slosilo 1.0.0 → 2.2.1

data/spec/keystore_spec.rb

@@ -7,7 +7,7 @@ describe Slosilo::Keystore do
   describe '#put' do
     it "handles Slosilo::Keys" do
       subject.put(:test, key)
-      adapter['test'].to_der.should == rsa.to_der
+      expect(adapter['test'].to_der).to eq(rsa.to_der)
     end
 
     it "refuses to store a key with a nil id" do
@@ -19,7 +19,7 @@ describe Slosilo::Keystore do
     end
 
     it "passes the Slosilo key to the adapter" do
-      adapter.should_receive(:put_key).with "test", key
+      expect(adapter).to receive(:put_key).with "test", key
       subject.put :test, key
     end
   end

data/spec/random_spec.rb

@@ -4,6 +4,16 @@ describe Slosilo::Random do
   subject { Slosilo::Random }
   let(:other_salt) { Slosilo::Random::salt }
   
-  its('salt.length') { should == 32 }
-  its(:salt) { should_not == other_salt }
+  describe '#salt' do
+    subject { super().salt }
+    describe '#length' do
+      subject { super().length }
+      it { is_expected.to eq(32) }
+    end
+  end
+
+  describe '#salt' do
+    subject { super().salt }
+    it { is_expected.not_to eq(other_salt) }
+  end
 end

data/spec/sequel_adapter_spec.rb

@@ -8,21 +8,21 @@ describe Slosilo::Adapters::SequelAdapter do
   include_context "with example key"
 
   let(:model) { double "model" }
-  before { subject.stub create_model: model }
+  before { allow(subject).to receive_messages create_model: model }
   
   describe "#get_key" do
     context "when given key does not exist" do
-      before { model.stub :[] => nil }
+      before { allow(model).to receive_messages :[] => nil }
       it "returns nil" do
-        subject.get_key(:whatever).should_not be
+        expect(subject.get_key(:whatever)).not_to be
       end
     end
 
     context "when it exists" do
       let(:id) { "id" }
-      before { model.stub(:[]).with(id).and_return (double "key entry", id: id, key: rsa.to_der) }
+      before { allow(model).to receive(:[]).with(id).and_return (double "key entry", id: id, key: rsa.to_der) }
       it "returns it" do
-        subject.get_key(id).should == key
+        expect(subject.get_key(id)).to eq(key)
       end
     end
   end
@@ -30,14 +30,14 @@ describe Slosilo::Adapters::SequelAdapter do
   describe "#put_key" do
     let(:id) { "id" }
     it "creates the key" do
-      model.should_receive(:create).with id: id, key: key.to_der
-      model.stub columns: [:id, :key]
+      expect(model).to receive(:create).with id: id, key: key.to_der
+      allow(model).to receive_messages columns: [:id, :key]
       subject.put_key id, key
     end
 
     it "adds the fingerprint if feasible" do
-      model.should_receive(:create).with id: id, key: key.to_der, fingerprint: key.fingerprint
-      model.stub columns: [:id, :key, :fingerprint]
+      expect(model).to receive(:create).with id: id, key: key.to_der, fingerprint: key.fingerprint
+      allow(model).to receive_messages columns: [:id, :key, :fingerprint]
       subject.put_key id, key
     end
   end
@@ -46,25 +46,21 @@ describe Slosilo::Adapters::SequelAdapter do
   describe "#each" do
     let(:one) { double("one", id: :one, key: :onek) }
     let(:two) { double("two", id: :two, key: :twok) }
-    before { model.stub(:each).and_yield(one).and_yield(two) }
+    before { allow(model).to receive(:each).and_yield(one).and_yield(two) }
     
     it "iterates over each key" do
       results = []
-      Slosilo::Key.stub(:new) {|x|x}
+      allow(Slosilo::Key).to receive(:new) {|x|x}
       adapter.each { |id,k| results << { id => k } }
-      results.should == [ { one: :onek}, {two: :twok } ]
+      expect(results).to eq([ { one: :onek}, {two: :twok } ])
     end
   end
 
