
Fixed broken tests and design error.

commit 9972b84f49e6123c035795e4f13df473ec7c322b 1 parent b5879a7
@pwnall authored
14 test/functional/authentication_controller_test.rb
@@ -16,12 +16,13 @@ def setup
def test_auth_with_redirect
get :auth, :nonce => @nonce, :redirect_to => 'http://www.awesome.com/auth'
- golden_url = 'http://www.awesome.com/auth?dn=costan%40mit.edu&nonce=' +
- CGI.escape(@nonce) + '&signature='
+ golden_url = 'http://www.awesome.com/auth?auth%5Bdn%5D=costan%40mit.edu' +
+ '&auth%5Bnonce%5D=' + CGI.escape(@nonce) + '&auth%5Bsignature%5D='
assert_response :redirect
url = @response.redirect_url
assert_equal golden_url, url[0, golden_url.length], 'Invalid golden URL'
- _check_signature URI.decode(url[golden_url.length..-1])
+ _check_signature_data 'dn' => @dn, 'nonce' => @nonce,
+ 'signature' => URI.decode(url.to_s[golden_url.length..-1])
end
def test_auth_with_callback
@@ -31,13 +32,12 @@ def test_auth_with_callback
assert_equal @dn, data['dn'], 'DN'
assert_equal @nonce, data['nonce'], 'Nonce'
- _check_signature data['signature']
+ _check_signature_data data
end
- def _check_signature(signature)
+ def _check_signature_data(data)
flexmock(MitCertAuthProxy).should_receive(:signing_key).
and_return(SignKeyHolder.new.key.public_key)
- data = {'dn' => @dn, 'nonce' => @nonce, 'signature' => signature}
- assert MitCertAuthProxy.verify_data(data), 'Invalid signature'
+ assert MitCertAuthProxy.verify_data_signature(data), 'Invalid signature'
end
end
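Review bot: In test_auth_with_redirect the signature is taken as everything after the golden prefix (`url.to_s[golden_url.length..-1]`), which only works while `auth[signature]` is the last query parameter. That ordering follows from the `sort` in redirect_url, shown elsewhere in this commit, not from any stated contract. Reading the parameter by name would keep the test valid if a field sorting after `signature` is ever added, e.g. `CGI.parse(URI.parse(url.to_s).query)['auth[signature]'].first`. The same line calls `url.to_s` while the prefix assertion above slices `url` directly; using one form in both places would be clearer.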
2  test/functional/documentation_controller_test.rb
@@ -15,7 +15,7 @@ def test_index
def _check_sign_key(sign_key_pem)
sign_key = OpenSSL::PKey::RSA.new sign_key_pem
assert !sign_key.private?, 'Private key leaked!'
- assert_equal sign_key.inspect, SignKeyHolder.new.key.public_key.inspect,
+ assert_equal SignKeyHolder.new.key.public_key.inspect, sign_key.inspect,
'Wrong key returned'
end
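Review bot: The key comparison in _check_sign_key goes through `inspect`, which is not guaranteed to be derived from the key material. Depending on the Ruby and OpenSSL versions it may be an object-identity string (worth confirming), in which case the assertion says nothing about which key was returned. Comparing a serialisation makes the intent explicit: `assert_equal SignKeyHolder.new.key.public_key.to_pem, sign_key.to_pem, 'Wrong key returned'`. The `assert !sign_key.private?` check above it should stay as it is.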
49 vendor/plugins/mit_cert_auth_proxy/lib/mit_cert_auth_proxy.rb
@@ -30,7 +30,7 @@ def self.redirect_url(base_url, signature_data)
url.query += '&' unless url.query.empty?
# NOTE: the "sort" call is only there for determinism.
url.query += signature_data.map { |k, v|
- CGI.escape(k.to_s) + '=' + CGI.escape(v.to_s)
+ CGI.escape("auth[#{k.to_s}]") + '=' + CGI.escape(v.to_s)
}.sort.join '&'
url
end
@@ -54,8 +54,11 @@ def self.random_nonce
# Checks the authentication data.
#
- # Returns the authentication nonce for application-specific verification, or
- # false if the authentication data shows a failure.
+ # Returns a hash with the following information on success, or
+ # false if the authentication data shows a failure.
+ # :nonce:: the application should verify it for freshness
+ # :name:: the full name in the user's MIT certificate
+ # :email:: the e-mail address in the user's MIT certificate
def self.verify_data(data)
# Step 1: SSL status.
return false if data['verify'] != 'SUCCESS'
@@ -85,6 +88,37 @@ def self.verify_data(data)
return decode_data(data)
end
+ # Generates fake authentication data for automated testing.
+ #
+ # The caller is responsible for generating an OpenSSL key pair, and for
+ # mocking signing_key to return the public key. The following code will do the
+ # trick:
+ #
+ # flexmock(MitCertAuthProxy).should_receive(:signing_key).
+ # and_return(private_sign_key.public_key)
+ #
+ # Args:
+ # name:: the full name in the DN of the fake authentication data
+ # email:: the e-mail in the DN of the fake authentication data
+ # private_sign_key:: an OpenSSL key pair used to sign the request
+ # nonce:: the nonce in the fake data; defaults to generating a random nonce
+ #
+ # Returns a hash mocking the authentication service's response.
+ def self.mock_auth_data(name, email, private_sign_key, nonce = random_nonce)
+ dn = '/C=US/ST=Massachusetts/O=Massachusetts Institute of Technology/' +
+ 'OU=Client CA v1/CN=' + name + '/' + 'emailAddress=' + email
+ issuer_dn = '/C=US/ST=Massachusetts/O=Massachusetts Institute of ' +
+ 'Technology/OU=Client CA v1'
+
+ data = {'dn' => dn, 'issuer_dn' => issuer_dn, 'verify' => 'SUCCESS',
+ 'serial' => 'D376EC2AE81A03E10743D175CB659F58',
+ 'nonce' => nonce, 'valid_from' => (Time.now - 120).utc.to_s,
+ 'valid_until' => (Time.now + 120).utc.to_s,
+ 'cipher' => 'DHE-RSA-CAMELLIA256-SHA', 'protocol' => 'TLSv1',
+ 'ssl_sig' => 'sha1WithRSAEncryption'}
+ sign_data! private_sign_key, data
+ end
+
# URL to MIT's page explaining how to obtain certificates.
#
# Sites that need for MIT certificates should have a link to this page. The
@@ -101,7 +135,7 @@ def self.mit_certificates_url
def self.verify_data_signature(data)
signature = data['signature'].unpack('m').first
blob = _presign_blob data
- signing_key.verify OpenSSL::Digest::SHA1.new, signature, blob
+ signing_key.verify OpenSSL::Digest::SHA256.new, signature, blob
end
# Extracts the interesting fields from the authentication data.
@@ -123,10 +157,13 @@ def self.decode_data(data)
# This should only be called by the authentication proxy itself. Other library
# users won't have the private signing key, so they won't get much use out of
# this method.
+ #
+ # Returns the modified authentication data.
def self.sign_data!(private_sign_key, data)
- blob = _presign_blob data
- raw_signature = private_sign_key.sign OpenSSL::Digest::SHA1.new, blob
+ blob = _presign_blob data
+ raw_signature = private_sign_key.sign OpenSSL::Digest::SHA256.new, blob
data['signature'] = [raw_signature].pack('m')
+ data
end
# Computes the blob of text to be signed.
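Review bot: verify_data_signature calls `data['signature'].unpack('m')` without checking that the value is a String, so a request that omits `auth[signature]` or sends it as a nested or array parameter would raise NoMethodError instead of being rejected. That holds unless verify_data validates the field before calling, which the hunks here do not show. A guard such as `return false unless data['signature'].is_a?(String)` as the first line keeps malformed input on the `false` path. Separately, the digest is now named in two places (`OpenSSL::Digest::SHA256.new` in verify_data_signature and in sign_data!); a shared constant would stop the signing and verifying sides drifting apart on the next algorithm change. Because this is a hard cutover, a proxy still signing with SHA-1 will fail verification against the updated library, so both ends need to be deployed together.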
21 vendor/plugins/mit_cert_auth_proxy/test/mit_cert_auth_proxy_test.rb
@@ -18,11 +18,14 @@ def test_mit_ca_paths
def test_redirect_url
data = {:s => :win, 't u' => 'also win'}
- [['http://www.awesome.com', 'http://www.awesome.com?s=win&t+u=also+win'],
- ['http://mit.edu/', 'http://mit.edu/?s=win&t+u=also+win'],
- ['http://mit.edu/page', 'http://mit.edu/page?s=win&t+u=also+win'],
+ [['http://www.awesome.com',
+ 'http://www.awesome.com?auth%5Bs%5D=win&auth%5Bt+u%5D=also+win'],
+ ['http://mit.edu/',
+ 'http://mit.edu/?auth%5Bs%5D=win&auth%5Bt+u%5D=also+win'],
+ ['http://mit.edu/page',
+ 'http://mit.edu/page?auth%5Bs%5D=win&auth%5Bt+u%5D=also+win'],
['http://mit.edu/page?q=one',
- 'http://mit.edu/page?q=one&s=win&t+u=also+win']
+ 'http://mit.edu/page?q=one&auth%5Bs%5D=win&auth%5Bt+u%5D=also+win']
].each do |base_url, golden_url|
assert_equal golden_url,
MitCertAuthProxy.redirect_url(base_url, data).to_s,
@@ -89,4 +92,14 @@ def test_mit_certificates_url
assert /certificates at mit/i =~ page,
'The linked page doesn\'t contain "certificates at mit"'
end
+
+ def test_mock_auth_data
+ key = OpenSSL::PKey::RSA.generate 512
+ flexmock(MitCertAuthProxy).should_receive(:signing_key).
+ and_return(key.public_key)
+ data = MitCertAuthProxy.mock_auth_data 'VMC', 'vmc@MIT.EDU', key,
+ 'some nonce'
+ golden = { :name => 'VMC', :email => 'vmc@MIT.EDU', :nonce => 'some nonce' }
+ assert_equal golden, MitCertAuthProxy.verify_data(data)
+ end
end
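Review bot: test_mock_auth_data signs with `OpenSSL::PKey::RSA.generate 512`, which leaves almost no headroom now that signing uses SHA-256. The PKCS#1 v1.5 encoding of a SHA-256 digest needs 62 of the 64 bytes in a 512-bit modulus, so any larger digest would not fit, and some OpenSSL builds or policies refuse keys this small. A larger key avoids both problems, e.g. `key = OpenSSL::PKey::RSA.generate 2048`, generated once per run or loaded from a fixture to keep the suite fast. The setup in signature_verification_test.rb uses the same 512-bit size.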
18 vendor/plugins/mit_cert_auth_proxy/test/signature_verification_test.rb
@@ -12,21 +12,11 @@ def setup
@@key ||= OpenSSL::PKey::RSA.generate 512
@key = @@key
-
- dn = '/C=US/ST=Massachusetts/O=Massachusetts Institute of Technology/' +
- 'OU=Client CA v1/CN=Victor Marius Costan/' +
- 'emailAddress=costan@MIT.EDU'
- issuer_dn = '/C=US/ST=Massachusetts/O=Massachusetts Institute of ' +
- 'Technology/OU=Client CA v1'
-
+
@nonce = 'O9eYWU/t1NSb+ZDmfniqizBSeNhVtsnTHS1H3T2FtRc='
- @data = {'dn' => dn, 'issuer_dn' => issuer_dn, 'verify' => 'SUCCESS',
- 'serial' => 'D376EC2AE81A03E10743D175CB659F58',
- 'nonce' => @nonce, 'valid_from' => (Time.now - 120).utc.to_s,
- 'valid_until' => (Time.now + 120).utc.to_s,
- 'cipher' => 'DHE-RSA-CAMELLIA256-SHA', 'protocol' => 'TLSv1',
- 'ssl_sig' => 'sha1WithRSAEncryption'}
-
+ @data = MitCertAuthProxy.mock_auth_data 'Victor Marius Costan',
+ 'costan@MIT.EDU', @key, @nonce
+ @data.delete 'signature'
flexmock(MitCertAuthProxy).should_receive(:signing_key).
and_return(@key.public_key)
end