smaak 0.0.10 → 0.1.0

data/spec/lib/smaak/auth_message_spec.rb

@@ -3,128 +3,101 @@ require 'smaak'
 
 describe Smaak::AuthMessage do
   before :all do
-    @test_nonce = 1234567890
     @test_server_private_key = OpenSSL::PKey::RSA.new(4096)
+    @test_token_life = 10
+    @test_nonce = 1234567890
     @test_psk = "testpresharedkey"
     @test_server_public_key = @test_server_private_key.public_key
-    @test_identity = 'test-service'
+    @test_identity = "test-service"
+    @test_identifier = 'test-service-1.cpt1.host-h.net'
+    @test_recipient = @test_server_public_key.export
+    @test_encrypt = true
   end
 
   before :each do
-    @test_message_data = { 'recipient' => @test_server_public_key.export,
-                           'identity' => @test_identity,
-                           'psk' => Smaak::obfuscate_psk(@test_psk),
-                           'expires' => Time.now.to_i + 10,
-                           'nonce' => @test_nonce }
-    @test_message = Smaak::build_message(@test_message_data)
-
-    @iut = Smaak::AuthMessage.new(@test_message)
+    @test_expires = Time.now.to_i + @test_token_life
+    @iut = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, @test_encrypt)
   end
 
   context "when initialized" do
-    it "should raise an ArgumentError if no message is provided" do
+    it "should raise an ArgumentError if no identifier is provided" do
       expect {
-        Smaak::AuthMessage.new(nil)
-      }.to raise_error ArgumentError, "Message not specified"
-    end
-
-    it "should remember the message provided" do
-      expect(@iut.message).to eq(@test_message)
+        Smaak::AuthMessage.new(nil, nil, nil, nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid identifier set"
     end
 
-    it "should unpack the message data using Base64::decode and JSON.parse" do
-      expect(@iut.message_data).to eq(@test_message_data)
+    it "should raise an ArgumentError if no nonce is provided" do
+      expect {
+        Smaak::AuthMessage.new(@test_identifier, nil, nil, nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid nonce set"
     end
 
-    it "should raise an ArgumentError if the message does not have a valid expiry set" do
-      error = "Message must have a valid expiry set"
-
-      expired_data = @test_message_data.dup
-
-      expect {
-        expired_data['expires'] = ""
-        Smaak::AuthMessage.new(Smaak::build_message(expired_data))
-      }.to raise_error ArgumentError, error
+    it "should raise an ArgumentError if an invalid nonce is provided" do
       expect {
-        expired_data['expires'] = nil
-        Smaak::AuthMessage.new(Smaak::build_message(expired_data))
-      }.to raise_error ArgumentError, error
+        Smaak::AuthMessage.new(@test_identifier, 0, nil, nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid nonce set"
       expect {
-        expired_data['expires'] = 'sometimes'
-        Smaak::AuthMessage.new(Smaak::build_message(expired_data))
-      }.to raise_error ArgumentError, error
+        Smaak::AuthMessage.new(@test_identifier, 'invalid nonce', nil, nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid nonce set"
     end
 
-    it "should prevent its message from being changed" do
-      expect{
-        @iut.message = ""
-      }.to raise_error NoMethodError
+    it "should raise an ArgumentError if no expiry is provided" do
+      expect {
+        Smaak::AuthMessage.new(@test_identifier, @test_nonce, nil, nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid expiry set"
     end
 
-    it "should prevent its message data from being changed" do
-      expect{
-        @iut.message_data = ""
-      }.to raise_error NoMethodError
+    it "should raise an ArgumentError if an invalid expiry is provided" do
+      expect {
+        Smaak::AuthMessage.new(@test_identifier, @test_nonce, 0, nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid expiry set"
+      expect {
+        Smaak::AuthMessage.new(@test_identifier, @test_nonce, 'invalid expire', nil, nil, nil)
+      }.to raise_error ArgumentError, "Message must have a valid expiry set"
     end
 
-    it "should extract the identity from the message data and remember it" do
-      expect(@iut.identity).to eq("test-service")
+    it "should remember the identifier provided" do
+      expect(@iut.identifier).to eq(@test_identifier)
     end
 
-    it "should prevent its identity from being changed" do
-      expect{
-        @iut.identity = ""
-      }.to raise_error NoMethodError
+    it "should remember the nonce provided" do
+      expect(@iut.nonce).to eq(@test_nonce)
     end
 
