slosilo 0.4.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6918af427a277c2bb00cfee84403f527b2f9add6
-  data.tar.gz: 55e3365667529c34e2999f5313211779ee38e032
+  metadata.gz: d243023c094f7eaec65752017e2550d57030d13a
+  data.tar.gz: f99b144884f5f3bf351fe4190e06c99f076b961f
 SHA512:
-  metadata.gz: 7ccab3fc113dda1efe8a603a80f48309d4f776ade1f0ab45198ef6bc8d53736c54dc0e78e6cd0fbbbf0bcf15e4baf5da89884b8543303f5f7d10e3c1821ec141
-  data.tar.gz: b313e1b365592f9ec2c60c5992bcd92305856894006e2440661494b90df9faae6a630ce3458b681a3a20f22df569c194472cbe89a8d3643f97638baedff739b8
+  metadata.gz: 3b2b0a71040bedaf6e15da8c6fdf6bca34fec490fe41f8834c72ba170ab22cbe7bd8d1d1b93dcfd24855acbf4ad634aa342cdb0374d562277ac9d4df493c6e7a
+  data.tar.gz: 8f4741e1f0f4a00cb0b466e6776445830efc11f66947cac7533fc2d65d0060a0116f7b0239c130ff3866e24e628323170bf684ee2285dc1020e21e2a36106663

data/lib/slosilo.rb

@@ -3,8 +3,7 @@ require "slosilo/keystore"
 require "slosilo/symmetric"
 require "slosilo/attr_encrypted"
 require "slosilo/random"
-require "slosilo/rack/middleware"
-require "slosilo/http_request"
+require "slosilo/errors"
 
 if defined? Sequel
   require 'slosilo/adapters/sequel_adapter'

data/lib/slosilo/adapters/sequel_adapter.rb

@@ -6,15 +6,21 @@ module Slosilo
       def model
         @model ||= create_model
       end
+
+      def secure?
+        !Slosilo.encryption_key.nil?
+      end
       
       def create_model
         model = Sequel::Model(:slosilo_keystore)
         model.unrestrict_primary_key
-        model.attr_encrypted :key
+        model.attr_encrypted :key if secure?
         model
       end
       
       def put_key id, value
+        fail Error::InsecureKeyStorage unless secure? || !value.private?
+
         attrs = { id: id, key: value.to_der }
         attrs[:fingerprint] = value.fingerprint if fingerprint_in_db?
         model.create attrs

data/lib/slosilo/errors.rb

@@ -0,0 +1,12 @@
+module Slosilo
+  class Error < RuntimeError
+    # An error thrown when attempting to store a private key in an unecrypted
+    # storage. Set Slosilo.encryption_key to secure the storage or make sure
+    # to store just the public keys (using Key#public).
+    class InsecureKeyStorage < Error
+      def initialize msg = "can't store a private key in a plaintext storage"
+        super
+      end
+    end
+  end
+end

data/lib/slosilo/key.rb

@@ -98,6 +98,16 @@ module Slosilo
     def hash
       to_der.hash
     end
+
+    # return a new key with just the public part of this
+    def public
+      Key.new(@key.public_key)
+    end
+
+    # checks if the keypair contains a private key
+    def private?
+      @key.private?
+    end
     
     private
     

data/lib/slosilo/keystore.rb

@@ -7,7 +7,9 @@ module Slosilo
     end
     
     def put id, key
-      adapter.put_key id.to_s, key
+      id = id.to_s
+      fail ArgumentError, "id can't be empty" if id.empty?
+      adapter.put_key id, key
     end
     
     def get opts

data/lib/slosilo/version.rb

@@ -1,3 +1,3 @@
 module Slosilo
-  VERSION = "0.4.1"
+  VERSION = "1.0.0"
 end

data/slosilo.gemspec

@@ -18,9 +18,10 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = '>= 1.9.3'
   
   gem.add_development_dependency 'rake'
-  gem.add_development_dependency 'rspec'
-  gem.add_development_dependency 'ci_reporter'
+  gem.add_development_dependency 'rspec', '~> 2.14'
+  gem.add_development_dependency 'ci_reporter', '~> 1.9'
   gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'io-grab', '~> 0.0.1'
   gem.add_development_dependency 'sequel' # for sequel tests
   gem.add_development_dependency 'sqlite3' # for sequel tests
 end

data/spec/key_spec.rb

@@ -7,6 +7,7 @@ describe Slosilo::Key do
   its(:to_der) { should == rsa.to_der }
   its(:to_s) { should == rsa.public_key.to_pem }
   its(:fingerprint) { should == key_fingerprint }
+  it { should be_private }
 
   context "with identical key" do
     let(:other) { Slosilo::Key.new rsa.to_der }
@@ -38,6 +39,16 @@ describe Slosilo::Key do
     end
   end
 
