hancock 0.0.2

data/lib/sinatra/hancock/views/users/signup_form.haml

@@ -0,0 +1,18 @@
+%fieldset
+  %legend Signup for an account
+  %form{:action => '/sso/signup', :method => 'POST'}
+    %label{:for => 'first_name'} 
+      First Name:
+      %input{:type => 'text', :name => 'first_name'}
+      %br
+    %label{:for => 'last_name'} 
+      Last Name:
+      %input{:type => 'text', :name => 'last_name'}
+      %br
+    %label{:for => 'email'} 
+      Email:
+      %input{:type => 'text', :name => 'email'}
+      %br
+    %input{:type => 'submit', :value => 'Signup'}
+    or
+    %a{:href => '/'} Cancel

data/spec/acceptance/signing_up_spec.rb

@@ -0,0 +1,90 @@
+require File.expand_path(File.dirname(__FILE__)+'/../spec_helper')
+
+describe "visiting /sso/signup" do
+  def app
+    Hancock::App
+  end
+  before(:each) do
+    @user = Hancock::User.new(:email      => /\w+@\w+\.\w{2,3}/.gen.downcase,
+                              :first_name => /\w+/.gen.capitalize,
+                              :last_name  => /\w+/.gen.capitalize)
+  end
+  describe "when signing up" do
+    it "should sign the user up" do
+      get '/sso/signup'
+
+      post '/sso/signup', :email => @user.email,
+                          :first_name => @user.first_name,
+                          :last_name => @user.last_name
+
+      confirmation_url = last_response.body.to_s.match(%r!/sso/register/\w{40}!)
+      confirmation_url.should_not be_nil
+
+      get "#{confirmation_url}"
+      password = /\w+{9,32}/.gen
+
+      last_response.body.to_s.should have_selector("form[action='#{confirmation_url}']")
+
+      post "#{confirmation_url}", :password => password, :password_confirmation => password
+      follow_redirect!
+
+      last_response.body.to_s.should have_selector("h3:contains('Hello #{@user.first_name} #{@user.last_name}')")
+    end
+
+    describe "and form hacking" do
+      it "should be unauthorized" do
+        get '/sso/signup'
+
+        post '/sso/signup', :email => @user.email,
+                            :first_name => @user.first_name,
+                            :last_name => @user.last_name
+
+        fake_url = /\w+{9,40}/.gen
+        get "/sso/register/#{fake_url}"
+        last_response.body.to_s.should match(/BadRequest/)
+      end
+    end
+  end
+
+  if ENV['WATIR']
+    begin
+      require 'safariwatir'
+      describe "with no valid browser sessions" do
+        before(:each) do
+          @sso_server = 'http://hancock.atmos.org/sso'
+          @browser = Watir::Safari.new
+          @browser.goto("http://localhost:5000/sso/logout")
+        end
+        it "should browse properly in safari" do
+          # session cookie fails on localhost :\
+          # sso_server = 'http://localhost:20000/sso'
+
+          # make a request and signup to access the site
+          @browser.goto('http://localhost:5000/')
+          @browser.link(:url, "#{@sso_server}/signup").click
+          @browser.text_field(:name, :first_name).set(@user.first_name)
+          @browser.text_field(:name, :last_name).set(@user.last_name)
+          @browser.text_field(:name, :email).set(@user.email)
+          @browser.button(:value, 'Signup').click
+
+          # hacky way to strip this outta the markup in development mode
+          register_url = @browser.html.match(%r!#{@sso_server}/register/\w{40}!).to_s
+          register_url.should_not be_nil
+          password = /\w+{9,32}/.gen
+
+          # register from the url from their email
+          @browser.goto(register_url)
+          @browser.text_field(:name, :password).set(password)
+          @browser.text_field(:name, :password_confirmation).set(password)
+          @browser.button(:value, 'Am I Done Yet?').click
+
+          sleep 2
+
+          # sent back to be greeted on the consumer
+          @browser.html.should match(%r!Hancock Client: Sinatra!)
+          @browser.html.should have_selector("h2 a[href='mailto:#{@user.email}']:contains('#{@user.first_name} #{@user.last_name}')")
+        end
+      end
+    rescue; end
+  end
+end

