smaak 0.0.10 → 0.1.0

data/spec/lib/smaak/client_spec.rb

@@ -3,70 +3,183 @@ require 'smaak'
 
 describe Smaak::Client do
   before :all do
-    @test_service_identity = 'service-to-talk-to'
+    @test_uri = "http://rubygems.org:80/gems/smaak"
+    @test_encrypt = false
+    @test_service_identifier = 'service-to-talk-to'
     @test_service_psk = 'testsharedsecret'
     @test_client_private_key = OpenSSL::PKey::RSA.new(4096)
     @test_service_private_key = OpenSSL::PKey::RSA.new(4096)
     @test_service_public_key = @test_service_private_key.public_key
     @test_data = {}
     @iut = Smaak::Client.new
-    @test_identity = 'test-client'
+    @test_identifier = 'test-client-1.cpt1.host-h.net'
     @test_token_life = 5
-    @iut.set_identity(@test_identity)
+    @iut.set_identifier(@test_identifier)
     @iut.set_private_key(@test_client_private_key)
     @iut.set_token_life(@test_token_life)
-    @iut.add_association(@test_service_identity, @test_service_public_key, @test_service_psk)
+    @iut.add_association(@test_service_identifier, @test_service_public_key, @test_service_psk, @test_encrypt)
+
+    @request = Net::HTTP::Post.new(@test_uri)
+    @request.body = "body-data"
+    @test_adaptor = Smaak::NetHttpAdaptor.new(@request)
   end
 
-  context "when given an identity" do
-    it "should remember an identity provided" do
+  context "when given an identifier" do
+    it "should remember an identifier provided" do
       iut = Smaak::Client.new
-      expect(iut.identity).to eq(nil)
-      iut.set_identity('test-client')
-      expect(iut.identity).to eq('test-client')
+      expect(iut.identifier).to eq(nil)
+      iut.set_identifier(@test_identifier)
+      expect(iut.identifier).to eq(@test_identifier)
+    end
+
+    it "should raise an ArgumentError if an identifier is not provided" do
+      expect {
+        @iut.set_identifier(nil)
+      }.to raise_error ArgumentError, "Invalid identifier"
+      expect {
+        @iut.set_identifier("")
+      }.to raise_error ArgumentError, "Invalid identifier"
+      expect {
+        @iut.set_identifier("  ")
+      }.to raise_error ArgumentError, "Invalid identifier"
     end
   end
 
-  context "when asked to build an auth header destined for an associate" do
+  context "when asked to sign a request destined for an associate" do
     it "should raise an ArgumentError if the associate is unknown" do
       expect{
-        @iut.build_auth_header("unknown")
+        @iut.sign_request("unknown", nil)
       }.to raise_error ArgumentError, "Associate invalid"
       expect{
-        @iut.build_auth_header(nil)
+        @iut.sign_request(nil, nil)
       }.to raise_error ArgumentError, "Associate invalid"
     end
 
-    it "should compile the auth message data using the associate details" do
-      expect(Smaak).to receive(:compile_auth_message_data).with(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity, @test_data)
-      @iut.build_auth_header(@test_service_identity)
+    it "should raise an ArgumentError if an adaptor was not provided" do
+      expect {
+        @iut.sign_request(@test_service_identifier, nil)
+      }.to raise_error ArgumentError, "Invalid adaptor"
     end
 
