Add specs using pedicel pay

[kse-clearhaus]

Added unit tests, small code cleanups.

Primary goal right now would be to add a few comments to the library, as well as clean up the code slightly.

Not to be merged yet.

[ct-clearhaus]

To keep diffs small, when adding another line, I prefer the trailing , 🙂

[kse-clearhaus]

So do i :)
Was just following rubocop recommendations. I'll change the rubocop warning, then.

[ct-clearhaus]

I like the idea to rename DEFAULTS[:apple_root_ca_g3_cert_pem] to DEFAULTS[:trusted_ca_pem] but I'd like to have APPLE_ROOT_CA_G3_CERT_PEM inside the Pedicel module.

[ct-clearhaus]

I think it's perfectly fine to raise an ArgumentError; one wouldn't want to catch such an error (I think) when rescuing Pedicel::Errors?

[kse-clearhaus]

I agree! I'd missed the builtin ArgumentError :/

[ct-clearhaus]

This breaks the alignment of the comments below.

Do not fear a few long lines 🙂

[kse-clearhaus]

I can live with the long lines then :)
Though this break was more for clarity, with which it didn't help, of course. Going to look at it again.

[ct-clearhaus]

At first sight, I did only notice the wrapping. Now I notice !private_key.nil? -> private_key.

I don't know if I like it. Generally I certainly do because if foo reads better than if !foo.nil?, but since !x.nil? is necessary earlier on the line (because ^ will not coerce), I don't really know.

I'm indifferent and I guess you prefer the coercing version, let's go with it 🙂

[ct-clearhaus]

Rather no comment IMO.

[kse-clearhaus]

I agree that the comment I wrote does not make sense :)
But do you mean no comments at all?
I was considering writing some simple rdoc documentation.

[ct-clearhaus]

I'd like to see comments exactly when I need to read the comments in order to understand the code.

My reasoning:

• If a method needs a comment to understand what the method is doing, then rename the method name and/or parameters.
• If I need to really understand, I'd read the source code anyway.
• Comments will over time drift from the actual code since nothing enforces (or tests) that the comments are aligned with the code. Thus, over time, comments will inevitably be wrong. And, rather no comments than wrong/misleading/... comments.

[ct-clearhaus]

Why? The initial check ("assert style-ish" programming) shouldn't be carried "all over" IMO.

symmetric_key can itself derive the merchant_id; no reason to copy the code.

[kse-clearhaus]

It's a bit of pedantry I guess.
When called with (symmetric_key and private_key), it would fail in symmetric_key(), since neither certificate nor merchant_id was defined, so I added

+      if private_key && merchant_id
+        symmetric_key = symmetric_key(
+          private_key: private_key,
+          merchant_id: merchant_id
+        )

I guess the check above came as a side-effect of that.

Though, it would probably make sense to argue that the function should fail if passed only symmetric_key and private_key. which it would with the original code.

My thought when I wrote it was probably that it wasn't entirely clear.

[ct-clearhaus]

The initial check would fail if symmetric_key && private_key.

[kse-clearhaus]

No it doesn't. A unit test like the following fails:

describe 'decrypt'
  context 'should fail on' do
    it 'excessive arguments' do
      backend, merchant, token, _data = PedicelPay::Helper.generate_all

      p = Pedicel::EC.new(
        JSON.parse(token.to_json),
        config: Pedicel::DEFAULTS.merge(
          trusted_ca_pem: backend.ca_certificate
        )
      )

      merchant_id = merchant.merchant_id
      certificate = merchant.certificate
      private_key = merchant.key
      symmetric_key = p.symmetric_key(
        certificate: merchant.certificate,
        private_key: merchant.key
      )
      expect do
        p.decrypt(
          symmetric_key: symmetric_key,
          private_key: private_key
        )
      end.to raise_error(ArgumentError)
    end
  end
end

With symmetric_key and private_key the right side evaluates to false, while the left side evaluates to true, satisfying the XOR.

[ct-clearhaus]

Indeed. The logic is broken.

[ct-clearhaus]

Is rubocop asking for this formatting?