data/spec/app.rb

@@ -0,0 +1,29 @@
+module Sinatra
+  module Hancock
+    module TestApp
+      module Helpers
+        def landing_page
+          <<-HAML
+%h3 Hello #{session_user.first_name} #{session_user.last_name}!
+- unless @consumers.empty?
+  %ul#consumers
+    - @consumers.each do |consumer|
+      %li
+        %a{:href => consumer.url}= consumer.label
+HAML
+        end
+      end
+      def self.registered(app)
+        app.helpers Helpers
+        app.set :sessions, true
+        app.get '/' do
+          ensure_authenticated
+          @consumers = ::Hancock::Consumer.visible
+          @consumers += ::Hancock::Consumer.internal if session_user.internal?
+          haml landing_page
+        end
+      end
+    end
+  end
+  ::Hancock::App.register(Hancock::TestApp)
+end

data/spec/features/sessions.feature

@@ -0,0 +1,24 @@
+Feature: Logging In to an SSO Account
+  In order to authenticate existing users
+  As an existing user
+    Scenario: logging in
+      Given I am not logged in on the sso provider
+      And a valid consumer and user exists
+      When I request the landing page
+      Then I should see the login form
+      When I login
+      Then I should see a list of consumers
+    Scenario: logging in as a redirect from a consumer
+      Given I am not logged in on the sso provider
+      And a valid consumer and user exists
+      When I request authentication returning to the consumer app
+      Then I should see the login form
+      When I login
+      Then I should be redirected to the consumer app to start the handshake
+    Scenario: logging in
+      Given I am not logged in on the sso provider
+      And a valid consumer and user exists
+      When I request authentication
+      Then I should see the login form
+      When I login
+      Then I should be redirected to the sso provider root on login

data/spec/features/signup.feature

@@ -0,0 +1,26 @@
+Feature: Signing Up for an SSO Account
+  In order to get users involved
+  As a new user
+    Scenario: signing up as a redirect from a consumer
+      Given I am not logged in on the sso provider
+      And a valid consumer exists
+      When I request authentication returning to the consumer app
+      Then I should see the login form
+      When I click signup
+      Then I should see the signup form
+      When I signup with valid info
+      Then I should receive a registration url via email
+      When I hit the registration url and provide a password
+      Then I should be redirected to the consumer app
+
+    Scenario: signing up
+      Given I am not logged in on the sso provider
+      And a valid consumer exists
+      Given I request authentication
+      Then I should see the login form
+      When I click signup
+      Then I should see the signup form
+      When I signup with valid info
+      Then I should receive a registration url via email
+      When I hit the registration url and provide a password
+      Then I should be redirected to the sso provider root

data/spec/features/sso.feature

@@ -0,0 +1,35 @@
+Feature: Authenticating Against the SSO Provider
+  In order to authenticate existing users on a consumer via openid
+    Scenario: SSO Server should be an OpenID Identity Provider
+      When I request the OpenID Identity Provider Page
+      Then I should receive a yadis document from the sso server
+
+    Scenario: OpenID Mode CheckIDSetup
+      Given a valid consumer and user exists
+      And I am logged in on the sso provider
+      When I request the sso page with a checkid mode of checkIDSetup
+      Then I should be redirected to the consumer app with openid params
+    Scenario: OpenID Mode CheckIDSetup
+      Given a valid consumer and user exists
+      And I am logged in on the sso provider
+      When I request the sso page with a checkid mode of checkIDSetup for another users's page
+      Then I should not be redirected to the consumer app with openid params
+    Scenario: OpenID Mode CheckIDSetup unauthenticated
+      Given a valid consumer and user exists
+      When I request the sso page with a checkid mode of checkIDSetup
+      Then I should see the login form
+
+    Scenario: OpenID Mode Immediate
+      Given a valid consumer and user exists
+      And I am logged in on the sso provider
+      When I request the sso page with a checkid mode of immediate
+      Then I should be redirected to the consumer app with openid params
+    Scenario: OpenID Mode Immediate unauthenticated
+      Given a valid consumer and user exists
+      When I request the sso page with a checkid mode of immediate
+      Then I should see the login form
+
+    Scenario: OpenID Mode Associate
+      Given a valid consumer and user exists
+      When I request the sso page with a checkid mode of associate
+      Then I should receive an associate response from the sso server