   shared_context "database" do
     let(:db) { Sequel.sqlite }
     before do
-      subject.unstub :create_model
-      begin
-        Sequel::Model.cache_anonymous_models = false
-      rescue NoMethodError # sequel 4.0 moved the method
-        Sequel.cache_anonymous_models = false
-      end
+      allow(subject).to receive(:create_model).and_call_original
+      Sequel::Model.cache_anonymous_models = false
       Sequel::Model.db = db
     end
   end
@@ -91,24 +87,24 @@ describe Slosilo::Adapters::SequelAdapter do
       before { subject.migrate! }
 
       it "supports look up by id" do
-        subject.get_key("test").should == key
+        expect(subject.get_key("test")).to eq(key)
       end
 
       it "supports look up by fingerprint, without a warning" do
-        $stderr.grab do
-          subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
-        end.should be_empty
+        expect($stderr.grab do
+          expect(subject.get_by_fingerprint(key.fingerprint)).to eq([key, 'test'])
+        end).to be_empty
       end
     end
 
     it "supports look up by id" do
-      subject.get_key("test").should == key
+      expect(subject.get_key("test")).to eq(key)
     end
 
     it "supports look up by fingerprint, but issues a warning" do
-      $stderr.grab do
-        subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
-      end.should_not be_empty
+      expect($stderr.grab do
+        expect(subject.get_by_fingerprint(key.fingerprint)).to eq([key, 'test'])
+      end).not_to be_empty
     end
   end
 
@@ -129,11 +125,11 @@ describe Slosilo::Adapters::SequelAdapter do
     end
 
     it "supports look up by id" do
-      subject.get_key("test").should == key
+      expect(subject.get_key("test")).to eq(key)
     end
 
     it "supports look up by fingerprint" do
-      subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
+      expect(subject.get_by_fingerprint(key.fingerprint)).to eq([key, 'test'])
     end
   end
 
@@ -141,7 +137,7 @@ describe Slosilo::Adapters::SequelAdapter do
     include_context "encryption key"
     include_context "current schema"
 
-    it { should be_secure }
+    it { is_expected.to be_secure }
 
     it "saves the keys in encrypted form" do
       subject.put_key 'test', key
@@ -158,7 +154,7 @@ describe Slosilo::Adapters::SequelAdapter do
 
     include_context "current schema"
 
-    it { should_not be_secure }
+    it { is_expected.not_to be_secure }
 
     it "refuses to store a private key" do
       expect { subject.put_key 'test', key }.to raise_error(Slosilo::Error::InsecureKeyStorage)

data/spec/slosilo_spec.rb

@@ -7,32 +7,32 @@ describe Slosilo do
   
   describe '[]' do
     it "returns a Slosilo::Key" do
-      Slosilo[:test].should be_instance_of Slosilo::Key
+      expect(Slosilo[:test]).to be_instance_of Slosilo::Key
     end
 
     it "allows looking up by fingerprint" do
-      Slosilo[fingerprint: key_fingerprint].should == key
+      expect(Slosilo[fingerprint: key_fingerprint]).to eq(key)
     end
     
     context "when the requested key does not exist" do
       it "returns nil instead of creating a new key" do
-        Slosilo[:aether].should_not be
+        expect(Slosilo[:aether]).not_to be
       end
     end
   end
   
   describe '.sign' do
     let(:own_key) { double "own key" }
-    before { Slosilo.stub(:[]).with(:own).and_return own_key }
+    before { allow(Slosilo).to receive(:[]).with(:own).and_return own_key }
     let (:argument) { double "thing to sign" }
     it "fetches the own key and signs using that" do
-      own_key.should_receive(:sign).with(argument)
+      expect(own_key).to receive(:sign).with(argument)
       Slosilo.sign argument
     end
   end
   
   describe '.token_valid?' do
-    before { adapter['test'].stub token_valid?: false }
+    before { allow(adapter['test']).to receive_messages token_valid?: false }
     let(:key2) { double "key 2", token_valid?: false }
     let(:key3) { double "key 3", token_valid?: false }
     before do
@@ -44,19 +44,19 @@ describe Slosilo do
     subject { Slosilo.token_valid? token }
     
     context "when no key validates the token" do
-      before { Slosilo::Key.stub new: (double "key", token_valid?: false) }
-      it { should be_false }
+      before { allow(Slosilo::Key).to receive_messages new: (double "key", token_valid?: false) }
+      it { is_expected.to be_falsey }
     end
     
     context "when a key validates the token" do
       let(:valid_key) { double token_valid?: true }
       let(:invalid_key) { double token_valid?: true }
       before do
-        Slosilo::Key.stub new: invalid_key
+        allow(Slosilo::Key).to receive_messages new: invalid_key
         adapter[:key2] = valid_key
       end
       
