slosilo 0.1.2

data/lib/tasks/slosilo.rake

@@ -0,0 +1,22 @@
+namespace :slosilo do
+  desc "Dump a public key"
+  task :dump, [:name] => :environment do |t, args|
+    args.with_defaults(:name => :own)
+    puts Slosilo[args[:name]]
+  end
+  
+  desc "Enroll a key"
+  task :enroll, [:name] => :environment do |t, args|
+    key = Slosilo::Key.new STDIN.read
+    Slosilo[args[:name]] = key
+    puts key
+  end
+
+  desc "Generate a key pair"
+  task :generate, [:name] => :environment do |t, args|
+    args.with_defaults(:name => :own)
+    key = Slosilo::Key.new
+    Slosilo[args[:name]] = key
+    puts key
+  end
+end

data/slosilo.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/slosilo/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Rafa\305\202 Rzepecki"]
+  gem.email         = ["divided.mind@gmail.com"]
+  gem.description   = %q{This gem provides an easy way of storing and retrieving encryption keys in the database.}
+  gem.summary       = %q{Store SSL keys in a database}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "slosilo"
+  gem.require_paths = ["lib"]
+  gem.version       = Slosilo::VERSION
+  gem.required_ruby_version = '~> 1.9.3'
+  
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'ci_reporter'
+  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'sequel' # for sequel tests
+  gem.add_development_dependency 'sqlite3' # for sequel tests
+end

data/spec/http_request_spec.rb

@@ -0,0 +1,107 @@
+require 'spec_helper'
+
+describe Slosilo::HTTPRequest do
+  let(:keyname) { :bacon }
+  let(:encrypt) { subject.encrypt! }
+  subject { Hash.new }
+  before do 
+    subject.extend Slosilo::HTTPRequest
+    subject.keyname = keyname
+  end
+  
+  describe "#sign!" do
+    let(:own_key) { double "own key" }
+    before { Slosilo.stub(:[]).with(:own).and_return own_key }
+    
+    let(:signed_data) { "this is the truest truth" }
+    before { subject.stub signed_data: signed_data }
+    let(:timestamp) { "long time ago" }
+    let(:signature) { "seal of approval" }
+    let(:token) { { "data" => signed_data, "timestamp" => timestamp, "signature" => signature } }
+    
+    it "makes a token out of the data to sign and inserts headers" do
+      own_key.stub(:signed_token).with(signed_data).and_return token
+      subject.should_receive(:[]=).with 'Timestamp', timestamp
+      subject.should_receive(:[]=).with 'X-Slosilo-Signature', signature
+      subject.sign!
+    end
+  end
+  
+  describe "#signed_data" do
+    before { subject.stub path: :path, body: 'body' }
+    context "when X-Slosilo-Key not present" do
+      its(:signed_data) { should == { "path" => :path, "body" => "Ym9keQ==" } }
+    end
+    
+    context "when X-Slosilo-Key is present" do
+      before { subject.merge! 'X-Slosilo-Key' => :key } 
+      its(:signed_data) { should == { "path" => :path, "body" => "Ym9keQ==", "key" => :key } }
+    end
+  end
+  
+  describe "#encrypt!" do
+    context "when key not set" do
+      before { subject.keyname = nil }
+      it "does nothing" do
+        subject.should_not_receive(:body=)
+        encrypt
+      end
+    end
+    
