13 files changed, 117 insertions, 79 deletions

diff --git a/users/Gemfile b/users/Gemfile
index 5e6ebd6..e30033a 100644
--- a/users/Gemfile
+++ b/users/Gemfile
@@ -1,17 +1,15 @@
 source "http://rubygems.org"
 
+eval(File.read(File.dirname(__FILE__) + '/../common_dependencies.rb'))
+eval(File.read(File.dirname(__FILE__) + '/../ui_dependencies.rb'))
+
+# We require leap_web_core from here so we can use the path option.
+gem "leap_web_core", :path => '../core'
+
 # Declare your gem's dependencies in leap_web_users.gemspec.
 # Bundler will treat runtime dependencies like base dependencies, and
 # development dependencies will be added by default to the :development group.
 gemspec
 
-# jquery-rails is used by the dummy application
-gem "jquery-rails"
-
-# Declare any dependencies that are still in development here instead of in
-# your gemspec. These might include edge Rails or gems from your path or
-# Git. Remember to move these dependencies to your gemspec before releasing
-# your gem to rubygems.org.
-
 # To use debugger
-gem 'ruby-debug'
+# gem 'ruby-debug'
diff --git a/users/Rakefile b/users/Rakefile
index cf5108e..38da5fc 100644
--- a/users/Rakefile
+++ b/users/Rakefile
@@ -1,4 +1,8 @@
 #!/usr/bin/env rake
+
+require 'rake/packagetask'
+require 'rubygems/package_task'
+
 begin
   require 'bundler/setup'
 rescue LoadError
@@ -20,8 +24,10 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-
-
+spec = eval(File.read('leap_web_users.gemspec'))
+Gem::PackageTask.new(spec) do |p|
+    p.gem_spec = spec
+end
 
 Bundler::GemHelper.install_tasks
 
diff --git a/users/Readme.md b/users/Readme.md
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/users/Readme.md
diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index b8043f5..284c0e2 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -9,7 +9,7 @@ class SessionsController < ApplicationController
     @user = User.find_by_param(params[:login])
     session[:handshake] = @user.initialize_auth(params['A'].hex)
     User.current = @user #?
-    render :json => { :B => session[:handshake].bb.to_s(16), :salt => @user.password_salt }
+    render :json => session[:handshake]
   rescue RECORD_NOT_FOUND
     render :json => {:errors => {:login => ["unknown user"]}}
   end
@@ -18,10 +18,10 @@ class SessionsController < ApplicationController
     # TODO: validate the id belongs to the session
     @user = User.find_by_param(params[:id])
     @srp_session = session.delete(:handshake)
-    @server_auth = @srp_session.authenticate!(params[:client_auth].hex)
+    @srp_session.authenticate!(params[:client_auth].hex)
     session[:user_id] = @user.id
     User.current = @user #?
-    render :json => {:M2 => "%064x" % @server_auth}
+    render :json => @srp_session
   rescue WRONG_PASSWORD
     session[:handshake] = nil
     render :json => {:errors => {"password" => ["wrong password"]}}
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index a6aab84..1afb9db 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -5,8 +5,19 @@ class User < CouchRest::Model::Base
   property :password_verifier, String, :accessible => true
   property :password_salt, String, :accessible => true
 
-  validates :login, :password_salt, :password_verifier, :presence => true
-  validates :login, :uniqueness => true
+  validates :login, :password_salt, :password_verifier,
+    :presence => true
+
+  validates :login,
+    :uniqueness => true
+
+  validates :login,
+    :format => { :with => /\A[A-Za-z\d_]+\z/,
+      :message => "Only letters, digits and _ allowed" }
+
+  validates :password_salt, :password_verifier,
+    :format => { :with => /\A[\dA-Fa-f]+\z/,
+      :message => "Only hex numbers allowed" }
 
   timestamps!
 
