door_mat 0.0.5

data/spec/lib/crypto_spec.rb

@@ -0,0 +1,130 @@
+require 'spec_helper'
+
+module DoorMat
+  describe "DoorMat Crypto Module" do
+    it "Compare strings securely" do
+      expect(DoorMat::Crypto::secure_compare('','asdf')).to be false
+      expect(DoorMat::Crypto::secure_compare('asdf','jkfa')).to be false
+      expect(DoorMat::Crypto::secure_compare('asdf','asdfa')).to be false
+      expect(DoorMat::Crypto::secure_compare('asdf','asd')).to be false
+      expect(DoorMat::Crypto::secure_compare('asdf','')).to be false
+      expect(DoorMat::Crypto::secure_compare('asdfa','asdf')).to be false
+      expect(DoorMat::Crypto::secure_compare('asd','asdf')).to be false
+
+      expect(DoorMat::Crypto::secure_compare('asdf','asdf')).to be true
+      expect(DoorMat::Crypto::secure_compare('','')).to be true
+    end
+
+    it "Hashes passwords" do
+      expect(DoorMat::Crypto::secure_compare(
+                 DoorMat::Crypto::PasswordHash.pbkdf2_salt(),
+                 DoorMat::Crypto::PasswordHash.pbkdf2_salt())).to be false
+
+      static_password = "MXaREjXsHsVQIEcjjPQX"
+      random_password = OpenSSL::Random.random_bytes(200).scan(/\w/).join("")[0,20]
+      static_salt = "MzI=--MTAwMDA=--arpM8+sl0mdOt+44eJNygxPI6UpD2bGFruymWMZ7jQg="
+      random_salt = DoorMat::Crypto::PasswordHash.pbkdf2_salt()
+
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(static_password, static_salt),
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(static_password, random_salt))).to be false
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(static_password, static_salt),
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(random_password, static_salt))).to be false
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(static_password, static_salt),
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(static_password, static_salt))).to be true
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(random_password, random_salt),
+          DoorMat::Crypto::PasswordHash.pbkdf2_hash(random_password, random_salt))).to be true
+
+
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.bcrypt_salt(),
+          DoorMat::Crypto::PasswordHash.bcrypt_salt())).to be false
+
+      static_password = "L7CXudYmS1ewNOPGYlHc"
+      random_password = OpenSSL::Random.random_bytes(200).scan(/\w/).join("")[0,20]
+      static_salt = "$2a$12$XJsQd7Z7vcef.9ksiYBxS."
+      random_salt = DoorMat::Crypto::PasswordHash.bcrypt_salt()
+
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(static_password, static_salt),
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(static_password, random_salt))).to be false
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(static_password, static_salt),
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(random_password, static_salt))).to be false
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(static_password, static_salt),
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(static_password, static_salt))).to be true
+      expect(DoorMat::Crypto::secure_compare(
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(random_password, random_salt),
+          DoorMat::Crypto::PasswordHash.bcrypt_hash(random_password, random_salt))).to be true
+
+    end
+
+    it "Does Symmetric encryption" do
+      message = "Be the change you want to see in the world. -Apparently not by Mahatma Gandhi"
+      # http://www.nytimes.com/2011/08/30/opinion/falser-words-were-never-spoken.html?_r=0
+
+      static_key = "8FBav54BeCoD+np2bQeg6zYFSQum/Yq6ftoBLYwdrHM="
+      static_ciphertext = "VVRGLTg=--QgtPjJI61mvsfaB6Txls7A==--Z1c9L9h6ttZi7GgI--Pn+8P7lWazaiNLiy4rf+bc5o7zlnnOruesUc6lE65UDvasYfEGINIdUzvzpN9Z8wBySqXqH5nndLCW3L3xLTreflpIdDcP0Fqp9rWP0="
+
+      h = DoorMat::Crypto::SymmetricStore.encrypt(message)
+      random_key = h[:key]
+      random_ciphertext = h[:ciphertext]
+
+      assert_equal(message, DoorMat::Crypto::SymmetricStore.decrypt(static_ciphertext, static_key),
+                   "decrypted ciphertext match original message")