+    context "when requested key does not exist" do
+      before { Slosilo.stub(:[]).and_return nil }
+      it "raises error" do
+        expect{ encrypt }.to raise_error
+      end
+    end
+    
+    context "when the key exists" do
+      let(:key) { double "key" }
+      context "when the body is not empty" do
+        let(:plaintext) { "Keep your solutions close, and your problems closer." }
+        let(:ciphertext) { "And, when you want something, all the universe conspires in helping you to achieve it." }
+        let(:skey) { "make me sound like a fool instead" }
+        before do 
+          subject.stub body: plaintext
+          key.stub(:encrypt).with(plaintext).and_return([ciphertext, skey])
+          Slosilo.stub(:[]).with(keyname).and_return key
+        end
+        
+        it "encrypts the message body and adds the X-Slosilo-Key header" do
+          subject.should_receive(:body=).with ciphertext
+          subject.should_receive(:[]=).with 'X-Slosilo-Key', Base64::urlsafe_encode64(skey)
+          encrypt
+        end
+      end
+      
+      context "when the body is empty" do
+        before { subject.stub body: "" }
+        it "doesn't set the key header" do
+          subject.should_not_receive(:[]=).with 'X-Slosilo-Key'
+          encrypt
+        end
+      end
+    end
+  end
+  
+  describe "#exec" do
+    class Subject
+      def exec *a
+        "ok, got it"
+      end
+
+      def initialize keyname
+        extend Slosilo::HTTPRequest
+        self.keyname = keyname
+      end
+    end
+    
+    subject { Subject.new keyname }
+
+    it "encrypts, then signs and delegates to the superclass" do
+      subject.should_receive(:encrypt!).once.ordered
+      subject.should_receive(:sign!).once.ordered
+      subject.exec(:foo).should == "ok, got it"
+    end
+  end
+end

data/spec/http_stack_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe "http request stack" do
+  include_context "with example key"
+  include_context "with mock adapter"
+  before { Slosilo[:own] = key }
+
+  class MockRequest < Hash
+    def exec *a
+    end
+    
+    def [] name
+      name = name.sub(/^HTTP_/,'').gsub('_', '-').split(/(\W)/).map(&:capitalize).join
+      result = super name
+    end
+    
+    def initialize
+      extend Slosilo::HTTPRequest
+      self['Authorization'] = "Simon says it's fine"
+    end
+  end
+  
+  subject { MockRequest.new }
+  let(:path) { '/some/path' }
+
+  context "with authorization header" do
+    it "works" do
+      mw = Slosilo::Rack::Middleware.new lambda{|_|:ok}, signature_required: true
+      subject.stub path: path, body: ''
+      mw.stub path: path
+      subject.send :exec
+      mw.call(subject).should == :ok
+    end
+    
+    it "detects tampering" do
+      mw = Slosilo::Rack::Middleware.new lambda{|_|:ok}, signature_required: true
+      subject.stub path: path, body: ''
+      mw.stub path: path
+      subject.send :exec
+      subject['Authorization'] = "Simon changed his mind"
+      mw.call(subject).should_not == :ok
+    end
+  end
+end

data/spec/key_spec.rb

@@ -0,0 +1,115 @@
