Ubuntu Push Notifications

Merge lp:~chipaca/ubuntu-push/shuffle-signing-bits into lp:ubuntu-push

shuffle-signing-bits
Merge into trunk

Proposed by John Lenton on 2014-06-11

Status:	Superseded
Proposed branch:	lp:~chipaca/ubuntu-push/shuffle-signing-bits
Merge into:	lp:ubuntu-push
Diff against target:	959 lines (+525/-68) 18 files modified client/client.go (+21/-1) client/client_test.go (+36/-1) client/session/session.go (+5/-17) client/session/session_test.go (+6/-21) debian/changelog (+14/-0) debian/rules (+0/-1) scripts/register (+43/-0) scripts/unicast (+2/-0) server/acceptance/acceptanceclient.go (+1/-1) server/acceptance/cmd/acceptanceclient.go (+3/-1) server/acceptance/suites/suite.go (+2/-2) server/acceptance/suites/unicast.go (+11/-3) server/api/handlers.go (+104/-8) server/api/handlers_test.go (+193/-2) server/store/inmemory.go (+26/-0) server/store/inmemory_test.go (+44/-0) server/store/store.go (+8/-0) signing-helper/signing-helper.cpp (+6/-10)
To merge this branch:	bzr merge lp:~chipaca/ubuntu-push/shuffle-signing-bits
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu Push Hackers		2014-06-11	Pending
Review via email: mp+222782@code.launchpad.net

This proposal has been superseded by a proposal from 2014-06-11.

Description of the change

Move the signing bits about a bit (up from session to client, for reuse from service).

lp:~chipaca/ubuntu-push/shuffle-signing-bits updated on 2014-06-11

181. By John Lenton on 2014-06-11: merged trunk

Unmerged revisions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

John Lenton

Stuart Bishop

Ubuntu Push Hackers

 === modified file 'client/client.go'
 --- client/client.go	2014-05-21 10:03:18 +0000
 +++ client/client.go	2014-06-11 11:43:11 +0000
@@ -28,6 +28,7 @@
  	"fmt"
  	"io/ioutil"
  	"os"
++	"os/exec"
  	"strings"
  	"launchpad.net/go-dbus/v1"
@@ -160,7 +161,26 @@
  		ExpectAllRepairedTime:  client.config.ExpectAllRepairedTime.TimeDuration(),
  		PEM:        client.pem,
  		Info:       info,
--		AuthHelper: client.config.AuthHelper,
++		AuthGetter: client.getAuthorization,
++	}
++}
++
++// getAuthorization gets the authorization blob to send to the server
++func (client *PushClient) getAuthorization() string {
++	client.log.Debugf("getting authorization")
++	// using a helper, for now at least
++	if len(client.config.AuthHelper) == 0 {
++		// do nothing if helper is unset or empty
++		return ""
++	}
++
++	auth, err := exec.Command(client.config.AuthHelper[0], client.config.AuthHelper[1:]...).Output()
++	if err != nil {
++		// For now we just log the error, as we don't want to block unauthorized users
++		client.log.Errorf("unable to get the authorization token from the account: %v", err)
++		return ""
++	} else {
++		return strings.TrimSpace(string(auth))
+ 	}
+ }
 === modified file 'client/client_test.go'
 --- client/client_test.go	2014-05-20 13:56:37 +0000
 +++ client/client_test.go	2014-06-11 11:43:11 +0000
@@ -272,7 +272,7 @@
  		ExpectAllRepairedTime:  30 * time.Minute,
  		PEM:        cli.pem,
  		Info:       info,
--		AuthHelper: []string{"auth", "helper"},
++		AuthGetter: func() string { return "" },
+ 	}
  	// sanity check that we are looking at all fields
  	vExpected := reflect.ValueOf(expected)
@@ -284,6 +284,11 @@
+ 	}
  	// finally compare
  	conf := cli.deriveSessionConfig(info)
++	// compare authGetter by string
++	c.Check(fmt.Sprintf("%v", conf.AuthGetter), Equals, fmt.Sprintf("%v", cli.getAuthorization))
++	// and set it to nil
++	conf.AuthGetter = nil
++	expected.AuthGetter = nil
  	c.Check(conf, DeepEquals, expected)
+ }
@@ -951,3 +956,33 @@
  	c.Assert(err, NotNil)
  	c.Check(cs.log.Captured(), Matches, "(?msi).*showing notification: no way$")
+ }
++
++/*****************************************************************
++    getAuthorization() tests
++******************************************************************/
++
++func (cs *clientSuite) TestGetAuthorizationIgnoresErrors(c *C) {
++	cli := NewPushClient(cs.configPath, cs.leveldbPath)
++	cli.configure()
++	cli.config.AuthHelper = []string{"sh", "-c", "echo hello; false"}
++
++	c.Check(cli.getAuthorization(), Equals, "")
++}
++
++func (cs *clientSuite) TestGetAuthorizationGetsIt(c *C) {
++	cli := NewPushClient(cs.configPath, cs.leveldbPath)
++	cli.configure()
++	cli.config.AuthHelper = []string{"echo", "hello"}
++
++	c.Check(cli.getAuthorization(), Equals, "hello")
++}
++
++func (cs *clientSuite) TestGetAuthorizationWorksIfUnsetOrNil(c *C) {
++	cli := NewPushClient(cs.configPath, cs.leveldbPath)
++	cli.log = cs.log
++
++	c.Assert(cli.config, NotNil)
++	c.Check(cli.getAuthorization(), Equals, "")
++	cli.configure()
++	c.Check(cli.getAuthorization(), Equals, "")
++}
 === modified file 'client/session/session.go'
 --- client/session/session.go	2014-05-23 05:59:38 +0000
 +++ client/session/session.go	2014-06-11 11:43:11 +0000
@@ -26,7 +26,6 @@
  	"fmt"
  	"math/rand"
  	"net"
--	"os/exec"
  	"strings"
  	"sync"
  	"sync/atomic"
@@ -87,7 +86,7 @@
  	ExpectAllRepairedTime  time.Duration
  	PEM                    []byte
  	Info                   map[string]interface{}
--	AuthHelper             []string
++	AuthGetter             func() string
+ }
  // ClientSession holds a client<->server session and its configuration.
