I’ve now got basic function test coverage for the OpenID consumer functionality. It required me to intercept get and post requests to the get Rails to recognize and process them. I also had to add two methods to ActionController::TestResponse to make it more closely emulate
I can test degrading from smart to dumb consumer, but in order to test things like non-DiffieHellman session types, further alterations to the consumer will be required. Also, test complete means that at this point I should expect to interop with well-behaved implementations, not that this code is fully immune to attacks. For example, I don’t yet verify TrustRoots.
Inevitably, there will be bugs, but at this point each bug should be expressible as a test case.
The most interesting bug that was found during this process was a case where the signatures did not match, where the difference was only in trailing blanks. The root cause was running with MySQL version <= 5.0. Such a problem would have been very difficult to track down in production. But it was easy to fix.
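One way a trailing-blank difference can break signature checks, as an added example that is not code from the original post: it assumes the value that lost its trailing blanks was a raw association secret kept in a text column, and it simulates that column with a hypothetical `StrippingStore` class rather than a real MySQL server. The secret, field values and handle names are constructed.

```ruby
require 'openssl'
require 'base64'

# Hypothetical stand-in for a text column that drops trailing spaces on store
# (assumed behaviour of the old MySQL versions mentioned above).
class StrippingStore
  def initialize
    @rows = {}
  end

  def put(handle, value)
    @rows[handle] = value.sub(/ +\z/, '')
  end

  def get(handle)
    @rows[handle]
  end
end

# HMAC-SHA1 over "key:value\n" lines, base64 encoded (OpenID 1.x style).
def sign(secret, fields)
  token = fields.map { |k, v| "#{k}:#{v}\n" }.join
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), secret, token))
end

# Compare signatures without an early exit on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed 20-byte secret whose last byte happens to be 0x20 (a space).
SECRET = ((1..19).map(&:chr).join + ' ').b
FIELDS = [['mode', 'id_res'], ['identity', 'http://example.com/'],
          ['return_to', 'http://consumer.example/complete']].freeze

STORE = StrippingStore.new
STORE.put('raw', SECRET)                          # stored as-is: last byte is lost
STORE.put('b64', Base64.strict_encode64(SECRET))  # stored encoded: no spaces to lose

def raw_secret;     STORE.get('raw'); end
def encoded_secret; Base64.strict_decode64(STORE.get('b64')); end

EXPECTED = sign(SECRET, FIELDS)
puts "raw column verifies:    #{secure_equal?(EXPECTED, sign(raw_secret, FIELDS))}"
puts "base64 column verifies: #{secure_equal?(EXPECTED, sign(encoded_secret, FIELDS))}"
```

Storing binary secrets base64-encoded (or in a binary column type) keeps the stored bytes independent of how the database treats whitespace.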
The complete set of unit and function tests (several of which include multiple virtual HTTP requests) takes about 7.5 seconds to execute on my three-year-old ThinkPad — comparable to how long it would take to compile a similarly sized application written in Java. And this includes my weblog tests as it hardly seemed worthwhile to remove them.
Ruby on Rails continues to impress me.