+require 'spec_helper'
+
+describe Slosilo::Key do
+  include_context "with example key"
+  
+  subject { key }
+  its(:to_der) { should == rsa.to_der }
+  its(:to_s) { should == rsa.public_key.to_pem }
+  
+  let(:plaintext) { 'quick brown fox jumped over the lazy dog' }
+  describe '#encrypt' do
+    it "generates a symmetric encryption key and encrypts the plaintext with the public key" do
+      ctxt, skey = subject.encrypt plaintext
+      pskey = rsa.private_decrypt skey
+      Slosilo::Symmetric.new.decrypt(ctxt, key: pskey).should == plaintext
+    end
+  end
+  
+  describe '#decrypt' do
+    let(:ciphertext) { "\x8B\xE6\xEC\x8C\xAB\xA4\xC0\x8EF\"\x0F\xD5Yh\xA1\aq\x00\xF5\xAC\xAB\v\a\xEC\xF6G\xA6\e\x14N\xFF\x11\x98\xDA\x19\xB5\x8994_:\xA0\xF8\x06l\xDC\x9B\xB1\xE8z\x83\xCC\x9A\x02E\x02tOhu\x92F]h" }
+    let(:skey) { "\x15\xFF\xD4>\x9C\xF4\x0F\xB6\x04C\x18\xC1\x96\xC3\xE0T\xA3\xF5\xE8\x17\xA6\xE0\x86~rrw\xC3\xDF\x11)$\x9B\r@\x0E\xE4Zv\rw-\xFC\x1C\x84\x17\xBD\xDB\x12u\xCD\r\xFEo\xD5\xC8[\x8FEA\\\xA9\xA2F#\x8BH -\xFA\xF7\xA9\xEBf\x97\xAAT}\x8E*\xC0r\x944p\xD0\x9A\xE7\xBD\a;O\f\xEF\xE4B.y\xFA\xB4e@O\xBB\x15>y\xC9\t=\x01\xE1J\xF3X\xA9\x9E3\x04^H\x1F\xFF\x19C\x93ve)@\xF7\t_\xCF\xDE\xF1\xB7]\x83lL\xB8%A\x93p{\xE9Y\xBAu\xCE\x99T\xDC\xDF\xE7\x0FD%\xB9AXb\x1CW\x94$P\xBB\xE1g\xDEE\t\xC4\x92\x9E\xFEt\xDF\xD0\xEA\x03\xC4\x12\xA9\x02~u\xF4\x92 ;\xA0\xCE.\b+)\x05\xEDo\xA5cF\xF8\x12\xD7F\x97\xE44\xBF\xF1@\xA5\xC5\xA8\xE5\a\xE8ra<\x04\xB5\xA2\f\t\xF7T\x97\e\xF5(^\xAB\xA5%84\x10\xD1\x13e<\xCA/\xBF}%\xF6\xB1%\xB2" }
+    
+    it "decrypts the symmetric key and then uses it to decrypt the ciphertext" do
+      subject.decrypt(ciphertext, skey).should == plaintext
+    end
+  end
+  
+  describe '#initialize' do
+    context "when no argument given" do
+      subject { Slosilo::Key.new }
+      let (:rsa) { double "key" }
+      it "generates a new key pair" do
+        OpenSSL::PKey::RSA.should_receive(:new).with(2048).and_return(rsa)
+        subject.key.should == rsa
+      end
+    end
+    context "when given an armored key" do
+      subject { Slosilo::Key.new rsa.to_der }
+      its(:to_der) { should == rsa.to_der }
+    end
+    context "when given a key instance" do
+      subject { Slosilo::Key.new rsa }
+      its(:to_der) { should == rsa.to_der }
+    end
+    context "when given something else" do
+      subject { Slosilo::Key.new "foo" }
+      it "fails early" do
+        expect { subject }.to raise_error
+      end
+    end
+  end
+  
+  describe "#sign" do
+    context "when given a hash" do
+      it "converts to a sorted array and signs that" do
+        key.should_receive(:sign_string).with '[["a",3],["b",42]]'
+        key.sign b: 42, a: 3
+      end
+    end
+    context "when given an array" do
+      it "signs a JSON representation instead" do
+        key.should_receive(:sign_string).with '[2,[42,2]]'
+        key.sign [2, [42, 2]]
+      end
+    end
+    context "when given a string" do