@@ -244,21 +243,10 @@
  // addAuthorization gets the authorization blob to send to the server
  // and adds it to the session.
  func (sess *ClientSession) addAuthorization() error {
--	sess.Log.Debugf("adding authorization")
--	// using a helper, for now at least
--	if len(sess.AuthHelper) == 0 {
--		// do nothing if helper is unset or empty
--		return nil
--	}
--
--	auth, err := exec.Command(sess.AuthHelper[0], sess.AuthHelper[1:]...).Output()
--	if err != nil {
--		// For now we just log the error, as we don't want to block unauthorized users
--		sess.Log.Errorf("unable to get the authorization token from the account: %v", err)
--	} else {
--		sess.auth = strings.TrimSpace(string(auth))
--	}
--
++	if sess.AuthGetter != nil {
++		sess.Log.Debugf("adding authorization")
++		sess.auth = sess.AuthGetter()
++	}
  	return nil
+ }
 === modified file 'client/session/session_test.go'
 --- client/session/session_test.go	2014-05-23 05:59:38 +0000
 +++ client/session/session_test.go	2014-06-11 11:43:11 +0000
@@ -354,33 +354,18 @@
  func (cs *clientSessionSuite) TestAddAuthorizationAddsAuthorization(c *C) {
  	sess := &ClientSession{Log: cs.log}
--	sess.AuthHelper = []string{"echo", "some auth"}
++	sess.AuthGetter = func() string { return "some auth" }
  	c.Assert(sess.auth, Equals, "")
  	err := sess.addAuthorization()
  	c.Assert(err, IsNil)
  	c.Check(sess.auth, Equals, "some auth")
+ }
--func (cs *clientSessionSuite) TestAddAuthorizationIgnoresErrors(c *C) {
--	sess := &ClientSession{Log: cs.log}
--	sess.AuthHelper = []string{"sh", "-c", "echo hello; false"}
--
--	c.Assert(sess.auth, Equals, "")
--	err := sess.addAuthorization()
--	c.Assert(err, IsNil)
--	c.Check(sess.auth, Equals, "")
--}
--
--func (cs *clientSessionSuite) TestAddAuthorizationSkipsIfUnsetOrNil(c *C) {
--	sess := &ClientSession{Log: cs.log}
--	sess.AuthHelper = nil
--	c.Assert(sess.auth, Equals, "")
--	err := sess.addAuthorization()
--	c.Assert(err, IsNil)
--	c.Check(sess.auth, Equals, "")
--
--	sess.AuthHelper = []string{}
--	err = sess.addAuthorization()
++func (cs *clientSessionSuite) TestAddAuthorizationSkipsIfUnset(c *C) {
++	sess := &ClientSession{Log: cs.log}
++	sess.AuthGetter = nil
++	c.Assert(sess.auth, Equals, "")
++	err := sess.addAuthorization()
  	c.Assert(err, IsNil)
  	c.Check(sess.auth, Equals, "")
+ }
 === modified file 'debian/changelog'
 --- debian/changelog	2014-06-05 09:42:22 +0000
 +++ debian/changelog	2014-06-11 11:43:11 +0000
@@ -1,3 +1,17 @@
++ubuntu-push (0.31ubuntu1) UNRELEASED; urgency=medium
++
++  [ Samuele Pedroni ]
++  * Support registering tokens and sending notifications with a token
++  * Register script and scripts unicast support
++
++  [ Roberto Alsina ]
++  * Make signing-helper generate a HTTP header instead of a querystring.
++
++  [ John R. Lenton ]
++  * Move signing bits up from session to client, for reuse by service.
