sso 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e1f2feee69f64105e38a748befeebe0de6d33a5
-  data.tar.gz: c0637201a0d104c075dc7c049eef0d9f381e0596
+  metadata.gz: b9660c9f78d14f395529c39a41a4355c7b0141cd
+  data.tar.gz: 56552af9e5cc37cae7ef084c68e80a0ac0a4d4c0
 SHA512:
-  metadata.gz: 3fbaa085b9054c762040a7a91f19999ce4a7745b388c431ff754f7b7c23ffc6ac21e15f8bc3cfeb995dd8803682cd363117f13577ccd4c7ddb24647f96a179db
-  data.tar.gz: 336dfa7ce8ee44a663fe2a8678c67966f021f4a2927fded0d239333877e9043e9fead2c503f1296d2df54b225e913cfbfed669d43ad612e3a9921679a710c346
+  metadata.gz: b86244b2218c89bdac9433bf12c69ee0119e834cc1ec2c9d24a260e5121c05810a28cfbdb70cb012032383e59c1969e8322e5be21a7ef67b10973de0af66c8a5
+  data.tar.gz: 2823fc5f108f37bda20eaf72c75abaa70db5a270cb5522fa7d2dee388e57d26990d8a2010d2d283946bf3cef28d36a62be6254eea09b7f0fe3af9319185f30f4

data/lib/sso.rb

@@ -1,10 +1,10 @@
 require 'operation'
 
 require 'sso/logging'
+require 'sso/meter'
 require 'sso/benchmarking'
-
-require 'sso/server/configuration'
-require 'sso/server/configure'
+require 'sso/configuration'
+require 'sso/configure'
 
 require 'sso/client/omniauth/strategies/sso'
 

data/lib/sso/benchmarking.rb

@@ -2,13 +2,17 @@ module SSO
   # Helper to log results of benchmarks.
   module Benchmarking
     include ::SSO::Logging
+    include ::SSO::Meter
 
-    def benchmark(name, &block)
+    def benchmark(name: nil, metric: nil, &block)
+      return unless block_given?
       result = nil
       seconds = Benchmark.realtime do
         result = block.call
       end
-      info { "#{name} took #{(seconds * 1000).round}ms" }
+      milliseconds = (seconds * 1000).round
+      debug { "#{name || metric || 'Benchmark'} took #{milliseconds}ms" }
+      histogram key: metric, value: milliseconds if metric
       result
     end
   end

data/lib/sso/client/authentications/passport.rb

@@ -85,7 +85,7 @@ module SSO
         end
 
         def failure_rack_array
-          payload = { success: true, code: :passport_verification_failed }
+          payload = { success: false, code: :passport_verification_failed }
           [200, { 'Content-Type' => 'application/json' }, [payload.to_json]]
         end
 
@@ -121,7 +121,7 @@ module SSO
         end
 
         def decrypt_chip!
-          benchmark 'Passport chip decryption' do
+          benchmark(name: 'Passport chip decryption') do
             decipher = chip_digest
             decipher.decrypt
             decipher.key = chip_key

data/lib/sso/client/passport_verifier.rb

@@ -18,18 +18,22 @@ module SSO
         fetch_response { |failure| return failure }
         interpret_response
 
-      rescue JSON::ParserError
+      rescue ::JSON::ParserError
         error { 'SSO Server response is not valid JSON.' }
         error { response.inspect }
+        Operations.failure :server_response_not_parseable, object: response
+      end
+
+      def human_readable_timeout_in_ms
+        "#{timeout_in_milliseconds}ms"
       end
 
       private
 
       def fetch_response
-        yield Operations.failure(:server_unreachable, object: response)                   unless response.code == 200
+        yield Operations.failure(:server_unreachable, object: response)                   unless response.code.to_s == '200'
         yield Operations.failure(:server_response_not_parseable, object: response)        unless parsed_response
         yield Operations.failure(:server_response_missing_success_flag, object: response) unless response_has_success_flag?
-        yield Operations.failure(:server_response_unsuccessful, object: response)         unless parsed_response['success'].to_s == 'true'
         Operations.success :server_response_looks_legit
       end
 