-    it "should build the message" do
-      expect(Smaak).to receive(:generate_nonce).twice().and_return(12345)
-      test_message_data = Smaak::compile_auth_message_data(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity, @test_data)
-      expect(Smaak).to receive(:build_message).with(test_message_data)
-      expect{
-        @iut.build_auth_header(@test_service_identity)
-      }.to raise_error
+    it "should create a new auth message using the associate details" do
+      expect(Smaak::AuthMessage).to receive(:create).with(@test_service_public_key.export, @test_service_psk, @test_token_life, @test_identifier, @test_encrypt)
+      expect {
+        @iut.sign_request(@test_service_identifier, @test_adaptor)
+      }.to raise_error NoMethodError
+    end
+
+    it "should encrypt the request body if the associate is configured for encryption" do
+      @iut.add_association('encrypted', @test_service_public_key, @test_service_psk, true)
+      expect(Smaak::Crypto).to receive(:encrypt).with(@test_adaptor.body, @test_service_public_key).and_return(@test_adaptor.body)
+      @iut.sign_request('encrypted', @test_adaptor)
+    end
+
+    it "should not encrypt the request body if the associate is not configure for encryption" do
+      expect(Smaak::Crypto).not_to receive(:encrypt)
+      @iut.sign_request(@test_service_identifier, @test_adaptor)
     end
 
     it "should sign the message" do
-      expect(Smaak).to receive(:generate_nonce).twice().and_return(12345)
-      test_message_data = Smaak::compile_auth_message_data(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity, @test_data)
-      expect(Smaak).to receive(:sign_message_data).with(test_message_data, @test_client_private_key)
-      expect{
-        @iut.build_auth_header(@test_service_identity)
+      expect(Smaak).to receive(:sign_authorization_headers)
+      @iut.sign_request(@test_service_identifier, @test_adaptor)
+    end
+
+    it "should return the adaptor with the signed request" do
+      expect(@iut.sign_request(@test_service_identifier, @test_adaptor)).to eq(@test_adaptor)
+    end 
+  end
+
+  context "when asked to help the developer by providing GET and POST requests given an associate, URI, body, ssl and ssl verify option" do
+    it "should compile a Net::HTTP request" do
+      url = URI.parse(@test_uri)
+      expect(Net::HTTP).to receive(:new).with(url.host, url.port)
+      expect {
+        @iut.get(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+      }.to raise_error
+    end
+
+    it "should set the method to GET if requested" do
+      url = URI.parse(@test_uri)
+      expect(Net::HTTP::Get).to receive(:new).with(url.to_s)
+      expect {
+        @iut.get(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
       }.to raise_error
     end
 
