From c76718932382e6851e1ad9f004246bde3fc74de8 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 15:45:07 +0200 Subject: starting to write a srp test with python srp lib --- users/test/integration/api/python/flow_with_srp.py | 58 ++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100755 users/test/integration/api/python/flow_with_srp.py (limited to 'users') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py new file mode 100755 index 0000000..cb89f6e --- /dev/null +++ b/users/test/integration/api/python/flow_with_srp.py @@ -0,0 +1,58 @@ +#!/usr/bin/env python + +# under development + +import requests +import json +import string +import random +import srp +import binascii + +# let's have some random name +def id_generator(size=6, chars=string.ascii_uppercase + string.digits): + return ''.join(random.choice(chars) for x in range(size)) + +# using globals for a start +server = 'http://localhost:3000' +login = id_generator() +password = id_generator() + id_generator() + +# log the server communication +def print_and_parse(response): + print response.request.method + ': ' + response.url + print " " + json.dumps(response.request.data) + print " -> " + response.text + return json.loads(response.text) + +def signup(session): + salt, vkey = srp.create_salted_verification_key( login, password ) + user_params = { + 'user[login]': login, + 'user[password_verifier]': binascii.hexlify(vkey), + 'user[password_salt]': binascii.hexlify(salt) + } + return session.post(server + '/users.json', data = user_params) + +usr = srp.User( login, password ) + +def authenticate(session, login): + uname, A = usr.start_authentication() + params = { + 'login': uname, + 'A': A + } + init = print_and_parse(session.post(server + '/sessions', data = params)) + M = usr.process_challenge( init['salt'], init['B'] ) + return session.put(server + '/sessions/' + login, data = {'client_auth': M}) + +session = requests.session() +user = print_and_parse(signup(session)) + +# SRP signup would happen here and calculate M hex +auth = print_and_parse(authenticate(session, user['login'])) +usr.verify_session( auth ) + +# At this point the authentication process is complete. +assert usr.authenticated() + -- cgit v1.2.3 From c7d473882a01981ff6ff8f0e2b5c120a0026a531 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 15:45:43 +0200 Subject: send salt on initializing login --- users/app/controllers/sessions_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'users') diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb index e68d798..f79b069 100644 --- a/users/app/controllers/sessions_controller.rb +++ b/users/app/controllers/sessions_controller.rb @@ -8,7 +8,8 @@ class SessionsController < ApplicationController def create @user = User.find_by_param(params[:login]) session[:handshake] = @user.initialize_auth(params['A'].hex) - render :json => { :B => session[:handshake].bb.to_s(16) } + render :json => { :B => session[:handshake].bb.to_s(16), + :salt => @user.password_salt } rescue RECORD_NOT_FOUND render :json => {:errors => {:login => ["unknown user"]}} end -- cgit v1.2.3 From 793f36bb8063017cd8b48f084597f4e64b72d0f4 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 15:52:48 +0200 Subject: use hexlify and unhexlify everywhere needed except the final auth as this is still broken anyway --- users/test/integration/api/python/flow_with_srp.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'users') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index cb89f6e..1aad555 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -40,11 +40,12 @@ def authenticate(session, login): uname, A = usr.start_authentication() params = { 'login': uname, - 'A': A + 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params)) - M = usr.process_challenge( init['salt'], init['B'] ) - return session.put(server + '/sessions/' + login, data = {'client_auth': M}) + M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) ) + return session.put(server + '/sessions/' + login, + data = {'client_auth': binascii.hexlify(M)}) session = requests.session() user = print_and_parse(signup(session)) -- cgit v1.2.3 From 5fe296eb9f9b216e05921ac0c41f5defc1cc2054 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Oct 2012 16:12:50 +0200 Subject: trying to use the same Hash Alg and Prime as webapp - still failing --- users/test/integration/api/python/flow_with_srp.