adal 1.0.0

data/spec/adal/self_signed_jwt_factory_spec.rb

@@ -0,0 +1,63 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+require 'jwt'
+
+include FakeData
+
+describe ADAL::SelfSignedJwtFactory do
+  describe '#create_and_sign_jwt' do
+    before(:each) do
+      key = OpenSSL::PKey::RSA.new 2048
+      @cert = OpenSSL::X509::Certificate.new
+      @cert.public_key = key.public_key
+      @jwt = ADAL::SelfSignedJwtFactory
+             .new(CLIENT_ID, 'some_token_endpoint')
+             .create_and_sign_jwt(@cert, key)
+    end
+
+    it 'should be decodable with the public key' do
+      expect do
+        JWT.decode(@jwt, @cert.public_key)
+      end.to_not raise_error
+    end
+
+    it 'should contain the correct keys in the payload' do
+      payload, = JWT.decode(@jwt, @cert.public_key)
+      expect(payload.keys).to contain_exactly(
+        'aud', 'iss', 'sub', 'nbf', 'exp', 'jti')
+    end
+
+    it 'should containt the correct keys in the header' do
+      _, header = JWT.decode(@jwt, @cert.public_key)
+      expect(header.keys).to contain_exactly('x5t', 'alg', 'typ')
+    end
+
+    it 'should contain the correct thumbprint from the certificate' do
+      thumbprint = OpenSSL::Digest::SHA1.new(@cert.to_der).base64digest
+      _, header = JWT.decode(@jwt, @cert.public_key)
+      expect(header['x5t']).to eq(thumbprint)
+    end
+  end
+end

data/spec/adal/token_request_spec.rb

@@ -0,0 +1,150 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../support/fake_data'
+
+require 'spec_helper'
+
+include FakeData
+
+describe ADAL::TokenRequest do
+  let(:authority) { ADAL::Authority.new(AUTHORITY, TENANT) }
+  let(:cache) { ADAL::MemoryCache.new }
+  let(:client) { ADAL::ClientCredential.new(CLIENT_ID, CLIENT_SECRET) }
+  let(:token_request) { ADAL::TokenRequest.new(authority, client, cache) }
+  let(:token_response) do
+    ADAL::SuccessResponse.new(expires_in: 100, resource: RESOURCE)
+  end
+
+  # The mocking seam is the OAuthRequest class.
+  def mock_oauth_request(result = nil)
+    instance_double('oauth_request', execute: result)
+  end
+
+  describe '#get_with_authorization_code' do
+    context 'with a matching token in the cache' do
+      before(:each) do
+        ADAL::CacheDriver.new(authority, client, cache).add(token_response)
+      end
+
+      it 'should not make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to_not receive(:new)
+        token_request.get_with_authorization_code(
+          AUTH_CODE, REDIRECT_URI, RESOURCE)
+      end
+
+      it 'should retrieve the token response from the cache' do
+        expect(
+          token_request.get_with_authorization_code(
+            AUTH_CODE, REDIRECT_URI, RESOURCE)
+        ).to eq(token_response)
+      end
+    end
+
+    context 'without a matching token in the cache' do
+      before(:each) do
+        allow(ADAL::OAuthRequest).to receive(:new)
+          .and_return(mock_oauth_request(token_response))
+      end
+
+      it 'should make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_with_authorization_code(AUTH_CODE, REDIRECT_URI)
+      end
+
+      it 'should return the token response from the OAuth flow' do
+        expect(
+          token_request.get_with_authorization_code(AUTH_CODE, REDIRECT_URI)
+        ).to eq(token_response)
+      end
+    end
+  end
+
+  describe '#get_for_client' do
+    context 'with a matching token in the cache' do
+      before(:each) do
+        ADAL::CacheDriver.new(authority, client, cache).add(token_response)
+      end
+
+      it 'should not make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to_not receive(:new)
+        token_request.get_for_client(RESOURCE)
+      end
+
+      it 'should retrieve the token response from the cache' do
+        expect(token_request.get_for_client(RESOURCE)).to eq(token_response)
+      end
+    end
+
+    context 'without a matching token in the cache' do
+      before(:each) do
+        allow(ADAL::OAuthRequest).to receive(:new)
+          .and_return(mock_oauth_request(token_response))
+      end
+
+      it 'should make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_for_client(RESOURCE)
+      end
+
+      it 'should return the token response from the OAuth flow' do
+        expect(token_request.get_for_client(RESOURCE)).to eq(token_response)
+      end
+    end
+  end
+
+  describe '#get_with_refresh_token' do
+    let(:refresh_token_response) { ADAL::SuccessResponse.new }
+    before(:each) do
+      allow(ADAL::OAuthRequest).to receive(:new)
+        .and_return(mock_oauth_request(refresh_token_response))
+    end
+
+    context 'with a matching token in the cache' do
+      before(:each) do
+        ADAL::CacheDriver.new(authority, client, cache).add(token_response)
+      end
+
+      it 'should make an OAuth request' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE)
+      end
+
+      it 'should return the refreshed token response' do
+        expect(token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE))
+          .to eq(refresh_token_response)
+      end
+    end
+
+    context 'without a matching token in the cache' do
+      it 'should make an OAuth request' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE)
+      end
+
+      it 'should return the refreshed token response' do
+        expect(token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE))
+          .to eq(refresh_token_response)
+      end
+    end
+  end
+end