-    it "should raise an ArgumentError if the message does not have a valid nonce set" do
-      error = "Message must have a valid nonce"
-
-      noncense_data = @test_message_data.dup
+    it "should remember the expiry provided" do
+      expect(@iut.expires).to eq(@test_expires)
+    end
 
-      expect {
-        noncense_data['nonce'] = "broken"
-        Smaak::AuthMessage.new(Smaak::build_message(noncense_data))
-      }.to raise_error ArgumentError, error
-      expect {
-        noncense_data['nonce'] = nil
-        Smaak::AuthMessage.new(Smaak::build_message(noncense_data))
-      }.to raise_error ArgumentError, error
-      expect {
-        noncense_data['nonce'] = 0
-        Smaak::AuthMessage.new(Smaak::build_message(noncense_data))
-      }.to raise_error ArgumentError, error
+    it "should remember the psk provided" do
+      expect(@iut.psk).to eq(Smaak::Crypto::obfuscate_psk(@test_psk))
     end
 
-    it "should extract the nonce from the message data and remember it" do
-      expect(@iut.nonce).to eq(@test_nonce)
+    it "should remember the recipient provided" do
+      expect(@iut.recipient).to eq(@test_recipient)
     end
 
-    it "should prevent its nonce from being changed" do
-      expect{
-        @iut.nonce = ""
-      }.to raise_error NoMethodError
+    it "should remember a boolean representation of whether encryption is required" do
+      expect(@iut.encrypt).to eq(true)
     end
 
-    it "should raise an ArgumentError if the message data does not contain an identity" do
-      error = "Message must have a valid identity set"
-      anonymous_data = @test_message_data.dup
-      anonymous_data['identity'] = nil
-      expect {
-        Smaak::AuthMessage.new(Smaak::build_message(anonymous_data))
-      }.to raise_error ArgumentError, error
-      anonymous_data['identity'] = ""
-      expect {
-        Smaak::AuthMessage.new(Smaak::build_message(anonymous_data))
-      }.to raise_error ArgumentError, error
+    it "should translate the encrypt parameter from string to boolean" do
+      iut = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, false)
+      expect(iut.encrypt).to eq(false)
+      
+      iut = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, true)
+      expect(iut.encrypt).to eq(true)
+      
+      iut = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, "false")
+      expect(iut.encrypt).to eq(false)
+      
+      iut = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, "true")
+      expect(iut.encrypt).to eq(true)
     end
   end
 
   context "when asked if it has expired" do
     it "should return true if the current timestamp exceeds that of the message expiry" do
-      expired_data = @test_message_data.dup
-      expired_data['expires'] = Time.now - 1
-      iut = Smaak::AuthMessage.new(Smaak::build_message(expired_data))
+      iut = Smaak::AuthMessage.new(@test_identifier, @test_nonce, Time.now - 1, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, false)
       expect(iut.expired?).to eq(true)
     end
 
@@ -133,54 +106,13 @@ describe Smaak::AuthMessage do
     end
   end
 
-  context "when asked if the signature is ok given a signature and public key" do
-    before :each do
-      @test_signature = Smaak::sign_message_data(@test_message_data, @test_server_private_key)
-    end
-
-    it "should return false if the public key provided is not the correct key for the signature" do
-      mismatched = OpenSSL::PKey::RSA.new(4096).public_key
-      expect(@iut.signature_ok?(@test_signature, mismatched)).to eq(false)
-    end
-
-    it "should return false if the signature is nil" do
-      expect(@iut.signature_ok?(nil, @test_server_public_key)).to eq(false)
-    end
-
-    it "should return false if the public key is nil" do
-      expect(@iut.signature_ok?(@test_signature, nil)).to eq(false)
-    end
-
-    it "should return false if OpenSSL cannot verify the message against the signature using the public key" do
-      broken = @test_message_data
-      broken['identity'] = 'suspect-identity'
-      iut = Smaak::AuthMessage.new(Smaak::build_message(broken))
-      expect(iut.signature_ok?(@test_signature, @test_server_public_key)).to eq(false)
-    end
-
-    it "should return true if OpenSSL succesfully verifies message against the signature using the public key" do
-      expect(@iut.signature_ok?(@test_signature, @test_server_public_key)).to eq(true)
-    end
-  end
-
   context "when asked whether a message's psk matched" do
-    it "should return false if no psk was provided" do
-      expect(@iut.psk_match?(nil)).to eq(false)
-    end
-
-    it "should return false if the message data does not include a psk" do
-      broken = @test_message_data
-      broken['psk'] = nil
-      iut = Smaak::AuthMessage.new(Smaak::build_message(broken))
-      expect(iut.psk_match?(@test_psk)).to eq(false)
-    end
-
     it "should return false if the PSKs do not match" do
       expect(@iut.psk_match?("doesnotmatch")).to eq(false)
     end
 
     it "should return true if the PSKs do match" do
-      expect(@iut.psk_match?(@test_psk)).to eq(false)
+      expect(@iut.psk_match?(@test_psk)).to eq(true)
     end
   end
 