+      let(:expected_signature) { "d[\xA4\x00\x02\xC5\x17\xF5P\x1AD\x91\xF9\xC1\x00P\x0EG\x14,IN\xDE\x17\xE1\xA2a\xCC\xABR\x99'\xB0A\xF5~\x93M/\x95-B\xB1\xB6\x92!\x1E\xEA\x9C\v\xC2O\xA8\x91\x1C\xF9\x11\x92a\xBFxm-\x93\x9C\xBBoM\x92%\xA9\xD06$\xC1\xBC.`\xF8\x03J\x16\xE1\xB0c\xDD\xBF\xB0\xAA\xD7\xD4\xF4\xFC\e*\xAB\x13A%-\xD3\t\xA5R\x18\x01let6\xC8\xE9\"\x7F6O\xC7p\x82\xAB\x04J(IY\xAA]b\xA4'\xD6\x873`\xAB\x13\x95g\x9C\x17\xCAB\xF8\xB9\x85B:^\xC5XY^\x03\xEA\xB6V\x17b2\xCA\xF5\xD6\xD4\xD2\xE3u\x11\xECQ\x0Fb\x14\xE2\x04\xE1<a\xC5\x01eW-\x15\x01X\x81K\x1A\xE5A\vVj\xBF\xFC\xFE#\xD5\x93y\x16\xDC\xB4\x8C\xF0\x02Y\xA8\x87i\x01qC\xA7#\xE8\f\xA5\xF0c\xDEJ\xB0\xDB BJ\x87\xA4\xB0\x92\x80\x03\x95\xEE\xE9\xB8K\xC0\xE3JbE-\xD4\xCBP\\\x13S\"\eZ\xE1\x93\xFDa pinch of salt" }
+      it "signs it" do
+        key.stub salt: 'a pinch of salt'
+        key.sign("this sentence is not this sentence").should == expected_signature
+      end
+    end
+  end
+  
+  describe "#signed_token" do
+    let(:time) { Time.new(2012,1,1,1,1,1,0) }
+    let(:data) { { "foo" => :bar } }
+    let(:token_to_sign) { { "data" => data, "timestamp" => "2012-01-01 01:01:01 UTC" } }
+    let(:signature) { "signature" }
+    let(:salt) { 'a pinch of salt' }
+    let(:expected_signature) { Base64::urlsafe_encode64 "\xB0\xCE{\x9FP\xEDV\x9C\xE7b\x8B[\xFAil\x87^\x96\x17Z\x97\x1D\xC2?B\x96\x9C\x8Ep-\xDF_\x8F\xC21\xD9^\xBC\n\x16\x04\x8DJ\xF6\xAF-\xEC\xAD\x03\xF9\xEE:\xDF\xB5\x8F\xF9\xF6\x81m\xAB\x9C\xAB1\x1E\x837\x8C\xFB\xA8P\xA8<\xEA\x1Dx\xCEd\xED\x84f\xA7\xB5t`\x96\xCC\x0F\xA9t\x8B\x9Fo\xBF\x92K\xFA\xFD\xC5?\x8F\xC68t\xBC\x9F\xDE\n$\xCA\xD2\x8F\x96\x0EtX2\x8Cl\x1E\x8Aa\r\x8D\xCAi\x86\x1A\xBD\x1D\xF7\xBC\x8561j\x91YlO\xFA(\x98\x10iq\xCC\xAF\x9BV\xC6\v\xBC\x10Xm\xCD\xFE\xAD=\xAA\x95,\xB4\xF7\xE8W\xB8\x83;\x81\x88\xE6\x01\xBA\xA5F\x91\x17\f\xCE\x80\x8E\v\x83\x9D<\x0E\x83\xF6\x8D\x03\xC0\xE8A\xD7\x90i\x1D\x030VA\x906D\x10\xA0\xDE\x12\xEF\x06M\xD8\x8B\xA9W\xC8\x9DTc\x8AJ\xA4\xC0\xD3!\xFA\x14\x89\xD1p\xB4J7\xA5\x04\xC2l\xDC8<\x04Y\xD8\xA4\xFB[\x89\xB1\xEC\xDA\xB8\xD7\xEA\x03Ja pinch of salt" }
+    let(:expected_token) { { "data" => data, "timestamp" => "2012-01-01 01:01:01 UTC", "signature" => expected_signature } }
+    before do
+      key.stub salt: salt
+      Time.stub new: time
+    end
+    subject { key.signed_token data }
+    it { should == expected_token }
+  end
+  
+  describe "#token_valid?" do
+    let(:data) { { "foo" => :bar } }
+    let(:signature) { Base64::urlsafe_encode64 "\xB0\xCE{\x9FP\xEDV\x9C\xE7b\x8B[\xFAil\x87^\x96\x17Z\x97\x1D\xC2?B\x96\x9C\x8Ep-\xDF_\x8F\xC21\xD9^\xBC\n\x16\x04\x8DJ\xF6\xAF-\xEC\xAD\x03\xF9\xEE:\xDF\xB5\x8F\xF9\xF6\x81m\xAB\x9C\xAB1\x1E\x837\x8C\xFB\xA8P\xA8<\xEA\x1Dx\xCEd\xED\x84f\xA7\xB5t`\x96\xCC\x0F\xA9t\x8B\x9Fo\xBF\x92K\xFA\xFD\xC5?\x8F\xC68t\xBC\x9F\xDE\n$\xCA\xD2\x8F\x96\x0EtX2\x8Cl\x1E\x8Aa\r\x8D\xCAi\x86\x1A\xBD\x1D\xF7\xBC\x8561j\x91YlO\xFA(\x98\x10iq\xCC\xAF\x9BV\xC6\v\xBC\x10Xm\xCD\xFE\xAD=\xAA\x95,\xB4\xF7\xE8W\xB8\x83;\x81\x88\xE6\x01\xBA\xA5F\x91\x17\f\xCE\x80\x8E\v\x83\x9D<\x0E\x83\xF6\x8D\x03\xC0\xE8A\xD7\x90i\x1D\x030VA\x906D\x10\xA0\xDE\x12\xEF\x06M\xD8\x8B\xA9W\xC8\x9DTc\x8AJ\xA4\xC0\xD3!\xFA\x14\x89\xD1p\xB4J7\xA5\x04\xC2l\xDC8<\x04Y\xD8\xA4\xFB[\x89\xB1\xEC\xDA\xB8\xD7\xEA\x03Ja pinch of salt" }