@@ -130,7 +134,7 @@ module SSO
 
       def response!
         debug { "Fetching Passport from #{endpoint.inspect}" }
-        benchmark 'Passport authorization request' do
+        benchmark(name: 'Passport verification request', metric: 'client.passport.verification.duration') do
           ::HTTParty.get endpoint, timeout: timeout_in_seconds, query: query_params, headers: { 'Accept' => 'application/json' }
         end
       end
@@ -140,7 +144,7 @@ module SSO
       end
 
       def response_has_success_flag?
-        parsed_response && parsed_response.respond_to?(:key?) && parsed_response.key?('success')
+        parsed_response && parsed_response.respond_to?(:key?) && (parsed_response.key?('success') || parsed_response.key?(:success))
       end
 
     end

data/lib/sso/client/warden/hooks/after_fetch.rb

@@ -12,6 +12,7 @@ module SSO
         class AfterFetch
           include ::SSO::Logging
           include ::SSO::Benchmarking
+          include ::SSO::Meter
 
           attr_reader :passport, :warden, :options
           delegate :request, to: :warden
@@ -31,12 +32,14 @@ module SSO
             return unless passport.is_a?(::SSO::Client::Passport)
             verify
 
-          rescue Timeout::Error
+          rescue ::Timeout::Error
             error { 'SSO Server timed out. Continuing with last known authentication/authorization...' }
-            # meter status: :timeout, scope: scope, passport_id: user.passport_id, timeout_ms: human_readable_timeout_in_ms
+            meter :timeout, timeout_ms: verifier.human_readable_timeout_in_ms
+            Operations.failure :server_request_timed_out
 
           rescue => exception
             ::SSO.config.exception_handler.call exception
+            Operations.failure :client_exception_caught
           end
 
           private
@@ -53,14 +56,17 @@ module SSO
             verification.code
           end
 
+          def verification_object
+            verification.object
+          end
+
           def verify
             debug { "Validating Passport #{passport.id.inspect} of logged in #{passport.user.class} in scope #{warden_scope.inspect}" }
 
             case verification_code
             when :server_unreachable                    then server_unreachable!
             when :server_response_not_parseable         then server_response_not_parseable!
-            when :server_response_missing_success_flag! then server_response_missing_success_flag!
-            when :server_response_unsuccessful!         then server_response_unsuccessful!
+            when :server_response_missing_success_flag  then server_response_missing_success_flag!
             when :passport_valid                        then passport_valid!
             when :passport_valid_and_modified           then passport_valid_and_modified!(verification.object)
             when :passport_invalid                      then passport_invalid!
@@ -74,39 +80,54 @@ module SSO
             passport.modified!
             passport.user = modified_passport.user
             passport.state = modified_passport.state
-            # meter status: :valid, passport_id: user.passport_id
+            meter :valid_and_modified
+            Operations.success :valid_and_modified
           end
 
           def passport_valid!
             debug { 'Valid passport, no changes' }
             passport.verified!
-            # meter status: :valid, passport_id: user.passport_id
+            meter :valid
+            Operations.success :valid
           end
 
           def passport_invalid!
             info { 'Your Passport is not valid any more.' }
             warden.logout warden_scope
-            # meter status: :invalid, passport_id: user.passport_id
+            meter :invalid
+            Operations.failure :invalid
           end
 
           def server_unreachable!
-            error { "SSO Server responded with an unexpected HTTP status code (#{response.code.inspect} instead of 200)." }
+            error { "SSO Server responded with an unexpected HTTP status code (#{verification_code.inspect} instead of 200). #{verification_object.inspect}" }
+            meter :server_unreachable
+            Operations.failure :server_unreachable
           end
 
           def server_response_missing_success_flag!
             error { 'SSO Server response did not include the expected success flag.' }
+            meter :server_response_missing_success_flag
+            Operations.failure :server_response_missing_success_flag
           end
 
           def unexpected_server_response_status!
             error { "SSO Server response did not include a known passport status code. #{verification_code.inspect}" }
+            meter :unexpected_server_response_status
+            Operations.failure :unexpected_server_response_status
           end
 
           def server_response_not_parseable!
             error { 'SSO Server response could not be parsed at all.' }
+            meter :server_response_not_parseable
+            Operations.failure :server_response_not_parseable
           end
 
