secure_escrow 0.0.1 → 0.0.2

data/Gemfile.lock

@@ -2,7 +2,6 @@ PATH
   remote: .
   specs:
     secure_escrow (0.0.1)
-      redis
 
 GEM
   remote: http://rubygems.org/
@@ -65,7 +64,6 @@ GEM
     rake (0.9.2.2)
     rb-appscript (0.6.1)
     rb-fsevent (0.4.3.1)
-    redis (2.2.2)
     rspec (2.7.0)
       rspec-core (~> 2.7.0)
       rspec-expectations (~> 2.7.0)

data/Readme.md

@@ -35,16 +35,18 @@ SecureEscrow has 5 integration points with a Rails application
 - Forms generated by views
 
 ### Install as Middleware
-Add the SecureEscrow::Middleware around your Rails application. It must be configured with access to a backing key-value store.
+Add the SecureEscrow::Middleware around your Rails application. It must be configured with both a Rack endpoint to call, and a Rails app instance to retrieve routes and configuration information from.
 In this example, the <tt>Awesome::Application.config.redis</tt> value is available after the <tt>environment</tt> file has been run.
 
-Example <tt>config.ru</tt>:
+Example <tt>config/initializers/secure_escrow.rb</tt>:
 
 ````ruby
-# This file is used by Rack-based servers to start the application.
-require ::File.expand_path('../config/environment',  __FILE__)
-use SecureEscrow::Middleware, Awesome::Application.config.redis
-run Awesome::Application
+Awesome::Application.middleware.insert_before(
+  Rack::Lock,
+  SecureEscrow::Middleware,
+  Awesome::Application,
+  store: Awesome::Application.config.redis
+)
 ````
 
 ### Configure Domain Information
@@ -54,12 +56,14 @@ may differ for various environments. For example, in <tt>development.rb</tt> you
 
 ````ruby
 # = SecureEscrow config =
-config.secure_domain_name       = 'www.secure-awesome.devlocal'
-config.secure_domain_protocol   = 'http'
-config.secure_domain_port       = 3000
-config.insecure_domain_name     = 'www.insecure-awesome.devlocal'
-config.insecure_domain_protocol = 'http'
-config.insecure_domain_port     = 3000 
+config.secure_escrow = {
+  secure_domain_name:       'www.secure-awesome.devlocal',
+  secure_domain_protocol:   'http',
+  secure_domain_port:       3000,
+  insecure_domain_name:     'www.insecure-awesome.devlocal',
+  insecure_domain_protocol: 'http',
+  insecure_domain_port:     3000,
+}
 `````
 
 ### Declare Escrowed Routes
@@ -80,10 +84,12 @@ escrow 'signin' => 'sessions#create',   as: :user_session
 get    'signout'=> 'sessions#destroy',  as: :destroy_user_session
 ````
 
+Alternatively, SecureEscrow can be configured to escrow any POST action without explicitly declaring it within the application. Just provide `allow_non_escrow_routes: true` to the initial SecureEscrow configuration.
+
 ### Deliver JavaScript assets
 SecureEscrow integrates in the Rails asset pipeline. Just add the following to your <tt>application.js</tt>.