++
++ -- John R. Lenton <john.lenton@canonical.com>  Fri, 06 Jun 2014 12:02:56 +0100
++
  ubuntu-push (0.3+14.10.20140605-0ubuntu1) utopic; urgency=medium
    [ John Lenton ]
 === modified file 'debian/rules'
 --- debian/rules	2014-05-02 12:42:27 +0000
 +++ debian/rules	2014-06-11 11:43:11 +0000
@@ -5,7 +5,6 @@
  export UBUNTU_PUSH_TEST_RESOURCES_ROOT := $(CURDIR)
  override_dh_auto_build:
--	cd $$( find ./ -type d -regex '\./[^/]*/src/launchpad.net' -printf "%h\n" | head -n1)
  	dh_auto_build --buildsystem=golang
  	(cd signing-helper && cmake . && make)
 === added file 'scripts/register'
 --- scripts/register	1970-01-01 00:00:00 +0000
 +++ scripts/register	2014-06-11 11:43:11 +0000
@@ -0,0 +1,43 @@
++#!/usr/bin/python3
++"""
++request a unicast registration
++"""
++import argparse
++import json
++import requests
++import subprocess
++import datetime
++import sys
++
++
++def main():
++    parser = argparse.ArgumentParser(description=__doc__)
++    parser.add_argument('deviceid', nargs=1)
++    parser.add_argument('appid', nargs=1)
++    parser.add_argument('-H', '--host',
++                        help="host:port (default: %(default)s)",
++                        default="localhost:8080")
++    parser.add_argument('--no-https', action='store_true', default=False)
++    parser.add_argument('--insecure', action='store_true', default=False,
++                         help="don't check host/certs with https")
++    parser.add_argument('--auth_helper',  default="")
++    args = parser.parse_args()
++    scheme = 'https'
++    if args.no_https:
++        scheme = 'http'
++    url = "%s://%s/register" % (scheme, args.host)
++    body = {
++        'deviceid': args.deviceid[0],
++        'appid': args.appid[0],
++        }
++    headers = {'Content-Type': 'application/json'}
++    if args.auth_helper:
++        auth = subprocess.check_output([args.auth_helper, url]).strip()
++        headers['Authorization'] = auth
++    r = requests.post(url, data=json.dumps(body), headers=headers,
++                      verify=not args.insecure)
++    print(r.status_code)
++    print(r.text)
++
++if __name__ == '__main__':
++    main()
 === modified file 'scripts/unicast'
 --- scripts/unicast	2014-05-29 14:55:19 +0000
 +++ scripts/unicast	2014-06-11 11:43:11 +0000
@@ -52,6 +52,8 @@
          userid, devid = reg.split(':', 1)
          body['userid'] = userid
          body['deviceid'] = devid
++    else:
++        body['token'] = reg
      xauth = {}
      if args.user and args.password:
          xauth = {'auth': requests.auth.HTTPBasicAuth(args.user, args.password)}
 === modified file 'server/acceptance/acceptanceclient.go'
 --- server/acceptance/acceptanceclient.go	2014-05-23 12:30:32 +0000
 +++ server/acceptance/acceptanceclient.go	2014-06-11 11:43:11 +0000
@@ -155,7 +155,7 @@
  				return err
+ 			}
  			events <- fmt.Sprintf("%sbroadcast chan:%v app:%v topLevel:%d payloads:%s", sess.Prefix, recv.ChanId, recv.AppId, recv.TopLevel, pack)
--		case "connwarn":
++		case "warn", "connwarn":
  			events <- fmt.Sprintf("%sconnwarn %s", sess.Prefix, recv.Reason)
+ 		}
+ 	}
 === modified file 'server/acceptance/cmd/acceptanceclient.go'
 --- server/acceptance/cmd/acceptanceclient.go	2014-05-21 07:58:26 +0000
 +++ server/acceptance/cmd/acceptanceclient.go	2014-06-11 11:43:11 +0000
@@ -90,7 +90,9 @@
+ 		}
+ 	}
  	if len(cfg.AuthHelper) != 0 {
--		auth, err := exec.Command(cfg.AuthHelper[0], cfg.AuthHelper[1:]...).Output()
++		helperArgs := cfg.AuthHelper[1:]
++		helperArgs = append(helperArgs, "https://push.ubuntu.com/")
++		auth, err := exec.Command(cfg.AuthHelper[0], helperArgs...).Output()
  		if err != nil {
  			log.Fatalf("auth helper: %v", err)
+ 		}
 === modified file 'server/acceptance/suites/suite.go'
 --- server/acceptance/suites/suite.go	2014-05-02 09:56:49 +0000
 +++ server/acceptance/suites/suite.go	2014-06-11 11:43:11 +0000
@@ -89,7 +89,7 @@
  	// to kill the server process
  	KillGroup map[string]func(os.Signal)
  	// hook to adjust requests
--	MassageRequest func(req *http.Request) *http.Request