-          def meter(*_)
-            # This will be a hook for e.g. statistics, benchmarking, etc, measure everything
+          def meter(key, data = {})
+            options[:key] = "client.warden.hooks.after_fetch.#{key}"
+            options[:tags] = { scope: warden_scope }
+            data[:passport_id] = passport.id
+            options[:data] = data
+            track options
           end
 
           # TODO: Use ActionDispatch remote IP or you might get the Load Balancer's IP instead :(

data/lib/sso/client/warden/strategies/passport.rb

@@ -21,7 +21,7 @@ module SSO
               debug { "Persisting trusted Passport #{authentication.object.inspect}" }
               success! authentication.object
             else
-              debug { 'Authentication from Passport failed.' }
+              debug { 'Authentication from Passport on Client failed.' }
               debug { "Responding with #{authentication.object.inspect}" }
               custom! authentication.object
             end
@@ -31,7 +31,7 @@ module SSO
           end
 
           def passport_authentication
-            benchmark 'Passport proxy verification' do
+            benchmark(name: 'Passport proxy verification request', metric: 'client.passport.verification') do
               ::SSO::Client::Authentications::Passport.new(request).authenticate
             end
           end

data/lib/sso/{server/configuration.rb → configuration.rb}

@@ -2,6 +2,7 @@ require 'logger'
 
 module SSO
   class Configuration
+    include ::SSO::Logging
 
     # Server
 
@@ -54,6 +55,11 @@ module SSO
     end
     attr_writer :exception_handler
 
+    def metric
+      @metric || default_metric
+    end
+    attr_writer :metric
+
     def passport_chip_key
       @passport_chip_key || fail('You need to configure a secret passport_chip_key, see SSO::Configuration for more info.')
     end
@@ -110,8 +116,14 @@ module SSO
       end
     end
 
+    def default_metric
+      proc do |type:, key:, value:, tags:, data:|
+        debug { "Measuring #{type.inspect} with key #{key.inspect} and value #{value.inspect} and tags #{tags} and data #{data}" }
+      end
+    end
+
     def default_session_backend
-      fail('You need to configure session_backend, see SSO::Configuration for more info.') unless %w(developmen test).include?(environment)
+      fail('You need to configure session_backend, see SSO::Configuration for more info.') unless %w(development test).include?(environment)
     end
 
     def default_passport_verification_timeout_ms

data/lib/sso/meter.rb

@@ -0,0 +1,32 @@
+module SSO
+  module Meter
+    include ::SSO::Logging
+
+    def track(key:, value: 1, tags: nil, data: {})
+      data[:caller] = caller_name
+      # info { "Measuring increment #{key.inspect} with value #{value.inspect} and tags #{tags} and data #{data}" }
+      metric.call type: :increment, key: "sso.#{key}", value: value, tags: tags, data: data
+
+    rescue => exception
+      ::SSO.config.exception_handler.call exception
+    end
+
+    def histogram(key:, value:, tags: nil, data: {})
+      data[:caller] = caller_name
+      # info { "Measuring histogram #{key.inspect} with value #{value.inspect} and tags #{tags} and data #{data}" }
+      metric.call type: :histogram, key: "sso.#{key}", value: value, tags: tags, data: data
+
+    rescue => exception
+      ::SSO.config.exception_handler.call exception
+    end
+
+    def caller_name
+      self.class.name
+    end
+
+    def metric
+      ::SSO.config.metric
+    end
+
+  end
+end