+  describe '#public' do
+    it "returns a key with just the public half" do
+      pkey = subject.public
+      expect(pkey).to be_a(Slosilo::Key)
+      expect(pkey).to_not be_private
+      expect(pkey.key).to_not be_private
+      expect(pkey.to_der).to eq(rsa.public_key.to_der)
+    end
+  end
+
   let(:plaintext) { 'quick brown fox jumped over the lazy dog' }
   describe '#encrypt' do
     it "generates a symmetric encryption key and encrypts the plaintext with the public key" do

data/spec/keystore_spec.rb

@@ -10,6 +10,14 @@ describe Slosilo::Keystore do
       adapter['test'].to_der.should == rsa.to_der
     end
 
+    it "refuses to store a key with a nil id" do
+      expect { subject.put(nil, key) }.to raise_error(ArgumentError)
+    end
+
+    it "refuses to store a key with an empty id" do
+      expect { subject.put('', key) }.to raise_error(ArgumentError)
+    end
+
     it "passes the Slosilo key to the adapter" do
       adapter.should_receive(:put_key).with "test", key
       subject.put :test, key

data/spec/sequel_adapter_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'sequel'
-require 'io_helper'
+require 'io/grab'
 
 require 'slosilo/adapters/sequel_adapter'
 
@@ -56,65 +56,120 @@ describe Slosilo::Adapters::SequelAdapter do
     end
   end
 
-  context do
+  shared_context "database" do
     let(:db) { Sequel.sqlite }
     before do
-      Slosilo::encryption_key = Slosilo::Symmetric.new.random_key
       subject.unstub :create_model
-      Sequel::Model.cache_anonymous_models = false
+      begin
+        Sequel::Model.cache_anonymous_models = false
+      rescue NoMethodError # sequel 4.0 moved the method
+        Sequel.cache_anonymous_models = false
+      end
       Sequel::Model.db = db
     end
+  end
 
-    context "with old schema" do
-      before do
-        db.create_table :slosilo_keystore do
-          String :id, primary_key: true
-          bytea :key, null: false
-        end
-        subject.put_key 'test', key
-      end
-
-      context "after migration" do
-        before { subject.migrate! }
+  shared_context "encryption key" do
+    before do
+      Slosilo.encryption_key = Slosilo::Symmetric.new.random_key
+    end
+  end
 
-        it "supports look up by id" do
-          subject.get_key("test").should == key
-        end
+  context "with old schema" do
+    include_context "encryption key"
+    include_context "database"
 
-        it "supports look up by fingerprint, without a warning" do
-          STDERR.grab do
-            subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
-          end.should be_empty
-        end
+    before do
+      db.create_table :slosilo_keystore do
+        String :id, primary_key: true
+        bytea :key, null: false
       end
+      subject.put_key 'test', key
+    end
+
+    context "after migration" do
+      before { subject.migrate! }
 
       it "supports look up by id" do
         subject.get_key("test").should == key
       end
 
-      it "supports look up by fingerprint, but issues a warning" do
-        STDERR.grab do
+      it "supports look up by fingerprint, without a warning" do
+        $stderr.grab do
           subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
-        end.should_not be_empty
+        end.should be_empty
       end
     end
 
-    context "with current schema" do
-      before do
-        Sequel.extension :migration
-        require 'slosilo/adapters/sequel_adapter/migration.rb'
-        Sequel::Migration::descendants.first.apply db, :up
-        subject.put_key 'test', key
-      end
+    it "supports look up by id" do
+      subject.get_key("test").should == key
+    end
 
+    it "supports look up by fingerprint, but issues a warning" do
+      $stderr.grab do
+        subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
+      end.should_not be_empty
+    end
+  end
 