+      assert_equal(message, DoorMat::Crypto::SymmetricStore.decrypt(random_ciphertext, random_key),
+                   "decrypted ciphertext match original message")
+
+      encoding, auth_tag, iv, encrypted_string = static_ciphertext.split('--')
+      expect {
+        bad_key = "8FBbv54BeCoD+np2bQeg6zYFSQum/Yq6ftoBLYwdrHM="
+        DoorMat::Crypto::SymmetricStore.decrypt(static_ciphertext, bad_key)
+      }.to raise_error(OpenSSL::Cipher::CipherError)
+      expect {
+        bad_auth_tag = [encoding, "qgtPjJI61mvsfaB6Txls7A==", iv, encrypted_string].join('--')
+        DoorMat::Crypto::SymmetricStore.decrypt(bad_auth_tag, static_key)
+      }.to raise_error(OpenSSL::Cipher::CipherError)
+      expect {
+        bad_iv = [encoding, auth_tag, "z1c9L9h6ttZi7GgI", encrypted_string].join('--')
+        DoorMat::Crypto::SymmetricStore.decrypt(bad_iv, static_key)
+      }.to raise_error(OpenSSL::Cipher::CipherError)
+      expect {
+        bad_encrypted_string = [encoding, auth_tag, iv, "pn+8P7lWazaiNLiy4rf+bc5o7zlnnOruesUc6lE65UDvasYfEGINIdUzvzpN9Z8wBySqXqH5nndLCW3L3xLTreflpIdDcP0Fqp9rWP0="].join('--')
+        DoorMat::Crypto::SymmetricStore.decrypt(bad_encrypted_string, static_key)
+      }.to raise_error(OpenSSL::Cipher::CipherError)
+
+    end
+
+    it "Does Asymmetric encryption" do
+      h = DoorMat::Crypto::AsymmetricStore.generate_pem_encrypted_pkey_pair_and_key
+      private_key = DoorMat::Crypto::AsymmetricStore.private_key_from_pem_encrypted_pkey_pair(h[:pem_encrypted_pkey], h[:key])
+      public_key = DoorMat::Crypto::AsymmetricStore.public_key_from_pem_encrypted_pkey_pair(h[:pem_encrypted_pkey], h[:key])
+
+      pem_public_key = DoorMat::Crypto::AsymmetricStore.pem_public_key_from_pem_encrypted_pkey_pair(h[:pem_encrypted_pkey], h[:key])
+      expect(pem_public_key).to eq public_key.to_pem
+
+      public_key = DoorMat::Crypto::AsymmetricStore.public_key_from_pem_public_key(pem_public_key)
+
+      quote = 'The smallest feline is a masterpiece. -Leonardo da Vinci'
+      ciphertext = DoorMat::Crypto::AsymmetricStore.encrypt(quote, public_key)
+      expect(DoorMat::Crypto::AsymmetricStore.decrypt(ciphertext, private_key)).to eq quote
+
+    end
+
+    it "handles spurious exception in to_pem calls" do
+      dummy = OpenSSL::PKey::RSA.generate(2048)
+      allow(dummy).to receive(:to_pem) do
+        allow(dummy).to receive(:to_pem).and_call_original
+        raise OpenSSL::PKey::RSAError
+      end
+      allow(OpenSSL::PKey::RSA).to receive(:generate).and_return(dummy)
+      expect(DoorMat.configuration.logger).to receive(:error)
+
+      DoorMat::Crypto::AsymmetricStore.generate_pem_encrypted_pkey_pair_and_key
+    end
+  end
+end

data/spec/lib/process_spec.rb

@@ -0,0 +1,159 @@
+require 'spec_helper'
+
+module DoorMat
+
+  describe "DoorMat::Process::CreateNewAnonymousActor" do
+    let(:user_alice) { {name: 'Alice', email: 'alice@example.com', password: 'k#dkvKfdj38g!'} }
+    let(:user_bob) { {name: 'Bob', email: 'bob@example.com', password: 'je&*hK38,%D'} }
+
+    it 'returns nil if an exception was raised while creating the anonymous actor' do
+      anonymous_actor = DoorMat::Process::CreateNewAnonymousActor.owned_by(nil)
+      expect(anonymous_actor).to be_nil
+    end
+
+    it 'allows Alice and Bob to share information' do
+      TestHelper::create_signed_up_actor_with_confirmed_email_address(user_alice[:email], user_alice[:password])
+      TestHelper::create_signed_up_actor_with_confirmed_email_address(user_bob[:email], user_bob[:password])
+
+      alice, session = TestHelper::sign_in_existing_actor(user_alice[:email], user_alice[:password])
+      anonymous_actor = DoorMat::Process::CreateNewAnonymousActor.owned_by(alice)
+
+      # Reusing UserDetail here but this could be any model
+      # with a field protected by an attr_symmetric_store
+      anonymous_actor.user_detail = UserDetail.new
+      anonymous_actor.user_detail.name = 'a message'
+      anonymous_actor.user_detail.save!