@@ -190,13 +122,6 @@ describe Smaak::AuthMessage do
       expect(@iut.intended_for_recipient?(mismatched.export)).to eq (false)
     end
 
-    it "should return false if the message_data does not include a recipient" do
-      broken = @test_message_data
-      broken['recipient'] = nil
-      iut = Smaak::AuthMessage.new(Smaak::build_message(broken))
-      expect(iut.intended_for_recipient?(@test_server_public_key.export)).to eq (false)
-    end
-
     it "should return false if the public key is not specified" do
       expect(@iut.intended_for_recipient?(nil)).to eq (false)
     end
@@ -206,28 +131,34 @@ describe Smaak::AuthMessage do
     end
   end
 
-  context "when asked to verify the message using a signature" do
-    before :each do
-      @test_signature = Smaak::sign_message_data(@test_message_data, @test_server_private_key)
+  context "when asked to verify the message" do
+    it "should check message expiry and return false if the message has expired" do
+      expect(@iut).to(receive(:expired?)).and_return(true)
+      expect(@iut.verify(Smaak::Crypto::obfuscate_psk(@test_psk))).to eq(false)
     end
 
-    it "should check message expiry return false if the message has expired" do
-      expect(@iut).to(receive(:expired?)).and_return(true)
-      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+    it "should try and match the PSK and return false if it cannot" do
+      expect(@iut).to(receive(:psk_match?)).and_return(false)
+      expect(@iut.verify(Smaak::Crypto::obfuscate_psk(@test_psk))).to eq(false)
     end
 
-    it "should check the signature and return false if not OK" do
-      expect(@iut).to(receive(:signature_ok?)).and_return(false)
-      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+    it "should return true if the message was successfully verified" do
+      expect(@iut.verify(@test_psk)).to eq(true)
     end
+  end
 
-    it "should try and match the PSK and return false if it cannot" do
-      expect(@iut).to(receive(:psk_match?)).and_return(false)
-      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(false)
+  context "when asked to create an AuthMessage from scratch" do
+    it "should initialize with the recipient_public_key, psk, expires, identifier, nonce, encrypt provided, calculating expiry, generating a nonce, and obfuscating the PSK" do
+      allow(Smaak::Crypto).to receive(:generate_nonce).and_return(@test_nonce)
+      expect(Smaak::AuthMessage).to receive(:new).with(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, @test_encrypt)
+      Smaak::AuthMessage.create(@test_recipient, @test_psk, @test_token_life, @test_identifier, @test_encrypt)
     end
+  end
 
-    it "should return the identity specified in the message if the message was successfully verified" do
-      expect(@iut.verify(@test_signature, @test_server_public_key, @test_psk)).to eq(@test_identity)
+  context "when asked to build an AuthMessage from existing data" do
+    it "should initialize with the recipient_public_key, psk, expires, identifier, nonce, encrypt provided" do
+      expect(Smaak::AuthMessage).to receive(:new).with(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, @test_encrypt)
+      Smaak::AuthMessage.build(@test_recipient, Smaak::Crypto::obfuscate_psk(@test_psk), @test_expires, @test_identifier, @test_nonce, @test_encrypt)
     end
   end
 end