-      it "supports look up by id" do
-        subject.get_key("test").should == key
-      end
+  shared_context "current schema" do
+    include_context "database"
+    before do
+      Sequel.extension :migration
+      require 'slosilo/adapters/sequel_adapter/migration.rb'
+      Sequel::Migration.descendants.first.apply db, :up
+    end
+  end
 
-      it "supports look up by fingerprint" do
-        subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
-      end
+  context "with current schema" do
+    include_context "encryption key"
+    include_context "current schema"
+    before do
+      subject.put_key 'test', key
+    end
+
+    it "supports look up by id" do
+      subject.get_key("test").should == key
+    end
+
+    it "supports look up by fingerprint" do
+      subject.get_by_fingerprint(key.fingerprint).should == [key, 'test']
+    end
+  end
+
+  context "with an encryption key", :wip do
+    include_context "encryption key"
+    include_context "current schema"
+
+    it { should be_secure }
+
+    it "saves the keys in encrypted form" do
+      subject.put_key 'test', key
+
+      expect(db[:slosilo_keystore][id: 'test'][:key]).to_not eq(key.to_der)
+      expect(subject.get_key 'test').to eq(key)
+    end
+  end
+
+  context "without an encryption key", :wip do
+    before do
+      Slosilo.encryption_key = nil
+    end
+
+    include_context "current schema"
+
+    it { should_not be_secure }
+
+    it "refuses to store a private key" do
+      expect { subject.put_key 'test', key }.to raise_error(Slosilo::Error::InsecureKeyStorage)
+    end
+
+    it "saves the keys in plaintext form" do
+      pkey = key.public
+      subject.put_key 'test', pkey
+
+      expect(db[:slosilo_keystore][id: 'test'][:key]).to eq(pkey.to_der)
+      expect(subject.get_key 'test').to eq(pkey)
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,6 +1,10 @@
 require "simplecov"
 SimpleCov.start
 
+RSpec.configure do |c|
+  c.treat_symbols_as_metadata_keys_with_true_values = true
+end
+
 require 'slosilo'
 
 shared_context "with mock adapter" do

metadata

@@ -1,97 +1,111 @@
 --- !ruby/object:Gem::Specification
 name: slosilo
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.0.0
 platform: ruby
 authors:
 - Rafał Rzepecki
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-24 00:00:00.000000000 Z
+date: 2014-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.14'
 - !ruby/object:Gem::Dependency
   name: ci_reporter
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.9'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: io-grab
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.1
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: This gem provides an easy way of storing and retrieving encryption keys
@@ -102,8 +116,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .kateproject
+- ".gitignore"
+- ".kateproject"
 - Gemfile
 - LICENSE
 - README.md
@@ -116,22 +130,17 @@ files:
 - lib/slosilo/adapters/sequel_adapter.rb
 - lib/slosilo/adapters/sequel_adapter/migration.rb
 - lib/slosilo/attr_encrypted.rb
-- lib/slosilo/http_request.rb
+- lib/slosilo/errors.rb
 - lib/slosilo/key.rb
 - lib/slosilo/keystore.rb
-- lib/slosilo/rack/middleware.rb
 - lib/slosilo/random.rb
 - lib/slosilo/symmetric.rb
 - lib/slosilo/version.rb
 - lib/tasks/slosilo.rake
 - slosilo.gemspec
 - spec/file_adapter_spec.rb
-- spec/http_request_spec.rb
-- spec/http_stack_spec.rb
-- spec/io_helper.rb
 - spec/key_spec.rb
 - spec/keystore_spec.rb
-- spec/rack_middleware_spec.rb
 - spec/random_spec.rb
 - spec/sequel_adapter_spec.rb
 - spec/slosilo_spec.rb
@@ -147,28 +156,24 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Store SSL keys in a database
 test_files:
 - spec/file_adapter_spec.rb
-- spec/http_request_spec.rb
-- spec/http_stack_spec.rb
-- spec/io_helper.rb
 - spec/key_spec.rb
 - spec/keystore_spec.rb
-- spec/rack_middleware_spec.rb
 - spec/random_spec.rb
 - spec/sequel_adapter_spec.rb
 - spec/slosilo_spec.rb