-    it "should place the message and its signature (encoded base64) in a JSON dictionary" do
-      expect(Smaak).to receive(:generate_nonce).twice().and_return(12345)
-      test_message_data = Smaak::compile_auth_message_data(@test_service_public_key, @test_service_psk, @test_token_life, @test_identity, @test_data)
-      test_signature = Smaak::sign_message_data(test_message_data, @test_client_private_key)
-      test_message = Smaak::build_message(test_message_data)
-      test_envelope = { 'message' => test_message, 'signature' => Base64.encode64(test_signature) }.to_json
-      expect(@iut.build_auth_header(@test_service_identity)).to eq(test_envelope)
+    it "should set the method to POST if requested" do
+      url = URI.parse(@test_uri)
+      expect(Net::HTTP::Post).to receive(:new).with(url.to_s)
+      expect {
+        @iut.post(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+      }.to raise_error
+    end
+
+    it "should set use_ssl appropriately" do
+      url = URI.parse(@test_uri)
+      mock_http = double(Net::HTTP)
+      expect(Net::HTTP).to receive(:new).with(url.host, url.port).and_return(mock_http)
+      expect(mock_http).to receive(:use_ssl=).with(false)
+      expect {
+        @iut.get(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+      }.to raise_error
+    end
+
+    it "should configure ssl verification appropriately" do
+      url = URI.parse(@test_uri)
+      mock_http = double(Net::HTTP)
+      expect(Net::HTTP).to receive(:new).with(url.host, url.port).and_return(mock_http)
+      expect(mock_http).to receive(:use_ssl=).with(false)
+      expect(mock_http).to receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_NONE)
+      expect {
+        @iut.get(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+      }.to raise_error
+    end
+
+    it "should set the body appropriately" do
+      url = URI.parse(@test_uri)
+      mock_req = double(Net::HTTP::Post)
+      expect(Net::HTTP::Post).to receive(:new).with(url.to_s).and_return(mock_req)
+      expect(mock_req).to receive(:body=).with(@test_body)
+      expect {
+        @iut.post(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+      }.to raise_error
+    end
+
+    it "should connect using the URI provided" do
+      url = URI.parse(@test_uri)
+      mock_http = Net::HTTP.new(url.host, url.port)
+      mock_req = Net::HTTP::Post.new(url.to_s)
+      expect(Net::HTTP).to receive(:new).with(url.host, url.port).and_return(mock_http)
+      expect(Net::HTTP::Post).to receive(:new).with(url.to_s).and_return(mock_req)
+      expect(mock_http).to receive(:request).with(mock_req)
+      @iut.post(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+    end
+
+    it "should decrypt the response body if the request was encrypted" do
+      @iut.add_association('encrypted', @test_service_public_key, @test_service_psk, true)
+      url = URI.parse(@test_uri)
+      mock_http = Net::HTTP.new(url.host, url.port)
+      mock_req = Net::HTTP::Post.new(url.to_s)
+      expect(Net::HTTP).to receive(:new).with(url.host, url.port).and_return(mock_http)
+      expect(Net::HTTP::Post).to receive(:new).with(url.to_s).and_return(mock_req)
+      mock_response = ""
+      expect(mock_response).to receive(:body).and_return ""
+      expect(mock_response).to receive(:body=)
+      expect(mock_http).to receive(:request).with(mock_req).and_return(mock_response)
+      expect(Smaak::Crypto).to receive(:encrypt).and_return ""
+      expect(Smaak::Crypto).to receive(:decrypt).with("", @iut.key)
+      
+      @iut.post('encrypted', @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)
+    end
+
+    it "should return the response" do
+      url = URI.parse(@test_uri)
+      mock_http = Net::HTTP.new(url.host, url.port)
+      mock_req = Net::HTTP::Post.new(url.to_s)
+      expect(Net::HTTP).to receive(:new).with(url.host, url.port).and_return(mock_http)
+      expect(Net::HTTP::Post).to receive(:new).with(url.to_s).and_return(mock_req)
+      expect(mock_http).to receive(:request).with(mock_req).and_return "response"
+      expect(@iut.post(@test_service_identifier, @test_uri, @test_body, false, OpenSSL::SSL::VERIFY_NONE)).to eql("response")
     end
   end
 end