@@ -22,8 +33,8 @@ class User < CouchRest::Model::Base
     # valid set of attributes for testing
     def valid_attributes_hash
       { :login => "me",
-        :password_verifier => "1234",
-        :password_salt => "4321" }
+        :password_verifier => "1234ABC",
+        :password_salt => "4321AB" }
     end
 
   end
diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec
index 2bbb0b8..f64a76a 100644
--- a/users/leap_web_users.gemspec
+++ b/users/leap_web_users.gemspec
@@ -1,29 +1,21 @@
 $:.push File.expand_path("../lib", __FILE__)
 
-# Maintain your gem's version:
-require "leap_web_users/version"
-require "leap_web_core/dependencies"
+require File.expand_path('../../lib/leap_web/version.rb', __FILE__)
 
 # Describe your gem and declare its dependencies:
 Gem::Specification.new do |s|
   s.name        = "leap_web_users"
-  s.version     = LeapWebUsers::VERSION
+  s.version     = LeapWeb::VERSION
   s.authors     = ["Azul"]
   s.email       = ["azul@leap.se"]
   s.homepage    = "http://www.leap.se"
   s.summary     = "User registration and authorization for the leap platform"
   s.description = "This this plugin for the leap platform provides user signup and login. It uses Secure Remote Password for the authentication."
   
-  s.files = Dir["{app,config,db,lib}/**/*"] + ["MIT-LICENSE", "Rakefile", "README.rdoc"]
+  s.files = Dir["{app,config,db,lib}/**/*"] + ["Rakefile", "Readme.md"]
   s.test_files = Dir["test/**/*"]
 
-  s.add_dependency "rails", "~> 3.2.8"
-  s.add_dependency "leap_web_core", "~> 0.0.1"
-  s.add_dependency "couchrest_session_store", "~> 0.0.1"
-  s.add_dependency "ruby-srp", "~> 0.1.0"
-
-  LeapWebCore::Dependencies.add_ui_gems_to_spec(s)
-  
-  s.add_development_dependency "mocha"
+  s.add_dependency "leap_web_core", LeapWeb::VERSION
 
+  s.add_dependency "ruby-srp", "~> 0.1.1"
 end
diff --git a/users/lib/leap_web_users/engine.rb b/users/lib/leap_web_users/engine.rb
index b6ab60e..9b7545e 100644
--- a/users/lib/leap_web_users/engine.rb
+++ b/users/lib/leap_web_users/engine.rb
@@ -1,8 +1,7 @@
 # thou shall require all your dependencies in an engine.
-require "ruby-srp"
 require "leap_web_core"
-LeapWebCore::Dependencies.require_ui_gems
-
+require "leap_web_core/ui_dependencies"
+require "ruby-srp"
 
 module LeapWebUsers
   class Engine < ::Rails::Engine
diff --git a/users/lib/leap_web_users/version.rb b/users/lib/leap_web_users/version.rb
deleted file mode 100644
index 14e54c1..0000000
--- a/users/lib/leap_web_users/version.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-module LeapWebUsers
-  VERSION = "0.0.1"
-end
diff --git a/users/test/functional/sessions_controller_test.rb b/users/test/functional/sessions_controller_test.rb
index 7876d84..b6e56a7 100644
--- a/users/test/functional/sessions_controller_test.rb
+++ b/users/test/functional/sessions_controller_test.rb
@@ -8,7 +8,9 @@ class SessionsControllerTest < ActionController::TestCase
     @server_hex = 'b123'
     @server_rnd = @server_hex.hex
     @server_rnd_exp = 'e123'.hex
+    @salt = 'stub user salt'
     @server_handshake = stub :aa => @client_rnd, :bb => @server_rnd, :b => @server_rnd_exp
+    @server_auth = 'adfe'
   end
 
   test "should get login screen" do
@@ -21,11 +23,13 @@ class SessionsControllerTest < ActionController::TestCase
     user.expects(:initialize_auth).
       with(@client_rnd).
       returns(@server_handshake)
+    @server_handshake.expects(:to_json).
+     returns({'B' => @server_hex, 'salt' => @salt}.to_json)
     User.expects(:find_by_param).with(user.login).returns(user)
     post :create, :login => user.login, 'A' => @client_hex
     assert_equal @server_handshake, session[:handshake]
     assert_response :success
-    assert_json_response :B => @server_hex
+    assert_json_response :B => @server_hex, :salt => @salt
   end
 