data/lib/slosilo/http_request.rb

@@ -1,59 +0,0 @@
-module Slosilo
-  # A mixin module which simplifies generating signed and encrypted requests.
-  # It's designed to be mixed into a standard Net::HTTPRequest object
-  # and ensures the request is signed and optionally encrypted before execution.
-  # Requests prepared this way will be recognized by Slosilo::Rack::Middleware.
-  #
-  # As an example, you can use it with RestClient like so:
-  #   RestClient.add_before_execution_proc do |req, params|
-  #     require 'slosilo'
-  #     req.extend Slosilo::HTTPRequest
-  #     req.keyname = :somekey
-  #   end
-  #
-  # The request won't be encrypted unless you set the destination keyname.
-  
-  module HTTPRequest
-    # Encrypt the request with key named @keyname from Slosilo::Keystore. 
-    # If calling this manually, make sure to encrypt before signing.
-    def encrypt!
-      return unless @keyname
-      return unless body && !body.empty?
-      self.body, key = Slosilo[@keyname].encrypt body
-      self['X-Slosilo-Key'] = Base64::urlsafe_encode64 key
-    end
-    
-    # Sign the request with :own key from Slosilo::Keystore. 
-    # If calling this manually, make sure to encrypt before signing.
-    def sign!
-      token = Slosilo[:own].signed_token signed_data
-      self['Timestamp'] = token["timestamp"]
-      self['X-Slosilo-Signature'] = token["signature"]
-    end
-    
-    # Build the data hash to sign.
-    def signed_data
-      data = { "path" => path, "body" => [body].pack('m0') }
-      if key = self['X-Slosilo-Key']
-        data["key"] = key
-      end
-      if authz = self['Authorization']
-        data["authorization"] = authz
-      end
-      data
-    end
-    
-    # Encrypt, sign and execute the request.
-    def exec *a
-      # we need to hook here because the body might be set
-      # in several ways and here it's hopefully finalized
-      encrypt!
-      sign!
-      super *a
-    end
-    
-    # Name of the key used to encrypt the request. 
-    # Use it to establish the identity of the receiver.
-    attr_accessor :keyname
-  end
-end

data/lib/slosilo/rack/middleware.rb

@@ -1,123 +0,0 @@
-module Slosilo
-  module Rack
-    # Con perform verification of request signature and decryption of request body.
-    #
-    # Signature verification and body decryption are enabled with constructor switches and are 
-    # therefore performed (or not) for all requests.
-    #
-    # When signature verification is performed, the following elements are included in the 
-    # signature string:
-    # 
-    # 1. Request path and query string
-    # 2. base64 encoded request body
-    # 3. Request timestamp from HTTP_TIMESTAMP
-    # 4. Body encryption key from HTTP_X_SLOSILO_KEY (if present)
-    # 
-    # When body decryption is performed, an encryption key for the message body is encrypted
-    # with this service's public key and placed in HTTP_X_SLOSILO_KEY. This middleware
-    # decryps the key using our :own private key, and then decrypts the body using the decrypted key.
-    class Middleware
-      class EncryptionError < SecurityError
-      end
-      class SignatureError < SecurityError
-      end
-
-      def initialize app, opts = {}
-        @app = app
-        @encryption_required = opts[:encryption_required] || false
-        @signature_required = opts[:signature_required] || false
-      end
-      
-      def call env
-        @env = env
-        @body = env['rack.input'].read rescue ""
-        
-        begin
-          verify
-          decrypt
-        rescue EncryptionError
-          return error 403, $!.message
-        rescue SignatureError
-          return error 401, $!.message
-        end
-        
-        @app.call env
-      end
-      
-      private
-      def verify
-        if signature
-          raise SignatureError, "Bad signature" unless Slosilo.token_valid?(token)
-        else
-          raise SignatureError, "Signature required" if signature_required?
-        end
-      end
-      
-      attr_reader :env
-      
-      def token
-        return nil unless signature
-        t = { "data" => { "path" => path, "body" => [body].pack('m0') }, "timestamp" => timestamp, "signature" => signature }
-        t["data"]["key"] = encoded_key if encoded_key
-        t['data']['authorization'] = env['HTTP_AUTHORIZATION'] if env['HTTP_AUTHORIZATION']
-        t
-      end
-      
-      def path
-        env['SCRIPT_NAME'] + env['PATH_INFO'] + query_string
-      end
-      
-      def query_string
-        if env['QUERY_STRING'].empty?
-          ''
-        else
-          '?' + env['QUERY_STRING']
-        end
-      end
-
-      attr_reader :body
-      
-      def timestamp
-        env['HTTP_TIMESTAMP']
-      end
-      
-      def signature
-        env['HTTP_X_SLOSILO_SIGNATURE']
-      end
-      
-      def encoded_key
-        env['HTTP_X_SLOSILO_KEY']
-      end
-      
-      def key
-        if encoded_key
-          Base64::urlsafe_decode64(encoded_key)
-        else
-          raise EncryptionError, "Encryption required" if encryption_required?
-        end
-      end
-      
-      def decrypt
-        return unless key
-        plaintext = Slosilo[:own].decrypt body, key
-        env['rack.input'] = StringIO.new plaintext
-      rescue EncryptionError
-        raise unless body.empty? || body.nil?
-      rescue Exception => e
-        raise EncryptionError, "Bad encryption", e.backtrace
-      end
-      
-      def error status, message
-        [status, { 'Content-Type' => 'text/plain', 'Content-Length' => message.length.to_s }, [message] ]
-      end
-      
-      def encryption_required?
-        @encryption_required
-      end
-      
-      def signature_required?
-        @signature_required
-      end
-    end
-  end
-end