data/spec/lib/smaak/cavage_04_spec.rb

@@ -0,0 +1,231 @@
+require './spec/spec_helper.rb'
+
+describe Smaak::Cavage04 do
+  context "when signing headers" do
+    before :all do
+      @test_server_private_key = OpenSSL::PKey::RSA.new(4096)
+    end
+
+    before :each do
+      @request = Net::HTTP::Post.new("http://rubygems.org:80/gems/smaak")
+      @request.body = "body-data"
+      @adaptor = Smaak::NetHttpAdaptor.new(@request)
+      @iut = Smaak::Cavage04.new(@adaptor)
+      @test_token_life = 10
+      @test_nonce = 1234567890
+      @test_expires = Time.now.to_i + @test_token_life
+      @test_psk = "testpresharedkey"
+      @test_server_public_key = @test_server_private_key.public_key
+      @test_identity = "test-service"
+      @test_identifier = 'test-service-1.cpt1.host-h.net'
+      @test_recipient = @test_server_public_key.export
+      @test_encrypt = true
+      @auth_message = Smaak::AuthMessage.new(@test_identifier, @test_nonce, @test_expires, Smaak::Crypto::obfuscate_psk(@test_psk), @test_recipient, @test_encrypt)
+    end
+
+    context "as a specification implementation" do
+      it "should publish the specification that it is based on" do
+        expect(Smaak::Cavage04::SPECIFICATION.nil?).to eq(false)
+        expect(Smaak::Cavage04::SPECIFICATION.is_a? String).to eq(true)
+      end
+
+      it "should provide a list of headers to be signed" do
+        expect(Smaak::Cavage04::headers_to_be_signed.include? "host").to eq(true)
+        expect(Smaak::Cavage04::headers_to_be_signed.include? "date").to eq(true)
+        expect(Smaak::Cavage04::headers_to_be_signed.include? "digest").to eq(true)
+        expect(Smaak::Cavage04::headers_to_be_signed.include? "content-length").to eq(true)
+      end
+
+      it "should indicate that the specification specific header (request-target) is to be signed" do
+        expect(Smaak::Cavage04::headers_to_be_signed.include? "(request-target)").to eq(true)
+      end
+    end
+
+    context "when initialized" do
+      it "should raise an ArgumentError if no adaptor is provided" do
+        expect {
+          Smaak::Cavage04.new(nil)
+        }.to raise_error ArgumentError, "Must provide a valid request adaptor"
+      end
+
+      it "should remember an adaptor provided" do
+        expect(@iut.adaptor).to eq(@adaptor)
+      end
+
+      it "should set its headers to be signed to that of the specification and that of Smaak" do
+        Smaak::Cavage04::headers_to_be_signed.each do |header|
+          expect(@iut.headers_to_be_signed.include? header).to eq(true)
+        end
+        Smaak::headers_to_be_signed.each do |header|
+          expect(@iut.headers_to_be_signed.include? header).to eq(true)
+        end
+      end
+    end
+
+    context "when asked to compile the authorization header with signature speficied" do
+      it "should raise an ArgumentError if the signature is invalid" do
+        expect {
+          @iut.compile_auth_header(nil)
+        }.to raise_error ArgumentError, "invalid signature"
+        expect {
+          @iut.compile_auth_header("")
+        }.to raise_error ArgumentError, "invalid signature"
+        expect {
+          @iut.compile_auth_header("  ")
+        }.to raise_error ArgumentError, "invalid signature"
+        expect {
+          @iut.compile_auth_header(978)
