Add dummy browserid verification function.

This allows us to run tests with well-formed but invalid browserid assertions. Next step is a configuration option to switch it on/off at server startup.
2011-12-07 23:27:37 +11:00 · 2011-12-07 23:27:37 +11:00 · 52129fdd36
--- a/loadtest/test_sauropod.py
+++ b/loadtest/test_sauropod.py
@ -5,6 +5,8 @@ from urllib import quote as urlquote
 from urllib import unquote as urlunquote
 from urlparse import urljoin

+import vep
+
 from funkload.FunkLoadTestCase import FunkLoadTestCase
 from funkload.utils import Data

@ -24,7 +26,8 @@ class SauropodTests(FunkLoadTestCase):
    def start_session(self, userid=None):
        if userid is None:
            userid = "user%d@moz.com" % random.randint(0, self.num_users - 1)
-        params = {"audience": self.audience, "assertion": self.userid}
+        assertion = vep.DummyVerifier.make_assertion(userid, self.audience)
+        params = {"audience": self.audience, "assertion": assertion}
        res = self.post(urljoin(self.root_url, "/session/start"),
                        params=params)
        self.assertEquals(res.code, 200)
--- a/srv/main.js
+++ b/srv/main.js
@ -56,10 +56,48 @@ sauropod.use(express.static(__dirname + '/'));

 var tokens = {} // TODO: Randomly generated uuid's, only in memory

+
+//  A dummy routine that just parses BrowserID assertions without verifying.
+//  For use in testing scenarios..
+function dummyVerifyBrowserID(assertion, audience, cb) {
+    function base64urldecode(arg) {
+        var s = arg;
+        s = s.replace(/-/g, '+'); // 62nd char of encoding
+        s = s.replace(/_/g, '/'); // 63rd char of encoding
+        switch (s.length % 4) // Pad with trailing '='s
+        {
+            case 0: break; // No pad chars in this case
+            case 2: s += "=="; break; // Two pad chars
+            case 3: s += "="; break; // One pad char
+            default: throw new InputException("Illegal base64url string!");
+        }
+        var buf = new Buffer(s, "base64");
+        return buf.toString("ascii");
+    }
+    function parseJWT(arg) {
+        var data = arg.split(".");
+        var payload = JSON.parse(base64urldecode(data[1]));
+        return payload
+    }
+    try {
+        var bundle = JSON.parse(base64urldecode(assertion));
+        var cert = bundle["certificates"][bundle["certificates"].length - 1];
+        var assert = bundle["assertion"]
+        if (parseJWT(assert)["aud"] != audience) {
+            cb({'error': 'Invalid user'});
+        } else {
+            cb({'success': parseJWT(cert)["principal"]["email"]});
+        }
+    } catch (e) {
+        cb({'error': 'Invalid assertion'});
+    }
+}
+
+
+//  The real routine to verify BrowserID assertions.
+//  For use in production.
 function verifyBrowserID(assertion, audience, cb)
 {
-    // Uncomment this to stub out verification for testing purposes
-    //return cb({success: audience});
    var cert = 'assertion=' + encodeURIComponent(assertion) + '&audience=' + encodeURIComponent(audience);

    var options = {