 
-````ruby
+````javascript
 // SecureEscrow
 // ======================
 //= require secure_escrow

data/lib/assets/javascripts/secure_escrow.js

@@ -14,12 +14,18 @@
     // Consumes iframe content and bubbles it up as an ajax response
     function onLoad() {
       var payload_error,
-          innerText, json, response;
+          inner_text, http_status, wrapper_json, json, response;
 
       try {
-        innerText = iframe[0].contentWindow.document.body.innerText;
+        inner_text = $(iframe[0].contentWindow.document).find("#response").text();
         try {
-          json = JSON.parse(innerText);
+          wrapper_json = JSON.parse(inner_text);
+          http_status = wrapper_json.status;
+          try {
+            json = JSON.parse(wrapper_json.body);
+          } catch(_3) {
+            payload_error = 'Error parsing original body';
+          }
         } catch(_2) {
           payload_error = 'Error parsing JSON response';
         }
@@ -27,23 +33,18 @@
         payload_error = 'Error accessing response body';
       }
 
-
       response = {
-        responseText: innerText
+        responseText: wrapper_json.body
       };
 
-      if (payload_error) {
-        response.errorJSON = { error: payload_error };
-      } else {
-        response.responseJSON = json;
-      }
- 
-      if (json && json.success) {
-        form.trigger('ajax:success', response);
+      if (http_status >= 200 && http_status < 300) {
+        form.trigger('ajax:success', [json]);
       } else {
-        form.trigger('ajax:error', response);
+        form.trigger('ajax:error', [response]);
       }
-      form.trigger('ajax:complete', response);
+      form.trigger('ajax:complete', [response]);
+
+      iframe.remove();
     }
 
     iframe.load(onLoad);
@@ -57,10 +58,8 @@
         escrow   = form.data('escrow'),
         isEscrow = escrow !== undefined;
 
-    if (isEscrow) {
-      if ('iframe' === escrow) {
-        handleRemoteEscrowSubmission(form);
-      }
+    if (isEscrow && 'iframe' === escrow) {
+      handleRemoteEscrowSubmission(form);
     }
 
   });

data/lib/secure_escrow/middleware.rb

@@ -9,8 +9,11 @@ module SecureEscrow
     POST             = 'POST'
     GET              = 'GET'
     COOKIE_SEPARATOR = ';'
+    EXPIRE_COOKIE    = Time.gm(1979, 1, 1)
     RAILS_ROUTES     = 'action_dispatch.routes'
     LOCATION         = 'Location'
+    CONTENT_TYPE     = 'Content-Type'
+    JSON_CONTENT     = /^application\/json/
     ESCROW_MATCH     = /^(.+)\.(.+)$/
     TTL              = 180 # Seconds until proxied response expires
     NONCE            = 'nonce'
@@ -21,9 +24,11 @@ module SecureEscrow
   end
 
   class Middleware
-    def initialize app, store
-      @app = app
-      @store = store
+    def initialize next_app, rails_app, config
+      @next_app   = next_app
+      @rails_app  = rails_app
+      @config     = config
+      @store      = config[:store]
     end
 
     def call env
@@ -31,7 +36,7 @@ module SecureEscrow
     end
 
     def presenter env
-      Presenter.new @app, @store, env
+      Presenter.new @next_app, @rails_app, @config, env
     end
 
     def handle_presenter e
@@ -49,12 +54,14 @@ module SecureEscrow
     class Presenter
       include MiddlewareConstants
 
-      attr_reader :app, :store, :env
+      attr_reader :next_app, :rails_app, :store, :config, :env
 
-      def initialize app, store, env
-        @app   = app
-        @store = store
-        @env   = env
+      def initialize next_app, rails_app, config, env
+        @next_app   = next_app
+        @rails_app  = rails_app
+        @config     = config
+        @store      = config[:store]
+        @env        = env
       end
 
       def serve_response_from_escrow?
@@ -70,9 +77,11 @@ module SecureEscrow
       end
 
       def store_response_in_escrow?
-        method = env[REQUEST_METHOD]
-        return false unless POST == method
-        recognize_path[:escrow]
+        return false unless POST == env[REQUEST_METHOD]
+        recognized = recognize_path
+        config[:allow_non_escrow_routes] ?
+          recognized :
+          recognized && recognized[:escrow]
       end
 
       def serve_response_from_escrow!
@@ -83,7 +92,20 @@ module SecureEscrow
           # Destroy the stored value
           store.del key
 
-          return value[RESPONSE]
+          status, headers, body = value[RESPONSE]
+
+          if headers[CONTENT_TYPE] && JSON_CONTENT.match(headers[CONTENT_TYPE])
+            body = [
+              "<html><body><script id=\"response\" type=\"text/x-json\">%s</script></body></html>" %
+              { status: status, body: body.join.to_s }.to_json
+            ]
+            headers[CONTENT_TYPE] = "text/html; charset=utf-8"
+            status = 200
+          end
+
+          expire_cookie_token!(headers)
+
+          [ status, headers, body ]
         else
           # HTTP Status Code 403 - Forbidden
           return [ 403, {}, [ BAD_NONCE ] ]
@@ -101,7 +123,10 @@ module SecureEscrow
         id, nonce = store_in_escrow status, header, response
         token = "#{id}.#{nonce}"
 
-        response_headers = { LOCATION => redirect_to_location(token) }
+        response_headers = {
+          LOCATION      => redirect_to_location(token),
+          CONTENT_TYPE  => header[CONTENT_TYPE]
+        }
         set_cookie_token!(response_headers, token) if homogenous_host_names?