+        }.to raise_error ArgumentError, "invalid signature"
+      end
+
+      context "when compiled" do
+        before :each do
+          @iut.adaptor.set_header("x-smaak-nonce", "12345")
+          @iut.adaptor.set_header("x-smaak-encrypt", "true")
+          @iut.compile_auth_header("signature")
+        end
+      
+        it "should indicate the use of RSA keys" do
+          expect(@iut.adaptor.request["authorization"].include?("keyId=\"rsa-key-1\"")).to eq(true)
+        end
+
+        it "should indicate the use of the rsa-sha256 algorithm" do
+           expect(@iut.adaptor.request["authorization"].include?("algorithm=\"rsa-sha256\"")).to eq(true)
+        end
+
+        it "should insert the signature in the header" do
+          expect(@iut.adaptor.request["authorization"].include?("signature=\"signature\"")).to eq(true)
+        end
+
+        it "should specify the order in which the headers that are signed appear in the request so that the signature can be verified by the receiver" do
+          expect(@iut.adaptor.request["authorization"].include?("\"x-smaak-nonce x-smaak-encrypt\"")).to eq(true)
+        end
+
+        it "should set the authorization header on the adaptor to the compiled header" do
+          expect(@iut.adaptor.request["authorization"]).to eq("Signature keyId=\"rsa-key-1\",algorithm=\"rsa-sha256\", headers=\"x-smaak-nonce x-smaak-encrypt\", signature=\"signature\"")
+        end
+      end
+    end
+
+    context "when asked to compile the headers to be included in the signature" do
+      it "should use an empty string as body if the body is not provided" do
+        @adaptor.request.body = nil
+        expect(Digest::SHA256).to receive(:hexdigest).with("").and_return(Digest::SHA256.hexdigest(""))
+        @iut.compile_signature_headers(@auth_message)
+      end
+
+      it "should set the authorization header to an empty string to preserve it at the top of the request headers list, in order not to interfere with the remaining headers' order" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["authorization"]).to eq("")
+      end
+
+      it "should set the host header to the adaptor request's host" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["host"]).to eq("rubygems.org")
+      end
+
+      it "should set the date header to the current timestamp, in GMT" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["date"]).to eq(Time.now.gmtime.to_s.gsub("UTC", "GMT"))
+      end
+
+      it "should set the digest header to a SHA256 hexadecimal digest of the body, labeled with SHA-256=" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["digest"]).to eq("SHA-256=#{Digest::SHA256.hexdigest(@request.body)}")
+      end
+
+      it "should set the x-smaak-recipient header to the base64 encoding of the message recipient's public key (source: auth_message), with no newlines" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["x-smaak-recipient"]).to eql(Base64.strict_encode64(@auth_message.recipient))
+      end
+
+      it "should set the x-smaak-psk header to the obfuscated pre-shared key (source: auth_message)" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["x-smaak-psk"]).to eql(@auth_message.psk)
+      end
+
+      it "should set the x-smaak-expires header to the expiry (source: auth_message)" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["x-smaak-expires"]).to eql("#{@auth_message.expires}")