data/spec/lib/smaak/crypto_spec.rb

@@ -0,0 +1,94 @@
+require './spec/spec_helper.rb'
+
+describe Smaak::Crypto do
+  before :all do
+    @private_key = OpenSSL::PKey::RSA.new(4096)
+    @data = {'a' => 'B'}.to_json
+    @bdata = Base64::strict_encode64(@data)
+    @digest = OpenSSL::Digest::SHA256.new
+    @signature = @private_key.sign(@digest, @bdata)
+    @public_key = @private_key.public_key
+  end
+
+  context "when asked to obfuscate a clear-text psk" do
+    it "should reverse the psk and apply an MD5 hexadecimal digest to the result" do
+      expect(Smaak::Crypto::obfuscate_psk('sharedsecret')).to eq(Digest::MD5.hexdigest('sharedsecret'.reverse))
+    end
+  end
+
+  context "when asked to generate a nonce" do
+    it "should generate a random nonce with at most 1 in a ten billion probability of a consecutive clash" do
+      expect(SecureRandom).to receive(:random_number).with(10000000000)
+      Smaak::Crypto::generate_nonce
+    end
+
+    it "should generate a different nonce every time with high probability (less than 1 in 10000) given a history of 1000000 nonces" do
+      repeat = {}
+      failed = 0
+      threshold = 1000000
+      for i in 1..threshold do
+        value = Smaak::Crypto::generate_nonce
+        failed = failed + 1 if repeat[value] == 1
+        repeat[value] = 1
+      end
+      failed_p = (failed.to_f / threshold) * 100
+      puts "I've seen #{failed_p} % of nonces before in #{threshold} generations"
+      expect(failed_p < 0.01).to eq(true)
+    end
+  end
+
+  context "when asked to encode data using base 64" do
+    it "should encode the data without newlines or line feeds using base 64 (strict)" do
+      data = "some data"
+      expect(Smaak::Crypto::encode64(data)).to eq(Base64.strict_encode64(data))
+    end
+  end
+
+  context "when asked to decode data using base 64" do
+    it "should decode the data using base 64 (strict)" do
+      expect(Smaak::Crypto::decode64(Base64.strict_encode64("some data"))).to eq("some data")
+    end
+  end
+
+  context "when asked to sign data given a private key" do
+    it "should sign a strict Base64 representation of the data with the key using a 256 bit SHA digest" do
+      expect(Smaak::Crypto::sign_data(@data, @private_key)).to eq(@signature)
+    end
+  end
+
+  context "when asked to verify a signature given data and a public key" do
+    it "should verify using a 256 bit SHA digest" do
+      expect(OpenSSL::Digest::SHA256).to receive(:new).and_return(@digest)
+      Smaak::Crypto::verify_signature(@signature, @bdata, @public_key)
+    end 
+
+    it "should return true when the signature is verified by the public key" do
+      expect(Smaak::Crypto::verify_signature(@signature, @bdata, @public_key)).to eq(true)
+    end
+
+    it "should return false when the signature cannot be verified by the public key" do
+      other_key = OpenSSL::PKey::RSA.new(4096).public_key
+      expect(Smaak::Crypto::verify_signature(@signature, @bdata, other_key)).to eq(false)
+    end
+  end
+
+  context "when asked to encrypt data given a public key" do
+    it "should return a base64 representation of the data encrypted with the public key" do
+      expect(@private_key.private_decrypt(Base64.strict_decode64(Smaak::Crypto::encrypt(@data, @public_key)))).to eq(@data)
+    end
+  end
+
+  context "when asked to decrypt encrypted data given a private key" do
+    it "should return a decryption using the private key of a base64 decode of the data" do
+      expect(Smaak::Crypto::decrypt(Base64.strict_encode64(@public_key.public_encrypt(@data)), @private_key)).to eq(@data)
+    end
+  end
+
+  context "when asked to sync data from an IO stream" do
+    it "should sink all data from the stream, collating when nil is read" do
+      mock_stream = double(Object)
+      allow(mock_stream).to receive(:gets).and_return("a", "b", nil)
+      expect(Smaak::Crypto::sink(mock_stream)).to eq("ab")
+    end
+  end
+end

data/spec/lib/smaak/server_spec.rb

@@ -2,26 +2,34 @@ require './spec/spec_helper.rb'
 require 'smaak'
 require 'mock/request.rb'
 
+def mock_auth_message(env)
+  request = Rack::Request.new(env)
+  adaptor = Smaak::create_adaptor(request)
+  @iut.build_auth_message_from_request(adaptor)
+end
+
 describe Smaak::Server do
   before :all do
     @iut = Smaak::Server.new
     @iut.set_token_life(2)
-    @test_nonce = 1234567890
+    @test_nonce = "1234567890"
     @test_server_private_key = OpenSSL::PKey::RSA.new(4096)
     @test_psk = "testpresharedkey"
     @test_server_public_key = @test_server_private_key.public_key
-    @test_identity = 'test-service'
+    @test_identifier = 'test-service-1.cpt1.host-h.net'
+    @message = Smaak::AuthMessage.new(@test_identifier, @test_nonce, Time.now.to_i, @test_psk, @test_server_public_key.export, false)
+    @iut.add_association(@test_identifier, @test_server_public_key, @test_psk, false)
+    @iut.set_public_key(@test_server_public_key)
+    @iut.set_private_key(@test_server_private_key)
   end
 