[kse-clearhaus]

Yes, both regarding line-lengths and StandardError.
I would probably prefer omitting StandardError, so I'd be happy to change it back :)

[kse-clearhaus]

Would changing it back be okay?

[ct-clearhaus]

Is rubocop asking for this formatting?

I think I might even prefer it glued into one long line. Easier for grep'ing.

[kse-clearhaus]

Fixed, sort of. :)

[ct-clearhaus]

Is rubocop asking for this formatting?

[ct-clearhaus]

I think it shouldn't be needed; see below.

[mt-clearhaus]

I would combine these two lines, rather than having a line break after unless, or replace them with an unless ...\n ...\n end structure.

🚲 🏠

[mt-clearhaus]

It is in the category "do not fear a few long lines", mentioned by @ct-clearhaus earlier.

[mt-clearhaus]

The keys :EC_v1 and :RSA_v1 are symbols, but version appears to return a string.

[kse-clearhaus]

Version currently returns a string:

    def version
      @token['version']&.to_sym
    end

This is a problem, however, since it is used in a string above:

      raise VersionError, "unsupported version: #{version}" unless SUPPORTED_VERSIONS.include?(@token['version'])

I'll change to consistent symbol use unless the other is preferred :)

[ct-clearhaus]

Why is that a problem?

irb(main):001:0> "#{:foobar}"
=> "foobar"

[ct-clearhaus]

Also version returns a symbol 🙂

[mt-clearhaus]

Hmm, when I reviewed and searched for "def version" on the page https://github.com/clearhaus/pedicel/pull/7/files , I got the following:

i.e. [@token['applicationData']].pack('H*'). I still do. Weird. I have checked out the branch locally and see @token['version']&.to_sym.

My point was:

> { EC_v1: 1, RSA_v1: 2 }['EC_v1']
=> nil

[mt-clearhaus]

Never mind 🙂 Notice on the screenshot that def version is on line 24, whereas [@token['applicationData']].pack('H*') is on line 47. GitHub collapsed the lines in between. Thanks to @ct-clearhaus for noticing.

[ct-clearhaus]

I was apparently cheated too. First after thinking why applicationData had to do with version my eyes could see 🙂

[kse-clearhaus]

I definitely meant symbol, but wrote string :)

It turns out to not be a problem, but I got sidetracked and looked at different issues here.
I had simply assumed that:

puts("Hello " + :world)

would be functionally similar to:

puts("Hello #{:world}")

[mt-clearhaus]

Hmm, both . and :: work for invoking a singleton method in a module. I wonder which one is the most blessed? 🙂

[ct-clearhaus]

. is: https://github.com/bbatsov/ruby-style-guide#double-colons

[mt-clearhaus]

Is => _ not superfluous?

[kse-clearhaus]

Yes, will be fixed along with standarderror

[mt-clearhaus]

Maybe also s/Pedicel.config/config/ here, like it has been changed in other places?

[kse-clearhaus]

The plan was to have config: Pedicel.config as default for functions that require it, which means functions use config to refer to the parameter, which by default is Pedicel.config.

[kse-clearhaus]

I would prefer letting it be Pedicel.config, simply because it's easier to see where it comes from. What do you think?

[mt-clearhaus]

Dash is not hex.

[kse-clearhaus]

Yup, trailing dash was an error.

[mt-clearhaus]

Do we want these rubocop magic knobs? We have not used Rubocop, at least in PCI, the last two years. Are we starting to?

[ct-clearhaus]

We could use codeclimate ...

[kse-clearhaus]

I like having some style-checker, but it's not up to me.

Is there a specific reason to use CodeClimate instead on rubocop?
Rubocop seems to work well for me. It's the ruby language that generates the errors.

[mt-clearhaus]

A lot of fine changes and specs, but also a lot of controversial Rubocop-inspired weirdness. I will let @ct-clearhaus take steering on style, as he has written most of our code (in general) and started this repo.

[ct-clearhaus]

Why should signing_time_ok? disappear?

[kse-clearhaus]

Hmm. I guess the predicate signing_time_ok? would be a good choice to keep, but as it is, the functionality existed in self.verify_signed_time.