-      it { should be_true }
+      it { is_expected.to be_truthy }
     end
   end
   
@@ -66,18 +66,18 @@ describe Slosilo do
       let(:token) {{ 'data' => 'foo', 'key' => key.fingerprint, 'signature' => 'XXX' }}
 
       context "and the signature is valid" do
-        before { key.stub(:token_valid?).with(token).and_return true }
+        before { allow(key).to receive(:token_valid?).with(token).and_return true }
 
         it "returns the key id" do
-          subject.token_signer(token).should == 'test'
+          expect(subject.token_signer(token)).to eq('test')
         end
       end
 
       context "and the signature is invalid" do
-        before { key.stub(:token_valid?).with(token).and_return false }
+        before { allow(key).to receive(:token_valid?).with(token).and_return false }
 
         it "returns nil" do
-          subject.token_signer(token).should_not be
+          expect(subject.token_signer(token)).not_to be
         end
       end
     end
@@ -85,7 +85,39 @@ describe Slosilo do
     context "when token doesn't match a key" do
       let(:token) {{ 'data' => 'foo', 'key' => "footprint", 'signature' => 'XXX' }}
       it "returns nil" do
-        subject.token_signer(token).should_not be
+        expect(subject.token_signer(token)).not_to be
+      end
+    end
+
+    context "with JWT token" do
+      before do
+        expect(key).to receive(:validate_jwt) do |jwt|
+          expect(jwt.header).to eq 'kid' => key.fingerprint
+          expect(jwt.claims).to eq({})
+          expect(jwt.signature).to eq 'sig'
+        end
+      end
+
+      it "accepts pre-parsed JSON serialization" do
+        expect(Slosilo.token_signer(
+          'protected' => 'eyJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=',
+          'payload' => 'e30=',
+          'signature' => 'c2ln'
+        )).to eq 'test'
+      end
+
+      it "accepts pre-parsed JWT token" do
+        expect(Slosilo.token_signer(Slosilo::JWT(
+          'protected' => 'eyJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=',
+          'payload' => 'e30=',
+          'signature' => 'c2ln'
+        ))).to eq 'test'
+      end
+
+      it "accepts compact serialization" do
+        expect(Slosilo.token_signer(
+          'eyJraWQiOiIxMDdiZGI4NTAxYzQxOWZhZDJmZGIyMGI0NjdkNGQwYTYyYTE2YTk4YzM1ZjJkYTBlYjNiMWZmOTI5Nzk1YWQ5In0=.e30=.c2ln'
+        )).to eq 'test'
       end
     end
   end

data/spec/spec_helper.rb

@@ -1,10 +1,6 @@
 require "simplecov"
 SimpleCov.start
 
-RSpec.configure do |c|
-  c.treat_symbols_as_metadata_keys_with_true_values = true
-end
-
 require 'slosilo'
 
 shared_context "with mock adapter" do
@@ -45,7 +41,7 @@ Dg1ikwi8GUF4HPZe9DyhXgDhg19wM/qcpjX8bSypsUWHWP+FanhjdWU=
 -----END RSA PRIVATE KEY-----
         """ }
   let (:key) { Slosilo::Key.new rsa.to_der }
-  let (:key_fingerprint) { "d28e3a347e368416b3129a40c1b887fe" }
+  let (:key_fingerprint) { "107bdb8501c419fad2fdb20b467d4d0a62a16a98c35f2da0eb3b1ff929795ad9" }
 
   let (:another_rsa) do
     OpenSSL::PKey::RSA.new """
@@ -80,20 +76,6 @@ ooQ2FuL0K6ukQfHPjuMswqi41lmVH8gIVqVC+QnImUCrGxH9WXWy
   end
   
