Add Keybase integration (#10297)

* create account_identity_proofs table * add endpoint for keybase to check local proofs * add async task to update validity and liveness of proofs from keybase * first pass keybase proof CRUD * second pass keybase proof creation * clean up proof list and add badges * add avatar url to keybase api * Always highlight the “Identity Proofs” navigation item when interacting with proofs. * Update translations. * Add profile URL. * Reorder proofs. * Add proofs to bio. * Update settings/identity_proofs front-end. * Use `link_to`. * Only encode query params if they exist. URLs without params had a trailing `?`. * Only show live proofs. * change valid to active in proof list and update liveness before displaying * minor fixes * add keybase config at well-known path * extremely naive feature flagging off the identity proof UI * fixes for rubocop * make identity proofs page resilient to potential keybase issues * normalize i18n * tweaks for brakeman * remove two unused translations * cleanup and add more localizations * make keybase_contacts an admin setting * fix ExternalProofService my_domain * use Addressable::URI in identity proofs * use active model serializer for keybase proof config * more cleanup of keybase proof config * rename proof is_valid and is_live to proof_valid and proof_live * cleanup * assorted tweaks for more robust communication with keybase * Clean up * Small fixes * Display verified identity identically to verified links * Clean up unused CSS * Add caching for Keybase avatar URLs * Remove keybase_contacts setting

Add Keybase integration (#10297)
9c4cbdba · Eugen Rochko · GitHub · 42c581c4 · 9c4cbdba · 9c4cbdba
Unverified Commit 9c4cbdba authored 6 years ago by Eugen Rochko Committed by GitHub 6 years ago
--- a/config/navigation.rb
+++ b/config/navigation.rb
@@ -14,6 +14,7 @@ SimpleNavigation::Configuration.run do |navigation|
      settings.item :import, safe_join([fa_icon('cloud-upload fw'), t('settings.import')]), settings_import_url
      settings.item :export, safe_join([fa_icon('cloud-download fw'), t('settings.export')]), settings_export_url
      settings.item :authorized_apps, safe_join([fa_icon('list fw'), t('settings.authorized_apps')]), oauth_authorized_applications_url
+      settings.item :identity_proofs, safe_join([fa_icon('key fw'), t('settings.identity_proofs')]), settings_identity_proofs_path, highlights_on: %r{/settings/identity_proofs*}
    end

    primary.item :relationships, safe_join([fa_icon('users fw'), t('settings.relationships')]), relationships_url

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -22,6 +22,8 @@ Rails.application.routes.draw do
  get '.well-known/host-meta', to: 'well_known/host_meta#show', as: :host_meta, defaults: { format: 'xml' }
  get '.well-known/webfinger', to: 'well_known/webfinger#show', as: :webfinger
  get '.well-known/change-password', to: redirect('/auth/edit')
+  get '.well-known/keybase-proof-config', to: 'well_known/keybase_proof_config#show'
+
  get 'manifest', to: 'manifests#show', defaults: { format: 'json' }
  get 'intent', to: 'intents#show'
  get 'custom.css', to: 'custom_css#show', as: :custom_css
@@ -106,6 +108,8 @@ Rails.application.routes.draw do
      resource :confirmation, only: [:new, :create]
    end

+    resources :identity_proofs, only: [:index, :show, :new, :create, :update]
+
    resources :applications, except: [:edit] do
      member do
        post :regenerate
@@ -248,6 +252,9 @@ Rails.application.routes.draw do
    # OEmbed
    get '/oembed', to: 'oembed#show', as: :oembed

+    # Identity proofs
+    get :proofs, to: 'proofs#index'
+
    # JSON / REST API
    namespace :v1 do
      resources :statuses, only: [:create, :show, :destroy] do

--- a/db/migrate/20190316190352_create_account_identity_proofs.rb
+++ b/db/migrate/20190316190352_create_account_identity_proofs.rb
+class CreateAccountIdentityProofs < ActiveRecord::Migration[5.2]
+  def change
+    create_table :account_identity_proofs do |t|
+      t.belongs_to :account, foreign_key: { on_delete: :cascade }
+      t.string :provider, null: false, default: ''
+      t.string :provider_username, null: false, default: ''
+      t.text :token, null: false, default: ''
+      t.boolean :verified, null: false, default: false
+      t.boolean :live, null: false, default: false
+
+      t.timestamps null: false
+    end
+
+    add_index :account_identity_proofs, [:account_id, :provider, :provider_username], unique: true, name: :index_account_proofs_on_account_and_provider_and_username
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -36,6 +36,19 @@ ActiveRecord::Schema.define(version: 2019_03_17_135723) do
    t.index ["account_id", "domain"], name: "index_account_domain_blocks_on_account_id_and_domain", unique: true
  end

