The need
I have a Rails app that is using Paperclip to generate expiring urls for files stored in S3. The urls are set to expire after 1 minute. As much as i trust Paperclip and Amazon, I need tests that prove that these generated urls do in fact expire on time, and that visitors to those files after they’ve expired are prevented from accessing the file.
Disclaimer
This has been a bit of a rush, so no doubt i’ll refactor and tidy the code and this post laster today / in the week.
The solution
I’ve used RSpec and Cucumber to check expiring urls that the system generates to ensure they expire successfully. RSpec simply checks that a generated url includes the Expires parameter and it’s value is set exactly to 60 seconds from now. Cucumber goes further than this by uploading files and checking if they are accessible before and after expiration.
RSpec to simply test that the expiration time generated for a link is correctly set to 1 minute
This test simply asks the model containing the attachment (in this case an “Asset” model), how many seconds from now remain before the attachment expires.
Spec
describe Asset do
it “should return an attachment link that expires within 1 minute” do
asset = Factory.build(:asset)
asset.seconds_until_attachment_expires.should == 60
end
end
This depends on a few new methods in the Asset model class, which take care of extracting the Expires param from the expiring url, and comparing to Time.now.
Asset Model Class
First, we create an instance helper method that returns the number of seconds an object’s url has left before it expires
def seconds_until_attachment_expires
Asset.seconds_until_attachment_expires(expiring_attachment_url)
end
I decided to pass the responsibility of calculating this number to a class method. I did this because the Cucumber tests need to request the same calculation for urls that were generated in the past. If they interacted with an instance of the Asset class, by default it would return a new url each time it was asked. So, rather than clutter up the instance method with a decision about whether to issue a new url or return an existing one, i simply passed the responsibility to the class. That seems to work for now, although I might refactor it later.
Next, we create the class level method that calculates time left until expiration. This accepts a url, meaning we can test urls generated now or in the past
def self.seconds_until_attachment_expires(url)
seconds = attachment_expiration_in_seconds_from_epoch(url) – Time.now.strftime(”%s”).to_i
seconds.round
end
This method simply strips the time from the generated url (via the attachment_expiration_in_seconds_from_epoch method) and rounds the value.
def self.attachment_expiration_in_seconds_from_epoch(url)
url.split(”&”).second.split(”=”).last.to_i
end
Clearly, this is tightly coupled to the format of the generated url string, so a cleaner way should be sought. However, for now, this method is only used in the tests and it does work, so it’ll do for the moment.
Finally, to ensure that Rspec, Cucumber and the app all interact with a url generated exactly 60 seconds from now, we create a model instance method that generates the link. All requests for the link call this method.
def expiring_attachment_url
attachment.expiring_url(60)
end
Cucumber to test actual file access via the browser
Cucumber takes things 1 step further. It interacts with all the same methods that we created on the Asset model, but also goes off and uploads attachments and then tries to access them before and after they’ve expired. We use Timecop to create expired urls, and a Cucumber before hook to ensure all scenarios run from the current time by default.
Scenarios
@selenium
Scenario: Viewing an active attachment on an object
Given some object has been created and a plain text file attached
When I visit the object’s attachment url
Then I should see the contents of the uploaded attachment
And I should not see “Request has expired”
@selenium
Scenario: Viewing an expired attachment on an object
Given some object has been created and a plain text file attached
When I visit the object’s attachment url after it has expired
Then I should not see the contents of the uploaded attachment
And I should see “Request has expired”
features/support/hooks.rb
Before do
Timecop.return
end
NB: For the sake of completeness (even though we’re not calling Timecop from our Rspec specs), to be completely satisfied that Timecop isn’t affecting our specs in any unexpected way, we add the same to spec_helper.rb too:
spec/spec_helper.rb
config.before do
Timecop.return
end
config.before do
Timecop.return
end
steps
This is where Timecop offers a wonderfully simple way of generating expired urls.
And /^I visit the question’s attachment url after it has expired$/ do
#First, go back in time 2 minutes and generate the expiring url, and make sure it’s set to expire in 1 minute
Timecop.freeze(Time.now – 2.to_i.minutes) do
@url = current_object.asset.expiring_attachment_url
Asset.attachment_expires_in(@url).should == 60
end
#Next, return to the current time and make sure the previously generated expiring url has now been expired for 1 minute
Timecop.return
Asset.attachment_expires_in(@url).should == -60
#Finally, go visit the expired url
visit @url
end
When run, cucumber correctly reports that expired urls result in the user seeing the message “Request has expired”, and non-expired urls correctly provide access to the uploaded file.
Summary
Although a rough and ready solution, and most likely needing refactoring, it does provide us with a way to test expiration of uploads to S3.
I hope you found this useful.
Stories can be used to drive automated browser tests! Man, they fell off their seats at the point!