++	MassageRequest func(req *http.Request, message interface{}) *http.Request
  	// other state
  	httpClient *http.Client
+ }
@@ -124,7 +124,7 @@
  	request.Header.Set("Content-Type", "application/json")
  	if s.MassageRequest != nil {
--		request = s.MassageRequest(request)
++		request = s.MassageRequest(request, message)
+ 	}
  	resp, err := s.httpClient.Do(request)
 === modified file 'server/acceptance/suites/unicast.go'
 --- server/acceptance/suites/unicast.go	2014-05-15 16:41:54 +0000
 +++ server/acceptance/suites/unicast.go	2014-06-11 11:43:11 +0000
@@ -40,11 +40,19 @@
+ }
  func (s *UnicastAcceptanceSuite) TestUnicastToConnected(c *C) {
--	userId, auth := s.associatedAuth("DEV1")
++	_, auth := s.associatedAuth("DEV1")
++	res, err := s.PostRequest("/register", &api.Registration{
++		DeviceId: "DEV1",
++		AppId:    "app1",
++	})
++	c.Assert(err, IsNil)
++	c.Assert(res, Matches, ".*ok.*")
++	var reg map[string]interface{}
++	err = json.Unmarshal([]byte(res), &reg)
++	c.Assert(err, IsNil)
  	events, errCh, stop := s.StartClientAuth(c, "DEV1", nil, auth)
  	got, err := s.PostRequest("/notify", &api.Unicast{
--		UserId:   userId,
--		DeviceId: "DEV1",
++		Token:    reg["token"].(string),
  		AppId:    "app1",
  		ExpireOn: future,
  		Data:     json.RawMessage(`{"a": 42}`),
 === modified file 'server/api/handlers.go'
 --- server/api/handlers.go	2014-05-29 16:22:00 +0000
 +++ server/api/handlers.go	2014-06-11 11:43:11 +0000
@@ -51,6 +51,8 @@
  	ioError        = "io-error"
  	invalidRequest = "invalid-request"
  	unknownChannel = "unknown-channel"
++	unknownToken   = "unknown-token"
++	unauthorized   = "unauthorized"
  	unavailable    = "unavailable"
  	internalError  = "internal"
+ )
@@ -121,6 +123,11 @@
  		unknownChannel,
  		"Unknown channel",
+ 	}
++	ErrUnknownToken = &APIError{
++		http.StatusBadRequest,
++		unknownToken,
++		"Unknown token",
++	}
  	ErrUnknown = &APIError{
  		http.StatusInternalServerError,
  		internalError,
@@ -136,16 +143,33 @@
  		unavailable,
  		"Could not store notification",
+ 	}
++	ErrCouldNotMakeToken = &APIError{
++		http.StatusServiceUnavailable,
++		unavailable,
++		"Could not make token",
++	}
++	ErrCouldNotResolveToken = &APIError{
++		http.StatusServiceUnavailable,
++		unavailable,
++		"Could not resolve token",
++	}
++	ErrUnauthorized = &APIError{
++		http.StatusUnauthorized,
++		unauthorized,
++		"Unauthorized",
++	}
+ )
--type castCommon struct {
++type Registration struct {
++	DeviceId string `json:"deviceid"`
++	AppId    string `json:"appid"`
+ }
  type Unicast struct {
++	Token    string `json:"token"`
  	UserId   string `json:"userid"`
  	DeviceId string `json:"deviceid"`
  	AppId    string `json:"appid"`
--	//Registration string          `json:"registration"`
  	//CoalesceTag  string          `json:"coalesce_tag"`
  	ExpireOn string          `json:"expire_on"`
  	Data     json.RawMessage `json:"data"`
@@ -183,15 +207,15 @@
+ }
  func checkRequestAsPost(request *http.Request, maxBodySize int64) *APIError {
++	if request.Method != "POST" {
++		return ErrWrongRequestMethod
++	}
  	if err := checkContentLength(request, maxBodySize); err != nil {
  		return err
+ 	}
  	if request.Header.Get("Content-Type") != JSONMediaType {
  		return ErrWrongContentType
+ 	}
--	if request.Method != "POST" {
--		return ErrWrongRequestMethod
--	}
  	return nil
+ }
@@ -325,7 +349,10 @@
+ }
  func checkUnicast(ucast *Unicast) (time.Time, *APIError) {
--	if ucast.UserId == "" || ucast.DeviceId == "" || ucast.AppId == "" {
++	if ucast.AppId == "" {
++		return zeroTime, ErrMissingIdField
++	}
++	if ucast.Token == "" && (ucast.UserId == "" || ucast.DeviceId == "") {
  		return zeroTime, ErrMissingIdField
+ 	}
  	return checkCastCommon(ucast.Data, ucast.ExpireOn)
@@ -341,9 +368,21 @@
  	if apiErr != nil {
  		return apiErr
+ 	}
--	chanId := store.UnicastInternalChannelId(ucast.UserId, ucast.DeviceId)
++	chanId, err := sto.GetInternalChannelIdFromToken(ucast.Token, ucast.AppId, ucast.UserId, ucast.DeviceId)