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'users') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 1aad555..08ac94a 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -26,7 +26,7 @@ def print_and_parse(response): return json.loads(response.text) def signup(session): - salt, vkey = srp.create_salted_verification_key( login, password ) + salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -34,7 +34,7 @@ def signup(session): } return session.post(server + '/users.json', data = user_params) -usr = srp.User( login, password ) +usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) def authenticate(session, login): uname, A = usr.start_authentication() -- cgit v1.2.3 From 5bc3eae400754dda90a45d6953a02a069a1c0285 Mon Sep 17 00:00:00 2001 From: jessib Date: Tue, 2 Oct 2012 15:29:28 -0700 Subject: Some more tweaks to help ticket models. Still want to tweak current_user access from users engine. --- users/app/controllers/sessions_controller.rb | 6 ++++++ users/app/models/user.rb | 7 +++++++ 2 files changed, 13 insertions(+) (limited to 'users') diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb index e68d798..d398057 100644 --- a/users/app/controllers/sessions_controller.rb +++ b/users/app/controllers/sessions_controller.rb @@ -8,6 +8,7 @@ class SessionsController < ApplicationController def create @user = User.find_by_param(params[:login]) session[:handshake] = @user.initialize_auth(params['A'].hex) + User.current = @user #? render :json => { :B => session[:handshake].bb.to_s(16) } rescue RECORD_NOT_FOUND render :json => {:errors => {:login => ["unknown user"]}} @@ -17,6 +18,7 @@ class SessionsController < ApplicationController @user = User.find_by_param(params[:id]) @server_auth = @user.authenticate!(params[:client_auth].hex, session.delete(:handshake)) session[:user_id] = @user.id + User.current = @user #? render :json => {:M2 => @server_auth} rescue WRONG_PASSWORD session[:handshake] = nil @@ -25,6 +27,10 @@ class SessionsController < ApplicationController def destroy session[:user_id] = nil + User.current = nil #? redirect_to root_path end + + + end diff --git a/users/app/models/user.rb b/users/app/models/user.rb index fa64f42..95ee810 100644 --- a/users/app/models/user.rb +++ b/users/app/models/user.rb @@ -46,4 +46,11 @@ class User < CouchRest::Model::Base password_verifier.hex end + def self.current + Thread.current[:user] + end + def self.current=(user) + Thread.current[:user] = user + end + end -- cgit v1.2.3 From 118d9ab5c9f4d7a82b7cf24774ef12d3c221f8ef Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 5 Oct 2012 13:59:39 +0200 Subject: moving to ruby_srp 0.1.0, works with python srp --- users/app/controllers/sessions_controller.rb | 6 ++++-- users/app/models/user.rb | 10 ++++++++-- users/leap_web_users.gemspec | 2 +- users/test/integration/api/python/flow_with_srp.py | 2 +- users/test/integration/api/python/signup_and_login.py | 10 +++------- 5 files changed, 17 insertions(+), 13 deletions(-) (limited to 'users') diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb index 7852e5c..b8043f5 100644 --- a/users/app/controllers/sessions_controller.rb +++ b/users/app/controllers/sessions_controller.rb @@ -15,11 +15,13 @@ class SessionsController < ApplicationController end def update + # TODO: validate the id belongs to the session @user = User.find_by_param(params[:id]) - @server_auth = @user.authenticate!(params[:client_auth].hex, session.delete(:handshake)) + @srp_session = session.delete(:handshake) + @server_auth = @srp_session.authenticate!(params[:client_auth].hex) session[:user_id] = @user.id User.current = @user #? - render :json => {:M2 => @server_auth} + render :json => {:M2 => "%064x" % @server_auth} rescue WRONG_PASSWORD session[:handshake] = nil render :json => {:errors => {"password" => ["wrong password"]}} diff --git a/users/app/models/user.rb b/users/app/models/user.rb index 95ee810..a6aab84 100644 --- a/users/app/models/user.rb +++ b/users/app/models/user.rb @@ -1,7 +1,5 @@ class User < CouchRest::Model::Base - include SRP::Authentication - property :login, String, :accessible => true property :email, String, :accessible => true property :password_verifier, String, :accessible => true @@ -38,6 +36,10 @@ class User < CouchRest::Model::Base super(options.merge(:only => ['login', 'password_salt'])) end + def initialize_auth(aa) + return SRP::Session.new(self, aa) + end + def salt password_salt.hex end @@ -46,6 +48,10 @@ class User < CouchRest::Model::Base password_verifier.hex end + def username + login + end + def self.current Thread.current[:user] end diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index cebb632..2bbb0b8 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -20,7 +20,7 @@ Gem::Specification.new do |s| s.add_dependency "rails", "~> 3.2.8" s.add_dependency "leap_web_core", "~> 0.0.1" s.add_dependency "couchrest_session_store", "~> 0.0.1" - s.add_dependency "ruby-srp" + s.add_dependency "ruby-srp", "~> 0.1.0" LeapWebCore::Dependencies.add_ui_gems_to_spec(s) diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 08ac94a..ea630f2 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -52,7 +52,7 @@ user = print_and_parse(signup(session)) # SRP signup would happen here and calculate M hex auth = print_and_parse(authenticate(session, user['login'])) -usr.verify_session( auth ) +usr.verify_session( binascii.unhexlify(auth["M2"]) ) # At this point the authentication process is complete. assert usr.authenticated() diff --git a/users/test/integration/api/python/signup_and_login.py b/users/test/integration/api/python/signup_and_login.py index 2d79688..ac611d7 100755 --- a/users/test/integration/api/python/signup_and_login.py +++ b/users/test/integration/api/python/signup_and_login.py @@ -20,14 +20,13 @@ def print_and_parse(response): print response.request.method + ': ' + response.url print " " + json.dumps(response.request.data) print " -> " + response.text - print " () " + json.dumps(requests.utils.dict_from_cookiejar(response.cookies)) return json.loads(response.text) def signup(session): user_params = { 'user[login]': id_generator(), 'user[password_verifier]': '12345', - 'user[password_salt]': '54321' + 'user[password_salt]': 'AB54321' } return session.post(server + '/users.json', data = user_params) @@ -36,11 +35,8 @@ def authenticate(session, login): 'login': login, 'A': '12345', } - init = session.post(server + '/sessions', data = params) - cookies = requests.utils.dict_from_cookiejar(init.cookies) - init = session.post(server + '/sessions', data = params, cookies = cookies) - print "(%) " + json.dumps(cookies) - return session.put(server + '/sessions/' + login, data = {'client_auth': '123'}, cookies = cookies) + init = print_and_parse(session.post(server + '/sessions', data = params)) + return session.put(server + '/sessions/' + login, data = {'client_auth': '123'}) session = requests.session() user = print_and_parse(signup(session)) -- cgit v1.2.3 From c2d5a80b576ffc5f9ff0807c9a52fec8b4f34123 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 5 Oct 2012 16:47:19 +0200 Subject: ruby-srp 0.1.1 has to_json method - simplifies controller --- users/app/controllers/sessions_controller.rb | 6 +++--- users/leap_web_users.gemspec | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'users') diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb index b8043f5..284c0e2 100644 --- a/users/app/controllers/sessions_controller.rb +++ b/users/app/controllers/sessions_controller.rb @@ -9,7 +9,7 @@ class SessionsController < ApplicationController @user = User.find_by_param(params[:login]) session[:handshake] = @user.initialize_auth(params['A'].hex) User.current = @user #? - render :json => { :B => session[:handshake].bb.to_s(16), :salt => @user.password_salt } + render :json => session[:handshake] rescue RECORD_NOT_FOUND render :json => {:errors => {:login => ["unknown user"]}} end @@ -18,10 +18,10 @@ class SessionsController < ApplicationController # TODO: validate the id belongs to the session @user = User.find_by_param(params[:id]) @srp_session = session.delete(:handshake) - @server_auth = @srp_session.authenticate!(params[:client_auth].hex) + @srp_session.authenticate!(params[:client_auth].hex) session[:user_id] = @user.id User.current = @user #? - render :json => {:M2 => "%064x" % @server_auth} + render :json => @srp_session rescue WRONG_PASSWORD session[:handshake] = nil render :json => {:errors => {"password" => ["wrong password"]}} diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index 2bbb0b8..90aa4df 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -20,7 +20,7 @@ Gem::Specification.new do |s| s.add_dependency "rails", "~> 3.2.8" s.add_dependency "leap_web_core", "~> 0.0.1" s.add_dependency "couchrest_session_store", "~> 0.0.1" - s.add_dependency "ruby-srp", "~> 0.1.0" + s.add_dependency "ruby-srp", "~> 0.1.1" LeapWebCore::Dependencies.add_ui_gems_to_spec(s) -- cgit v1.2.3 From e264e7354788c0b7eff7bb296eed9c59304cc8b8 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 5 Oct 2012 16:48:27 +0200 Subject: using safe_unhexlify to workaround 0 padding also changed the debug output so it helps creating tests for ruby-srp --- users/test/integration/api/python/flow_with_srp.py | 29 ++++++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'users') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index ea630f2..3bbbc71 