data/lib/sso/server/authentications/passport.rb

@@ -15,7 +15,7 @@ module SSO
             result
           else
             # TODO: Prevent Flooding here.
-            debug { "The Passport authentication failed: #{result.code}" }
+            debug { "The Server Passport authentication failed: #{result.code}" }
             Operations.failure :passport_authentication_failed, object: failure_rack_array
           end
         end
@@ -73,7 +73,7 @@ module SSO
         # all passports simply because a load balancer is pointing to the wrong Rails application or something.
         #
         def failure_rack_array
-          payload = { success: true, code: :passport_invalid }
+          payload = { success: false, code: :passport_invalid }
           [200, { 'Content-Type' => 'application/json' }, [payload.to_json]]
         end
 

data/lib/sso/server/middleware/passport_destruction.rb

@@ -27,7 +27,7 @@ module SSO
         end
 
         def json_code(code)
-          [200, { 'Content-Type' => 'application/json' }, [{ success: true, code: code }.to_json]]
+          [200, { 'Content-Type' => 'application/json' }, [{ success: false, code: code }.to_json]]
         end
 
         def passports_path

data/lib/sso/server/middleware/passport_exchange.rb

@@ -19,16 +19,16 @@ module SSO
           end
 
           token = request.params['access_token']
-          debug { "Detected incoming Passport creation request for access token #{token.inspect}" }
+          debug { "Detected incoming Passport exchange request for access token #{token.inspect}" }
           access_token = ::Doorkeeper::AccessToken.find_by_token token
 
-          return json_code :access_token_not_found unless access_token
-          return json_code :access_token_invalid unless access_token.valid?
+          return json_error :access_token_not_found unless access_token
+          return json_error :access_token_invalid unless access_token.valid?
 
           finding = ::SSO::Server::Passports.find_by_access_token_id(access_token.id)
           if finding.failure?
             # This should never happen. Every Access Token should be connected to a Passport.
-            return json_code :passport_not_found
+            return json_error :passport_not_found
           end
           passport = finding.object
 
@@ -44,8 +44,8 @@ module SSO
           [200, { 'Content-Type' => 'application/json' }, [payload.to_json]]
         end
 
-        def json_code(code)
-          [200, { 'Content-Type' => 'application/json' }, [{ success: true, code: code }.to_json]]
+        def json_error(code)
+          [200, { 'Content-Type' => 'application/json' }, [{ success: false, code: code }.to_json]]
         end
 
         def passports_path

data/lib/sso/server/passport.rb

@@ -46,7 +46,7 @@ module SSO
       end
 
       def state!
-        result = benchmark 'Passport user state calculation' do
+        result = benchmark(name: 'Passport user state calculation') do
           OpenSSL::HMAC.hexdigest user_state_digest, user_state_key, user_state_base
         end
         debug { "The user state is #{result.inspect}" }
@@ -62,7 +62,7 @@ module SSO
       end
 
       def chip!
-        benchmark 'Passport chip encryption' do
+        benchmark(name: 'Passport chip encryption') do
           ensure_secret
           cipher = chip_digest
           cipher.encrypt

data/lib/sso/server/warden/strategies/passport.rb

@@ -20,8 +20,8 @@ module SSO
               debug { "Responding with #{authentication.object}" }
               custom! authentication.object
             else
-              debug { 'Authentication from Passport failed.' }
-              fail authentication.code
+              debug { 'Authentication from Passport on Server failed.' }
+              custom! authentication.object
             end
 
           rescue => exception
@@ -29,7 +29,7 @@ module SSO
           end
 
           def passport_authentication
-            benchmark 'Passport verification' do
+            benchmark(name: 'Passport verification') do
               ::SSO::Server::Authentications::Passport.new(request).authenticate
             end
           end

data/spec/dummy/app/controllers/sessions_controller.rb

@@ -2,7 +2,7 @@ class SessionsController < ApplicationController
   include ::SSO::Logging
   delegate :logout, to: :warden
 