+    let(:token) { { "data" => data, "timestamp" => "2012-01-01 01:01:01 UTC", "signature" => signature } }
+    before { Time.stub now: Time.new(2012,1,1,1,2,1,0) }
+    subject { key.token_valid? token }
+    it { should be_true }
+    context "when token is 1 hour old" do
+      before { Time.stub now: Time.new(2012,1,1,2,1,1,0) }
+      it { should be_false }
+      context "when timestamp in the token is changed accordingly" do
+        let(:token) { { "data" => data, "timestamp" => "2012-01-01 02:00:01 UTC", "signature" => signature } }
+        it { should be_false }
+      end
+    end
+    context "when the data is changed" do
+      let(:data) { { "foo" => :baz } }
+      it { should be_false }
+    end
+    context "when RSA decrypt raises an error" do
+      before { OpenSSL::PKey::RSA.any_instance.should_receive(:public_decrypt).and_raise(OpenSSL::PKey::RSAError) }
+      it { should be_false }
+    end
+  end
+end

data/spec/keystore_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe Slosilo::Keystore do
+  include_context "with example key"
+  include_context "with mock adapter"
+  
+  describe '#put' do
+    it "handles Slosilo::Keys too" do
+      subject.put(:test, key)
+      adapter['test'].should == rsa.to_der
+    end
+  end
+end

data/spec/rack_middleware_spec.rb

@@ -0,0 +1,109 @@
+require 'spec_helper'
+
+describe Slosilo::Rack::Middleware do
+  include_context "with example key"
+  mock_own_key
+  
+  let(:app) { double "app" }
+  subject { Slosilo::Rack::Middleware.new app }
+  
+  describe '#path' do
+    context "when QUERY_STRING is empty" do
+      let(:env) { { 'SCRIPT_NAME' => '/foo', 'PATH_INFO' => '/bar', 'QUERY_STRING' => '' } }
+      before { subject.stub env: env }
+      its(:path) { should == '/foo/bar' }
+    end
+    context "when QUERY_STRING is not" do
+      let(:env) { { 'SCRIPT_NAME' => '/foo', 'PATH_INFO' => '/bar', 'QUERY_STRING' => 'baz' } }
+      before { subject.stub env: env }
+      its(:path) { should == '/foo/bar?baz' }
+    end
+  end
+  
+  describe '#call' do
+    let(:call) { subject.call(env) }
+    let(:path) { "/this/is/the/path" }
+    before { subject.stub path: path }
+    context "when no X-Slosilo-Key is given" do
+      let(:env) { {} }
+      let(:result) { double "result" }
+      it "passes the env verbatim" do
+        app.should_receive(:call).with(env).and_return(result)
+        call.should == result
+      end
+
+      context "and X-Slosilo-Signature is given" do
+        let(:body) { "the body" }
+        let(:timestamp) { "long time ago" }
+        let(:signature) { "in blood" }
+        let(:env) { {'rack.input' => StringIO.new(body), 'HTTP_TIMESTAMP' => timestamp, 'HTTP_X_SLOSILO_SIGNATURE' => signature } }
+        let(:token) { { "data" => { "path" => path, "body" => "dGhlIGJvZHk=" }, "timestamp" => timestamp, "signature" => signature } }
+        context "when the signature is valid" do
+          before { Slosilo.stub(:token_valid?).with(token).and_return true }
+          it "passes the env verbatim" do
+            app.should_receive(:call).with(env).and_return(result)