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -6,9 +6,11 @@ import requests import json import string import random -import srp +import srp._pysrp as srp import binascii +safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x) + # let's have some random name def id_generator(size=6, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) @@ -18,15 +20,20 @@ server = 'http://localhost:3000' login = id_generator() password = id_generator() + id_generator() +print ' username = "' + login + '"' +print ' password = "' + password + '"' + # log the server communication def print_and_parse(response): - print response.request.method + ': ' + response.url - print " " + json.dumps(response.request.data) + # print response.request.method + ': ' + response.url + # print " " + json.dumps(response.request.data) print " -> " + response.text return json.loads(response.text) def signup(session): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) + print ' salt = "' + binascii.hexlify(salt) + '"' + print ' v = "' + binascii.hexlify(vkey) + '"' user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -38,12 +45,16 @@ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) def authenticate(session, login): uname, A = usr.start_authentication() + print ' aa = "' + binascii.hexlify(A) + '"' params = { 'login': uname, 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params)) - M = usr.process_challenge( binascii.unhexlify(init['salt']), binascii.unhexlify(init['B']) ) + # print ' b = "' + init['b'] + '"' + print ' bb = "' + init['B'] + '"' + M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) + print ' m = "' + binascii.hexlify(M) + '"' return session.put(server + '/sessions/' + login, data = {'client_auth': binascii.hexlify(M)}) @@ -52,7 +63,15 @@ user = print_and_parse(signup(session)) # SRP signup would happen here and calculate M hex auth = print_and_parse(authenticate(session, user['login'])) -usr.verify_session( binascii.unhexlify(auth["M2"]) ) +if ( 'errors' in auth ): + print ' u = "%x"' % usr.u + print ' x = "%x"' % usr.x + print ' v = "%x"' % usr.v + print ' S = "%x"' % usr.S + print ' K = "' + binascii.hexlify(usr.K) + '"' + print ' M = "%x"' % usr.M +else: + usr.verify_session( safe_unhexlify(auth["M2"]) ) # At this point the authentication process is complete. assert usr.authenticated() -- cgit v1.2.3 From 5267a127ee967b1d89df6033cc9869715e960886 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 6 Oct 2012 19:39:48 +0200 Subject: comment out debugging lines --- users/test/integration/api/python/flow_with_srp.py | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'users') diff --git a/users/test/integration/api/python/flow_with_srp.py b/users/test/integration/api/python/flow_with_srp.py index 3bbbc71..0a11aec 100755 --- a/users/test/integration/api/python/flow_with_srp.py +++ b/users/test/integration/api/python/flow_with_srp.py @@ -16,24 +16,24 @@ def id_generator(size=6, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for x in range(size)) # using globals for a start -server = 'http://localhost:3000' +server = 'http://springbok/1/' login = id_generator() password = id_generator() + id_generator() -print ' username = "' + login + '"' -print ' password = "' + password + '"' +# print ' username = "' + login + '"' +# print ' password = "' + password + '"' # log the server communication def print_and_parse(response): # print response.request.method + ': ' + response.url # print " " + json.dumps(response.request.data) - print " -> " + response.text + # print " -> " + response.text return json.loads(response.text) def signup(session): salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 ) - print ' salt = "' + binascii.hexlify(salt) + '"' - print ' v = "' + binascii.hexlify(vkey) + '"' + # print ' salt = "' + binascii.hexlify(salt) + '"' + # print ' v = "' + binascii.hexlify(vkey) + '"' user_params = { 'user[login]': login, 'user[password_verifier]': binascii.hexlify(vkey), @@ -45,16 +45,16 @@ usr = srp.User( login, password, srp.SHA256, srp.NG_1024 ) def authenticate(session, login): uname, A = usr.start_authentication() - print ' aa = "' + binascii.hexlify(A) + '"' + # print ' aa = "' + binascii.hexlify(A) + '"' params = { 'login': uname, 'A': binascii.hexlify(A) } init = print_and_parse(session.post(server + '/sessions', data = params)) # print ' b = "' + init['b'] + '"' - print ' bb = "' + init['B'] + '"' + # print ' bb = "' + init['B'] + '"' M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) ) - print ' m = "' + binascii.hexlify(M) + '"' + # print ' m = "' + binascii.hexlify(M) + '"' return session.put(server + '/sessions/' + login, data = {'client_auth': binascii.hexlify(M)}) -- cgit v1.2.3 From 2215250a39162f9e1fcb8f90e02a637faa63438c Mon Sep 17 00:00:00 2001 From: Azul Date: Sun, 7 Oct 2012 20:09:00 +0200 Subject: added validations --- users/app/models/user.rb | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'users') diff --git a/users/app/models/user.rb b/users/app/models/user.rb index a6aab84..e10f55e 100644 --- a/users/app/models/user.rb +++ b/users/app/models/user.rb @@ -5,8 +5,17 @@ class User < CouchRest::Model::Base property :password_verifier, String, :accessible => true property :password_salt, String, :accessible => true - validates :login, :password_salt, :password_verifier, :presence => true - validates :login, :uniqueness => true + validates :login, :password_salt, :password_verifier, + :presence => true + + validates :login, + :uniqueness => true, + :format => { :with => /\A\w+\z/, + :message => "Only letters, digits and _ allowed" } + + validates :password_salt, :password_verifier, + :format => { :with => /\A[\dA-Fa-f]+\z/, + :message => "Only hex numbers allowed" } timestamps! -- cgit v1.2.3 From d776e9ea988b0bc00b24c0e0760bcfe3d95057a7 Mon Sep 17 00:00:00 2001 From: Azul Date: Sun, 7 Oct 2012 21:00:36 +0200 Subject: adding validations for valid login chars and verifier and salt being hex --- users/app/models/user.rb | 10 ++++++---- users/test/unit/user_test.rb | 41 ++++++++++++++++++++++++++--------------- 2 files changed, 32 insertions(+), 19 deletions(-) (limited to 'users') diff --git a/users/app/models/user.rb b/users/app/models/user.rb index e10f55e..1afb9db 100644 --- a/users/app/models/user.rb +++ b/users/app/models/user.rb @@ -9,8 +9,10 @@ class User < CouchRest::Model::Base :presence => true validates :login, - :uniqueness => true, - :format => { :with => /\A\w+\z/, + :uniqueness => true + + validates :login, + :format => { :with => /\A[A-Za-z\d_]+\z/, :message => "Only letters, digits and _ allowed" } validates :password_salt, :password_verifier, @@ -31,8 +33,8 @@ class User < CouchRest::Model::Base # valid set of attributes for testing def valid_attributes_hash { :login => "me", - :password_verifier => "1234", - :password_salt => "4321" } + :password_verifier => "1234ABC", + :password_salt => "4321AB" } end end diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb index 870d422..822ef33 100644 --- a/users/test/unit/user_test.rb +++ b/users/test/unit/user_test.rb @@ -3,37 +3,48 @@ require 'test_helper' class UserTest < ActiveSupport::TestCase include SRP::Util + setup do + @attribs = User.valid_attributes_hash + @user = User.new(@attribs) + end + test "test set of attributes should be valid" do - user = User.new(User.valid_attributes_hash) - assert user.valid? + @user.valid? + assert_equal Hash.new, @user.errors.messages + end + + test "test require hex for password_verifier" do + @user.password_verifier = "QWER" + assert !@user.valid? + end + + test "test require alphanumerical for login" do + @user.login = "qwär" + assert !@user.valid? end test "find_by_param gets User by login" do - user = User.create!(User.valid_attributes_hash) - assert_equal user, User.find_by_param(user.login) - user.destroy + @user.save + assert_equal @user, User.find_by_param(@user.login) + @user.destroy end test "to_param gives user login" do - user = User.new(User.valid_attributes_hash) - assert_equal user.login, user.to_param + assert_equal @user.login, @user.to_param end test "verifier returns number for the hex in password_verifier" do - user = User.new(User.valid_attributes_hash) - assert_equal user.password_verifier.hex, user.verifier + assert_equal @user.password_verifier.hex, @user.verifier end test "salt returns number for the hex in password_salt" do - user = User.new(User.valid_attributes_hash) - assert_equal user.password_salt.hex, user.salt + assert_equal @user.password_salt.hex, @user.salt end - test "should include SRP::Authentication" do + test "should include SRP" do client_rnd = bigrand(32).hex - user = User.new(User.valid_attributes_hash) - srp_session = user.initialize_auth(client_rnd) - assert srp_session.is_a? SRP::Authentication::Session + srp_session = @user.initialize_auth(client_rnd) + assert srp_session.is_a? SRP::Session assert_equal client_rnd, srp_session.aa end -- cgit v1.2.3 From efcf0e5927055d2b86804c84b00c614b38191964 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 8 Oct 2012 10:45:27 +0200 Subject: enabling rake gem in engines, using LeapWeb::Version all over the place --- users/Rakefile | 10 ++++++++-- users/leap_web_users.gemspec | 7 +++---- 2 files changed, 11 insertions(+), 6 deletions(-) (limited to 'users') diff --git a/users/Rakefile b/users/Rakefile index cf5108e..38da5fc 100644 --- a/users/Rakefile +++ b/users/Rakefile @@ -1,4 +1,8 @@ #!