+  create_table "account_identity_proofs", force: :cascade do |t|
+    t.bigint "account_id"
+    t.string "provider", default: "", null: false
+    t.string "provider_username", default: "", null: false
+    t.text "token", default: "", null: false
+    t.boolean "verified", default: false, null: false
+    t.boolean "live", default: false, null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["account_id", "provider", "provider_username"], name: "index_account_proofs_on_account_and_provider_and_username", unique: true
+    t.index ["account_id"], name: "index_account_identity_proofs_on_account_id"
+  end
+
  create_table "account_moderation_notes", force: :cascade do |t|
    t.text "content", null: false
    t.bigint "account_id", null: false
@@ -732,6 +745,7 @@ ActiveRecord::Schema.define(version: 2019_03_17_135723) do
  add_foreign_key "account_conversations", "accounts", on_delete: :cascade
  add_foreign_key "account_conversations", "conversations", on_delete: :cascade
  add_foreign_key "account_domain_blocks", "accounts", name: "fk_206c6029bd", on_delete: :cascade
+  add_foreign_key "account_identity_proofs", "accounts", on_delete: :cascade
  add_foreign_key "account_moderation_notes", "accounts"
  add_foreign_key "account_moderation_notes", "accounts", column: "target_account_id"
  add_foreign_key "account_pins", "accounts", column: "target_account_id", on_delete: :cascade