[ct-clearhaus]

I see. And agree.

I think I tried making the replay-check part of the validation but gave up. (Notice cms_signing_time is left without an implementation 🙂)

[kse-clearhaus]

I agree that it could be argued that the replay-check could be part of the validation :)
I viewed the validation as a syntax check, as opposed to a semantic check.

[ct-clearhaus]

I subjectively like the class/module name to specify the scope mostly because it is much easier to understand where to find the method IMO; thus, concerning "readability".

[kse-clearhaus]

Yeah, ruby is funny like that.
Hmm. There's also the question that a class function fetches an instance variable:

  def self.config
    @config ||= DEFAULTS
  end

I'm just going to think on this for a bit.

[kse-clearhaus]

In this case config is an argument to the function.

[kse-clearhaus]

It's difficult to get an overview of the coverage of the tests, but I believe the tests are quite comprehensive.

[kse-clearhaus]

I don't recall, is this a deep check that one certificate matches the other correctly (does the certificate have the same issuer, public key, subject name etc.) or just by object matching?

I assume it's the first. :)

[ct-clearhaus]

I would be surprised if it's not ensuring that the certs are "as certs" the same, but I'll dig deeper to ensure.

[ct-clearhaus]

Fixed by 76c7555

[kse-clearhaus]

Is this just in case the certificate is bad or could there actually be non-hex characters there?

[ct-clearhaus]

Thanks for asking! 💯

In the spreedly/Gala example there are non-hex chars. They fixed it by skipping these initial non-hex chars: https://github.com/spreedly/gala/blob/master/lib/gala/payment_token.rb#L87

This was my attempt at a more general solution.

[kse-clearhaus]

How peculiar! 👍

[kse-clearhaus]

I have to admit, I'm not a huge fan of this.
My preference would to not have any global variables (class level), so only instance variables are set.

[ct-clearhaus]

#10 +41 -90 lines, so I'm pretty happy 🙂

[ct-clearhaus]

There are good reasons for both:

• https://github.com/bbatsov/ruby-style-guide#consistent-multi-line-chains
• include '.' on first line of multiline chained method invocations rubocop/ruby-style-guide#176

I'm 🤷‍♂️ for which to choose (recently perhaps leaning towards the reasoning in rubocop/ruby-style-guide#176 (comment)). I expect (because git blame 😛) that @kse-clearhaus prefer the "dot in the front" style (which, depending on your way of thinking, could make more sense when used with & as the safe navigation operator). @kse-clearhaus can you confirm?

[ct-clearhaus]

I fell into a crater.

Think about

ary = [1,2,3]

or alike through this.

If something is commented out, then it's because it doesn't work.

Comments

#ary \ # Single-line comment.
#  .slice(5..-1) \
#  &.first \
#  &.zero?

ary \
  # Single-line comment.
  .slice(5..-1) \
  &.first \
  &.zero?

#ary \
#  # Multi-line
#  # comment.
#  .slice(5..-1) \
#  &.first \
#  &.zero?

ary # Single-line comment.
  .slice(5..-1)
  &.first
  &.zero?

#ary
#  # Single-line comment.
#  .slice(5..-1)
#  &.first
#  &.zero?

#ary
#  # Multi-line
#  # comment.
#  .slice(5..-1)
#  &.first
#  &.zero?

ary. # Single-line comment.
  slice(5..-1)&.
  first&.
  zero?

ary.
  # Single-line comment.
  slice(5..-1)&.
  first&.
  zero?

ary.
  # Multi-line
  # comment.
  slice(5..-1)&.
  first&.
  zero?

Clear winner: "trailing ."

Commenting out lines

ary \
  #.slice(5..-1) \
  &.first \
  &.zero?

#ary \
#  .slice(5..-1) \
#  &.first \
#  #&.zero?

#ary \
#  .slice(5..-1) \
#  &.first \
#  #&.zero?

ary
  #.slice(5..-1)
  &.first
  &.zero?

ary
  .slice(5..-1)
  &.first
  #&.zero?

ary
  #.slice(5..-1)
  #&.first
  #&.zero?

ary.
  #slice(5..-1)&.
  first&.
  zero?