/usr/bin/env rake + +require 'rake/packagetask' +require 'rubygems/package_task' + begin require 'bundler/setup' rescue LoadError @@ -20,8 +24,10 @@ RDoc::Task.new(:rdoc) do |rdoc| rdoc.rdoc_files.include('lib/**/*.rb') end - - +spec = eval(File.read('leap_web_users.gemspec')) +Gem::PackageTask.new(spec) do |p| + p.gem_spec = spec +end Bundler::GemHelper.install_tasks diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index 90aa4df..e68529a 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -1,13 +1,12 @@ $:.push File.expand_path("../lib", __FILE__) -# Maintain your gem's version: -require "leap_web_users/version" require "leap_web_core/dependencies" +require File.expand_path('../../lib/leap_web/version.rb', __FILE__) # Describe your gem and declare its dependencies: Gem::Specification.new do |s| s.name = "leap_web_users" - s.version = LeapWebUsers::VERSION + s.version = LeapWeb::VERSION s.authors = ["Azul"] s.email = ["azul@leap.se"] s.homepage = "http://www.leap.se" @@ -18,7 +17,7 @@ Gem::Specification.new do |s| s.test_files = Dir["test/**/*"] s.add_dependency "rails", "~> 3.2.8" - s.add_dependency "leap_web_core", "~> 0.0.1" + s.add_dependency "leap_web_core", LeapWeb::VERSION s.add_dependency "couchrest_session_store", "~> 0.0.1" s.add_dependency "ruby-srp", "~> 0.1.1" -- cgit v1.2.3 From 51bc4cf65133982e9cf197bcf07aed3efce3d6dc Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 8 Oct 2012 11:27:19 +0200 Subject: cleaned up the gemspecs a bit - now all build --- users/Readme.md | 0 users/leap_web_users.gemspec | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 users/Readme.md (limited to 'users') diff --git a/users/Readme.md b/users/Readme.md new file mode 100644 index 0000000..e69de29 diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index e68529a..04d5b8e 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -13,7 +13,7 @@ Gem::Specification.new do |s| s.summary = "User registration and authorization for the leap platform" s.description = "This this plugin for the leap platform provides user signup and login. It uses Secure Remote Password for the authentication." - s.files = Dir["{app,config,db,lib}/**/*"] + ["MIT-LICENSE", "Rakefile", "README.rdoc"] + s.files = Dir["{app,config,db,lib}/**/*"] + ["Rakefile", "Readme.md"] s.test_files = Dir["test/**/*"] s.add_dependency "rails", "~> 3.2.8" -- cgit v1.2.3 From f5aea5347601c3500bb3670971d44995c35c3c7b Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 8 Oct 2012 19:50:00 +0200 Subject: use couchrest session store in core, updated dummy path --- users/leap_web_users.gemspec | 1 - users/test/test_helper.rb | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'users') diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index 04d5b8e..94c32ff 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -18,7 +18,6 @@ Gem::Specification.new do |s| s.add_dependency "rails", "~> 3.2.8" s.add_dependency "leap_web_core", LeapWeb::VERSION - s.add_dependency "couchrest_session_store", "~> 0.0.1" s.add_dependency "ruby-srp", "~> 0.1.1" LeapWebCore::Dependencies.add_ui_gems_to_spec(s) diff --git a/users/test/test_helper.rb b/users/test/test_helper.rb index b268c51..08d4d41 100644 --- a/users/test/test_helper.rb +++ b/users/test/test_helper.rb @@ -1,5 +1,5 @@ ENV["RAILS_ENV"] = "test" -require File.expand_path('../dummy/config/environment', __FILE__) +require File.expand_path('../../../test/dummy/config/environment', __FILE__) require 'rails/test_help' require 'mocha' -- cgit v1.2.3 From 00b7b36516d1d07300870029ad5190f06122a493 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 10 Oct 2012 19:56:35 +0200 Subject: first steps at reducing core --- users/Gemfile | 13 ++++--------- users/leap_web_users.gemspec | 8 +------- users/lib/leap_web_users.rb | 2 ++ users/lib/leap_web_users/engine.rb | 4 +--- users/lib/leap_web_users/version.rb | 3 --- 5 files changed, 8 insertions(+), 22 deletions(-) delete mode 100644 users/lib/leap_web_users/version.rb (limited to 'users') diff --git a/users/Gemfile b/users/Gemfile index 5e6ebd6..81b0ae8 100644 --- a/users/Gemfile +++ b/users/Gemfile @@ -1,17 +1,12 @@ source "http://rubygems.org" +eval(File.read(File.dirname(__FILE__) + '/../common_dependencies.rb')) +eval(File.read(File.dirname(__FILE__) + '/../ui_dependencies.rb')) + # Declare your gem's dependencies in leap_web_users.gemspec. # Bundler will treat runtime dependencies