 
         # HTTP Status Code 303 - See Other
@@ -147,7 +172,8 @@ module SecureEscrow
         # Serialze the nonce and Rack response triplet,
         # store in Redis, and set TTL
         key = escrow_key id
-        store.setex key, value.to_json, TTL
+
+        store.setex key, TTL, value.to_json
 
         [ id, nonce ]
       end
@@ -156,21 +182,15 @@ module SecureEscrow
         [ UUID.generate, SecureRandom.hex(4) ]
       end
 
-      private
-      def set_cookie_token! headers, token
-        Rack::Utils.set_cookie_header!(headers, DATA_KEY,
-          value: token,
-          httponly: true)
+      def call_result
+        @call_result ||= next_app.call env
       end
 
       def redirect_to_location token = nil
-        routes = app.routes
-        config = app.config
-
         redirect_to_options = {
-          protocol: config.insecure_domain_protocol,
-          host:     config.insecure_domain_name,
-          port:     config.insecure_domain_port
+          protocol: rails_config[:insecure_domain_protocol] || request.protocol,
+          host:     rails_config[:insecure_domain_name]     || request.host,
+          port:     rails_config[:insecure_domain_port]     || request.port,
         }
 
         if token && !homogenous_host_names?
@@ -181,37 +201,50 @@ module SecureEscrow
           recognize_path.merge(redirect_to_options))
       end
 
+      private
+      def rails_config
+        @rails_config ||= rails_app.config.secure_escrow
+      end
+
+      def set_cookie_token! headers, token
+        Rack::Utils.set_cookie_header! headers, DATA_KEY,
+          value: token,
+          httponly: true
+      end
+
+      def expire_cookie_token! headers
+        Rack::Utils.set_cookie_header! headers, DATA_KEY,
+          value: "",
+          httponly: true,
+          expires: EXPIRE_COOKIE
+      end
+
       def rewrite_location_header! header
         return unless header[LOCATION]
 
-        config = app.config
-        routes = app.routes
-
         # Rewrite redirect to secure domain
         header[LOCATION] = routes.url_for(
           routes.recognize_path(header[LOCATION]).merge(
-            host:     config.insecure_domain_name,
-            protocol: config.insecure_domain_protocol,
-            port:     config.insecure_domain_port
+            host:     rails_config[:insecure_domain_name],
+            protocol: rails_config[:insecure_domain_protocol],
+            port:     rails_config[:insecure_domain_port],
           ))
 
         header
       end
 
-      def call_result
-        @call_result ||= app.call env
-      end
-
-      def rails_routes
-        @rails_routes ||= app.routes
+      def routes
+        @routes ||= rails_app.routes
       end
 
       # TODO: Examine the performance implications of parsing the
       # Cookie / Query payload this early in the stack
       def escrow_id_and_nonce
-        data = (homogenous_host_names? ?
+        data = Array((homogenous_host_names? ?
           Rack::Utils.parse_query(env[HTTP_COOKIE], COOKIE_SEPARATOR) :
-          Rack::Utils.parse_query(env[QUERY_STRING]))[DATA_KEY]
+          Rack::Utils.parse_query(env[QUERY_STRING]))[DATA_KEY]).find do |e|
+          e.match ESCROW_MATCH
+        end
 
         return unless data
         match = data.match ESCROW_MATCH
@@ -221,18 +254,16 @@ module SecureEscrow
       end
 
       def homogenous_host_names?
