key_variable.should_receive(:resource).and_return public_key_resource = mock(:public_key_resource)
+      public_key_resource.should_receive(:permit).with(:execute, key_pair_role('encrypt'))
+
+      authz_api.should_receive(:variable).with('private-key-variable-id').and_return private_key_variable = mock(:private_key_variable)
+      private_key_variable.should_receive(:resource).and_return private_key_resource = mock(:private_key_resource)
+      private_key_resource.should_receive(:permit).with(:execute, key_pair_role('decrypt'))
+     
+      key_pair.save
+    }
+  end
+  
+  context "#saved" do
+    include_context "saved service key_pair"
+   
+    subject { key_pair }
+
+    let(:decrypt_role) { double(:"decrypt-role") }
+    before {
+      authz_api.stub(:role).with("ci:@:key_pair/#{id}/decrypt").and_return decrypt_role
+    }
+    let(:encrypt_role) { double(:"encrypt-role") }
+    before {
+      authz_api.stub(:role).with("ci:@:key_pair/#{id}/encrypt").and_return encrypt_role
+    }
+    
+    context "group owner" do
+      let(:ownerid) { "a:group:owner" }
+      let(:variable_options) { { acting_as: ownerid } }
+      it "should create the variable with options" do
+        key_pair.should be
+      end
+    end
+    
+    context "encryption" do
+      let(:message) { "the-message" }
+      let(:encrypted_message) { key_pair.encrypt(message)  }
+      it "encrypted message should match the expected format" do
+        encrypted_message.length.should == 288
+      end
+      context "and decryption" do
+        it "round-trips successfully" do
+          key_pair.decrypt(encrypted_message) == message
+        end
+      end
+    end
+
+    context "#public_json" do
+      context ".keys" do
+        subject { key_pair.public_json.keys }
+        specify { should == [ :id, :userid, :ownerid, :resource_identifier ] }
+      end
+    end
+  end
+end