like base dependencies, and # development dependencies will be added by default to the :development group. gemspec -# jquery-rails is used by the dummy application -gem "jquery-rails" - -# Declare any dependencies that are still in development here instead of in -# your gemspec. These might include edge Rails or gems from your path or -# Git. Remember to move these dependencies to your gemspec before releasing -# your gem to rubygems.org. - # To use debugger -gem 'ruby-debug' +# gem 'ruby-debug' diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index 94c32ff..f64a76a 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -1,6 +1,5 @@ $:.push File.expand_path("../lib", __FILE__) -require "leap_web_core/dependencies" require File.expand_path('../../lib/leap_web/version.rb', __FILE__) # Describe your gem and declare its dependencies: @@ -16,12 +15,7 @@ Gem::Specification.new do |s| s.files = Dir["{app,config,db,lib}/**/*"] + ["Rakefile", "Readme.md"] s.test_files = Dir["test/**/*"] - s.add_dependency "rails", "~> 3.2.8" s.add_dependency "leap_web_core", LeapWeb::VERSION - s.add_dependency "ruby-srp", "~> 0.1.1" - - LeapWebCore::Dependencies.add_ui_gems_to_spec(s) - - s.add_development_dependency "mocha" + s.add_dependency "ruby-srp", "~> 0.1.1" end diff --git a/users/lib/leap_web_users.rb b/users/lib/leap_web_users.rb index e1b7b1f..1ea1c40 100644 --- a/users/lib/leap_web_users.rb +++ b/users/lib/leap_web_users.rb @@ -1,3 +1,5 @@ +require "leap_web_core" +require "leap_web_core/ui_dependencies" require "leap_web_users/engine" module LeapWebUsers diff --git a/users/lib/leap_web_users/engine.rb b/users/lib/leap_web_users/engine.rb index b6ab60e..734564b 100644 --- a/users/lib/leap_web_users/engine.rb +++ b/users/lib/leap_web_users/engine.rb @@ -1,8 +1,6 @@ # thou shall require all your dependencies in an engine. require "ruby-srp" -require "leap_web_core" -LeapWebCore::Dependencies.require_ui_gems - +require "haml-rails" module LeapWebUsers class Engine < ::Rails::Engine diff --git a/users/lib/leap_web_users/version.rb b/users/lib/leap_web_users/version.rb deleted file mode 100644 index 14e54c1..0000000 --- a/users/lib/leap_web_users/version.rb +++ /dev/null @@ -1,3 +0,0 @@ -module LeapWebUsers - VERSION = "0.0.1" -end -- cgit v1.2.3 From add8d015c87a00626b739080bd75c7e7aeb9c1df Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 11 Oct 2012 10:22:34 +0200 Subject: moved core dependency into */Gemfile with :path In order to get the rails generators and the like to work properly in engines we need to require all the dependencies in the engine.rb file. Since I want to keep that list of engines in a centralized place we still need core and we need to require it from the other engines. We don't want to require the core gem to be installed so I added it with :path option to the Gemfile. --- users/Gemfile | 3 +++ users/lib/leap_web_users.rb | 2 -- users/lib/leap_web_users/engine.rb | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) (limited to 'users') diff --git a/users/Gemfile b/users/Gemfile index 81b0ae8..e30033a 100644 --- a/users/Gemfile +++ b/users/Gemfile @@ -3,6 +3,9 @@ source "http://rubygems.org" eval(File.read(File.dirname(__FILE__) + '/../common_dependencies.rb')) eval(File.read(File.dirname(__FILE__) + '/../ui_dependencies.rb')) +# We require leap_web_core from here so we can use the path option. +gem "leap_web_core", :path => '../core' + # Declare your gem's dependencies in leap_web_users.gemspec. # Bundler will treat runtime dependencies like base dependencies, and # development dependencies will be added by default to the :development group. diff --git a/users/lib/leap_web_users.rb b/users/lib/leap_web_users.rb index 1ea1c40..e1b7b1f 100644 --- a/users/lib/leap_web_users.rb +++ b/users/lib/leap_web_users.rb @@ -1,5 +1,3 @@ -require "leap_web_core" -require "leap_web_core/ui_dependencies" require "leap_web_users/engine" module LeapWebUsers diff --git a/users/lib/leap_web_users/engine.rb b/users/lib/leap_web_users/engine.rb index 734564b..9b7545e 100644 --- a/users/lib/leap_web_users/engine.rb +++ b/users/lib/leap_web_users/engine.rb @@ -1,6 +1,7 @@ # thou shall require all your dependencies in an engine. +require "leap_web_core" +require "leap_web_core/ui_dependencies" require "ruby-srp" -require "haml-rails" module LeapWebUsers class Engine < ::Rails::Engine -- cgit v1.2.3 From 3b4703b6669bb712fd078080d6f3b83af089b19e Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 11 Oct 2012 11:09:36 +0200 Subject: fixed account_flow_test - srp.authenticate now takes a single arg --- users/test/integration/api/account_flow_test.rb | 27 ++++++++++++------------- 1 file changed, 13 insertions(+), 14 deletions(-) (limited to 'users') diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index e20bcf6..66de1e5 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -30,40 +30,39 @@ class AccountFlowTest < ActionDispatch::IntegrationTest :password_verifier => @srp.verifier.to_s(16), :password_salt => @srp.salt.to_s(16) } + post '/users.json', :user => @user_params + @user = User.find_by_param(@login) end def teardown @user.destroy if @user # make sure we can run this test again end - test "signup and login with srp via api" do - post '/users.json', :user => @user_params - @user = User.find_by_param(@login) + test "signup response" do assert_json_response @user_params.slice(:login, :password_salt) assert_response :success - server_auth = @srp.authenticate(self, @login, @password) + end + + test "signup and login with srp via api" do + server_auth = @srp.authenticate(self) assert_nil server_auth["errors"] assert server_auth["M2"] end test "signup and wrong password login attempt" do - post '/users.json', :user => @user_params - @user = User.find_by_param(@login) - assert_json_response @user_params.slice(:login, :password_salt) - assert_response :success - server_auth = @srp.authenticate(self, @login, "wrong password") + srp = SRP::Client.new(@login, "wrong password") + server_auth = srp.authenticate(self) assert_equal ["wrong password"], server_auth["errors"]['password'] assert_nil server_auth["M2"] end test "signup and wrong username login attempt" do - post '/users.json', :user => @user_params - @user = User.find_by_param(@login) - assert_json_response @user_params.slice(:login, :password_salt) - assert_response :success + srp = SRP::Client.new("wrong_login", @password) + server_auth = nil assert_raises RECORD_NOT_FOUND do - server_auth = @srp.authenticate(self, "wronglogin", @password) + server_auth = srp.authenticate(self) end + assert_nil server_auth end end -- cgit v1.2.3 From 9416bd9b8829f57fa54d50e8b3f53f614a1b29b5 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 11 Oct 2012 11:30:02 +0200 Subject: adjusted sessions controller test to new srp api handshake.to_json now returns what we want. --- users/test/functional/sessions_controller_test.rb | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'users') diff --git a/users/test/functional/sessions_controller_test.rb b/users/test/functional/sessions_controller_test.rb index 7876d84..b6e56a7 100644 --- a/users/test/functional/sessions_controller_test.rb +++ b/users/test/functional/sessions_controller_test.rb @@ -8,7 +8,9 @@ class SessionsControllerTest < ActionController::TestCase @server_hex = 'b123' @server_rnd = @server_hex.hex @server_rnd_exp = 'e123'.hex + @salt = 'stub user salt' @server_handshake = stub :aa => @client_rnd, :bb => @server_rnd, :b => @server_rnd_exp + @server_auth = 'adfe' end test "should get login screen" do @@ -21,11 +23,13 @@ class SessionsControllerTest < ActionController::TestCase user.expects(:initialize_auth). with(@client_rnd). returns(@server_handshake) + @server_handshake.expects(:to_json). + returns({'B' => @server_hex, 'salt' => @salt}.to_json) User.expects(:find_by_param).with(user.login).returns(user) post :create, :login => user.login, 'A' => @client_hex assert_equal @server_handshake, session[:handshake] assert_response :success - assert_json_response :B => @server_hex + assert_json_response :B => @server_hex, :salt => @salt end test "should report user not found" do @@ -39,9 +43,11 @@ class SessionsControllerTest < ActionController::TestCase test "should authorize" do session[:handshake] = @server_handshake user = stub :login => "me", :id => 123 - user.expects(:authenticate!). - with(@client_rnd, @server_handshake). + @server_handshake.expects(:authenticate!). + with(@client_rnd). returns(@server_auth) + @server_handshake.expects(:to_json). + returns({:M2 => @server_auth}.to_json) User.expects(:find_by_param).with(user.login).returns(user) post :update, :id => user.login, :client_auth => @client_hex assert_nil session[:handshake] @@ -52,8 +58,8 @@ class SessionsControllerTest < ActionController::TestCase test "should report wrong password" do session[:handshake] = @server_handshake user = stub :login => "me", :id => 123 - user.expects(:authenticate!). - with(@client_rnd, @server_handshake). + @server_handshake.expects(:authenticate!). + with(@client_rnd). raises(WRONG_PASSWORD) User.expects(:find_by_param).with(user.login).returns(user) post :update, :id => user.login, :client_auth => @client_hex -- cgit v1.2.3