-  before_action :not_json, only: [:new]
+  before_action :prevent_json, only: [:new]
 
   # POI
   def new
@@ -27,8 +27,9 @@ class SessionsController < ApplicationController
 
   private
 
-  def not_json
-    return unless request.format == :json
+  def prevent_json
+    return unless request.format.to_sym == :json
+    warn { "This request is asking for JSON where it shouldn't" }
     render status: :unauthorized, json: { status: :error, code: :authentication_failed }
   end
 

data/spec/lib/sso/benchmarking_spec.rb

@@ -0,0 +1,83 @@
+require 'spec_helper'
+
+RSpec.describe ::SSO::Benchmarking do
+
+  let(:instance) { MyTestNamespace::MyClass.new }
+
+  before do
+    stub_const 'MyTestNamespace', Module.new
+    stub_const 'MyTestNamespace::MyClass', Class.new { include SSO::Benchmarking }
+  end
+
+  describe '#benchmark' do
+    context 'without block' do
+      it 'is nil' do
+        expect(instance.benchmark).to be_nil
+      end
+    end
+
+    context 'block given' do
+      context 'without arguments' do
+        it 'returns what was passed in' do
+          duration = instance.benchmark { :something }
+          expect(duration).to eq :something
+        end
+
+        it 'logs' do
+          expect(instance).to receive(:debug) do |_, &block|
+            expect(block.call).to eq 'Benchmark took 0ms'
+          end
+          instance.benchmark {}
+        end
+
+        it 'does not meter' do
+          expect(::SSO.config).to_not receive(:metric)
+          instance.benchmark {}
+        end
+      end
+
+      context 'only with name' do
+        it 'logs with the name' do
+          expect(instance).to receive(:debug) do |_, &block|
+            expect(block.call).to eq 'Long calculation took 0ms'
+          end
+          instance.benchmark(name: 'Long calculation') {}
+        end
+
+        it 'does not meter' do
+          expect(instance).to_not receive(:histogram)
+          instance.benchmark(name: 'Long calculation') {}
+        end
+      end
+
+      context 'only with metric' do
+        it 'logs with the metric' do
+          expect(instance).to receive(:debug) do |_, &block|
+            expect(block.call).to eq 'blob.serialization took 0ms'
+          end
+          instance.benchmark(metric: 'blob.serialization') {}
+        end
+
+        it 'meters as histogram with the metric as name' do
+          expect(instance).to receive(:histogram).with key: 'blob.serialization', value: 0
+          instance.benchmark(metric: 'blob.serialization') {}
+        end
+      end
+
+      context 'with name and metric' do
+        it 'logs with the name' do
+          expect(instance).to receive(:debug) do |_, &block|
+            expect(block.call).to eq 'Synchronous encryption took 0ms'
+          end
+          instance.benchmark(name: 'Synchronous encryption', metric: 'encryption.aes') {}
+        end
+
+        it 'meters as histogram with the metric as name' do
+          expect(instance).to receive(:histogram).with key: 'encryption.aes', value: 0
+          instance.benchmark(name: 'Synchronous encryption', metric: 'encryption.aes') {}
+        end
+      end
+    end
+  end
+
+end

data/spec/lib/sso/client/warden/hooks/after_fetch_spec.rb

@@ -1,6 +1,6 @@
 require 'spec_helper'
 
-RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true do
+RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true, stub_benchmarks: true do
 
   # Client side
   let(:warden_env)      { {} }
@@ -10,6 +10,7 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
   let(:hook)            { described_class.new passport: client_passport, warden: warden, options: {} }
   let(:client_user)     { double :client_user, name: 'Good old client user' }
   let(:client_passport) { ::SSO::Client::Passport.new id: passport_id, secret: passport_secret, state: passport_state, user: client_user }
+  let(:operation)       { hook.call }
 
   # Shared
   let!(:oauth_app)      { create :outsider_doorkeeper_application }
@@ -34,6 +35,10 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
   context 'invalid passport' do
     let(:passport_secret) { SecureRandom.uuid }
 