-        config = app.config
-        config.secure_domain_name == config.insecure_domain_name
+        rails_config[:secure_domain_name] == rails_config[:insecure_domain_name]
       end
 
       def recognize_path
         begin
-          rails_routes.recognize_path(
+          routes.recognize_path(
             env[REQUEST_PATH],
             method: env[REQUEST_METHOD]
           )
         rescue ActionController::RoutingError
-          {}
         end
       end
 

data/lib/secure_escrow/railtie.rb

@@ -4,44 +4,50 @@ require "action_pack"
 module SecureEscrow
   module Railtie
     module Routing
-      def escrow options, &block
+      def escrow *args, &block
+        options = args.extract_options!
         defaults = options[:defaults] || {}
         defaults[:escrow] = true
-        post options.merge(defaults), &block
+        options[:defaults] = defaults
+        args.push options
+        post *args, &block
       end
     end
 
     module ActionViewHelper
       DATA_ESCROW = 'data-escrow'
       IFRAME = 'iframe'
-      POST   = 'post'
+      POST   = 'POST'
 
       def escrow_form_for record, options = {}, &proc
         options[:html] ||= {}
 
-        stringy_record = String === record || Symbol === record
+        stringy_record = case record
+        when String, Symbol then true
+        else false
+        end
         apply_form_for_options!(record, options) unless stringy_record
 
 
-        form_for record, escrow_options(options), &proc
+        form_for record, escrow_options(options, POST), &proc
       end
 
       def escrow_form_tag url_for_options = {}, options = {}, &block
-        form_tag url_for_options, escrow_options(options), &block
+        form_tag url_for_options, escrow_options(options, POST), &block
       end
 
       private
-      def escrow_options options
+      def escrow_options options, method
         # Rewrite URL to point to secure domain
         app = Rails.application
-        config = app.config
+        config = app.config.secure_escrow
 
         submission_url = controller.url_for(
-          app.routes.recognize_path(options[:url]).
+          app.routes.recognize_path(options[:url], method: method).
             merge(
-              host:     config.secure_domain_name,
-              protocol: config.secure_domain_protocol,
-              port:     config.secure_domain_port
+              host:     config[:secure_domain_name]     || request.host,
+              protocol: config[:secure_domain_protocol] || request.protocol,
+              port:     config[:secure_domain_port]     || request.port,
             ))
 
         options[:url] = submission_url

data/lib/secure_escrow/version.rb

@@ -1,3 +1,3 @@
 module SecureEscrow
-  VERSION = "0.0.1"
+  VERSION = "0.0.2"
 end

data/secure_escrow.gemspec

@@ -7,7 +7,7 @@ Gem::Specification.new do |s|
   s.version     = SecureEscrow::VERSION
   s.authors     = ["Duncan Beevers"]
   s.email       = ["duncan@dweebd.com"]
-  s.homepage    = ""
+  s.homepage    = "https://github.com/duncanbeevers/SecureEscrow"
   s.summary     = "Secure AJAX-style actions for Rails applications"
   s.description = "SecureEscrow provides a content proxy for Rails applications allowing POSTing to secure actions from insecure domains without full-page refreshes"
 

data/spec/middleware_spec.rb

@@ -1,11 +1,13 @@
 require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
 include SecureEscrow::MiddlewareConstants
 
-describe 'SecureEscrow::Middleware' do
-  let(:app) { MockEngine.new }
+describe SecureEscrow::Middleware do
+  let(:rack_app) { MockRackApp.new }
+  let(:rails_app) { MockEngine.new }
   let(:store) { MockRedis.new }
-  let(:middleware) { SecureEscrow::Middleware.new app, store }
-  let(:presenter) { SecureEscrow::Middleware::Presenter.new app, store, env }
+  let(:config) { { store: store } }
+  let(:middleware) { SecureEscrow::Middleware.new rack_app, rails_app, config }
+  let(:presenter) { SecureEscrow::Middleware::Presenter.new rack_app, rails_app, config, env }
   let(:env) { {} }
 
   context 'as a Rack application' do
@@ -14,10 +16,16 @@ describe 'SecureEscrow::Middleware' do
     end
 
     it 'should handle_presenter with wrapped environment' do
-      middleware.should_receive(:presenter).with(env).
-        once.and_return(presenter)
-
-      middleware.should_receive(:handle_presenter).with(presenter).once
+      middleware.should_receive(:handle_presenter).
+        with(duck_type(
+          :serve_response_from_escrow?,
+          :serve_response_from_escrow!,
+          :response_is_redirect?,
+          :redirect_to_response!,
+          :store_response_in_escrow?,
+          :store_response_in_escrow_and_redirect!,
+          :serve_response_from_application!