+
+      # At this point, an actor exist for Bob but he is not signed in
+      membership = alice.memberships.first
+      locked_actor_bob = DoorMat::Email.matching(user_bob[:email]).first.actor
+      expect(membership.share_with!(locked_actor_bob)).to be_truthy
+
+      TestHelper::sign_out(session)
+
+      # Bob sign in and can access the message shared by Alice
+      bob, session = TestHelper::sign_in_existing_actor(user_bob[:email], user_bob[:password])
+      membership = bob.memberships.first
+      expect(membership.load_sub_session).to be_truthy
+
+      expect(membership.member_of.user_detail.name).to eq('a message')
+
+      TestHelper::sign_out(session)
+    end
+
+  end
+
+  describe "DoorMat::Process::ActorPasswordChange" do
+    let(:user) { {name: 'Alice', email: 'user@example.com', password: 'k#dkvKfdj38g!', new_password: 'new_k#dkvKfdj38g!'} }
+
+    it 'changes the password' do
+      alice, session = TestHelper::create_signed_in_actor_with_confirmed_email_address(user[:email], user[:password])
+
+      user_detail = UserDetail.new
+      user_detail.actor = alice
+      user_detail.name = user[:name]
+      user_detail.save
+
+      (5..10).each do |i|
+        g = Game.init_for_actor_and_doors(alice, i)
+        g.save
+      end
+      game_first_state, game_last_state = Game.first.state, Game.last.state
+      TestHelper::sign_out(session)
+
+      alice, session = TestHelper::sign_in_existing_actor(user[:email], user[:password])
+
+      expect(DoorMat::Process::ActorPasswordChange.with(alice, 'new_pwd_1', user[:password])).to be true
+      TestHelper::sign_out(session)
+
+      alice, session = TestHelper::sign_in_existing_actor(user[:email], 'new_pwd_1')
+
+      expect(DoorMat::Process::ActorPasswordChange.with(alice, 'new_pwd_2', 'new_pwd_1')).to be true
+      TestHelper::sign_out(session)
+
+      _, _ = TestHelper::sign_in_existing_actor(user[:email], 'new_pwd_2')
+      expect(Game.first.state).to eq(game_first_state)
+      expect(Game.last.state).to eq(game_last_state)
+
+      expect(UserDetail.first.name).to eq(user[:name])
+    end
+
+    it 'fails if the current session is not valid' do
+      alice, session = TestHelper::create_signed_in_actor_with_confirmed_email_address(user[:email], user[:password])
+      allow(session).to receive(:valid?).and_return(false)
+      expect(DoorMat::Process::ActorPasswordChange.with(alice, 'new_pwd_1', user[:password])).to be false
+    end
+
+    it 're-raise exceptions other than a RecordNotFound' do
+      alice, session = TestHelper::create_signed_in_actor_with_confirmed_email_address(user[:email], user[:password])
+      allow(session).to receive(:valid?).and_raise(RuntimeError)
+      expect {
+        DoorMat::Process::ActorPasswordChange.with(alice, 'new_pwd_1', user[:password])
+      }.to raise_error(RuntimeError)
+    end
+
+
+    it 'changes the password' do
+      alice, session = TestHelper::create_signed_in_actor_with_confirmed_email_address(user[:email], user[:password])
+
+      TestHelper::sign_out(session)
+
+      alice_1, session_1 = TestHelper::sign_in_existing_actor(user[:email], user[:password])
+      alice_2, session_2 = TestHelper::sign_in_existing_actor(user[:email], user[:password])
+      expect(RequestStore.store[:current_session]).to eq(session_2)
+
+      expect(DoorMat::Process::ActorPasswordChange.with(alice_2, 'new_pwd_1', user[:password])).to be true
+      TestHelper::sign_out(session_2)
+
+      RequestStore.store[:current_session] = session_1
+
+      expect(DoorMat::Process::ActorPasswordChange.with(alice_1, 'new_pwd_2', user[:password])).to be false
+      expect(DoorMat::Process::ActorPasswordChange.with(alice_1, 'new_pwd_2', nil)).to be false
+    end
+
+    it 'can still access data if password change fails' do
+      alice, old_session = TestHelper::create_signed_in_actor_with_confirmed_email_address(user[:email], user[:password])
+
+      user_detail = UserDetail.new
+      user_detail.actor = alice
+      user_detail.name = user[:name]
+      user_detail.save
+
+      encrypted_name_before = encrypted_name_after = ''
+      DoorMat::Crypto.skip_crypto_callback { encrypted_name_before = UserDetail.all.first.name }
+      allow(DoorMat::Crypto::SymmetricStore).to receive(:decrypt).and_raise(OpenSSL::Cipher::CipherError)
+      expect(DoorMat::Process::ActorPasswordChange.with(alice, user[:new_password])).to be false
+      DoorMat::Crypto.skip_crypto_callback { encrypted_name_after = UserDetail.all.first.name }
+      expect(encrypted_name_before).to eq(encrypted_name_after)
+      allow(DoorMat::Crypto::SymmetricStore).to receive(:decrypt).and_call_original
+