   test "should report user not found" do
@@ -39,9 +43,11 @@ class SessionsControllerTest < ActionController::TestCase
   test "should authorize" do
     session[:handshake] = @server_handshake
     user = stub :login => "me", :id => 123
-    user.expects(:authenticate!).
-      with(@client_rnd, @server_handshake).
+    @server_handshake.expects(:authenticate!).
+      with(@client_rnd).
       returns(@server_auth)
+    @server_handshake.expects(:to_json).
+      returns({:M2 => @server_auth}.to_json)
     User.expects(:find_by_param).with(user.login).returns(user)
     post :update, :id => user.login, :client_auth => @client_hex
     assert_nil session[:handshake]
@@ -52,8 +58,8 @@ class SessionsControllerTest < ActionController::TestCase
   test "should report wrong password" do
     session[:handshake] = @server_handshake
     user = stub :login => "me", :id => 123
-    user.expects(:authenticate!).
-      with(@client_rnd, @server_handshake).
+    @server_handshake.expects(:authenticate!).
+      with(@client_rnd).
       raises(WRONG_PASSWORD)
     User.expects(:find_by_param).with(user.login).returns(user)
     post :update, :id => user.login, :client_auth => @client_hex
diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index e20bcf6..66de1e5 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
@@ -30,40 +30,39 @@ class AccountFlowTest < ActionDispatch::IntegrationTest
       :password_verifier => @srp.verifier.to_s(16),
       :password_salt => @srp.salt.to_s(16)
     }
+    post '/users.json', :user => @user_params
+    @user = User.find_by_param(@login)
   end
 
   def teardown
     @user.destroy if @user # make sure we can run this test again
   end
 
-  test "signup and login with srp via api" do
-    post '/users.json', :user => @user_params
-    @user = User.find_by_param(@login)
+  test "signup response" do
     assert_json_response @user_params.slice(:login, :password_salt)
     assert_response :success
-    server_auth = @srp.authenticate(self, @login, @password)
+  end
+
+  test "signup and login with srp via api" do
+    server_auth = @srp.authenticate(self)
     assert_nil server_auth["errors"]
     assert server_auth["M2"]
   end
 
   test "signup and wrong password login attempt" do
-    post '/users.json', :user => @user_params
-    @user = User.find_by_param(@login)
-    assert_json_response @user_params.slice(:login, :password_salt)
-    assert_response :success
-    server_auth = @srp.authenticate(self, @login, "wrong password")
+    srp = SRP::Client.new(@login, "wrong password")
+    server_auth = srp.authenticate(self)
     assert_equal ["wrong password"], server_auth["errors"]['password']
     assert_nil server_auth["M2"]
   end
 
   test "signup and wrong username login attempt" do
-    post '/users.json', :user => @user_params
-    @user = User.find_by_param(@login)
-    assert_json_response @user_params.slice(:login, :password_salt)
-    assert_response :success
+    srp = SRP::Client.new("wrong_login", @password)
+    server_auth = nil
     assert_raises RECORD_NOT_FOUND do
-      server_auth = @srp.authenticate(self, "wronglogin", @password)
+      server_auth = srp.authenticate(self)
     end
+    assert_nil server_auth
   end
 
 end
diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py
index ea630f2..0a11aec 100755
--- a/users/test/integration/api/python/flow_with_srp.py
+++ b/users/test/integration/api/python/flow_with_srp.py
@@ -6,27 +6,34 @@ import requests
 import json
 import string
 import random
-import srp
+import srp._pysrp as srp
 import binascii
 
+safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x)
+
 # let's have some random name
 def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
   return ''.join(random.choice(chars) for x in range(size))
 
 # using globals for a start
-server = 'http://localhost:3000'
+server = 'http://springbok/1/'
 login = id_generator()
 password = id_generator() + id_generator()
 
+# print '    username = "' + login + '"'
+# print '    password = "' + password + '"'
+
 # log the server communication
 def print_and_parse(response):
-  print response.request.method + ': ' + response.url
-  print "    " + json.dumps(response.request.data)
-  print " -> " + response.text
+  # print response.request.method + ': ' + response.url
+  # print "    " + json.dumps(response.request.data)
+  # print " -> " + response.text
   return json.loads(response.text)
 
 def signup(session):
   salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+  # print '    salt = "' + binascii.hexlify(salt) + '"'
+  # print '    v = "' + binascii.hexlify(vkey) + '"'
   user_params = {
       'user[login]': login,
       'user[password_verifier]': binascii.hexlify(vkey),
@@ -38,12 +45,16 @@ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 )
 