   before :each do
-    @test_message_data = { 'recipient' => @test_server_public_key.export,
-                           'identity' => @test_identity,
-                           'psk' => Smaak::obfuscate_psk(@test_psk),
-                           'expires' => Time.now.to_i + 10,
-                           'nonce' => @test_nonce }
-    @message = Smaak::AuthMessage.new(Smaak::build_message(@test_message_data))
     @iut.nonce_store[@test_nonce] = nil
     expect(@iut.nonce_store[@test_nonce]).to eq(nil)
+
+    @test_expires = "#{Time.now.to_i + 5}"
+    @env = {"CONTENT_LENGTH" => "25", "REQUEST_METHOD" => "POST", "PATH_INFO" => "/gems/smaak", "HTTP_X_SMAAK_ENCRYPT" => "false", "HTTP_X_SMAAK_RECIPIENT" => Base64.strict_encode64(@test_server_public_key.export), "HTTP_X_SMAAK_IDENTIFIER" => @test_identifier, "HTTP_X_SMAAK_NONCE" => @test_nonce, "HTTP_X_SMAAK_EXPIRES" => @test_expires, "HTTP_X_SMAAK_PSK" => Smaak::Crypto::obfuscate_psk(@test_psk) }
+    @auth_message = mock_auth_message(@env)
   end
 
   context "when initialized" do
@@ -31,7 +39,36 @@ describe Smaak::Server do
 
     it "should not know its own public key" do
       iut = Smaak::Server.new
-      expect(iut.public_key).to eq(nil)
+      expect(iut.key).to eq(nil)
+    end
+
+    it "should not know its own private key" do
+      iut = Smaak::Server.new
+      expect(iut.private_key).to eq(nil)
+    end
+  end
+
+  context "when given a private key" do
+    it "should remember its private key" do
+      @iut.set_private_key(@test_server_private_key)
+      expect(@iut.private_key).to eql(@test_server_private_key)
+    end
+
+    it "should validate and adapt the key before assignment" do
+      expect(@iut).to receive(:adapt_rsa_key).with(@test_server_private_key)
+      @iut.set_private_key(@test_server_private_key)
+    end
+  end
+
+  context "when given a public key" do
+    it "should remember its public key" do
+      @iut.set_key(@test_server_public_key)
+      expect(@iut.key).to eql(@test_server_public_key)
+    end
+
+    it "should validate and adapt the key before assignment" do
+      expect(@iut).to receive(:adapt_rsa_key).with(@test_server_public_key)
+      @iut.set_private_key(@test_server_public_key)
     end
   end
 
@@ -69,27 +106,140 @@ describe Smaak::Server do
     end
   end
 
-  context "when asked to verify a message given a signature" do
-    before :each do
-      @signature = Smaak::sign_message_data(@test_message_data, @test_server_private_key)
-      @iut.set_public_key(@test_server_public_key.export)
-      @iut.add_association(@test_identity, @test_server_public_key.export, @test_psk)
+  context "when asked to build an AuthMessage from a request received" do
+    it "should decode the x-smaak-recipient header using base64 to obtain the recipient publc key" do
+      expect(@auth_message.recipient).to eql(@test_server_public_key.export)
     end
 
-    it "should look up the identity specified in the message and retrieve its public key from the associations store" do
-      expect(@iut.verify_auth_message(@message, @signature)).to eq(@test_identity)
+    it "should set the psk to the x-smaak-psk header value" do
+      expect(@auth_message.psk).to eql(Smaak::Crypto::obfuscate_psk(@test_psk))
     end
 
-    it "should look up the identity specified in the message and retrieve its PSK from the associations store" do
-      expect(@iut.verify_auth_message(@message, @signature)).to eq(@test_identity)
+    it "should set expires to the x-smaak-expires header value" do
+      expect(@auth_message.expires).to eql(@test_expires)
     end
 