+    before do
+      expect(warden).to receive :logout
+    end
+
     it 'does not verify the passport' do
       expect(client_passport).to_not be_verified
       hook.call
@@ -45,6 +50,20 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
       hook.call
       expect(client_passport).to_not be_modified
     end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :invalid
+    end
+
+    it 'meters the invalid passport' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.invalid', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
   end
 
   context 'user does not change' do
@@ -64,6 +83,20 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
       hook.call
       expect(client_passport.user.name).to eq 'Good old client user'
     end
+
+    it 'succeeds' do
+      expect(operation).to be_success
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :valid
+    end
+
+    it 'meters the invalid passport' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.valid', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
   end
 
   context 'user attribute changed which is not included in the state digest' do
@@ -88,6 +121,20 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
       hook.call
       expect(client_passport.user.name).to eq 'Good old client user'
     end
+
+    it 'succeeds' do
+      expect(operation).to be_success
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :valid
+    end
+
+    it 'meters the invalid passport' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.valid', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
   end
 
   context 'user attribute changed which results in a new state digest' do
@@ -112,6 +159,148 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
       hook.call
       expect(client_passport.user['name']).to eq server_user.name
     end
+
+    it 'succeeds' do
+      expect(operation).to be_success
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :valid_and_modified
+    end
+
+    it 'meters the invalid passport' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.valid_and_modified', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
+  end
+
+  context 'server request times out' do
+    before do
+      expect(::HTTParty).to receive(:get).and_raise ::Net::ReadTimeout
+    end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :server_request_timed_out
+    end
+
+    it 'meters the timeout' do
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.timeout', value: 1, tags: { scope: nil }, data: { timeout_ms: '100ms', passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
+  end
+
+  context 'server unreachable' do
+    before do
+      expect(::HTTParty).to receive(:get).and_return double(:response, code: 302)
+    end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :server_unreachable
+    end
+
+    it 'meters the timeout' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.server_unreachable', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
+  end
+
+  context 'server response not parseable' do
+    let(:response) { double :response, code: 200 }
+
+    before do
+      expect(::HTTParty).to receive(:get).and_return response
+      allow(response).to receive(:parsed_response).and_raise ::JSON::ParserError
+    end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :server_response_not_parseable
+    end
+
+    it 'meters the timeout' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.server_response_not_parseable', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
+  end
+
+  context 'server response has no success flag at all' do
+    let(:response) { double :response, code: 200, parsed_response: { some: :thing } }
+
+    before do
+      expect(::HTTParty).to receive(:get).and_return response
+    end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :server_response_missing_success_flag
+    end
+
+    it 'meters the timeout' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.server_response_missing_success_flag', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
+  end
+
+  context 'server behaves weirdly' do
+    let(:response) { double :response, code: 200, parsed_response: { success: true } }
+
+    before do
+      expect(::HTTParty).to receive(:get).and_return response
+    end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :unexpected_server_response_status
+    end
+
+    it 'meters the timeout' do
+      expect(::SSO.config.metric).to receive(:call).with type: :histogram, key: 'sso.client.passport.verification.duration', value: 42_000, tags: nil, data: { caller: 'SSO::Client::PassportVerifier' }
+      expect(::SSO.config.metric).to receive(:call).with type: :increment, key: 'sso.client.warden.hooks.after_fetch.unexpected_server_response_status', value: 1, tags: { scope: nil }, data: { passport_id: client_passport.id, caller: 'SSO::Client::Warden::Hooks::AfterFetch' }
+      hook.call
+    end
+  end
+
+  context 'client-side exception' do
+    before do
+      expect(::HTTParty).to receive(:get).and_raise ArgumentError
+    end
+
+    it 'fails' do
+      expect(operation).to be_failure
+    end
+
+    it 'has a useful error code' do
+      expect(operation.code).to eq :client_exception_caught
+    end
+  end
+
+  describe '.activate' do
+
+    it 'proxies the options to warden' do
+      expect(::Warden::Manager).to receive(:after_fetch).with(scope: :insider).and_yield :passport, :warden, :options
+      described_class.activate scope: :insider
+    end
   end
 