++	if err != nil {
++		switch err {
++		case store.ErrUnknownToken:
++			return ErrUnknownToken
++		case store.ErrUnauthorized:
++			return ErrUnauthorized
++		default:
++			h.logger.Errorf("could not resolve token: %v", err)
++			return ErrCouldNotResolveToken
++		}
++	}
++
  	msgId := generateMsgId()
--	err := sto.AppendToUnicastChannel(chanId, ucast.AppId, ucast.Data, msgId, expire)
++	err = sto.AppendToUnicastChannel(chanId, ucast.AppId, ucast.Data, msgId, expire)
  	if err != nil {
  		h.logger.Errorf("could not store notification: %v", err)
  		return ErrCouldNotStoreNotification
@@ -378,6 +417,62 @@
  	fmt.Fprintf(writer, `{"ok":true}`)
+ }
++type RegisterHandler struct {
++	*context
++}
++
++func checkRegister(reg *Registration) *APIError {
++	if reg.DeviceId == "" || reg.AppId == "" {
++		return ErrMissingIdField
++	}
++	return nil
++}
++
++func (h *RegisterHandler) doRegister(sto store.PendingStore, reg *Registration) (string, *APIError) {
++	apiErr := checkRegister(reg)
++	if apiErr != nil {
++		return "", apiErr
++	}
++	token, err := sto.Register(reg.DeviceId, reg.AppId)
++	if err != nil {
++		h.logger.Errorf("could not make a token: %v", err)
++		return "", ErrCouldNotMakeToken
++	}
++	return token, nil
++}
++
++func (h *RegisterHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
++	var apiErr *APIError
++	defer func() {
++		if apiErr != nil {
++			RespondError(writer, apiErr)
++		}
++	}()
++
++	reg := &Registration{}
++
++	sto, apiErr := h.prepare(writer, request, reg)
++	if apiErr != nil {
++		return
++	}
++	defer sto.Close()
++
++	token, apiErr := h.doRegister(sto, reg)
++	if apiErr != nil {
++		return
++	}
++
++	writer.Header().Set("Content-Type", "application/json")
++	res, err := json.Marshal(map[string]interface{}{
++		"ok":    true,
++		"token": token,
++	})
++	if err != nil {
++		panic(fmt.Errorf("couldn't marshal our own response: %v", err))
++	}
++	writer.Write(res)
++}
++
  // MakeHandlersMux makes a handler that dispatches for the various API endpoints.
  func MakeHandlersMux(storeForRequest StoreForRequest, broker broker.BrokerSending, logger logger.Logger) *http.ServeMux {
  	ctx := &context{
@@ -388,5 +483,6 @@
  	mux := http.NewServeMux()
  	mux.Handle("/broadcast", &BroadcastHandler{context: ctx})
  	mux.Handle("/notify", &UnicastHandler{context: ctx})
++	mux.Handle("/register", &RegisterHandler{context: ctx})
  	return mux
+ }
 === modified file 'server/api/handlers_test.go'
 --- server/api/handlers_test.go	2014-05-01 18:58:16 +0000
 +++ server/api/handlers_test.go	2014-06-11 11:43:11 +0000
@@ -192,6 +192,16 @@
  	intercept func(meth string, err error) error
+ }
++func (isto *interceptInMemoryPendingStore) Register(appId, deviceId string) (string, error) {
++	token, err := isto.InMemoryPendingStore.Register(appId, deviceId)
++	return token, isto.intercept("Register", err)
++}
++
++func (isto *interceptInMemoryPendingStore) GetInternalChannelIdFromToken(token, appId, userId, deviceId string) (store.InternalChannelId, error) {
++	chanId, err := isto.InMemoryPendingStore.GetInternalChannelIdFromToken(token, appId, userId, deviceId)
++	return chanId, isto.intercept("GetInternalChannelIdFromToken", err)
++}
++
  func (isto *interceptInMemoryPendingStore) GetInternalChannelId(channel string) (store.InternalChannelId, error) {
  	chanId, err := isto.InMemoryPendingStore.GetInternalChannelId(channel)
  	return chanId, isto.intercept("GetInternalChannelId", err)
@@ -262,6 +272,14 @@
  	u = unicast()
  	u.UserId = ""
++	u.DeviceId = ""
++	u.Token = "TOKEN"
++	expire, apiErr = checkUnicast(u)
++	c.Assert(apiErr, IsNil)
++	c.Check(expire.Format(time.RFC3339), Equals, future)
++
++	u = unicast()
++	u.UserId = ""
  	expire, apiErr = checkUnicast(u)
  	c.Check(apiErr, Equals, ErrMissingIdField)
@@ -353,6 +371,40 @@
  	c.Check(s.testlog.Captured(), Equals, "ERROR could not store notification: fail\n")
+ }
++func (s *handlersSuite) TestDoUnicastFromTokenFailures(c *C) {
++	fail := errors.New("fail")
++	sto := &interceptInMemoryPendingStore{