data/spec/features/step_definitions/sessions_steps.rb

@@ -0,0 +1,31 @@
+Given /^a valid consumer and user exists$/ do
+  @consumer = ::Hancock::Consumer.gen(:internal)
+  @user     = ::Hancock::User.gen
+  get '/sso/logout'  # log us out if we're logged in
+end
+
+Then /^I login$/ do
+  post "/sso/login", :email => @user.email,
+                     :password => @user.password
+end
+
+Then /^I should be redirected to the consumer app to start the handshake$/ do
+  redirection = Addressable::URI.parse(last_response.headers['Location'])
+
+  "#{redirection.scheme}://#{redirection.host}#{redirection.path}".should eql(@consumer.url)
+  redirection.query_values['id'].to_i.should eql(@user.id)
+end
+
+Then /^I should be redirected to the sso provider root on login$/ do
+  last_response.headers['Location'].should eql('/')
+  follow_redirect!
+end
+
+When /^I request the landing page$/ do
+  get '/'
+end
+
+Then /^I should see a list of consumers$/ do
+  last_response.headers['Location'].should eql('/')
+  follow_redirect!
+end

data/spec/features/step_definitions/signup_steps.rb

@@ -0,0 +1,56 @@
+Given /^I am not logged in on the sso provider$/ do
+  @user = Hancock::User.new(:email      => /\w+@\w+\.\w{2,3}/.gen.downcase,
+                            :first_name => /\w+/.gen.capitalize,
+                            :last_name  => /\w+/.gen.capitalize)
+  get "/sso/logout"
+end
+
+Given /^a valid consumer exists$/ do
+  @consumer = ::Hancock::Consumer.gen(:internal)
+end
+
+Given /^I request authentication$/ do
+  get "/sso/login"
+end
+
+Given /^I request authentication returning to the consumer app$/ do
+  get "/sso/login?return_to=#{@consumer.url}"
+end
+
+Then /^I should see the login form$/ do
+  last_response.should be_a_login_form
+end
+
+Given /^I click signup$/ do
+  get "/sso/signup"
+end
+
+Then /^I should see the signup form$/ do
+  last_response.should be_a_signup_form
+end
+
+Given /^I signup with valid info$/ do
+  post "/sso/signup", 'email'      => @user.email,
+                      'first_name' => @user.first_name,
+                      'last_name'  => @user.last_name
+  last_response.status.should eql(200)
+end
+
+Then /^I should receive a registration url via email$/ do
+  @confirmation_url = last_response.body.to_s.match(%r!/sso/register/\w{40}!).to_s
+  @confirmation_url.should_not match(/^\s*$/)
+end
+
+Given /^I hit the registration url and provide a password$/ do
+  get @confirmation_url
+  post @confirmation_url, 'user[password]' => @user.password,
+                          'used[password_confirmation]' => @user.password
+end
+
+Then /^I should be redirected to the sso provider root$/ do
+  last_response.headers['Location'].should eql('/')
+end
+
+Then /^I should be redirected to the consumer app$/ do
+  last_response.headers['Location'].should eql(@consumer.url)
+end