+      end
+
+      it "should set the x-smaak-nonce header to the nonce (source: auth_message)" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["x-smaak-nonce"]).to eql("#{@auth_message.nonce}")
+      end
+
+      it "should set the x-smaak-encrypt header to the encryption choice (source: auth_message)" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["x-smaak-encrypt"]).to eql("#{@auth_message.encrypt}")
+      end
+
+      it "should set the content-type to text/plain" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["content-type"]).to eql("text/plain")
+      end
+
+      it "should set the content-length to the length of the adaptor's request body" do
+        @iut.compile_signature_headers(@auth_message)
+        expect(@iut.adaptor.request["content-length"]).to eql("#{@request.body.size}")
+      end
+
+      it "should compile and return (preserving insert order) the list of signature headers, pre-pended with the (request-target) header" do
+         headers = @iut.compile_signature_headers(@auth_message).split("\n")
+         expect(headers[0].split(":")[0]).to eql("(request-target)")
+         expect(headers[1].split(":")[0]).to eql("host")
+         expect(headers[2].split(":")[0]).to eql("date")
+         expect(headers[3].split(":")[0]).to eql("digest")
+         expect(headers[4].split(":")[0]).to eql("x-smaak-recipient")
+         expect(headers[5].split(":")[0]).to eql("x-smaak-identifier")
+         expect(headers[6].split(":")[0]).to eql("x-smaak-psk")
+         expect(headers[7].split(":")[0]).to eql("x-smaak-expires")
+         expect(headers[8].split(":")[0]).to eql("x-smaak-nonce")
+         expect(headers[9].split(":")[0]).to eql("x-smaak-encrypt")
+         expect(headers[10].split(":")[0]).to eql("content-length")
+      end
+
+      it "should not include int he list of signature headers non-signature headers" do
+         content_type_present = false
+         headers = @iut.compile_signature_headers(@auth_message).split("\n")
+         headers.each do |header|
+           content_type_present = true if header.split(":")[0] == "content-type"
+         end
+         expect(content_type_present).to eql(false)
+      end
+    end 
+  end
+
+  context "when receiving a signed header" do
+    before :each do
+      @env = \
+{"CONTENT_LENGTH"=>"25", "CONTENT_TYPE"=>"text/plain", "GATEWAY_INTERFACE"=>"CGI/1.1", "PATH_INFO"=>"/secure-service", "QUERY_STRING"=>"", "REMOTE_ADDR"=>"10.0.0.224", "REMOTE_HOST"=>"service-provider-public", "REQUEST_METHOD"=>"POST", "REQUEST_URI"=>"http://service-provider-internal:9393/secure-service", "SCRIPT_NAME"=>"", "SERVER_NAME"=>"service-provider-internal", "SERVER_PORT"=>"9393", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"WEBrick/1.3.1 (Ruby/2.0.0/2014-02-24)", "HTTP_ACCEPT_ENCODING"=>"gzip;q=1.0,deflate;q=0.6,identity;q=0.3", "HTTP_ACCEPT"=>"*/*", "HTTP_USER_AGENT"=>"Ruby", "HTTP_AUTHORIZATION"=>"Signature keyId=\"rsa-key-1\",algorithm=\"rsa-sha256\", headers=\"host date digest x-smaak-recipient x-smaak-identifier x-smaak-psk x-smaak-expires x-smaak-nonce x-smaak-encrypt