++		store.NewInMemoryPendingStore(),
++		func(meth string, err error) error {
++			if meth == "GetInternalChannelIdFromToken" {
++				return fail
++			}
++			return err
++		},
++	}
++	ctx := &context{logger: s.testlog}
++	bh := &UnicastHandler{ctx}
++	u := &Unicast{
++		Token:    "tok",
++		AppId:    "app1",
++		ExpireOn: future,
++		Data:     json.RawMessage(`{"a": 1}`),
++	}
++	apiErr := bh.doUnicast(sto, u)
++	c.Check(apiErr, Equals, ErrCouldNotResolveToken)
++	c.Check(s.testlog.Captured(), Equals, "ERROR could not resolve token: fail\n")
++	s.testlog.ResetCapture()
++
++	fail = store.ErrUnknownToken
++	apiErr = bh.doUnicast(sto, u)
++	c.Check(apiErr, Equals, ErrUnknownToken)
++	c.Check(s.testlog.Captured(), Equals, "")
++	fail = store.ErrUnauthorized
++	apiErr = bh.doUnicast(sto, u)
++	c.Check(apiErr, Equals, ErrUnauthorized)
++	c.Check(s.testlog.Captured(), Equals, "")
++}
++
  func newPostRequest(path string, message interface{}, server *httptest.Server) *http.Request {
  	packedMessage, err := json.Marshal(message)
  	if err != nil {
@@ -427,7 +479,7 @@
  	dest := make(map[string]bool)
  	err = json.Unmarshal(body, &dest)
  	c.Assert(err, IsNil)
--	c.Check(dest, DeepEquals, map[string]bool{"ok": true})
++	c.Assert(dest, DeepEquals, map[string]bool{"ok": true})
  	top, _, err := sto.GetChannelSnapshot(store.SystemInternalChannelId)
  	c.Assert(err, IsNil)
@@ -639,7 +691,7 @@
  	c.Check(response.Header.Get("Content-Type"), Equals, "application/json")
  	body, err := getResponseBody(response)
  	c.Assert(err, IsNil)
--	c.Check(string(body), Matches, ".*ok.*")
++	c.Assert(string(body), Matches, ".*ok.*")
  	chanId := store.UnicastInternalChannelId("user2", "dev3")
  	c.Check(<-bsend.chanId, Equals, chanId)
@@ -682,3 +734,142 @@
  	c.Assert(err, IsNil)
  	checkError(c, response, ErrMissingIdField)
+ }
++
++func (s *handlersSuite) TestCheckRegister(c *C) {
++	registration := func() *Registration {
++		return &Registration{
++			DeviceId: "DEV1",
++			AppId:    "app1",
++		}
++	}
++	reg := registration()
++	apiErr := checkRegister(reg)
++	c.Assert(apiErr, IsNil)
++
++	reg = registration()
++	reg.AppId = ""
++	apiErr = checkRegister(reg)
++	c.Check(apiErr, Equals, ErrMissingIdField)
++
++	reg = registration()
++	reg.DeviceId = ""
++	apiErr = checkRegister(reg)
++	c.Check(apiErr, Equals, ErrMissingIdField)
++}
++
++func (s *handlersSuite) TestDoRegisterMissingIdField(c *C) {
++	sto := store.NewInMemoryPendingStore()
++	rh := &RegisterHandler{}
++	token, apiErr := rh.doRegister(sto, &Registration{})
++	c.Check(apiErr, Equals, ErrMissingIdField)
++	c.Check(token, Equals, "")
++}
++
++func (s *handlersSuite) TestDoRegisterCouldNotMakeToken(c *C) {
++	sto := &interceptInMemoryPendingStore{
++		store.NewInMemoryPendingStore(),
++		func(meth string, err error) error {
++			if meth == "Register" {
++				return errors.New("fail")
++			}
++			return err
++		},
++	}
++	ctx := &context{logger: s.testlog}
++	rh := &RegisterHandler{ctx}
++	_, apiErr := rh.doRegister(sto, &Registration{
++		DeviceId: "DEV1",
++		AppId:    "app1",
++	})
++	c.Check(apiErr, Equals, ErrCouldNotMakeToken)
++	c.Check(s.testlog.Captured(), Equals, "ERROR could not make a token: fail\n")
++}
++
++func (s *handlersSuite) TestRespondsToRegisterAndUnicast(c *C) {
++	sto := store.NewInMemoryPendingStore()
++	stoForReq := func(http.ResponseWriter, *http.Request) (store.PendingStore, error) {
++		return sto, nil
++	}
++	bsend := testBrokerSending{make(chan store.InternalChannelId, 1)}
++	testServer := httptest.NewServer(MakeHandlersMux(stoForReq, bsend, nil))
++	defer testServer.Close()
++
++	request := newPostRequest("/register", &Registration{
++		DeviceId: "dev3",
++		AppId:    "app2",
++	}, testServer)
++
++	response, err := s.client.Do(request)
++	c.Assert(err, IsNil)
++
++	c.Check(response.StatusCode, Equals, http.StatusOK)
++	c.Check(response.Header.Get("Content-Type"), Equals, "application/json")
++	body, err := getResponseBody(response)
++	c.Assert(err, IsNil)
++	c.Assert(string(body), Matches, ".*ok.*")