data/spec/adal/token_response_spec.rb

@@ -0,0 +1,102 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+OAUTH_FIXTURES = File.expand_path('../../fixtures/oauth', __FILE__)
+
+describe ADAL::TokenResponse do
+  let(:response) { File.read(File.expand_path(file_name, OAUTH_FIXTURES)) }
+
+  describe '::parse' do
+    context 'with a successful response' do
+      context 'with an id token' do
+        let(:file_name) { 'success_with_id_token.json' }
+
+        it 'should not raise any errors' do
+          expect { ADAL::TokenResponse.parse(response) }.to_not raise_error
+        end
+
+        describe 'response' do
+          subject { ADAL::TokenResponse.parse(response) }
+
+          it { is_expected.to be_instance_of ADAL::SuccessResponse }
+
+          describe '#error?' do
+            # RSpec does some metaprogramming voodoo; this calls subject.error?.
+            it { is_expected.to_not be_error }
+          end
+        end
+      end
+
+      context 'without an id token' do
+        let(:file_name) { 'success.json' }
+
+        it 'should not raise any errors' do
+          expect { ADAL::TokenResponse.parse(response) }.to_not raise_error
+        end
+
+        describe 'response' do
+          subject { ADAL::TokenResponse.parse(response) }
+
+          it { is_expected.to be_instance_of ADAL::SuccessResponse }
+
+          describe '#error?' do
+            it { is_expected.to_not be_error }
+          end
+        end
+      end
+    end
+
+    context 'with an error response' do
+      let(:file_name) { 'error.json' }
+
+      it 'should not raise any errors' do
+        expect { ADAL::TokenResponse.parse(response) }.to_not raise_error
+      end
+
+      describe 'response' do
+        subject { ADAL::TokenResponse.parse(response) }
+
+        it { is_expected.to be_instance_of ADAL::ErrorResponse }
+
+        describe '#error?' do
+          it { is_expected.to be_error }
+        end
+      end
+    end
+  end
+
+  context 'with a successful response' do
+    let(:file_name) { 'success.json' }
+
+    describe '::parse' do
+    end
+  end
+
+  context 'with an error response' do
+    let(:file_name) { 'error.json' }
+
+    describe '::parse' do
+    end
+  end
+end

data/spec/adal/user_credential_spec.rb

@@ -0,0 +1,125 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+include FakeData
+
+describe ADAL::UserCredential do
+  let(:user_cred) { ADAL::UserCredential.new(USERNAME, PASSWORD) }
+  let(:fed_url) { 'https://abc.def/' }
+
+  before(:each) do
+    expect(Net::HTTP).to receive(:get).once.and_return(
+      "{\"account_type\": \"#{account_type}\", " \
+      "\"federation_metadata_url\": \"#{fed_url}\"}")
+  end
+
+  context 'with a federated user' do
+    let(:account_type) { 'Federated' }
+
+    describe '#account_type' do
+      subject { user_cred.account_type }
+
+      it { is_expected.to eq ADAL::UserCredential::AccountType::FEDERATED }
+
+      it 'should cache the response instead of making multiple HTTP requests' do
+        # Note the .once in the before block.
+        user_cred.account_type
+        user_cred.account_type
+      end
+    end
+
+    describe '#request_params' do
+      subject { user_cred.request_params }
+      let(:action) do
+        'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal'
+      end
+      let(:grant_type) { 'grant_type' }
+      let(:token) { 'token' }
+      let(:wstrust_url) { 'https://ghi.jkl/' }
+
+      before(:each) do
+        expect_any_instance_of(ADAL::MexRequest).to receive(:execute)
+          .and_return(double(wstrust_url: wstrust_url, action: action))
+        expect_any_instance_of(ADAL::WSTrustRequest).to receive(:execute)
+          .and_return(double(token: token, grant_type: grant_type))
+      end
+
+      it 'contains assertion, grant_type and scope' do
+        expect(subject.keys).to contain_exactly(:assertion, :grant_type, :scope)
+      end
+
+      describe 'assertion' do
+        subject { user_cred.request_params[:assertion] }
+
+        it 'contains the base64 encoded token' do
+          expect(Base64.decode64(subject)).to eq token
+        end
+      end
+
+      describe 'scope' do
+        subject { user_cred.request_params[:scope] }
+
+        it { is_expected.to eq :openid }
+      end
+    end
+  end
+
+  context 'with a managed user' do
+    let(:account_type) { 'Managed' }
+
+    describe '#account_type' do
+      subject { user_cred.account_type }
+      it { is_expected.to eq ADAL::UserCredential::AccountType::MANAGED }
+    end
+
+    describe '#request_params' do
+      it 'should contain username, password and grant type' do
+        expect(user_cred.request_params.keys).to contain_exactly(
+          :username, :password, :grant_type, :scope)
+      end
+
+      describe 'grant_type' do
+        subject { user_cred.request_params[:grant_type] }
+
+        it { is_expected.to eq 'password' }
+      end
+    end
+  end
+
+  context 'with an unknown account type user' do
+    let(:account_type) { 'Unknown' }
+
+    describe '#account_type' do
+      subject { user_cred.account_type }
+      it { is_expected.to eq ADAL::UserCredential::AccountType::UNKNOWN }
+    end
+
+    describe '#request_params' do
+      it 'should throw an error' do
+        expect { user_cred.request_params }.to raise_error(
+          ADAL::UserCredential::UnsupportedAccountTypeError)
+      end
+    end
+  end
+end