+        )).once
 
       middleware.call(env)
     end
@@ -118,21 +126,21 @@ describe 'SecureEscrow::Middleware' do
 
     describe 'response_is_redirect?' do
       it 'should not include status codes less than 300' do
-        app.should_receive(:call).
+        rack_app.should_receive(:call).
           once.with(env).and_return([ 299, {}, [ '' ] ])
 
         presenter.response_is_redirect?.should be_false
       end
 
       it 'should not include status codes greater than 399' do
-        app.should_receive(:call).
+        rack_app.should_receive(:call).
           once.with(env).and_return([ 400, {}, [ '' ] ])
 
         presenter.response_is_redirect?.should be_false
       end
 
       it 'should include 304' do
-        app.should_receive(:call).
+        rack_app.should_receive(:call).
           once.with(env).and_return([ 304, {}, [ '' ] ])
 
         presenter.response_is_redirect?.should be_true
@@ -148,11 +156,8 @@ describe 'SecureEscrow::Middleware' do
       it 'should not store non-existent routes' do
         presenter.env[REQUEST_METHOD] = POST
 
-        app.routes.should_receive(:recognize_path).
-          once.with(env[REQUEST_PATH], { method: POST }).
-          and_raise(
-            ActionController::RoutingError.new("No route matches #{env[REQUEST_PATH]}")
-          )
+        rails_app.routes.stub!(:recognize_path).
+          and_raise(ActionController::RoutingError.new("No route matches #{env[REQUEST_PATH]}"))
 
         presenter.store_response_in_escrow?.should be_false
       end
@@ -160,17 +165,35 @@ describe 'SecureEscrow::Middleware' do
       it 'should not store non-escrow routes' do
         presenter.env[REQUEST_METHOD] = POST
 
-        app.routes.should_receive(:recognize_path).
+        rails_app.routes.should_receive(:recognize_path).
           once.with(env[REQUEST_PATH], { method: POST }).
           and_return(controller: 'session', action: 'create')
 
         presenter.store_response_in_escrow?.should be_false
       end
 
+      describe 'configured not to check for escrowable routes' do
+        let(:config) { { store: store, allow_non_escrow_routes: true } }
+
+        it 'should store https existent, non-escrow routes' do
+          presenter.env[REQUEST_METHOD] = POST
+
+          presenter.store_response_in_escrow?.should be_true
+        end
+
+        it 'should not store non-existent routes' do
+          presenter.env[REQUEST_METHOD] = POST
+          rails_app.routes.stub!(:recognize_path).
+            and_raise(ActionController::RoutingError.new("No route matches #{env[REQUEST_PATH]}"))
+
+          presenter.store_response_in_escrow?.should be_false
+        end
+      end
+
       it 'should store escrow routes' do
         presenter.env[REQUEST_METHOD] = POST
 
-        app.routes.should_receive(:recognize_path).
+        rails_app.routes.should_receive(:recognize_path).
           once.with(env[REQUEST_PATH], { method: POST }).
           and_return(controller: 'session', action: 'create', escrow: true)
 
@@ -196,50 +219,118 @@ describe 'SecureEscrow::Middleware' do
         presenter.serve_response_from_escrow!
       end
 
-      it 'should return the escrowed response' do
-        response = [ 200, {}, [ 'text' ] ]
-        store_in_escrow store, 'id', 'nonce', response
+      context 'when the response type is not application/json' do
+        it 'should deliver the original response code' do
+          response = [ 403, {}, [ 'text' ] ]
+          store_in_escrow store, 'id', 'nonce', response
+          set_escrow_cookie presenter, 'id', 'nonce'
+
+          status, headers, body = presenter.serve_response_from_escrow!
+          status.should eq 403
+        end
+
+        it 'should deliver the content-type header' do
+          response = [ 403, { 'Content-Type' => 'application/x-waterbuffalo' }, [ 'text' ] ]
+          store_in_escrow store, 'id', 'nonce', response
+          set_escrow_cookie presenter, 'id', 'nonce'
+
+          status, headers, body = presenter.serve_response_from_escrow!