--- a/spec/controllers/api/proofs_controller_spec.rb
+++ b/spec/controllers/api/proofs_controller_spec.rb
+require 'rails_helper'
+
+describe Api::ProofsController do
+  let(:alice) { Fabricate(:account, username: 'alice') }
+
+  before do
+    stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_valid.json?domain=cb6e6126.ngrok.io&kb_username=crypto_alice&sig_hash=111111111111111111111111111111111111111111111111111111111111111111&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":false}')
+    stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_live.json?domain=cb6e6126.ngrok.io&kb_username=crypto_alice&sig_hash=111111111111111111111111111111111111111111111111111111111111111111&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":true}')
+    stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_valid.json?domain=cb6e6126.ngrok.io&kb_username=hidden_alice&sig_hash=222222222222222222222222222222222222222222222222222222222222222222&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":true}')
+    stub_request(:get, 'https://keybase.io/_/api/1.0/sig/proof_live.json?domain=cb6e6126.ngrok.io&kb_username=hidden_alice&sig_hash=222222222222222222222222222222222222222222222222222222222222222222&username=alice').to_return(status: 200, body: '{"proof_valid":true,"proof_live":true}')
+  end
+
+  describe 'GET #index' do
+    describe 'with a non-existent username' do
+      it '404s' do
+        get :index, params: { username: 'nonexistent', provider: 'keybase' }
+
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    describe 'with a user that has no proofs' do
+      it 'is an empty list of signatures' do
+        get :index, params: { username: alice.username, provider: 'keybase' }
+
+        expect(body_as_json[:signatures]).to eq []
+      end
+    end
+
+    describe 'with a user that has a live, valid proof' do
+      let(:token1) { '111111111111111111111111111111111111111111111111111111111111111111' }
+      let(:kb_name1) { 'crypto_alice' }
+
+      before do
+        Fabricate(:account_identity_proof, account: alice, verified: true, live: true, token: token1, provider_username: kb_name1)
+      end
+
+      it 'is a list with that proof in it' do
+        get :index, params: { username: alice.username, provider: 'keybase' }
+
+        expect(body_as_json[:signatures]).to eq [
+          { kb_username: kb_name1, sig_hash: token1 },
+        ]
+      end
+
+      describe 'add one that is neither live nor valid' do
+        let(:token2) { '222222222222222222222222222222222222222222222222222222222222222222' }
+        let(:kb_name2) { 'hidden_alice' }
+
+        before do
+          Fabricate(:account_identity_proof, account: alice, verified: false, live: false, token: token2, provider_username: kb_name2)
+        end
+
+        it 'is a list with both proofs' do
+          get :index, params: { username: alice.username, provider: 'keybase' }
+
+          expect(body_as_json[:signatures]).to eq [
+            { kb_username: kb_name1, sig_hash: token1 },
+            { kb_username: kb_name2, sig_hash: token2 },
+          ]
+        end
+      end
+    end
+
+    describe 'a user that has an avatar' do
+      let(:alice) { Fabricate(:account, username: 'alice', avatar: attachment_fixture('avatar.gif')) }
+
+      context 'and a proof' do
+        let(:token1) { '111111111111111111111111111111111111111111111111111111111111111111' }
+        let(:kb_name1) { 'crypto_alice' }
+
+        before do
+          Fabricate(:account_identity_proof, account: alice, verified: true, live: true, token: token1, provider_username: kb_name1)
+          get :index, params: { username: alice.username, provider: 'keybase' }
+        end
+
+        it 'has two keys: signatures and avatar' do
+          expect(body_as_json.keys).to match_array [:signatures, :avatar]
+        end
+
+        it 'has the correct signatures' do
+          expect(body_as_json[:signatures]).to eq [
+            { kb_username: kb_name1, sig_hash: token1 },
+          ]
+        end
+
+        it 'has the correct avatar url' do
+          first_part = 'https://cb6e6126.ngrok.io/system/accounts/avatars/'
+          last_part  = 'original/avatar.gif'
+
+          expect(body_as_json[:avatar]).to match /#{Regexp.quote(first_part)}(?:\d{3,5}\/){3}#{Regexp.quote(last_part)}/
+        end
+      end
+    end
+  end
+end
--- a/spec/controllers/settings/identity_proofs_controller_spec.rb
+++ b/spec/controllers/settings/identity_proofs_controller_spec.rb
+require 'rails_helper'
+
+describe Settings::IdentityProofsController do
+  render_views
+
+  let(:user) { Fabricate(:user) }
+  let(:valid_token) { '1'*66 }
+  let(:kbname) { 'kbuser' }
+  let(:provider) { 'keybase' }
+  let(:findable_id) { Faker::Number.number(5) }
+  let(:unfindable_id) { Faker::Number.number(5) }
+  let(:postable_params) do
+    { account_identity_proof: { provider: provider, provider_username: kbname, token: valid_token } }
+  end
+
+  before do
+    allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:status) { { 'proof_valid' => true, 'proof_live' => true } }
+    sign_in user, scope: :user
+  end
+
+  describe 'new proof creation' do
+    context 'GET #new with no existing proofs' do
+      it 'redirects to :index' do
+        get :new
+        expect(response).to redirect_to settings_identity_proofs_path
+      end
+    end
+
+    context 'POST #create' do
+      context 'when saving works' do
+        before do
+          allow(ProofProvider::Keybase::Worker).to receive(:perform_async)
+          allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { true }
+          allow_any_instance_of(AccountIdentityProof).to receive(:on_success_path) { root_url }
+        end
+
+        it 'serializes a ProofProvider::Keybase::Worker' do
+          expect(ProofProvider::Keybase::Worker).to receive(:perform_async)
+          post :create, params: postable_params
+        end
+
+        it 'delegates redirection to the proof provider' do
+          expect_any_instance_of(AccountIdentityProof).to receive(:on_success_path)
+          post :create, params: postable_params
+          expect(response).to redirect_to root_url
+        end
+      end
+
+      context 'when saving fails' do
+        before do
+          allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { false }