++	var reg map[string]interface{}
++	err = json.Unmarshal(body, &reg)
++	c.Assert(err, IsNil)
++
++	token, ok := reg["token"].(string)
++	c.Assert(ok, Equals, true)
++	c.Check(token, Not(Equals), nil)
++
++	payload := json.RawMessage(`{"foo":"bar"}`)
++
++	request = newPostRequest("/notify", &Unicast{
++		Token:    token,
++		AppId:    "app2",
++		ExpireOn: future,
++		Data:     payload,
++	}, testServer)
++
++	response, err = s.client.Do(request)
++	c.Assert(err, IsNil)
++
++	c.Check(response.StatusCode, Equals, http.StatusOK)
++	c.Check(response.Header.Get("Content-Type"), Equals, "application/json")
++	body, err = getResponseBody(response)
++	c.Assert(err, IsNil)
++	c.Assert(string(body), Matches, ".*ok.*")
++
++	chanId := store.UnicastInternalChannelId("dev3", "dev3")
++	c.Check(<-bsend.chanId, Equals, chanId)
++	top, notifications, err := sto.GetChannelSnapshot(chanId)
++	c.Assert(err, IsNil)
++	c.Check(top, Equals, int64(0))
++	c.Check(notifications, HasLen, 1)
++}
++
++func (s *handlersSuite) TestCannotRegisterWithMissingFields(c *C) {
++	stoForReq := func(http.ResponseWriter, *http.Request) (store.PendingStore, error) {
++		return store.NewInMemoryPendingStore(), nil
++	}
++	ctx := &context{stoForReq, nil, nil}
++	testServer := httptest.NewServer(&RegisterHandler{ctx})
++	defer testServer.Close()
++
++	request := newPostRequest("/", &Registration{
++		DeviceId: "DEV1",
++	}, testServer)
++
++	response, err := s.client.Do(request)
++	c.Assert(err, IsNil)
++	checkError(c, response, ErrMissingIdField)
++}
++
++func (s *handlersSuite) TestCannotRegisterWithNonPOST(c *C) {
++	stoForReq := func(http.ResponseWriter, *http.Request) (store.PendingStore, error) {
++		return store.NewInMemoryPendingStore(), nil
++	}
++	ctx := &context{stoForReq, nil, nil}
++	testServer := httptest.NewServer(&RegisterHandler{ctx})
++	defer testServer.Close()
++
++	request, err := http.NewRequest("GET", testServer.URL, nil)
++	c.Assert(err, IsNil)
++
++	response, err := s.client.Do(request)
++	c.Assert(err, IsNil)
++	checkError(c, response, ErrWrongRequestMethod)
++}
 === modified file 'server/store/inmemory.go'
 --- server/store/inmemory.go	2014-05-02 15:10:18 +0000
 +++ server/store/inmemory.go	2014-06-11 11:43:11 +0000
@@ -17,7 +17,10 @@
  package store
  import (
++	"encoding/base64"
  	"encoding/json"
++	"fmt"
++	"strings"
  	"sync"
  	"time"
@@ -44,6 +47,29 @@
+ 	}
+ }
++func (sto *InMemoryPendingStore) Register(deviceId, appId string) (string, error) {
++	return base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s::%s", appId, deviceId))), nil
++}
++
++func (sto *InMemoryPendingStore) GetInternalChannelIdFromToken(token, appId, userId, deviceId string) (InternalChannelId, error) {
++	if token != "" && appId != "" {
++		decoded, err := base64.StdEncoding.DecodeString(token)
++		if err != nil {
++			return "", ErrUnknownToken
++		}
++		token = string(decoded)
++		if !strings.HasPrefix(token, appId+"::") {
++			return "", ErrUnauthorized
++		}
++		deviceId := token[len(appId)+2:]
++		return UnicastInternalChannelId(deviceId, deviceId), nil
++	}
++	if userId != "" && deviceId != "" {
++		return UnicastInternalChannelId(userId, deviceId), nil
++	}
++	return "", ErrUnknownToken
++}
++
  func (sto *InMemoryPendingStore) GetInternalChannelId(name string) (InternalChannelId, error) {
  	if name == "system" {
  		return SystemInternalChannelId, nil
 === modified file 'server/store/inmemory_test.go'
 --- server/store/inmemory_test.go	2014-04-30 17:44:56 +0000
 +++ server/store/inmemory_test.go	2014-06-11 11:43:11 +0000
@@ -30,6 +30,50 @@
  var _ = Suite(&inMemorySuite{})
++func (s *inMemorySuite) TestRegister(c *C) {
++	sto := NewInMemoryPendingStore()
++
++	tok1, err := sto.Register("DEV1", "app1")
++	c.Assert(err, IsNil)
++	tok2, err := sto.Register("DEV1", "app1")
++	c.Assert(err, IsNil)
++	c.Check(len(tok1), Not(Equals), 0)
++	c.Check(tok1, Equals, tok2)
++}
++
++func (s *inMemorySuite) TestGetInternalChannelIdFromToken(c *C) {
++	sto := NewInMemoryPendingStore()
++