   def self.mock_own_key
-    before { Slosilo.stub(:[]).with(:own).and_return key }
-  end
-end
-
-class RackEnvironmentInputMatcher
-  def initialize expected
-    @expected = expected
+    before { allow(Slosilo).to receive(:[]).with(:own).and_return key }
   end
-  
-  def == env
-    env['rack.input'].read.should == @expected
-  end
-end
-
-def rack_environment_with_input expected
-  RackEnvironmentInputMatcher.new expected
 end

data/spec/symmetric_spec.rb

@@ -3,49 +3,71 @@ require 'spec_helper'
 describe Slosilo::Symmetric do
   # TODO transform it to class methods only?
   let(:plaintext) { "quick brown fox jumped over the lazy dog" }
+  let(:auth_data) { "some record id" }
   let(:key) { "^\xBAIv\xDB1\x0Fi\x04\x11\xFD\x14\xA7\xCD\xDFf\x93\xFE\x93}\v\x01\x11\x98\x14\xE0;\xC1\xE2 v\xA5".force_encoding("ASCII-8BIT") }
-  let(:iv) { "\xA1\xFA#z\x16\x80R\xCC|\x0Fyc\xB7j\x17\xED".force_encoding("ASCII-8BIT") }
-  let(:ciphertext) { "\xA1\xFA#z\x16\x80R\xCC|\x0Fyc\xB7j\x17\xED\x15\xC9r\xC9\xEE\xB9\xBC5\xB7\ni\x0F\f\xC8X\x80 h\a\xF4\xA6\xE3\x15\x9D\xF1-\xE5\bs\xF6\x02Z\x0F\xCD|S\x1A\xAA\x9At\xEFT\x17\xA5lT\x8C\xF3".force_encoding("ASCII-8BIT") }
+  let(:iv) { "\xD9\xABn\x01b\xFA\xBD\xC2\xE5\xEA\x01\xAC".force_encoding("ASCII-8BIT") }
+  let(:ciphertext) { "G^W1\x9C\xD4\xCC\x87\xD3\xFF\x86[\x0E3\xC0\xC8^\xD9\xABn\x01b\xFA\xBD\xC2\xE5\xEA\x01\xAC\x9E\xB9:\xF7\xD4ebeq\xDC \xC0sG\xA4\xAE,\xB8A|\x97\xBC\xFD\x85\xE1\xB93\x95>\xBD\n\x05\xFB\x15\x1F\x06#3M9".force_encoding('ASCII-8BIT') }
+
   describe '#encrypt' do
-    it "encrypts with AES-256-CBC" do
-      subject.stub random_iv: iv
-      subject.encrypt(plaintext, key: key).should == ciphertext
+    it "encrypts with AES-256-GCM" do
+      allow(subject).to receive_messages random_iv: iv
+      expect(subject.encrypt(plaintext, key: key, aad: auth_data)).to eq(ciphertext)
     end
   end
   