+          headers['Content-Type'].should eq 'application/x-waterbuffalo'
+        end
+
+        it 'should deliver the original response body' do
+          response = [ 403, { 'Content-Type' => 'application/x-waterbuffalo' }, [ 'text' ] ]
+          store_in_escrow store, 'id', 'nonce', response
+          set_escrow_cookie presenter, 'id', 'nonce'
+
+          status, headers, body = presenter.serve_response_from_escrow!
+          body.should eq [ 'text' ]
+        end
+      end
+
+      context 'when the response type is application/json; charset=utf-8' do
+        let(:response_headers) { { 'Content-Type' => 'application/json; charset=utf-8' } }
+        it 'should deliver the response with status code 200' do
+          response = [ 403, response_headers, [ 'text' ] ]
+          store_in_escrow store, 'id', 'nonce', response
+          set_escrow_cookie presenter, 'id', 'nonce'
+
+          status, headers, body = presenter.serve_response_from_escrow!
+          status.should eq 200
+        end
+
+        it 'should deliver the headers with content-type text/html; charset=utf-8' do
+          response = [ 403, response_headers, [ 'text' ] ]
+          store_in_escrow store, 'id', 'nonce', response
+          set_escrow_cookie presenter, 'id', 'nonce'
+
+          status, headers, body = presenter.serve_response_from_escrow!
+          headers['Content-Type'].should eq "text/html; charset=utf-8"
+        end
+
+        it 'should wrap the response in html and json' do
+          response = [ 403, response_headers, [ 'text' ] ]
+          store_in_escrow store, 'id', 'nonce', response
+          set_escrow_cookie presenter, 'id', 'nonce'
+
+          json_representation = "{\"status\":403,\"body\":\"text\"}"
+
+          status, headers, body = presenter.serve_response_from_escrow!
+          body.join.should eq "<html><body><script id=\"response\" type=\"text/x-json\">#{json_representation}</script></body></html>"
+        end
+      end
+
+      it 'should delete the secure escrow cookie' do
+        store_in_escrow store, 'id', 'nonce', [
+          200, {
+            "Set-Cookie" => "_everloop_session=persists"
+          },
+          [ "" ]
+        ]
+
         set_escrow_cookie presenter, 'id', 'nonce'
 
-        presenter.serve_response_from_escrow!.should eq response
+        status, headers, body = presenter.serve_response_from_escrow!
+        headers["Set-Cookie"].should eq "_everloop_session=persists\nsecure_escrow=; expires=Mon, 01-Jan-1979 00:00:00 GMT; HttpOnly"
       end
-    end
+   end
 
     describe 'redirect_to_response!' do
       it 'should use status code from application' do
         response = [ 315, {}, [ '' ] ]
-        app.should_receive(:call).
+        rack_app.should_receive(:call).
           once.with(env).and_return(response)
 
         presenter.redirect_to_response!.should eq response
       end
 
       it 'should rewrite location' do
+        config = rails_app.config.secure_escrow
         original_location = "%s://%s:%s/path/" % [
-          app.config.secure_domain_protocol,
-          app.config.secure_domain_name,
-          app.config.secure_domain_port
+          config[:secure_domain_protocol],
+          config[:secure_domain_name],
+          config[:secure_domain_port],
         ]
         expected_location = "%s://%s:%s/path/" % [
-          app.config.insecure_domain_protocol,
-          app.config.insecure_domain_name,
-          app.config.insecure_domain_port
+          config[:insecure_domain_protocol],
+          config[:insecure_domain_name],
+          config[:insecure_domain_port],
         ]
 
         original_response = [ 315, { LOCATION => original_location }, [ '' ] ]
-        app.should_receive(:call).
+        rack_app.should_receive(:call).
           once.with(env).and_return(original_response)
 
-        app.routes.should_receive(:recognize_path).
+        rails_app.routes.should_receive(:recognize_path).
           once.with(original_location).
           and_return(controller: 'sessions', action: 'create')
-        app.routes.should_receive(:url_for).