content-length\", signature=\"RQgXQo+Fugz1ubgV1UAJvdPaNHiwTMtu0x+LNJ/7rvY5gaY5R88tUPtcFMzjRzw2QXtY5pettjfbq9LvISnW5MFG7p+goY4YsF4a6b7KgbU8RCAMLVyj4zWEIh/R+3WovuhcG8e5iLGN5/HGHkgDjZzi1a2WwU+tcwSwKBQ0BN+hKUV6haAHxUcNJ8bOgtnZZpSbD0megEmmBwiOjY5EsdM9wFMqGRrBWYV950xs/cPgO7Hjgq4kTnBiFC8Zkcz5zmkkokVE6VliNSPrqIZHm4fGk9UWyDYydlE+4z/wa4KrDs7/JXCQh+HF+BfSlnhG1xm9UT857o8Uz3j8ds4hvzUJyVcHX5B7wFln5szSFz5cdNFdMq6RP3e/TWGEV9J3sWi3pLymQog9jfkS1sjBSUxlc0Nh1hyiBFjybPZcbx6L77hsYV7dnCKF1z5UItvNj2JOkUCe+ppDkfhNxNkSUv9KBir+U+xJwDh+uyO/IAj8TB0cklsdnJNNHCDA4Mmi59RnA6uMsjOo6j7btkRF8nZmDvq0AWmgIUnwIWNWt13ecBH6u1Y03s5D09gX8sILKWuhC4oGEzjE7gBxrORn/MSPNAwAOsx/3ud4PFlOa7DGKApolpL0099w5QgFDqDYALujDdZC2GNgHCdoJqNLoMCEkyVWArvvgxtQ4Xq/0zU=\"", "HTTP_HOST"=>"service-provider-internal", "HTTP_DATE"=>"2015-06-23 13:40:07 GMT", "HTTP_DIGEST"=>"SHA-256=748957b58cc24d2bb9eb8f9c468571712a14f6a89ce936c0fb2d3c5016e4dbdc", "HTTP_X_SMAAK_RECIPIENT"=>"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFxL2tiYjdBNWllQWV1WlBBVnI3MAo5cjl1TkFzc2dmYkdjeGMzZTc3RDNndkY4U2tzbURNQmQyTUt5TUh0ZjBrM1pqSVdZemJJVG5jQXM1Nnd4cmRSClhiVHpIZnhjMll1dDMwd0ljR2YvUVk4ZTJXNmdMWko4aVM3MXlYb0JQNFpEc2lLSXd4ajFsenYyVFlXWnNSL3EKd28xSzBxZ1NzOXJJVEVkWDVqampycHBYWTdobHNPMGVKQ2JBRG0weEtnU1hMcFQycnJzUnJ2OFllRXFvZTRMaQpDOFd6RjZZRlh1U3RHR1E4SXlxbjdPaTN5aVU2WFc3OTl2cFpIeHJlaERYaytDalZuU0ZXWkVPUHg3cENpam9SCnlXb0gyUmR6QVpQczdVdVJWOUdGWWFQeHRudmttNVdVZDVTdWVCNlMxT2E4dVZ3UnpyeXl6WkRjdG0xdWs1VjIKUE0zLzFqbFJMbFJzTWxSeHdZUDRzaFMzVlhjTkdGYjkvbzkvTjkzbitKZUFpSGd4YU5pQjN6YVV0a05XWWs0Vgozang2d0psTythOUNxdGJJeXg2ZzdyTHhOanVqRFpRZTZGcUdsMzVkVDR5MHA2UmVuUWQ4b1p5aWw3dlpqSkJaCjluTWRJblMyU05wWUZFclBsb25rdXNZKzZsam9TbFNLMXVSRmd2S3dzeGE3RmROMXZWSnRJQk9qdVJzSk9DaHYKOTB2K0ZEQWwxSnNZVUNPUnByUmtMWXB2TWI4Q1BZaUlzb3JmTUdKNnI3NktYUEIzRS9xejRmaWJ1UmZVeWJxMgp5eGxRTVJKb216d1BPemUrbWRQUU5Hd3VTTjU0VnByYXhoNGFpcWtaUVBsSWpRb1dFaFVKRWxMb0NtQXZ4TmtxCmRBcVZJMXZ3cS9FRXFBTEh3amJKRXIwQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=", "HTTP_X_SMAAK_IDENTIFIER"=>"service-provider-public", "HTTP_X_SMAAK_PSK"=>"917e5f9bcf6d7c20a338d8a39bbf79ef", "HTTP_X_SMAAK_EXPIRES"=>"1435066809", "HTTP_X_SMAAK_NONCE"=>"6457661831", "HTTP_X_SMAAK_ENCRYPT"=>"false", "HTTP_CONNECTION"=>"close"}
+      @request = Rack::Request.new(@env)
+      @adaptor = Smaak::RackAdaptor.new(@request)
+      @iut = Smaak::Cavage04.new(@adaptor)
+    end
+
+    context "when asked to extract signature headers from a request" do
+      it "should find the signature headers list in the authorization header return them separated using spaces" do
+        expect(@iut.extract_signature_headers).to eq(\
+"(request-target): post /secure-service\nhost: service-provider-internal\ndate: 2015-06-23 13:40:07 GMT\ndigest: SHA-256=748957b58cc24d2bb9eb8f9c468571712a14f6a89ce936c0fb2d3c5016e4dbdc\nx-smaak-recipient: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFxL2tiYjdBNWllQWV1WlBBVnI3MAo5cjl1TkFzc2dmYkdjeGMzZTc3RDNndkY4U2tzbURNQmQyTUt5TUh0ZjBrM1pqSVdZemJJVG5jQXM1Nnd4cmRSClhiVHpIZnhjMll1dDMwd0ljR2YvUVk4ZTJXNmdMWko4aVM3MXlYb0JQNFpEc2lLSXd4ajFsenYyVFlXWnNSL3EKd28xSzBxZ1NzOXJJVEVkWDVqampycHBYWTdobHNPMGVKQ2JBRG0weEtnU1hMcFQycnJzUnJ2OFllRXFvZTRMaQpDOFd6RjZZRlh1U3RHR1E4SXlxbjdPaTN5aVU2WFc3OTl2cFpIeHJlaERYaytDalZuU0ZXWkVPUHg3cENpam9SCnlXb0gyUmR6QVpQczdVdVJWOUdGWWFQeHRudmttNVdVZDVTdWVCNlMxT2E4dVZ3UnpyeXl6WkRjdG0xdWs1VjIKUE0zLzFqbFJMbFJzTWxSeHdZUDRzaFMzVlhjTkdGYjkvbzkvTjkzbitKZUFpSGd4YU5pQjN6YVV0a05XWWs0Vgozang2d0psTythOUNxdGJJeXg2ZzdyTHhOanVqRFpRZTZGcUdsMzVkVDR5MHA2UmVuUWQ4b1p5aWw3dlpqSkJaCjluTWRJblMyU05wWUZFclBsb25rdXNZKzZsam9TbFNLMXVSRmd2S3dzeGE3RmROMXZWSnRJQk9qdVJzSk9DaHYKOTB2K0ZEQWwxSnNZVUNPUnByUmtMWXB2TWI4Q1BZaUlzb3JmTUdKNnI3NktYUEIzRS9xejRmaWJ1UmZVeWJxMgp5eGxRTVJKb216d1BPemUrbWRQUU5Hd3VTTjU0VnByYXhoNGFpcWtaUVBsSWpRb1dFaFVKRWxMb0NtQXZ4TmtxCmRBcVZJMXZ3cS9FRXFBTEh3amJKRXIwQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=\nx-smaak-identifier: service-provider-public\nx-smaak-psk: 917e5f9bcf6d7c20a338d8a39bbf79ef\nx-smaak-expires: 1435066809\nx-smaak-nonce: 6457661831\nx-smaak-encrypt: false\ncontent-length: 25")