++	tok1, err := sto.Register("DEV1", "app1")
++	c.Assert(err, IsNil)
++	chanId, err := sto.GetInternalChannelIdFromToken(tok1, "app1", "", "")
++	c.Assert(err, IsNil)
++	c.Check(chanId, Equals, UnicastInternalChannelId("DEV1", "DEV1"))
++}
++
++func (s *inMemorySuite) TestGetInternalChannelIdFromTokenFallback(c *C) {
++	sto := NewInMemoryPendingStore()
++
++	chanId, err := sto.GetInternalChannelIdFromToken("", "app1", "u1", "d1")
++	c.Assert(err, IsNil)
++	c.Check(chanId, Equals, UnicastInternalChannelId("u1", "d1"))
++}
++
++func (s *inMemorySuite) TestGetInternalChannelIdFromTokenErrors(c *C) {
++	sto := NewInMemoryPendingStore()
++	tok1, err := sto.Register("DEV1", "app1")
++	c.Assert(err, IsNil)
++
++	_, err = sto.GetInternalChannelIdFromToken(tok1, "app2", "", "")
++	c.Assert(err, Equals, ErrUnauthorized)
++
++	_, err = sto.GetInternalChannelIdFromToken("", "app2", "", "")
++	c.Assert(err, Equals, ErrUnknownToken)
++
++	_, err = sto.GetInternalChannelIdFromToken("****", "app2", "", "")
++	c.Assert(err, Equals, ErrUnknownToken)
++}
++
  func (s *inMemorySuite) TestGetInternalChannelId(c *C) {
  	sto := NewInMemoryPendingStore()
 === modified file 'server/store/store.go'
 --- server/store/store.go	2014-05-02 15:10:18 +0000
 +++ server/store/store.go	2014-06-11 11:43:11 +0000
@@ -52,6 +52,8 @@
+ }
  var ErrUnknownChannel = errors.New("unknown channel name")
++var ErrUnknownToken = errors.New("unknown token")
++var ErrUnauthorized = errors.New("unauthorized")
  var ErrFull = errors.New("channel is full")
  var ErrExpected128BitsHexRepr = errors.New("expected 128 bits hex repr")
@@ -98,11 +100,17 @@
  // PendingStore let store notifications into channels.
  type PendingStore interface {
++	// Register returns a token for a device id, application id pair.
++	Register(deviceId, appId string) (token string, err error)
  	// GetInternalChannelId returns the internal store id for a channel
  	// given the name.
  	GetInternalChannelId(name string) (InternalChannelId, error)
  	// AppendToChannel appends a notification to the channel.
  	AppendToChannel(chanId InternalChannelId, notification json.RawMessage, expiration time.Time) error
++	// GetInternalChannelIdFromToken returns the matching internal store
++	// id for a channel given a registered token and application id or
++	// directly a device id, user id pair.
++	GetInternalChannelIdFromToken(token, appId, userId, deviceId string) (InternalChannelId, error)
  	// AppendToUnicastChannel appends a notification to the unicast channel.
  	// GetChannelSnapshot gets all the current notifications and
  	AppendToUnicastChannel(chanId InternalChannelId, appId string, notification json.RawMessage, msgId string, expiration time.Time) error
 === modified file 'signing-helper/signing-helper.cpp'
 --- signing-helper/signing-helper.cpp	2014-05-01 10:24:23 +0000
 +++ signing-helper/signing-helper.cpp	2014-06-11 11:43:11 +0000
@@ -33,6 +33,7 @@
  #include <QObject>
  #include <QString>
  #include <QTimer>
++#include <QUrlQuery>
  #include "ssoservice.h"
  #include "token.h"
@@ -63,12 +64,8 @@
      void SigningExample::handleCredentialsFound(Token token)
+     {
          qDebug() << "Credentials found, signing url.";
--
--        QString authHeader = token.signUrl(this->url, QStringLiteral("GET"), true);
--
--        std::cout << authHeader.toStdString() << "\n";
++        std::cout << token.signUrl(this->url, QStringLiteral("POST")).toStdString();
          QCoreApplication::instance()->exit(0);
--
+     }
      void SigningExample::handleCredentialsNotFound()
@@ -84,13 +81,12 @@
  int main(int argc, char *argv[])
+ {
      QCoreApplication a(argc, argv);
--
--    UbuntuOne::SigningExample *example = new UbuntuOne::SigningExample(&a);
--
++    if (argc<2) {
++        return 2;
++    }
++    UbuntuOne::SigningExample *example = new UbuntuOne::SigningExample(&a, argv[1]);
      QObject::connect(example, SIGNAL(finished()), &a, SLOT(quit()));
--
      QTimer::singleShot(0, example, SLOT(doExample()));
--
      return a.exec();
+ }