+        rails_app.routes.should_receive(:url_for).
           once.with(
             controller: 'sessions',
             action:     'create',
-            host:       app.config.insecure_domain_name,
-            protocol:   app.config.insecure_domain_protocol,
-            port:       app.config.insecure_domain_port
+            host:       config[:insecure_domain_name],
+            protocol:   config[:insecure_domain_protocol],
+            port:       config[:insecure_domain_port],
           ).and_return(expected_location)
 
         presenter.redirect_to_response![1][LOCATION].should eq expected_location
@@ -254,6 +345,31 @@ describe 'SecureEscrow::Middleware' do
         presenter.store_response_in_escrow_and_redirect![0].should eq 303
       end
 
+      describe 'headers' do
+        it 'should set Location header to redirect location' do
+          mock_location = mock('redirect_to_location')
+          presenter.should_receive(:redirect_to_location).
+            once.and_return(mock_location)
+
+          headers = presenter.store_response_in_escrow_and_redirect![1]
+          headers['Location'].should eq mock_location
+        end
+
+        it 'should set Location header to redirect location' do
+          mock_content_type = mock('content_type')
+
+          presenter.stub!(
+            redirect_to_location: '/',
+            store_in_escrow: [ 'id', 'nonce' ])
+          
+          presenter.should_receive(:call_result).
+            and_return([ 200, { 'Content-Type' => mock_content_type}, '' ])
+
+          headers = presenter.store_response_in_escrow_and_redirect![1]
+          headers['Content-Type'].should eq mock_content_type
+        end
+      end
+
       context 'when insecure_domain_name is different from secure_domain_name' do
         let(:app) {
           MockEngine.new(
@@ -279,7 +395,7 @@ describe 'SecureEscrow::Middleware' do
     describe 'serve_response_from_application!' do
       it 'should serve response from application' do
         response = [ 200, {}, [ '' ] ]
-        app.should_receive(:call).
+        rack_app.should_receive(:call).
           once.with(env).and_return(response)
         presenter.serve_response_from_application!.should eq response
       end
@@ -332,10 +448,11 @@ describe 'SecureEscrow::Middleware' do
         end
 
         it 'should rewrite domain of redirect to secure domain' do
+          config = rails_app.config.secure_escrow
           original_redirect_url = "%s://%s:%s" % [
-            app.config.secure_domain_protocol,
-            app.config.secure_domain_name,
-            app.config.secure_domain_port
+            config[:secure_domain_protocol],
+            config[:secure_domain_name],
+            config[:secure_domain_port],
           ]
           rewritten_redirect_url = 'boo'
 
@@ -344,16 +461,16 @@ describe 'SecureEscrow::Middleware' do
           presenter.should_receive(:generate_id_and_nonce).
             once.with.and_return([ 'id', 'nonce'])
 
-          app.routes.should_receive(:recognize_path).
+          rails_app.routes.should_receive(:recognize_path).
             once.with(original_redirect_url).
             and_return(controller: 'sessions', action: 'create')
 
-          app.routes.should_receive(:url_for).
+          rails_app.routes.should_receive(:url_for).
             once.with(
               controller: 'sessions', action: 'create',
-              host:     app.config.insecure_domain_name,
-              protocol: app.config.insecure_domain_protocol,
-              port:     app.config.insecure_domain_port
+              host:     config[:insecure_domain_name],
+              protocol: config[:insecure_domain_protocol],
+              port:     config[:insecure_domain_port],
             ).and_return(rewritten_redirect_url)
 
           expected_stored_value = {
@@ -362,8 +479,8 @@ describe 'SecureEscrow::Middleware' do
           }.to_json
 
           key = presenter.escrow_key 'id'
-          store.should_receive(:set).
-            once.with(key, expected_stored_value)
+          store.should_receive(:setex).