+      _, new_session = TestHelper::sign_in_existing_actor(user[:email], user[:password])
+      expect(old_session.id).not_to eq(new_session.id)
+      expect(UserDetail.first.name).to eq(user[:name])
+    end
+
+    it 'fails the ActivityResetPassword if after_password_reset fails' do
+      alice = TestHelper::create_signed_up_actor_with_confirmed_email_address(user[:email], user[:password])
+
+      email = alice.emails.first
+      token = SecureRandom.uuid
+
+      activity = DoorMat::ActivityResetPassword.new
+      activity.actor = email.actor
+      activity.email = email
+      activity.link_hash = DoorMat::ActivityResetPassword.hash_token(token)
+      activity.started!
+
+      recovery_key = StringIO.new 'the recovery key'
+      forgot_password = DoorMat::ForgotPassword.new(email: user[:email],
+                                                    password: user[:new_password],
+                                                    password_confirmation: user[:new_password],
+                                                    token: token,
+                                                    recovery_key: recovery_key)
+
+      allow(DoorMat::Process::ActorPasswordChange).to receive(:after_password_reset).and_return(false)
+      expect(DoorMat::Process::ResetPassword.with(forgot_password)).to be false
+    end
+
+  end
+end

data/spec/models/door_mat/access_token_spec.rb

@@ -0,0 +1,134 @@
+require 'spec_helper'
+
+module DoorMat
+  describe AccessToken do
+    let(:admin) { {email: Rails.application.secrets.admin_account_email, password: Rails.application.secrets.admin_account_pwd} }
+    let(:params) { {token_for: :big_ticket, identifier: 'user@example.com', confirm_identifier: 'user@example.com', name: 'User', is_public: '1', remember_me: '0'} }
+
+    describe '#_url methods' do
+      it 'returns an array of atoms' do
+        DoorMat::TestHelper.create_signed_up_actor_with_confirmed_email_address(admin[:email], admin[:password])
+        request = Object.new
+
+        access_token = DoorMat::AccessToken.create_from_params(params[:token_for],
+                                                               params[:identifier],
+                                                               params[:confirm_identifier],
+                                                               params[:name],
+                                                               params[:is_public],
+                                                               params[:remember_me],
+                                                               request)
+
+        # generic_redirect_url
+        access_token.default_parameters[:generic_redirect_url] = [:a, :b]
+        expect(access_token.generic_redirect_url).to eq([:a, :b])
+
+        access_token.default_parameters.delete :generic_redirect_url
+        expect(access_token.generic_redirect_url).to eq([:main_app, :root_url])
+
+
+        # default_success_url
+        expect(access_token.default_success_url).to eq([:main_app, :draw_results_url])
+
+        access_token.default_parameters[:generic_redirect_url] = [:c, :d]
+        access_token.session_parameters.delete :default_success_url
+        expect(access_token.default_success_url).to eq([:c, :d])
+
+
+        # default_failure_url
+        access_token.default_parameters[:generic_redirect_url] = [:e, :f]
+        expect(access_token.default_failure_url).to eq([:e, :f])
+
+        access_token.session_parameters[:default_failure_url] = [:g, :h]
+        expect(access_token.default_failure_url).to eq([:g, :h])
+
+        access_token.default_parameters[:generic_redirect_url] = [:main_app, :root_url]
+        access_token.session_parameters[:default_success_url] = [:main_app, :draw_results_url]
+        access_token.session_parameters.delete :default_failure_url
+
+      end
+
+    end
+
+    describe '#create_from_params' do
+
+      it 'can not create an access_token when the actor for the session can not be loaded' do
+        request = OpenStruct.new(:remote_ip => '127.0.0.1')
+
+        access_token = DoorMat::AccessToken.create_from_params(params[:token_for],
+                                                               params[:identifier],
+                                                               params[:confirm_identifier],
+                                                               params[:name],
+                                                               params[:is_public],
+                                                               params[:remember_me],
+                                                               request)
+
+        expect(access_token).not_to be_valid
+      end
+
+      it 'can create an access_token when the actor for the session can be loaded' do