data/spec/features/step_definitions/sso_steps.rb

@@ -0,0 +1,74 @@
+When /^I am logged in on the sso provider$/ do
+  @identity_url = "http://example.org/sso/users/#{@user.id}"
+  post "/sso/login", :email => @user.email,
+                     :password => @user.password
+end
+
+When /^I request the sso page with a checkid mode of checkIDSetup$/ do
+  params = {
+    "openid.ns"         => "http://specs.openid.net/auth/2.0",
+    "openid.mode"       => "checkid_setup",
+    "openid.return_to"  => @consumer.url,
+    "openid.identity"   => @identity_url,
+    "openid.claimed_id" => @identity_url
+  }
+
+  get "/sso", params
+end
+When %r!^I request the sso page with a checkid mode of checkIDSetup for another users's page$! do
+  params = {
+    "openid.ns"         => "http://specs.openid.net/auth/2.0",
+    "openid.mode"       => "checkid_setup",
+    "openid.return_to"  => @consumer.url,
+    "openid.identity"   => 'http://example.org/sso/users/42',
+    "openid.claimed_id" => 'http://example.org/sso/users/42'
+  }
+
+  get "/sso", params
+end
+
+When /^I request the sso page with a checkid mode of associate$/ do
+  @openid_session = OpenID::Consumer::AssociationManager.create_session("DH-SHA1")
+  params =  {
+    "openid.ns"           => 'http://specs.openid.net/auth/2.0',
+    "openid.mode"         => "associate",
+    "openid.session_type" => 'DH-SHA1',
+    "openid.assoc_type"   => 'HMAC-SHA1',
+    "openid.dh_consumer_public"=> @openid_session.get_request['dh_consumer_public']
+  }
+
+  get "/sso", params
+end
+
+When /^I request the sso page with a checkid mode of immediate$/ do
+  params = {
+    "openid.ns"         => "http://specs.openid.net/auth/2.0",
+    "openid.mode"       => "checkid_immediate",
+    "openid.return_to"  => @consumer.url,
+    "openid.identity"   => @identity_url,
+    "openid.claimed_id" => @identity_url 
+  }
+
+  get "/sso", params
+end
+
+Then /^I should be redirected to the consumer app with openid params$/ do
+  last_response.should be_a_redirect_to_the_consumer(@consumer, @user)
+end
+
+Then /^I should receive an associate response from the sso server$/ do
+  last_response.should be_an_openid_associate_response(@openid_session)
+end
+
+Then /^I should not be redirected to the consumer app with openid params$/ do
+  last_response.status.should eql(403)
+end
+
+When /^I request the OpenID Identity Provider Page$/ do
+  get '/sso/xrds'
+end
+
+Then /^I should receive a yadis document from the sso server$/ do
+  last_response.should be_an_identity_provider
+end
+

data/spec/features/support/env.rb

@@ -0,0 +1,16 @@
+require File.expand_path(File.dirname(__FILE__)+'/../../spec_helper')
+require 'haml'
+
+Hancock::App.set :environment, :development
+
+World do
+  def app
+    @app = Rack::Builder.new do
+      run Hancock::App
+    end
+  end
+  include Rack::Test::Methods
+  include Webrat::Methods
+  include Webrat::Matchers
+  include Hancock::Matchers
+end

data/spec/fixtures.rb

@@ -0,0 +1,39 @@
+Hancock::User.fix {{
+  :enabled               => true,
+  :email                 => /\w+@\w+.\w{2,3}/.gen.downcase,
+  :first_name            => /\w+/.gen.capitalize,
+  :last_name             => /\w+/.gen.capitalize,
+  :password              => (pass = /\w+/.gen.downcase),
+  :password_confirmation => pass,
+  :salt                  => (salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--email--")),
+  :crypted_password      => Hancock::User.encrypt(pass, salt)
+}}
+
+Hancock::User.fix(:internal) {{
+  :enabled               => true,
+  :email                 => /\w+@\w+.\w{2,3}/.gen.downcase,
+  :first_name            => /\w+/.gen.capitalize,
+  :last_name             => /\w+/.gen.capitalize,
+  :password              => (pass = /\w+/.gen.downcase),
+  :password_confirmation => pass,
+  :salt                  => (salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--email--")),
+  :crypted_password      => Hancock::User.encrypt(pass, salt),
+  :internal              => true
+}}
+
+Hancock::Consumer.fix(:internal) {{
+  :url      => %r!http://(\w+).example.org/login!.gen.downcase,
+  :label    => /(\w+) (\w+)/.gen,
+  :internal => true
+}}
+
+Hancock::Consumer.fix(:visible_to_all) {{
+  :url      => %r!http://(\w+).consumerapp.com/login!.gen.downcase,
+  :label    => /(\w+) (\w+)/.gen,
+  :internal => false
+}}
+
+Hancock::Consumer.fix(:hidden) {{
+  :url      => 'http://localhost:9292/login',
+  :internal => false
+}}