-    it "should check nonce uniqueness and return false if not unique" do
-      expect(@iut.auth_message_unique?(@message)).to eq(true)
-      expect(@iut.verify_auth_message(@message, @signature)).to eq(false)
+    it "should set the identifier to the x-smaak-identifier header value" do
+      expect(@auth_message.identifier).to eql(@test_identifier)
+    end
+
+    it "should set the nonce to the x-smaak-nonce header value" do
+      expect(@auth_message.nonce).to eql(@test_nonce)
+    end
+
+    it "should return the auth_message" do
+      expect(@auth_message.is_a?(Smaak::AuthMessage)).to eql(true)
     end
   end
 
-  context "when asked to get the message and signature from a signed auth request" do
+  context "when asked to verify an auth message" do
+    it "should return false if the auth message is not unique" do
+      @iut.nonce_store[@test_nonce] = 1
+      expect(@iut.verify_auth_message(@auth_message)).to eql(false)
+    end
+
+    it "should return false if the auth_message is not intended for the recipient" do
+      env = @env
+      env["HTTP_X_SMAAK_RECIPIENT"] = Base64.strict_encode64("another-recipient")
+      auth_message = mock_auth_message(env)
+      expect(@iut.verify_auth_message(auth_message)).to eql(false)
+    end
+
+    it "should return false if the auth_message's pre-shared key does not match the association's, indexed by the auth message's identifier field" do
+      env = @env
+      env["HTTP_X_SMAAK_PSK"] = "doesnotmatch"
+      auth_message = mock_auth_message(env)
+      expect(@iut.verify_auth_message(auth_message)).to eql(false)
+    end
+
+    it "should return true if the message successfully verifies" do
+      expect(@iut.verify_auth_message(@auth_message)).to eql(true)
+    end
+  end
+
+  context "when asked to verify a signed request" do
+    it "should create an adaptor for the request" do
+      expect(Smaak).to receive(:create_adaptor).with(@request)
+      expect {
+        @iut.verify_signed_request(@request)
+      }.to raise_error
+    end
+
+    it "should build an auth message using the adaptor" do
+      mock_adaptor = double(Smaak::RackAdaptor)
+      expect(Smaak).to receive(:create_adaptor).with(@request).and_return(mock_adaptor)
+      expect(@iut).to receive(:build_auth_message_from_request).with(mock_adaptor)
+      expect {
+        @iut.verify_signed_request(@request)
+      }.to raise_error
+    end
+
+    it "should return false if the constructed auth message cannot be verified" do
+      mock_adaptor = double(Smaak::RackAdaptor)
+      expect(Smaak).to receive(:create_adaptor).with(@request).and_return(mock_adaptor)
+      expect(@iut).to receive(:build_auth_message_from_request).with(mock_adaptor).and_return(@auth_message)
+      expect(@iut).to receive(:verify_auth_message).and_return false
+      expect(@iut.verify_signed_request(@request)).to eql(false)
+    end
+
+    it "should decrypt the request body if the auth_message indicates encryption" do
+      mock_adaptor = double(Smaak::RackAdaptor)
+      expect(Smaak).to receive(:create_adaptor).with(@request).and_return(mock_adaptor)
+      expect(@iut).to receive(:build_auth_message_from_request).with(mock_adaptor).and_return(@auth_message)
+      expect(@iut).to receive(:verify_auth_message).and_return true
+      allow(@auth_message).to receive(:encrypt).and_return true
+      expect(mock_adaptor).to receive(:body).and_return("body")
+      expect(Smaak::Crypto).to receive(:sink).with("body").and_return("body")
+      expect(Smaak::Crypto).to receive(:decrypt).with("body", @iut.private_key)
+      expect {
+        @iut.verify_signed_request(@request)
+      }.to raise_error
+    end
+
+    it "should return false, nil if the headers could not be authorized" do
+      mock_adaptor = double(Smaak::RackAdaptor)
+      expect(Smaak).to receive(:create_adaptor).with(@request).and_return(mock_adaptor)
+      expect(@iut).to receive(:build_auth_message_from_request).with(mock_adaptor).and_return(@auth_message)
+      expect(@iut).to receive(:verify_auth_message).and_return true
+      allow(@auth_message).to receive(:encrypt).and_return true
+      expect(mock_adaptor).to receive(:body).and_return("body")
+      expect(Smaak::Crypto).to receive(:sink).with("body").and_return("body")
+      expect(Smaak::Crypto).to receive(:decrypt).with("body", @iut.private_key).and_return("body")
+      expect(Smaak).to receive(:verify_authorization_headers).with(mock_adaptor, @test_server_public_key).and_return(false)
+      auth_message, body = @iut.verify_signed_request(@request)
+      expect(auth_message).to eql(false)
+      expect(body).to eql(nil)
+    end
+
+    it "should return the auth_message and the body if successfully verified" do
+      mock_adaptor = double(Smaak::RackAdaptor)
+      expect(Smaak).to receive(:create_adaptor).with(@request).and_return(mock_adaptor)
+      expect(@iut).to receive(:build_auth_message_from_request).with(mock_adaptor).and_return(@auth_message)
+      expect(@iut).to receive(:verify_auth_message).and_return true
+      allow(@auth_message).to receive(:encrypt).and_return true
+      expect(mock_adaptor).to receive(:body).and_return("body")
+      expect(Smaak::Crypto).to receive(:sink).with("body").and_return("body")
+      expect(Smaak::Crypto).to receive(:decrypt).with("body", @iut.private_key).and_return("body")
+      expect(Smaak).to receive(:verify_authorization_headers).with(mock_adaptor, @test_server_public_key).and_return(true)
+      auth_message, body = @iut.verify_signed_request(@request)
+      expect(auth_message).to eql(@auth_message)
+      expect(body).to eql("body")
+    end
+  end
+
+
+  context "when asked to compile a response" do
+    it "should return the data provided if the auth_message provided does not indicate encryption" do
+      expect(Smaak::Crypto).not_to receive(:encrypt)
+      result = @iut.compile_response(@auth_message, "data")
+      expect(result).to eql("data")
+    end
+
+    it "should return the data provided, encrypted with the public key of the associate identified by the auth_message if the auth_message provided indicates encryption" do
+      allow(@auth_message).to receive(:encrypt).and_return true
+      expect(Smaak::Crypto).to receive(:encrypt).with("data", @test_server_public_key).and_return("encrypted_data")
+      result = @iut.compile_response(@auth_message, "data")
+      expect(result).to eql("encrypted_data")
+    end
   end
 end