+            call.should == result
+          end
+        end
+        context "when the signature is invalid" do
+          before { Slosilo.stub(:token_valid?).with(token).and_return false }
+          it "returns 401" do
+            call[0].should == 401
+          end
+        end
+      end
+
+      context "but encryption is required" do
+        subject { Slosilo::Rack::Middleware.new app, encryption_required: true }
+        context "and the body is not empty" do
+          let(:env) { {'rack.input' => StringIO.new('foo') } }
+          it "returns 403" do
+            status, headers, body = call
+            status.should == 403
+          end
+        end
+        context "but the body is empty" do
+          subject { Slosilo::Rack::Middleware.new app, encryption_required: true, signature_required: false }
+          let(:body) { "" }
+          let(:timestamp) { "long time ago" }
+          let(:env) { {'rack.input' => StringIO.new(body) } }
+          it "passes the env verbatim" do
+            app.should_receive(:call).with(env).and_return(result)
+            call.should == result
+          end
+        end
+      end
+    end
+    
+    context "when no X-Slosilo-Signature is given" do
+      context "but signature is required" do
+        let(:env) {{}}
+        subject { Slosilo::Rack::Middleware.new app, signature_required: true }
+        it "returns 401" do
+          status, headers, body = call
+          status.should == 401
+        end
+      end
+    end
+      
+    let(:plaintext) { "If you were taught that elves caused rain, every time it rained, you'd see the proof of elves." }
+    let(:skey) { "Eiho7xIoFj-Qwqc0swcQQJzJyM1sSv_b6VdRIoHCPRUwemB0v5MNyOirU_5dQ_bNzlmSlo8HDvfAnMgapwpIBH__uDUV_3nCkzrzQVV3-bSp6owJnqebeSQxJMoVMKEWqqek3ZCBPo0OB63A8mkYGu9955gDEDOnlxLkETGb3SmDQIVJtiMmAkUWN0fh9z1M9Ycw9FfworaHKQXRLw6z6Rl-Yoe_TDaiKVlGIYjQKpCz8h_I5lRdrhPJaP53d0yQuKMK3PBHMzE77IikZyQ3VZdoqI9XqzUJF27KehxJ_BCx0oAcPaxG6I7WWe3Xb7K7MhE4HgzqVZACDLhYfm_0XA==" }
+    let(:ciphertext) { "0\xDE\xE1\xBA=\x06+K\xE0\xCAD\xC6\xE3 d\xC7kx\x90\r\ni\xDCXmS!EP\xAB\xEF\xAA\x13{\x85f\x8FU,\xB3zO\x1F\x85\f\x0E\xAE\xF8\x10`\x1C\x94\xAB@\xFA\xBC\xC0/\x1F\xA6nX\xFF-m\xF4\xC3f\xBB\xCA\x05\xC82\x18l\xC3\xF0v\x96\v\x8F\xFC\xB2\xC7wX;\xF6v\xDCX:\xCC\xF8\xD7\x99\xC8\x1A\xBA\x9F\xDB\xE7\x0F\xF2\xC9f\aaGs\xEFc" }
+    context "when X-Slosilo-Key is given" do
+      context "when the key decrypts cleanly" do
+        let(:env) { {'HTTP_X_SLOSILO_KEY' => skey, 'rack.input' => StringIO.new(ciphertext) } }
+        it "passes the decrypted contents" do
+          app.should_receive(:call).with(rack_environment_with_input(plaintext)).and_return(:result)
+          call.should == :result
+        end
+      end
+      context "when the key is invalid" do
+        let(:env) { {'HTTP_X_SLOSILO_KEY' => "broken #{skey}", 'rack.input' => StringIO.new(ciphertext) } }
+        it "returns 403 status" do
+          status, headers, body = call
+          status.should == 403
+        end
+      end
+    end
+  end
+end

data/spec/random_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+describe Slosilo::Random do