data/spec/matchers.rb

@@ -0,0 +1,170 @@
+module Hancock
+  module Matchers
+    class LoginForm
+      include Webrat::Methods
+      include Webrat::Matchers
+      def matches?(target)
+        target.should have_selector("form[action='/sso/login'][method='POST']")
+        target.should have_selector("form[action='/sso/login'][method='POST'] input[type='text'][name='email']")
+        target.should have_selector("form[action='/sso/login'][method='POST'] input[type='password'][name='password']")
+        target.should have_selector("form[action='/sso/login'][method='POST'] input[type='submit'][value='Login']")
+        true
+      end
+      def failure_message
+        puts "Expected a login form to be displayed, it wasn't"
+      end
+    end
+
+    def be_a_login_form
+      LoginForm.new
+    end
+
+    class SignupForm
+      include Webrat::Methods
+      include Webrat::Matchers
+      def matches?(target)
+        target.should have_selector("form[action='/sso/signup'][method='POST']")
+        target.should have_selector("form[action='/sso/signup'][method='POST'] input[type='text'][name='email']")
+        target.should have_selector("form[action='/sso/signup'][method='POST'] input[type='text'][name='first_name']")
+        target.should have_selector("form[action='/sso/signup'][method='POST'] input[type='text'][name='last_name']")
+        target.should have_selector("form[action='/sso/signup'][method='POST'] input[type='submit'][value='Signup']")
+        true
+      end
+
+      def failure_message
+        puts "Expected a signup form to be displayed, it wasn't"
+      end
+    end
+    def be_a_signup_form
+      SignupForm.new
+    end
+    class IdentityProviderDocument
+      include Webrat::Methods
+      include Webrat::Matchers
+      include Spec::Matchers
+      def matches?(target)
+        target.header['Content-Type'].should eql('application/xrds+xml')
+        target.body.should have_xpath("//xrd/service[uri='http://example.org/sso']")
+        target.body.should have_xpath("//xrd/service[type='http://specs.openid.net/auth/2.0/server']")
+        true
+      end
+      def failure_message
+        puts "Expected a identity provider yadis document"
+      end
+    end
+
+    def be_an_identity_provider
+      IdentityProviderDocument.new
+    end
+
+    class RedirectToConsumer
+      include Spec::Matchers
+      include Webrat::Methods
+      include Webrat::Matchers
+      def initialize(consumer, user)
+        @consumer, @user = consumer, user
+        @identity_url = "http://example.org/sso/users/#{user.id}"
+      end
+
+      def matches?(target)
+        target.status.should == 302
+
+        redirect_params = Addressable::URI.parse(target.headers['Location']).query_values
+
+        redirect_params['openid.ns'].should               == 'http://specs.openid.net/auth/2.0'
+        redirect_params['openid.mode'].should             == 'id_res'
+        redirect_params['openid.return_to'].should        == @consumer.url
+        redirect_params['openid.assoc_handle'].should     =~ /^\{HMAC-SHA1\}\{[^\}]{8}\}\{[^\}]{8}\}$/
+        redirect_params['openid.op_endpoint'].should      == 'http://example.org/sso' 
+        redirect_params['openid.claimed_id'].should       == @identity_url
+        redirect_params['openid.identity'].should         == @identity_url
+
+        redirect_params['openid.sreg.email'].should         == @user.email
+        redirect_params['openid.sreg.last_name'].should     == @user.last_name
+        redirect_params['openid.sreg.first_name'].should    == @user.first_name
+
+        redirect_params['openid.sig'].should_not be_nil
+        redirect_params['openid.signed'].should_not be_nil
+        redirect_params['openid.response_nonce'].should_not be_nil
+        true
+      end
+      def failure_message
+        puts "Expected a redirect to the consumer"
+      end
+    end
+
+    def be_a_redirect_to_the_consumer(consumer, user)
+      RedirectToConsumer.new(consumer, user)
+    end
+
+    class ReturnAnOpenIDAssociateResponse
+      include Spec::Matchers
+      include Webrat::Methods
+      include Webrat::Matchers
+      def initialize(session)
+        @openid_session = session
+      end
+