data/spec/http_request_spec.rb

@@ -1,107 +0,0 @@
-require 'spec_helper'
-
-describe Slosilo::HTTPRequest do
-  let(:keyname) { :bacon }
-  let(:encrypt) { subject.encrypt! }
-  subject { Hash.new }
-  before do 
-    subject.extend Slosilo::HTTPRequest
-    subject.keyname = keyname
-  end
-  
-  describe "#sign!" do
-    let(:own_key) { double "own key" }
-    before { Slosilo.stub(:[]).with(:own).and_return own_key }
-    
-    let(:signed_data) { "this is the truest truth" }
-    before { subject.stub signed_data: signed_data }
-    let(:timestamp) { "long time ago" }
-    let(:signature) { "seal of approval" }
-    let(:token) { { "data" => signed_data, "timestamp" => timestamp, "signature" => signature } }
-    
-    it "makes a token out of the data to sign and inserts headers" do
-      own_key.stub(:signed_token).with(signed_data).and_return token
-      subject.should_receive(:[]=).with 'Timestamp', timestamp
-      subject.should_receive(:[]=).with 'X-Slosilo-Signature', signature
-      subject.sign!
-    end
-  end
-  
-  describe "#signed_data" do
-    before { subject.stub path: :path, body: 'body' }
-    context "when X-Slosilo-Key not present" do
-      its(:signed_data) { should == { "path" => :path, "body" => "Ym9keQ==" } }
-    end
-    
-    context "when X-Slosilo-Key is present" do
-      before { subject.merge! 'X-Slosilo-Key' => :key } 
-      its(:signed_data) { should == { "path" => :path, "body" => "Ym9keQ==", "key" => :key } }
-    end
-  end
-  
-  describe "#encrypt!" do
-    context "when key not set" do
-      before { subject.keyname = nil }
-      it "does nothing" do
-        subject.should_not_receive(:body=)
-        encrypt
-      end
-    end
-    
-    context "when requested key does not exist" do
-      before { Slosilo.stub(:[]).and_return nil }
-      it "raises error" do
-        expect{ encrypt }.to raise_error
-      end
-    end
-    
-    context "when the key exists" do
-      let(:key) { double "key" }
-      context "when the body is not empty" do
-        let(:plaintext) { "Keep your solutions close, and your problems closer." }
-        let(:ciphertext) { "And, when you want something, all the universe conspires in helping you to achieve it." }
-        let(:skey) { "make me sound like a fool instead" }
-        before do 
-          subject.stub body: plaintext
-          key.stub(:encrypt).with(plaintext).and_return([ciphertext, skey])
-          Slosilo.stub(:[]).with(keyname).and_return key
-        end
-        
-        it "encrypts the message body and adds the X-Slosilo-Key header" do
-          subject.should_receive(:body=).with ciphertext
-          subject.should_receive(:[]=).with 'X-Slosilo-Key', Base64::urlsafe_encode64(skey)
-          encrypt
-        end
-      end
-      
-      context "when the body is empty" do
-        before { subject.stub body: "" }
-        it "doesn't set the key header" do
-          subject.should_not_receive(:[]=).with 'X-Slosilo-Key'
-          encrypt
-        end
-      end
-    end
-  end
-  
-  describe "#exec" do
-    class Subject
-      def exec *a
-        "ok, got it"
-      end
-
-      def initialize keyname
-        extend Slosilo::HTTPRequest
-        self.keyname = keyname
-      end
-    end
-    
-    subject { Subject.new keyname }
-
-    it "encrypts, then signs and delegates to the superclass" do
-      subject.should_receive(:encrypt!).once.ordered
-      subject.should_receive(:sign!).once.ordered
-      subject.exec(:foo).should == "ok, got it"
-    end
-  end
-end