   describe '#decrypt' do
-    it "decrypts with AES-256-CBC" do
-      subject.decrypt(ciphertext, key: key).should == plaintext
+    it "decrypts with AES-256-GCM" do
+      expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
+    end
+
+
+    context "when the ciphertext has been messed with" do
+      let(:ciphertext) {  "pwnd!" } # maybe we should do something more realistic like add some padding?
+      it "raises an exception" do
+        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception /Invalid version/
+      end
+      context "by adding a trailing 0" do
+        let(:new_ciphertext){ ciphertext + '\0' }
+        it "raises an exception" do
+          expect{ subject.decrypt(new_ciphertext, key: key, aad: auth_data) }.to raise_exception /Invalid version/
+        end
+      end
     end
-    
-    context "when ciphertext happens to end in a zero" do
-      let(:ciphertext) { "\x7F\xD6\xEAb\xE56\a\xD3\xC5\xF2J\n\x8C\x8Fg\xB7-\\\x8A\fh\x18\xC8\x91\xB9 \x97\xC9\x12\xE6\xA6\xAE\xB1I\x1E\x80\xAB\xD8\xDC\xBD\xB6\xCD\x9A\xA3MH\xA8\xB0\xC7\xDA\x87\xA7c\xD75,\xD2A\xB8\x9E\xE3o\x04\x00" }
-      let(:key) { "4pSuk1rAQyuHA5uUYaj0X0BsiPCFb9Nc8J03XA6V5/Y" }
-      it "works correctly" do
-        subject.decrypt(ciphertext, key: key).should == "R6KNTQ4aUivojbaqhgAqj1I4PaF8h/5/YcENy4uNbfk="
+
+    context "when no auth_data is given" do
+      let(:auth_data){""}
+      let(:ciphertext){ "Gm\xDAT\xE8I\x9F\xB7\xDC\xBB\x84\xD3Q#\x1F\xF4\x8C\aV\x93\x8F_\xC7\xBC87\xC9U\xF1\xAF\x8A\xD62\x1C5H\x86\x17\x19=B~Y*\xBC\x9D\eJeTx\x1F\x02l\t\t\xD3e\xA4\x11\x13y*\x95\x9F\xCD\xC4@\x9C"}
+
+      it "decrypts the message" do
+        expect(subject.decrypt(ciphertext, key: key, aad: auth_data)).to eq(plaintext)
+      end
+
+      context "and the ciphertext has been messed with" do
+        it "raises an exception" do
+          expect{ subject.decrypt(ciphertext + "\0\0\0", key: key, aad: auth_data)}.to raise_exception OpenSSL::Cipher::CipherError
+        end
       end
     end
 
-    context "when the iv ends in space" do
-      let(:ciphertext) { "\xC0\xDA#\xE9\xE1\xFD\xEDJ\xADs4P\xA9\xD6\x92 \xF7\xF8_M\xF6\x16\xC2i$\x8BT^\b\xA1\xB2L&\xE9\x80\x02[]6i\x9B\xD3\xC3\xED\xA9\xD1\x94\xE8\x15\xFD\xDA\xFEUj\xC5upH*\xBF\x82\x15le" }
-      let(:key) { "4pSuk1rAQyuHA5uUYaj0X0BsiPCFb9Nc8J03XA6V5/Y" }
-      it "works correctly" do
-        subject.decrypt(ciphertext, key: key).should == "zGptmL3vd4obi1vqSiWHt/Ias2k+6qDtuq9vdow8jNA="
+    context "when the auth data doesn't match" do
+      let(:auth_data){ "asdf" }
+      it "raises an exception" do
+        expect{ subject.decrypt(ciphertext, key: key, aad: auth_data)}.to raise_exception OpenSSL::Cipher::CipherError
       end
     end
   end
   
   describe '#random_iv' do
     it "generates a random iv" do
-      OpenSSL::Cipher.any_instance.should_receive(:random_iv).and_return :iv
-      subject.random_iv.should == :iv
+      expect_any_instance_of(OpenSSL::Cipher).to receive(:random_iv).and_return :iv
+      expect(subject.random_iv).to eq(:iv)
     end
   end
 
   describe '#random_key' do
     it "generates a random key" do
-      OpenSSL::Cipher.any_instance.should_receive(:random_key).and_return :key
-      subject.random_key.should == :key
+      expect_any_instance_of(OpenSSL::Cipher).to receive(:random_key).and_return :key
+      expect(subject.random_key).to eq(:key)
     end
   end
 end

data/test.sh

@@ -0,0 +1,25 @@
+#!/bin/bash -xe
+
+iid=slosilo-test-$(date +%s)
+
+docker build -t $iid -f - . << EOF
+  FROM ruby
+  WORKDIR /app
+  COPY Gemfile slosilo.gemspec ./
+  RUN bundle
+  COPY . ./
+  RUN bundle
+EOF
+
+cidfile=$(mktemp -u)
+docker run --cidfile $cidfile -v /app/spec/reports $iid bundle exec rake jenkins || :
+
+cid=$(cat $cidfile)
+
+docker cp $cid:/app/spec/reports spec/
+docker rm $cid
+
+# untag, will use cache next time if available but no junk will be left
+docker rmi $iid
+
+rm $cidfile