+      def matches?(target)
+        message = OpenID::Message.from_kvform("#{target.body}")  # wtf do i have to interpolate this!
+        secret = @openid_session.extract_secret(message)
+        secret.should_not be_nil
+
+        args = message.get_args(OpenID::OPENID_NS)
+
+        args['assoc_type'].should       == 'HMAC-SHA1'
+        args['assoc_handle'].should     =~ /^\{HMAC-SHA1\}\{[^\}]{8}\}\{[^\}]{8}\}$/
+        args['session_type'].should     == 'DH-SHA1'
+        args['enc_mac_key'].size.should == 28
+        args['expires_in'].should       =~ /^\d+$/
+        args['dh_server_public'].size.should == 172
+        true
+      end
+      def failure_message
+        puts "Expected an OpenID Associate Response"
+      end
+    end
+    def be_an_openid_associate_response(openid_session)
+      ReturnAnOpenIDAssociateResponse.new(openid_session)
+    end
+
+    class ReturnAnOpenIDImmediateResponse
+      include Spec::Matchers
+      include Webrat::Methods
+      include Webrat::Matchers
+      def initialize(consumer, user)
+        @consumer, @user = consumer, user
+        @identity_url = "http://example.org/sso/users/#{user.id}"
+      end
+
+      def matches?(target)
+        target.status.should == 302
+
+        redirect_params = Addressable::URI.parse(target.headers['Location']).query_values
+
+        redirect_params['openid.ns'].should               == 'http://specs.openid.net/auth/2.0'
+        redirect_params['openid.mode'].should             == 'id_res'
+        redirect_params['openid.return_to'].should        == @consumer.url
+        redirect_params['openid.assoc_handle'].should     =~ /^\{HMAC-SHA1\}\{[^\}]{8}\}\{[^\}]{8}\}$/
+        redirect_params['openid.op_endpoint'].should      == 'http://example.org/sso' 
+        redirect_params['openid.claimed_id'].should       == @identity_url
+        redirect_params['openid.identity'].should         == @identity_url
+
+        redirect_params['openid.sreg.email'].should         == @user.email
+        redirect_params['openid.sreg.last_name'].should     == @user.last_name
+        redirect_params['openid.sreg.first_name'].should    == @user.first_name
+
+        redirect_params['openid.sig'].should_not be_nil
+        redirect_params['openid.signed'].should_not be_nil
+        redirect_params['openid.response_nonce'].should_not be_nil
+        true
+      end
+      def failure_message
+        puts "Expected an OpenID Associate Response"
+      end
+    end
+    def be_an_openid_immediate_response(consumer, user)
+      ReturnAnOpenIDImmediateResponse.new(consumer, user)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,61 @@
+require 'rubygems'
+require 'pp'
+gem 'rspec', '~>1.2.0'
+require 'spec'
+require 'sinatra/test'
+require 'dm-sweatshop'
+
+$:.push File.join(File.dirname(__FILE__), '..', 'lib')
+require 'hancock'
+gem 'webrat', '~>0.4.2'
+require 'webrat/sinatra'
+
+gem 'rack-test', '~>0.1.0'
+require 'rack/test'
+
+require File.expand_path(File.dirname(__FILE__) + '/app')
+require File.expand_path(File.dirname(__FILE__) + '/matchers')
+require File.expand_path(File.dirname(__FILE__) + '/fixtures')
+
+DataMapper.setup(:default, 'sqlite3::memory:')
+DataMapper.auto_migrate!
+Sinatra::Mailer.delivery_method = :test_send
+
+Webrat.configure do |config|
+  if ENV['SELENIUM'].nil?
+    config.mode = :sinatra
+  else
+    gem 'selenium-client', '~>1.2.10'
+    config.mode = :selenium
+    config.application_framework = :sinatra
+    config.application_port = 4567
+    require 'webrat/selenium'
+  end
+end
+
+Hancock::App.set :environment, :development
+Hancock::App.set :do_not_reply, 'sso@example.com'
+
+Spec::Runner.configure do |config|
+  def app
+    @app = Rack::Builder.new do
+      run Hancock::App
+    end
+  end
+
+  def login(user)
+    post '/sso/login', :email => user.email, :password => user.password
+  end
+
+  config.include(Rack::Test::Methods)
+  config.include(Webrat::Methods)
+  config.include(Webrat::Matchers)
+  config.include(Hancock::Matchers)
+  config.after do
+    Sinatra::Mailer::Email.deliveries = [ ]
+  end
+  unless ENV['SELENIUM'].nil?
+    config.include(Webrat::Selenium::Methods)
+    config.include(Webrat::Selenium::Matchers)
+  end
+end