+            once.with(key, TTL, expected_stored_value)
 
           presenter.store_in_escrow(
             303,
@@ -376,7 +493,7 @@ describe 'SecureEscrow::Middleware' do
 
     describe 'escrow_id and escrow_nonce' do
       context 'when insecure_domain_name is different from secure_domain_name' do
-        let(:app) {
+        let(:rails_app) {
           MockEngine.new(
             secure_domain_name:   'www.ssl-example.com',
             insecure_domain_name: 'www.example.com'
@@ -405,6 +522,13 @@ describe 'SecureEscrow::Middleware' do
           presenter.escrow_id.should    eq 'id'
           presenter.escrow_nonce.should eq 'nonce'
         end
+
+        it 'should select first suitable escrow key from cookie' do
+          set_multi_escrow_cookie presenter, "A", "B", "C", "D"
+
+          presenter.escrow_id.should    eq "A"
+          presenter.escrow_nonce.should eq "B"
+        end
       end
 
     end
@@ -420,6 +544,13 @@ def set_escrow_cookie presenter, id = 'id', nonce = 'nonce'
   set_escrow_env HTTP_COOKIE, presenter, id, nonce
 end
 
+def set_multi_escrow_cookie presenter, id1 = 'id1', nonce1 = 'nonce1', id2 = 'id2', nonce2 = 'nonce2'
+  presenter.env[HTTP_COOKIE] = "%s=%s.%s; %s=%s.%s" % [
+    SecureEscrow::MiddlewareConstants::DATA_KEY, id1, nonce1,
+    SecureEscrow::MiddlewareConstants::DATA_KEY, id2, nonce2
+  ]
+end
+
 def set_escrow_env key, presenter, id, nonce
   presenter.env[key] = "%s=%s.%s" % [
     SecureEscrow::MiddlewareConstants::DATA_KEY,
@@ -427,7 +558,7 @@ def set_escrow_env key, presenter, id, nonce
   ]
 end
 
-def store_in_escrow store, id = 'id', nonce = 'nonce', response = []
+def store_in_escrow store, id = 'id', nonce = 'nonce', response = [ 200, {}, [ "" ] ]
   store.set(
     presenter.escrow_key(id),
     ActiveSupport::JSON.encode(

data/spec/mock_engine.rb

@@ -12,16 +12,16 @@ class MockEngine
   end
 
   def config extra_config = {}
-    @config ||= Config.new(
-      {
-        secure_domain_name:       'www.example.com',
-        secure_domain_protocol:   'https',
-        secure_domain_port:       443,
-        insecure_domain_name:     'www.example.com',
-        insecure_domain_protocol: 'http',
-        insecure_domain_port:     80
-      }.merge extra_config
-    )
+    @config ||= Config.new.tap do |config|
+      config.secure_escrow = {
+          secure_domain_name:       'www.example.com',
+          secure_domain_protocol:   'https',
+          secure_domain_port:       443,
+          insecure_domain_name:     'www.example.com',
+          insecure_domain_protocol: 'http',
+          insecure_domain_port:     80
+        }.merge extra_config
+    end
   end
 
   def routes
@@ -32,6 +32,9 @@ class MockEngine
   end
 
   class Routes
+    def recognize_path path, options = {}
+      {}
+    end
   end
 end
 

data/spec/mock_rack_app.rb

@@ -0,0 +1,6 @@
+class MockRackApp
+  def call env
+    [ 200, {}, %w(OK!) ]
+  end
+end
+

data/spec/mock_redis.rb

@@ -1,5 +1,5 @@
 class MockRedis
-  def setex key, value, ttl
+  def setex key, ttl, value
     set key, value
     expire key, ttl
   end

data/spec/spec_helper.rb

@@ -16,5 +16,6 @@ Spork.each_run do
   # Load mocks
   require 'mock_engine'
   require 'mock_redis'
+  require 'mock_rack_app'
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secure_escrow
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-11-08 00:00:00.000000000 Z
+date: 2012-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70248523590320 !ruby/object:Gem::Requirement
+  requirement: &70114553359420 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,7 +21,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *70248523590320
+  version_requirements: *70114553359420
 description: SecureEscrow provides a content proxy for Rails applications allowing
   POSTing to secure actions from insecure domains without full-page refreshes
 email:
@@ -47,9 +47,10 @@ files:
 - secure_escrow.gemspec
 - spec/middleware_spec.rb
 - spec/mock_engine.rb
+- spec/mock_rack_app.rb
 - spec/mock_redis.rb
 - spec/spec_helper.rb
-homepage: ''
+homepage: https://github.com/duncanbeevers/SecureEscrow
 licenses: []
 post_install_message: 
 rdoc_options: []
@@ -76,5 +77,6 @@ summary: Secure AJAX-style actions for Rails applications
 test_files:
 - spec/middleware_spec.rb
 - spec/mock_engine.rb
+- spec/mock_rack_app.rb
 - spec/mock_redis.rb
 - spec/spec_helper.rb