+        end
+
+        it 'redirects to :index' do
+          post :create, params: postable_params
+          expect(response).to redirect_to settings_identity_proofs_path
+        end
+
+        it 'flashes a helpful message' do
+          post :create, params: postable_params
+          expect(flash[:alert]).to eq I18n.t('identity_proofs.errors.failed', provider: 'Keybase')
+        end
+      end
+
+      context 'it can also do an update if the provider and username match an existing proof' do
+        before do
+          allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { true }
+          allow(ProofProvider::Keybase::Worker).to receive(:perform_async)
+          Fabricate(:account_identity_proof, account: user.account, provider: provider, provider_username: kbname)
+          allow_any_instance_of(AccountIdentityProof).to receive(:on_success_path) { root_url }
+        end
+
+        it 'calls update with the new token' do
+          expect_any_instance_of(AccountIdentityProof).to receive(:save) do |proof|
+            expect(proof.token).to eq valid_token
+          end
+
+          post :create, params: postable_params
+        end
+      end
+    end
+  end
+
+  describe 'GET #index' do
+    context 'with no existing proofs' do
+      it 'shows the helpful explanation' do
+        get :index
+        expect(response.body).to match I18n.t('identity_proofs.explanation_html')
+      end
+    end
+
+    context 'with two proofs' do
+      before do
+        allow_any_instance_of(ProofProvider::Keybase::Verifier).to receive(:valid?) { true }
+        @proof1 = Fabricate(:account_identity_proof, account: user.account)
+        @proof2 = Fabricate(:account_identity_proof, account: user.account)
+        allow_any_instance_of(AccountIdentityProof).to receive(:badge) { double(avatar_url: '', profile_url: '', proof_url: '') }
+        allow_any_instance_of(AccountIdentityProof).to receive(:refresh!) { }
+      end
+
+      it 'has the first proof username on the page' do
+        get :index
+        expect(response.body).to match /#{Regexp.quote(@proof1.provider_username)}/
+      end
+
+      it 'has the second proof username on the page' do
+        get :index
+        expect(response.body).to match /#{Regexp.quote(@proof2.provider_username)}/
+      end
+    end
+  end
+end
--- a/spec/controllers/well_known/keybase_proof_config_controller_spec.rb
+++ b/spec/controllers/well_known/keybase_proof_config_controller_spec.rb
+require 'rails_helper'
+
+describe WellKnown::KeybaseProofConfigController, type: :controller do
+  render_views
+
+  describe 'GET #show' do
+    it 'renders json' do
+      get :show
+
+      expect(response).to have_http_status(200)
+      expect(response.content_type).to eq 'application/json'
+      expect { JSON.parse(response.body) }.not_to raise_exception
+    end
+  end
+end
--- a/spec/fabricators/account_identity_proof_fabricator.rb
+++ b/spec/fabricators/account_identity_proof_fabricator.rb
+Fabricator(:account_identity_proof) do
+  account
+  provider 'keybase'
+  provider_username { sequence(:provider_username) { |i| "#{Faker::Lorem.characters(15)}" } }
+  token { sequence(:token) { |i| "#{i}#{Faker::Crypto.sha1()*2}"[0..65] } }
+  verified false
+  live false
+end
--- a/spec/lib/proof_provider/keybase/verifier_spec.rb
+++ b/spec/lib/proof_provider/keybase/verifier_spec.rb
+require 'rails_helper'
+
+describe ProofProvider::Keybase::Verifier do
+  let(:my_domain) { Rails.configuration.x.local_domain }
+
+  let(:keybase_proof) do
+    local_proof = AccountIdentityProof.new(
+      provider: 'Keybase',
+      provider_username: 'cryptoalice',
+      token: '11111111111111111111111111'
+    )
+
+    described_class.new('alice', 'cryptoalice', '11111111111111111111111111')
+  end
+
+  let(:query_params) do
+    "domain=#{my_domain}&kb_username=cryptoalice&sig_hash=11111111111111111111111111&username=alice"
+  end
+
+  describe '#valid?' do
+    let(:base_url) { 'https://keybase.io/_/api/1.0/sig/proof_valid.json' }
+
+    context 'when valid' do
+      before do
+        json_response_body = '{"status":{"code":0,"name":"OK"},"proof_valid":true}'
+        stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body)
+      end
+
+      it 'calls out to keybase and returns true' do
+        expect(keybase_proof.valid?).to eq true
+      end
+    end
+
+    context 'when invalid' do
+      before do
+        json_response_body = '{"status":{"code":0,"name":"OK"},"proof_valid":false}'
+        stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body)
+      end
+
+      it 'calls out to keybase and returns false' do
+        expect(keybase_proof.valid?).to eq false
+      end
+    end
+
+    context 'with an unexpected api response' do
+      before do
+        json_response_body = '{"status":{"code":100,"desc":"wrong size hex_id","fields":{"sig_hash":"wrong size hex_id"},"name":"INPUT_ERROR"}}'
+        stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body)
+      end
+
+      it 'swallows the error and returns false' do
+        expect(keybase_proof.valid?).to eq false
+      end
+    end
+  end
+
+  describe '#status' do
+    let(:base_url) { 'https://keybase.io/_/api/1.0/sig/proof_live.json' }
+
+    context 'with a normal response' do
+      before do
+        json_response_body = '{"status":{"code":0,"name":"OK"},"proof_live":false,"proof_valid":true}'
+        stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body)
+      end
+
+      it 'calls out to keybase and returns the status fields as proof_valid and proof_live' do
+        expect(keybase_proof.status).to include({ 'proof_valid' => true, 'proof_live' => false })
+      end
+    end
+
+    context 'with an unexpected keybase response' do
+      before do
+        json_response_body = '{"status":{"code":100,"desc":"missing non-optional field sig_hash","fields":{"sig_hash":"missing non-optional field sig_hash"},"name":"INPUT_ERROR"}}'
+        stub_request(:get, "#{base_url}?#{query_params}").to_return(status: 200, body: json_response_body)
+      end
+
+      it 'raises a ProofProvider::Keybase::UnexpectedResponseError' do
+        expect { keybase_proof.status }.to raise_error ProofProvider::Keybase::UnexpectedResponseError
+      end
+    end
+  end
+end