data/spec/http_stack_spec.rb

@@ -1,44 +0,0 @@
-require 'spec_helper'
-
-describe "http request stack" do
-  include_context "with example key"
-  include_context "with mock adapter"
-  before { Slosilo[:own] = key }
-
-  class MockRequest < Hash
-    def exec *a
-    end
-    
-    def [] name
-      name = name.sub(/^HTTP_/,'').gsub('_', '-').split(/(\W)/).map(&:capitalize).join
-      result = super name
-    end
-    
-    def initialize
-      extend Slosilo::HTTPRequest
-      self['Authorization'] = "Simon says it's fine"
-    end
-  end
-  
-  subject { MockRequest.new }
-  let(:path) { '/some/path' }
-
-  context "with authorization header" do
-    it "works" do
-      mw = Slosilo::Rack::Middleware.new lambda{|_|:ok}, signature_required: true
-      subject.stub path: path, body: ''
-      mw.stub path: path
-      subject.send :exec
-      mw.call(subject).should == :ok
-    end
-    
-    it "detects tampering" do
-      mw = Slosilo::Rack::Middleware.new lambda{|_|:ok}, signature_required: true
-      subject.stub path: path, body: ''
-      mw.stub path: path
-      subject.send :exec
-      subject['Authorization'] = "Simon changed his mind"
-      mw.call(subject).should_not == :ok
-    end
-  end
-end

data/spec/io_helper.rb

@@ -1,18 +0,0 @@
-class IO
-  def grab &block
-    @grabbed_output = ""
-    class << self
-      def write arg
-        @grabbed_output += arg
-      end
-    end
-
-    begin
-      yield
-    ensure
-      singleton_class.send :remove_method, :write
-    end
-
-    @grabbed_output
-  end
-end