+  subject { Slosilo::Random }
+  let(:other_salt) { Slosilo::Random::salt }
+  
+  its('salt.length') { should == 32 }
+  its(:salt) { should_not == other_salt }
+end

data/spec/sequel_adapter_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+require 'slosilo/adapters/sequel_adapter'
+
+describe Slosilo::Adapters::SequelAdapter do
+  let(:model) { double "model" }
+  before { subject.stub create_model: model }
+  
+  describe "#get_key" do
+    context "when given key does not exist" do
+      before { model.stub :[] => nil }
+      it "returns nil" do
+        subject.get_key(:whatever).should_not be
+      end
+    end
+  end
+  
+  describe "#put_key" do
+    let(:id) { "id" }
+    let(:key) { "key" }
+    it "creates the key" do
+      model.should_receive(:create).with id: id, key: key
+      subject.put_key id, key
+    end
+  end
+  
+  let(:adapter) { subject }
+  describe "#each" do
+    let(:one) { double("one", id: :one, key: :onek) }
+    let(:two) { double("two", id: :two, key: :twok) }
+    before { model.stub(:each).and_yield(one).and_yield(two) }
+    
+    it "iterates over each key" do
+      results = []
+      adapter.each { |id,k| results << { id => k } }
+      results.should == [ { one: :onek}, {two: :twok } ]
+    end
+  end
+  
+  describe '#model' do
+    let(:db) { Sequel.sqlite }
+    before do
+      Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
+      subject.unstub :create_model
+      require 'sequel'
+      Sequel::Model.db = db
+      Sequel.extension :migration
+      require 'slosilo/adapters/sequel_adapter/migration'
+      Sequel::Migration::descendants.first.apply db, :up
+    end
+      
+    let(:key) { 'fake key' }
+    let(:id) { 'some id' }
+    it "transforms (encrypts) the key" do
+      subject.model.create id: id, key: key
+      db[:slosilo_keystore][id: id][:key].should_not == key
+      subject.model[id].key.should == key
+    end
+  end
+end

data/spec/slosilo_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper'
+
+describe Slosilo do
+  include_context "with mock adapter"
+  let(:key) { OpenSSL::PKey::RSA.new 512 }
+  before { adapter['test'] = key.to_der }
+  
+  describe '[]' do
+    it "returns a Slosilo::Key" do
+      Slosilo[:test].should be_instance_of Slosilo::Key
+    end
+    
+    context "when the requested key does not exist" do
+      it "returns nil instead of creating a new key" do
+        Slosilo[:aether].should_not be
+      end
+    end
+  end
+  
+  describe '.sign' do
+    let(:own_key) { double "own key" }
+    before { Slosilo.stub(:[]).with(:own).and_return own_key }
+    let (:argument) { double "thing to sign" }
+    it "fetches the own key and signs using that" do
+      own_key.should_receive(:sign).with(argument)
+      Slosilo.sign argument
+    end
+  end
+  
+  describe '.token_valid?' do
+    before { adapter['test'].stub token_valid?: false }
+    let(:key2) { double "key 2", token_valid?: false }
+    let(:key3) { double "key 3", token_valid?: false }
+    before do
+      adapter[:key2] = key2
+      adapter[:key3] = key3
+    end
+    
