convert breach migration plugin to proper gem and fix name

Change-Id: Ie26495b5ea3e09f31b6b80d643679fe94ca9816b
Reviewed-on: https://gerrit.instructure.com/29455
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Stephan Hagemann <stephan@pivotallabs.com>
Product-Review: Stephan Hagemann <stephan@pivotallabs.com>
QA-Review: Stephan Hagemann <stephan@pivotallabs.com>

Gemfile

@@ -144,9 +144,10 @@ gem 'crocodoc-ruby', '0.0.1', :require => 'crocodoc'
 # we can go back to the gem once 1.7.8 is released
 gem 'regru-premailer', :require => 'premailer', :github => "regru/premailer", :ref => "08a73c70701f5d81bc4a5cf6c959a45ad94db88e"
 
-gem 'canvas_sanitize', path: 'gems/canvas_sanitize'
+gem 'canvas_breach_mitigation', path: 'gems/canvas_breach_mitigation'
 gem 'canvas_crummy', path: 'gems/canvas_crummy'
 gem 'canvas_mimetype_fu', path: 'gems/canvas_mimetype_fu'
+gem 'canvas_sanitize', path: 'gems/canvas_sanitize'
 
 group :assets do
   gem 'compass-rails', '1.0.3'

app/controllers/application_controller.rb

@@ -1020,15 +1020,15 @@ class ApplicationController < ActionController::Base
         redirect_to(login_url(:needs_cookies => '1'))
         return false
       else
-        raise(ActionController::InvalidAuthenticityToken) unless BreachMitigation::MaskingSecrets.valid_authenticity_token?(session, form_authenticity_param) ||
-          BreachMitigation::MaskingSecrets.valid_authenticity_token?(session, request.headers['X-CSRF-Token'])
+        raise(ActionController::InvalidAuthenticityToken) unless CanvasBreachMitigation::MaskingSecrets.valid_authenticity_token?(session, form_authenticity_param) ||
+          CanvasBreachMitigation::MaskingSecrets.valid_authenticity_token?(session, request.headers['X-CSRF-Token'])
       end
     end
     Rails.logger.warn("developer_key id: #{@developer_key.id}") if @developer_key
   end
 
   def form_authenticity_token
-    BreachMitigation::MaskingSecrets.masked_authenticity_token(session)
+    CanvasBreachMitigation::MaskingSecrets.masked_authenticity_token(session)
   end
 
   API_REQUEST_REGEX = %r{\A/api/v\d}

gems/canvas_breach_mitigation/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

gems/canvas_breach_mitigation/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

gems/canvas_breach_mitigation/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

gems/canvas_breach_mitigation/README.md

@@ -1,4 +1,8 @@
-# breach-mitigation-rails
+# Canvas Breach Mitigation
+
+This is a fork of the breach-mitigation-rails gem: http://rubygems.org/gems/breach-mitigation-rails
+
+TODO: Ideally this should be replaced with the gem
 
 Makes Rails applications less susceptible to the BREACH /
 CRIME attacks. See [breachattack.com](http://breachattack.com/) for

gems/canvas_breach_mitigation/canvas_breach_mitigation.gemspec

@@ -0,0 +1,19 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = "canvas_breach_mitigation"
+  spec.version       = '0.0.1'
+  spec.authors       = ["Raphael Weiner", "David Julia"]
+  spec.email         = ["rweiner@pivotallabs.com", "djulia@pivotallabs.com"]
+  spec.summary       = %q{Subset of breach-mitigation-rails gem}
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rspec"
+end

gems/canvas_breach_mitigation/lib/canvas_breach_mitigation.rb

@@ -0,0 +1,3 @@
+module CanvasBreachMitigation
+  require "canvas_breach_mitigation/masking_secrets"
+end

gems/canvas_breach_mitigation/lib/canvas_breach_mitigation/masking_secrets.rb

@@ -1,4 +1,4 @@
-module BreachMitigation
+module CanvasBreachMitigation
   class MaskingSecrets
     class << self
       AUTHENTICITY_TOKEN_LENGTH = 32

gems/canvas_breach_mitigation/spec/masking_secrets_spec.rb

@@ -0,0 +1,52 @@
+require "spec_helper"
+
+describe CanvasBreachMitigation::MaskingSecrets do
+  before do
+    Rails = double("Rails").as_null_object unless defined? Rails
+  end
+
+  let(:masking_secrets) { CanvasBreachMitigation::MaskingSecrets }
+
+  describe ".masked_authenticity_token" do
+    it "puts :_csrf_token into the supplied session" do
+      session = {}
+      masking_secrets.masked_authenticity_token(session)
+      session[:_csrf_token].should_not be_nil
+    end
+
+    it "returns a byte string" do
+      masking_secrets.masked_authenticity_token({}).should_not be nil
+    end
+  end
+
+  describe ".valid_authenticity_token?" do
+    let(:session) do
+      # Seed a session with a :_csrf_token
+      Hash.new.tap do |session|
+        masking_secrets.masked_authenticity_token(session)
+      end
+    end
+
+    it "returns true for a valid unmasked token" do
+      valid_unmasked = session[:_csrf_token]
+      masking_secrets.valid_authenticity_token?(session, valid_unmasked).should == true
+    end
+
+    it "returns false for an invalid unmasked token" do
+      masking_secrets.valid_authenticity_token?(session, SecureRandom.base64(32)).should == false
+    end
+
+    it "returns true for a valid masked token" do
+      valid_masked = masking_secrets.masked_authenticity_token(session)
+      masking_secrets.valid_authenticity_token?(session, valid_masked).should == true
+    end
+
+    it "returns false for an invalid masked token" do
+      masking_secrets.valid_authenticity_token?(session, SecureRandom.base64(64)).should == false
+    end
+
+    it "returns false for a token of the wrong length" do
+      masking_secrets.valid_authenticity_token?(session, SecureRandom.base64(2)).should == false
+    end
+  end
+end

gems/canvas_breach_mitigation/spec/spec_helper.rb

@@ -0,0 +1,22 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+
+require "canvas_breach_mitigation"
+require 'securerandom'
+require 'base64'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

lib/authentication_methods.rb

@@ -119,8 +119,8 @@ module AuthenticationMethods
         @developer_key ||
           request.get? ||
           !allow_forgery_protection ||
-          BreachMitigation::MaskingSecrets.valid_authenticity_token?(session, form_authenticity_param) ||
-          BreachMitigation::MaskingSecrets.valid_authenticity_token?(session, request.headers['X-CSRF-Token']) ||
+          CanvasBreachMitigation::MaskingSecrets.valid_authenticity_token?(session, form_authenticity_param) ||
+          CanvasBreachMitigation::MaskingSecrets.valid_authenticity_token?(session, request.headers['X-CSRF-Token']) ||
           raise(AccessTokenError)
       end
     end