data/spec/lib/smaak/smaak_service_spec.rb

@@ -0,0 +1,52 @@
+require './spec/spec_helper.rb'
+
+class Tester < Smaak::SmaakService
+  attr_reader :configured
+
+  def self.mutex
+    @@mutex
+  end
+
+  def self.instance
+    @@instance
+  end
+
+  def configure_service
+    super
+    @configured = true
+  end
+end
+
+describe Smaak::SmaakService do
+  before :all do
+    @iut = Tester.get_instance
+  end
+
+  context "when initialized" do
+    it "should instantiate itself and remember it" do
+      expect(@iut.smaak_server.nil?).to eq(false)
+      expect(@iut.smaak_server.is_a?(Smaak::Server)).to eq(true)
+    end
+
+    it "should call configure_service as an IOC seam" do
+      expect(@iut.configured).to eq(true)
+    end
+  end
+
+  context "when asked for an instance of itself" do
+    it "should always return the same instance" do
+      a = Smaak::SmaakService.get_instance
+      b = Smaak::SmaakService.get_instance
+      c = Smaak::SmaakService.get_instance
+      expect(a).to eq(b)
+      expect(b).to eq(c)
+    end
+  end
+
+  context "as a singleton" do
+    it "should implement the singleton pattern and be thread-safe" do
+      expect(Tester::mutex.is_a? Mutex).to eq(true)
+      expect(Tester::instance.nil?).to eq(false)
+    end
+  end
+end