 def authenticate(session, login):
   uname, A = usr.start_authentication()
+  # print '    aa = "' + binascii.hexlify(A) + '"'
   params = {
       'login': uname,
       'A': binascii.hexlify(A)
       }
   init = print_and_parse(session.post(server + '/sessions', data = params))
-  M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) )
+  # print '    b = "' + init['b'] + '"'
+  # print '    bb = "' + init['B'] + '"'
+  M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) )
+  # print '    m = "' + binascii.hexlify(M) + '"'
   return session.put(server + '/sessions/' + login, 
       data = {'client_auth': binascii.hexlify(M)})
 
@@ -52,7 +63,15 @@ user = print_and_parse(signup(session))
 
 # SRP signup would happen here and calculate M hex
 auth = print_and_parse(authenticate(session, user['login']))
-usr.verify_session( binascii.unhexlify(auth["M2"]) )
+if ( 'errors' in auth ):
+  print '    u = "%x"' % usr.u
+  print '    x = "%x"' % usr.x
+  print '    v = "%x"' % usr.v
+  print '    S = "%x"' % usr.S
+  print '    K = "' + binascii.hexlify(usr.K) + '"'
+  print '    M = "%x"' % usr.M
+else:
+  usr.verify_session( safe_unhexlify(auth["M2"]) )
 
 # At this point the authentication process is complete.
 assert usr.authenticated()
diff --git a/users/test/test_helper.rb b/users/test/test_helper.rb
index b268c51..08d4d41 100644
--- a/users/test/test_helper.rb
+++ b/users/test/test_helper.rb
@@ -1,5 +1,5 @@
 ENV["RAILS_ENV"] = "test"
-require File.expand_path('../dummy/config/environment', __FILE__)
+require File.expand_path('../../../test/dummy/config/environment', __FILE__)
 require 'rails/test_help'
 require 'mocha'
 
diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb
index 870d422..822ef33 100644
--- a/users/test/unit/user_test.rb
+++ b/users/test/unit/user_test.rb
@@ -3,37 +3,48 @@ require 'test_helper'
 class UserTest < ActiveSupport::TestCase
 
   include SRP::Util
+  setup do
+    @attribs = User.valid_attributes_hash
+    @user = User.new(@attribs)
+  end
+
   test "test set of attributes should be valid" do
-    user = User.new(User.valid_attributes_hash)
-    assert user.valid?
+    @user.valid?
+    assert_equal Hash.new, @user.errors.messages
+  end
+
+  test "test require hex for password_verifier" do
+    @user.password_verifier = "QWER"
+    assert !@user.valid?
+  end
+
+  test "test require alphanumerical for login" do
+    @user.login = "qwär"
+    assert !@user.valid?
   end
 
   test "find_by_param gets User by login" do
-    user = User.create!(User.valid_attributes_hash)
-    assert_equal user, User.find_by_param(user.login)
-    user.destroy
+    @user.save
+    assert_equal @user, User.find_by_param(@user.login)
+    @user.destroy
   end
 
   test "to_param gives user login" do
-    user = User.new(User.valid_attributes_hash)
-    assert_equal user.login, user.to_param
+    assert_equal @user.login, @user.to_param
   end
 
   test "verifier returns number for the hex in password_verifier" do
-    user = User.new(User.valid_attributes_hash)
-    assert_equal user.password_verifier.hex, user.verifier
+    assert_equal @user.password_verifier.hex, @user.verifier
   end
 
   test "salt returns number for the hex in password_salt" do
-    user = User.new(User.valid_attributes_hash)
-    assert_equal user.password_salt.hex, user.salt
+    assert_equal @user.password_salt.hex, @user.salt
   end
 
-  test "should include SRP::Authentication" do
+  test "should include SRP" do
     client_rnd = bigrand(32).hex
-    user = User.new(User.valid_attributes_hash)
-    srp_session = user.initialize_auth(client_rnd)
-    assert srp_session.is_a? SRP::Authentication::Session
+    srp_session = @user.initialize_auth(client_rnd)
+    assert srp_session.is_a? SRP::Session
     assert_equal client_rnd, srp_session.aa
   end