+      end
+
+      it "should prepend the (request-target) header" do
+        expect(@iut.extract_signature_headers[0..15]).to eq("(request-target)")
+      end
+
+      it "should return the signature headers in the order expressed in the signature, so that signature verification can succeed" do
+        #host date digest x-smaak-recipient x-smaak-identifier x-smaak-psk x-smaak-expires x-smaak-nonce x-smaak-encrypt content-length
+        expect(@iut.extract_signature_headers).to eq(\
+"(request-target): post /secure-service\nhost: service-provider-internal\ndate: 2015-06-23 13:40:07 GMT\ndigest: SHA-256=748957b58cc24d2bb9eb8f9c468571712a14f6a89ce936c0fb2d3c5016e4dbdc\nx-smaak-recipient: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFxL2tiYjdBNWllQWV1WlBBVnI3MAo5cjl1TkFzc2dmYkdjeGMzZTc3RDNndkY4U2tzbURNQmQyTUt5TUh0ZjBrM1pqSVdZemJJVG5jQXM1Nnd4cmRSClhiVHpIZnhjMll1dDMwd0ljR2YvUVk4ZTJXNmdMWko4aVM3MXlYb0JQNFpEc2lLSXd4ajFsenYyVFlXWnNSL3EKd28xSzBxZ1NzOXJJVEVkWDVqampycHBYWTdobHNPMGVKQ2JBRG0weEtnU1hMcFQycnJzUnJ2OFllRXFvZTRMaQpDOFd6RjZZRlh1U3RHR1E4SXlxbjdPaTN5aVU2WFc3OTl2cFpIeHJlaERYaytDalZuU0ZXWkVPUHg3cENpam9SCnlXb0gyUmR6QVpQczdVdVJWOUdGWWFQeHRudmttNVdVZDVTdWVCNlMxT2E4dVZ3UnpyeXl6WkRjdG0xdWs1VjIKUE0zLzFqbFJMbFJzTWxSeHdZUDRzaFMzVlhjTkdGYjkvbzkvTjkzbitKZUFpSGd4YU5pQjN6YVV0a05XWWs0Vgozang2d0psTythOUNxdGJJeXg2ZzdyTHhOanVqRFpRZTZGcUdsMzVkVDR5MHA2UmVuUWQ4b1p5aWw3dlpqSkJaCjluTWRJblMyU05wWUZFclBsb25rdXNZKzZsam9TbFNLMXVSRmd2S3dzeGE3RmROMXZWSnRJQk9qdVJzSk9DaHYKOTB2K0ZEQWwxSnNZVUNPUnByUmtMWXB2TWI4Q1BZaUlzb3JmTUdKNnI3NktYUEIzRS9xejRmaWJ1UmZVeWJxMgp5eGxRTVJKb216d1BPemUrbWRQUU5Hd3VTTjU0VnByYXhoNGFpcWtaUVBsSWpRb1dFaFVKRWxMb0NtQXZ4TmtxCmRBcVZJMXZ3cS9FRXFBTEh3amJKRXIwQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=\nx-smaak-identifier: service-provider-public\nx-smaak-psk: 917e5f9bcf6d7c20a338d8a39bbf79ef\nx-smaak-expires: 1435066809\nx-smaak-nonce: 6457661831\nx-smaak-encrypt: false\ncontent-length: 25")
+      end
+    end
+
+    context "when asked to extract the signature from a request" do
+      it "should extract only the signature field from the request" do
+        expect(@iut.extract_signature).to eq("RQgXQo+Fugz1ubgV1UAJvdPaNHiwTMtu0x+LNJ/7rvY5gaY5R88tUPtcFMzjRzw2QXtY5pettjfbq9LvISnW5MFG7p+goY4YsF4a6b7KgbU8RCAMLVyj4zWEIh/R+3WovuhcG8e5iLGN5/HGHkgDjZzi1a2WwU+tcwSwKBQ0BN+hKUV6haAHxUcNJ8bOgtnZZpSbD0megEmmBwiOjY5EsdM9wFMqGRrBWYV950xs/cPgO7Hjgq4kTnBiFC8Zkcz5zmkkokVE6VliNSPrqIZHm4fGk9UWyDYydlE+4z/wa4KrDs7/JXCQh+HF+BfSlnhG1xm9UT857o8Uz3j8ds4hvzUJyVcHX5B7wFln5szSFz5cdNFdMq6RP3e/TWGEV9J3sWi3pLymQog9jfkS1sjBSUxlc0Nh1hyiBFjybPZcbx6L77hsYV7dnCKF1z5UItvNj2JOkUCe+ppDkfhNxNkSUv9KBir+U+xJwDh+uyO/IAj8TB0cklsdnJNNHCDA4Mmi59RnA6uMsjOo6j7btkRF8nZmDvq0AWmgIUnwIWNWt13ecBH6u1Y03s5D09gX8sILKWuhC4oGEzjE7gBxrORn/MSPNAwAOsx/3ud4PFlOa7DGKApolpL0099w5QgFDqDYALujDdZC2GNgHCdoJqNLoMCEkyVWArvvgxtQ4Xq/0zU=")
+      end
+    end
+  end
+end
+