I’m trying to develop an app that will be partially protected with SSL
and client certificates, probably behind Apache. The application will
automatically create and log in a user if it is presented with a valid
client certificate. The certificate will be first validated by
Apache’s mod_ssl and then passed to Rails in ENV['SSL_CLIENT_CERT'], at
which point Rails will use the information in the certificate to create
a new user.
In order to mimic a passed valid certificate, I’ve put the line:
request.env['SSL_CLIENT_CERT'] = File.open('tmp/client.crt').read
into my 'login' action in ApplicationController, which protects most of
the site with a before_filter :login, assuming (of course) that
'tmp/client.crt' is a valid client certificate. The result is that any
person who visits the (development) application will be logged in as the
same user from 'tmp/client.crt'.
So far it's been fine; however, I've run into little problems when I am
integrating testing into the application. I obviously want to test the
authorized/not authorized behavior of the app, which doesn’t work with
the above line in the ApplicationController, since everyone is
automatically authorized. The authorized tests basically do the same
thing, i.e. read a valid certificate from a file and stick it in
Is there a way to put something in the request.env hash that doesn’t
persist to the testing framework and/or put something in the development
environment that has the same effect? Obviously I could wait till the
end of the development to implement the SSL authorization, but I don’t
think that this fixes the fundamental issue.
Is there a better way to do this?