 end

data/spec/lib/sso/client/warden/strategies/passport_spec.rb

@@ -52,7 +52,7 @@ RSpec.describe SSO::Client::Warden::Strategies::Passport do
         expect(rack_array.size).to eq 3
         expect(rack_array[0]).to eq 200
         expect(rack_array[1]).to eq 'Content-Type' => 'application/json'
-        expect(rack_array[2]).to eq ['{"success":true,"code":"passport_verification_failed"}']
+        expect(rack_array[2]).to eq ['{"success":false,"code":"passport_verification_failed"}']
       end
       strategy.authenticate!
     end

data/spec/spec_helper.rb

@@ -34,6 +34,11 @@ RSpec.configure do |config|
   config.before :suite do
     DatabaseCleaner.strategy = :transaction
     DatabaseCleaner.clean_with :truncation
+    SSO.config.exception_handler = nil
+    SSO.config.passport_chip_key = nil
+    SSO.config.oauth_client_id = nil
+    SSO.config.oauth_client_secret = nil
+    SSO.config.metric = ::SSO::Test::Helpers.meter
   end
 
   config.before :each do
@@ -48,6 +53,10 @@ RSpec.configure do |config|
     SSO.config.exception_handler = proc { |exception| fail exception }
   end
 
+  config.before :each, stub_benchmarks: true do
+    stub_benchmarks
+  end
+
   config.after :each do
     Timecop.return
     SSO.config.exception_handler = nil

data/spec/support/sso/test/helpers.rb

@@ -4,6 +4,17 @@ module SSO
   module Test
     module Helpers
 
+      def self.meter
+        proc {}
+      end
+
+      def stub_benchmarks
+        allow(Benchmark).to receive(:realtime) do |&block|
+          block.call
+          42
+        end
+      end
+
       # Inspired by Warden::Spec::Helpers
       def env_with_params(path = '/', params = {}, env = {})
         method = params.delete(:method) || 'GET'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sso
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - halo
@@ -265,12 +265,13 @@ files:
 - lib/sso/client/passport_verifier.rb
 - lib/sso/client/warden/hooks/after_fetch.rb
 - lib/sso/client/warden/strategies/passport.rb
+- lib/sso/configuration.rb
+- lib/sso/configure.rb
 - lib/sso/logging.rb
+- lib/sso/meter.rb
 - lib/sso/server.rb
 - lib/sso/server/README.md
 - lib/sso/server/authentications/passport.rb
-- lib/sso/server/configuration.rb
-- lib/sso/server/configure.rb
 - lib/sso/server/doorkeeper/access_token_marker.rb
 - lib/sso/server/doorkeeper/grant_marker.rb
 - lib/sso/server/doorkeeper/resource_owner_authenticator.rb
@@ -324,6 +325,7 @@ files:
 - spec/dummy/db/schema.rb
 - spec/integration/oauth/authorization_code_spec.rb
 - spec/integration/oauth/password_spec.rb
+- spec/lib/sso/benchmarking_spec.rb
 - spec/lib/sso/client/authentications/passport_spec.rb
 - spec/lib/sso/client/warden/hooks/after_fetch_spec.rb
 - spec/lib/sso/client/warden/strategies/passport_spec.rb
@@ -403,6 +405,7 @@ test_files:
 - spec/dummy/Rakefile
 - spec/integration/oauth/authorization_code_spec.rb
 - spec/integration/oauth/password_spec.rb
+- spec/lib/sso/benchmarking_spec.rb
 - spec/lib/sso/client/authentications/passport_spec.rb
 - spec/lib/sso/client/warden/hooks/after_fetch_spec.rb
 - spec/lib/sso/client/warden/strategies/passport_spec.rb