data/spec/rack_middleware_spec.rb

@@ -1,109 +0,0 @@
-require 'spec_helper'
-
-describe Slosilo::Rack::Middleware do
-  include_context "with example key"
-  mock_own_key
-  
-  let(:app) { double "app" }
-  subject { Slosilo::Rack::Middleware.new app }
-  
-  describe '#path' do
-    context "when QUERY_STRING is empty" do
-      let(:env) { { 'SCRIPT_NAME' => '/foo', 'PATH_INFO' => '/bar', 'QUERY_STRING' => '' } }
-      before { subject.stub env: env }
-      its(:path) { should == '/foo/bar' }
-    end
-    context "when QUERY_STRING is not" do
-      let(:env) { { 'SCRIPT_NAME' => '/foo', 'PATH_INFO' => '/bar', 'QUERY_STRING' => 'baz' } }
-      before { subject.stub env: env }
-      its(:path) { should == '/foo/bar?baz' }
-    end
-  end
-  
-  describe '#call' do
-    let(:call) { subject.call(env) }
-    let(:path) { "/this/is/the/path" }
-    before { subject.stub path: path }
-    context "when no X-Slosilo-Key is given" do
-      let(:env) { {} }
-      let(:result) { double "result" }
-      it "passes the env verbatim" do
-        app.should_receive(:call).with(env).and_return(result)
-        call.should == result
-      end
-
-      context "and X-Slosilo-Signature is given" do
-        let(:body) { "the body" }
-        let(:timestamp) { "long time ago" }
-        let(:signature) { "in blood" }
-        let(:env) { {'rack.input' => StringIO.new(body), 'HTTP_TIMESTAMP' => timestamp, 'HTTP_X_SLOSILO_SIGNATURE' => signature } }
-        let(:token) { { "data" => { "path" => path, "body" => "dGhlIGJvZHk=" }, "timestamp" => timestamp, "signature" => signature } }
-        context "when the signature is valid" do
-          before { Slosilo.stub(:token_valid?).with(token).and_return true }
-          it "passes the env verbatim" do
-            app.should_receive(:call).with(env).and_return(result)
-            call.should == result
-          end
-        end
-        context "when the signature is invalid" do
-          before { Slosilo.stub(:token_valid?).with(token).and_return false }
-          it "returns 401" do
-            call[0].should == 401
-          end
-        end
-      end
-
-      context "but encryption is required" do
-        subject { Slosilo::Rack::Middleware.new app, encryption_required: true }
-        context "and the body is not empty" do
-          let(:env) { {'rack.input' => StringIO.new('foo') } }
-          it "returns 403" do
-            status, headers, body = call
-            status.should == 403
-          end
-        end
-        context "but the body is empty" do
-          subject { Slosilo::Rack::Middleware.new app, encryption_required: true, signature_required: false }
-          let(:body) { "" }
-          let(:timestamp) { "long time ago" }
-          let(:env) { {'rack.input' => StringIO.new(body) } }
-          it "passes the env verbatim" do
-            app.should_receive(:call).with(env).and_return(result)
-            call.should == result
-          end
-        end
-      end
-    end
-    
-    context "when no X-Slosilo-Signature is given" do
-      context "but signature is required" do
-        let(:env) {{}}
-        subject { Slosilo::Rack::Middleware.new app, signature_required: true }
-        it "returns 401" do
-          status, headers, body = call
-          status.should == 401
-        end
-      end
-    end
-      
-    let(:plaintext) { "If you were taught that elves caused rain, every time it rained, you'd see the proof of elves." }
-    let(:skey) { "Eiho7xIoFj-Qwqc0swcQQJzJyM1sSv_b6VdRIoHCPRUwemB0v5MNyOirU_5dQ_bNzlmSlo8HDvfAnMgapwpIBH__uDUV_3nCkzrzQVV3-bSp6owJnqebeSQxJMoVMKEWqqek3ZCBPo0OB63A8mkYGu9955gDEDOnlxLkETGb3SmDQIVJtiMmAkUWN0fh9z1M9Ycw9FfworaHKQXRLw6z6Rl-Yoe_TDaiKVlGIYjQKpCz8h_I5lRdrhPJaP53d0yQuKMK3PBHMzE77IikZyQ3VZdoqI9XqzUJF27KehxJ_BCx0oAcPaxG6I7WWe3Xb7K7MhE4HgzqVZACDLhYfm_0XA==" }
-    let(:ciphertext) { "0\xDE\xE1\xBA=\x06+K\xE0\xCAD\xC6\xE3 d\xC7kx\x90\r\ni\xDCXmS!EP\xAB\xEF\xAA\x13{\x85f\x8FU,\xB3zO\x1F\x85\f\x0E\xAE\xF8\x10`\x1C\x94\xAB@\xFA\xBC\xC0/\x1F\xA6nX\xFF-m\xF4\xC3f\xBB\xCA\x05\xC82\x18l\xC3\xF0v\x96\v\x8F\xFC\xB2\xC7wX;\xF6v\xDCX:\xCC\xF8\xD7\x99\xC8\x1A\xBA\x9F\xDB\xE7\x0F\xF2\xC9f\aaGs\xEFc" }
-    context "when X-Slosilo-Key is given" do
-      context "when the key decrypts cleanly" do
-        let(:env) { {'HTTP_X_SLOSILO_KEY' => skey, 'rack.input' => StringIO.new(ciphertext) } }
-        it "passes the decrypted contents" do
-          app.should_receive(:call).with(rack_environment_with_input(plaintext)).and_return(:result)
-          call.should == :result
-        end
-      end
-      context "when the key is invalid" do
-        let(:env) { {'HTTP_X_SLOSILO_KEY' => "broken #{skey}", 'rack.input' => StringIO.new(ciphertext) } }
-        it "returns 403 status" do
-          status, headers, body = call
-          status.should == 403
-        end
-      end
-    end
-  end
-end