+        DoorMat::TestHelper.create_signed_up_actor_with_confirmed_email_address(admin[:email], admin[:password])
+        request = Object.new
+
+        access_token = DoorMat::AccessToken.create_from_params(params[:token_for],
+                                                               params[:identifier],
+                                                               params[:confirm_identifier],
+                                                               params[:name],
+                                                               params[:is_public],
+                                                               params[:remember_me],
+                                                               request)
+
+        expect(access_token).to be_valid
+      end
+
+      it 'can not create an access_token if the status is not valid' do
+        DoorMat::TestHelper.create_signed_up_actor_with_confirmed_email_address(admin[:email], admin[:password])
+        original_value = DoorMat.configuration.password_less_sessions[params[:token_for].to_sym][:status]
+        DoorMat.configuration.password_less_sessions[params[:token_for].to_sym][:status] = :invalid
+        request = OpenStruct.new(:remote_ip => '127.0.0.1')
+
+        access_token = DoorMat::AccessToken.create_from_params(params[:token_for],
+                                                               params[:identifier],
+                                                               params[:confirm_identifier],
+                                                               params[:name],
+                                                               params[:is_public],
+                                                               params[:remember_me],
+                                                               request)
+
+        expect(access_token.errors.full_messages.join('')).to match(/Could not create a request token based on the information provided/)
+        expect(access_token).not_to be_valid
+        DoorMat.configuration.password_less_sessions[params[:token_for].to_sym][:status] = original_value
+      end
+
+    end
+
+    describe '#swap_token!' do
+
+      it 'swaps an existing token for a new one' do
+        DoorMat::TestHelper.create_signed_up_actor_with_confirmed_email_address(admin[:email], admin[:password])
+        request = Object.new
+
+        access_token = DoorMat::AccessToken.create_from_params(params[:token_for],
+                                                               params[:identifier],
+                                                               params[:confirm_identifier],
+                                                               params[:name],
+                                                               params[:is_public],
+                                                               params[:remember_me],
+                                                               request)
+
+        access_token.used!
+        expect(access_token).to be_valid
+        RequestStore.store[:current_access_token] = access_token
+
+        cookies = Object.new
+        allow(cookies).to receive(:encrypted).and_return({})
+
+        DoorMat::AccessToken.swap_token!(cookies, :big_ticket, :play_game, true)
+
+        expect(access_token.destroyed?).to be_truthy
+        expect(RequestStore.store[:current_access_token]).to be_valid
+      end
+
+    end
+
+  end
+end

data/spec/models/door_mat/activity_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+module DoorMat
+  describe ActivityConfirmEmail do
+
+    it 're-raise an error that occurs while sending the email' do
+      controller = Object.new
+      allow(controller).to receive(:confirm_email_url).and_return('some_url')
+      allow(DoorMat::ActivityMailer).to receive(:confirm_email).and_raise(RuntimeError)
+      actor = build(:actor)
+      email = build(:email, id: 1, status: :not_confirmed)
+      email.actor = actor
+
+      expect{
+        DoorMat::ActivityConfirmEmail.for(email, controller)
+      }.to raise_error(RuntimeError)
+    end
+
+  end
+
+  describe ActivityResetPassword do
+
+    it 're-raise an error that occurs while sending the email' do
+      controller = Object.new
+      allow(controller).to receive(:choose_new_password_url).and_return('some_url')
+      allow(DoorMat::ActivityMailer).to receive(:reset_password).and_raise(RuntimeError)
+      actor = build(:actor)
+      email = build(:email, id: 1, status: :not_confirmed)
+      email.actor = actor
+
+      expect{
+        DoorMat::ActivityResetPassword.for(email, controller)
+      }.to raise_error(RuntimeError)
+    end
+
+  end
+end
+