+    let(:token) { double "token" }
+    subject { Slosilo.token_valid? token }
+    
+    context "when no key validates the token" do
+      before { Slosilo::Key.stub new: (double "key", token_valid?: false) }
+      it { should be_false }
+    end
+    
+    context "when a key validates the token" do
+      let(:valid_key) { double token_valid?: true }
+      let(:invalid_key) { double token_valid?: true }
+      before do
+        Slosilo::Key.stub new: invalid_key
+        Slosilo::Key.stub(:new).with(key2).and_return(valid_key)
+      end
+      
+      it { should be_true }
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,62 @@
+require "simplecov"
+SimpleCov.start
+
+require 'slosilo'
+
+shared_context "with mock adapter" do
+  require 'slosilo/adapters/mock_adapter'
+
+  let(:adapter) { Slosilo::Adapters::MockAdapter.new }
+  before { Slosilo::adapter = adapter }
+end
+
+shared_context "with example key" do
+  let(:rsa) { OpenSSL::PKey::RSA.new """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAtTG/SQhW9QawP+GL6EZ5Al9gscCr7HiRO7MuQqFkaXIJD6+3
+prdHRrb0qqjNlGFgDBGAuswZ2AYqhBt7eekup+/vIpI5n04b0w+is3WwZAFco4uP
+ojDeM0aY65Ar3Zgra2vWUJXRwBumroZjVBVoLJSgVfwIhwU6ORbS2oJflbtqxpuS
+zkPDqS6RwEzI/DHuHTOI26fe+vfuDqGOuSR6iVI16lfvTbWwccpDwU0W9vSlyjjD
+LIw0MnoKL3DHyzO66s+oNNRleMvjghQtJk/xg1kRuHReJ5/ygt2zyzdKSLeqU+T+
+TCWw/F65jrFElftexiS+g+lZC467VLCaMe1fJQIDAQABAoIBAQCiNWzXRr4CEQDL
+z3Deeehu9U+tEZ1Xzv/FgD0TrUQlGc9+2YIBn+YRKkySUxfnk9zWMP0bPQiN2cdK
+CQhbNSNteGCOhHVNZjGGm2K+YceNX6K9Tn1BZ5okMTlI+QIsGMQWIK316omh/58S
+coCNj7R45H09PKmtpkJfRU1yDHDhqypjPDpb9/7U5mt3g2BdXYi+1hilfonHoDrC
+yy3eRdf7Tlij9O3UeM+Z7pZrKATcvpDkYbNWizDITvKMYy6Ss+ajM5v7lt6QN5LP
+MHjwX8Ilrxkxl0jeopr4f94tR7rNDZbLC457j8gns7cUeODtF7pPZqlrlk4KOq8Q
+DvEMt2ZpAoGBAOLNUiO1SwRo75Y8ukuMVQev8O8WuzEEGINoM1lQiYlbUw3HmVp3
+iUvv58ANmKSzTXpOEZ1L8pZHSp435FrzD2WZmCAoXhNdfAXtmZA7Y46iE6BF4qrr
+UegtLPhVgwpO74Y+4w2YwfDknzCOhWE4sxCbukuSvxz2pz1Vm31eFB6jAoGBAMyF
+VxfYq9WhmLNsHqR+qfhb1EC5FfpSq23z/o4ryiKqCaWHimVtOO7DL7x2SK3mVNNZ
+X8b4+vnJpAQ3nOxeg8fpmBaLAWYRna2AN/CYVIMKYusawhsGAlZZTu2mtJKLiOPS
+8/z5dK55xJWlG5JalUB+n/4vd3WmXiT/XJj3qU+XAoGBALyHzLXeKCPcTvzmMj5G
+wxAG0xMMJEMUkoP5hGXEKvBBOAMGXpXzM/Ap1s2w/6g5XDhE2SOWVGtTi9WFxI9N
+6Qid6vUgWUNjvIr4/WQF2jZgyEu8jDVkM8v6cZ1lB+7zuuwvLnLI/r6ObT3h20H7
+7e3qZawYqkEbT94OYZiPMc5dAoGAHmIQtjIyFOKU1NLTGozWo1bBCXx1j2KIpSUC
+RAytUsj/9d9U6Ax50L6ecNkBoxP8tgko+V4zqrgR7a51WYgQ+7nwJikwZAFp80SB
+CvUWWQFKALNQ8sLJxhouZ4/Ec6DXDUFhjcthUio00iZdGjjqw1IMYq6aiJfWlJh7
+IR5pwLECgYEAyjlguks/3cjrHRF+yjonxT4tLuBI/n3TAQUPqmtkJtcwZSAJas/1
+c/twlAJ7F6n3ZroF3lgPxMJRRHZl4Z4dJsDatIxVShf3nSGg9Mi5C25obxahbv5/
+Dg1ikwi8GUF4HPZe9DyhXgDhg19wM/qcpjX8bSypsUWHWP+FanhjdWU=
+-----END RSA PRIVATE KEY-----
+        """ }
+  let (:key) { Slosilo::Key.new rsa.to_der }
+  
+  def self.mock_own_key
+    before { Slosilo.stub(:[]).with(:own).and_return key }
+  end
+end
+
+class RackEnvironmentInputMatcher
+  def initialize expected
+    @expected = expected
+  end
+  
+  def == env
+    env['rack.input'].read.should == @expected
+  end
+end
+
+def rack_environment_with_input expected
+  RackEnvironmentInputMatcher.new expected
+end