#ary.
#  slice(5..-1)&.
#  first&.
#  #zero?

#ary.
#  #slice(5..-1)&.
#  #first&.
#  #zero?

As for "trailing \ leading ." and "trailing .": Notice the inconsistency:
iff you comment out the last line, things will break.

REPL pasting

ary \
  .slice(5..-1) \
  &.first \
  &.zero?

ary.
  slice(5..-1)&.
  first&.
  zero?

ary
  .slice(5..-1)
  &.first
  &.zero?

In this, 1 < m < n < 4 (and as for Array#[], "4 = -1").

Things you could do and why

The "whys" are just examples.

Pasting line 1

What's that ary thingy?

Pasting line 1..m:

It fails at some point, let me divide and conquer to see some intermediate
value.

Pasting line m..-1:

I have this toy ary at hand in my REPL, modify this the same way as would
happen with the more complex one that fails.

Pasting line m..n:

As above, but divide and conquer to understand what is happening.

Pasting line m..m:

What's this thing doing to my toy ary?

Support matrix

                        1       1..m    m..-1   m..n    m..m
                        -----   -----   -----   -----   -------
 trailing , leading .   + (a)   + (a)   +       + (a)   + (a)
           trailing .   + (b)   + (b)   + (c)   + (c)   + (b,c)
            leading .   +       -       -       -       +

(a): After the trailing \, hit enter (again).
(b): Delete the trailing ..
(c): Add a . in the REPL before pasting.

[ct-clearhaus]

Just updated the above.

I think that it's more important to have comments in code (and that it's possible to comment the code "freely") than it is to be able to debug code easily (by either commenting out lines or C&P'ing to a REPL).
Reasons:

• The comments are supposed to exist for a long time and be read multiple times (by a later self)
• Debugging is (hopefully) done less frequently.
• It's not too hard to also comment out a trailing \ or ..
• It's not too hard to add a . or delete a trailing \ or . in a REPL.

Thus, I think I still lean towards "trailing .". But!

Assume you care more about commenting out code than pasting in a REPL. Then:

Why not get the benefits from "leading ." if you don't need the "comment freedom"?

"Because consistency" and "your eyes should only care about one" are both rather awful reasons IMO. Seasoned developers can for sure easily read both.

My thinking: Stop commenting out code! Drop in binding.pry on the line before, and paste into the REPL. That's usually a far superior way to understand code.

Thus, "trailing ." is the winner for me.

[kse-clearhaus]

From the above, I would agree that trailing . is preferable.

However, visually and semantically, I still much prefer a leading ..
In a sense, I read a leading . as a self-sufficient line, you start somewhere and you know where you're going.
I read the . as something like and then do. I read

ary
  .slice(5..-1)
  &.first
  &.zero?

as

Take ary,
then slice it,
then first,
then zero?

I read

ary. # Single-line comment.
  slice(5..-1)&.
  first&.
  zero?

as

Take ary then,
slice it then,
first then,
zero?

Where I clearly prefer the former.

With regards to:

Leading dots are an antipattern:

1. They require the continuation to be present at precisely next line. (I.e. you cannot put more than one in-line comment in between.)
2. They break mental context by requiring one to always analyze one more line of code.
3. Most importantly, code written with leading dots cannot be copied and pasted to irb/pry.

1. That's true. But I don't see that as a major obstacle. If you're chaining complex enough functions
   that you feel like you need to add multiline comments between them, you could probably refactor.
2. They don't break mental context, the indentation on the next line indicate if it continues or not, at the very worst you can look at the first character.
3. True, but when I'm in ViM I can just select the lines and shift + j to join them.

I think the most important part is that we're consistent about our choice. So I'd gladly use trailing .s :)

[ct-clearhaus]

You cannot Join lines if there are comments 🙂

[ct-clearhaus]

I'm happy. What about you @kse-clearhaus and @mt-clearhaus?

[mt-clearhaus]

👍