data/spec/adal/user_identifier_spec.rb

@@ -0,0 +1,115 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+require_relative '../spec_helper'
+
+describe ADAL::UserIdentifier do
+  describe '#initialize' do
+    context 'with a valid type' do
+      subject { -> { ADAL::UserIdentifier.new('a@io', :DISPLAYABLE_ID) } }
+      it { is_expected.to_not raise_error }
+    end
+
+    context 'with an invalid type' do
+      subject { -> { ADAL::UserIdentifier.new('a@io', :NEW_ID) } }
+      it { is_expected.to raise_error ArgumentError }
+    end
+  end
+
+  describe 'request_parameters' do
+    let(:id) { 'my id' }
+    let(:type) { ADAL::UserIdentifier::UNIQUE_ID }
+    let(:user_id) { ADAL::UserIdentifier.new(id, type) }
+    subject { user_id.request_params }
+    it { is_expected.to eq(user_info: user_id) }
+  end
+
+  describe '==' do
+    let(:id) { 'my id' }
+    subject { ADAL::UserIdentifier.new(id, type) }
+
+    context 'with another UserIdentifier' do
+      let(:type) { ADAL::UserIdentifier::Type::UNIQUE_ID }
+      it 'uses object equality' do
+        expect(subject == subject).to be_truthy
+        expect(subject == ADAL::UserIdentifier.new(id, type)).to be_falsey
+      end
+    end
+
+    context 'with a string username' do
+      let(:type) { ADAL::UserIdentifier::Type::UNIQUE_ID }
+      it 'matches strings to the id' do
+        expect(subject == id).to be_truthy
+        expect(subject == '5').to be_falsey
+      end
+    end
+
+    context 'with a UserInformation' do
+      context 'with type UNIQUE_ID' do
+        let(:type) { ADAL::UserIdentifier::Type::UNIQUE_ID }
+
+        it 'matches oid' do
+          user_info = ADAL::UserInformation.new(oid: id)
+          expect(subject == user_info).to be_truthy
+        end
+
+        it 'matches sub' do
+          user_info = ADAL::UserInformation.new(sub: id)
+          expect(subject == user_info).to be_truthy
+        end
+
+        it 'does not match upn' do
+          user_info = ADAL::UserInformation.new(upn: id)
+          expect(subject == user_info).to be_falsey
+        end
+
+        it 'does not match email' do
+          user_info = ADAL::UserInformation.new(email: id)
+          expect(subject == user_info).to be_falsey
+        end
+      end
+
+      context 'with type DISPLAYABLE_ID' do
+        let(:type) { ADAL::UserIdentifier::Type::DISPLAYABLE_ID }
+
+        it 'does not match oid' do
+          user_info = ADAL::UserInformation.new(oid: id)
+          expect(subject == user_info).to be_falsey
+        end
+
+        it 'does not match sub' do
+          user_info = ADAL::UserInformation.new(sub: id)
+          expect(subject == user_info).to be_falsey
+        end
+
+        it 'matches upn' do
+          user_info = ADAL::UserInformation.new(upn: id)
+          expect(subject == user_info).to be_truthy
+        end
+
+        it 'matches email' do
+          user_info = ADAL::UserInformation.new(email: id)
+          expect(subject == user_info).to be_truthy
+        end
+      end
+    end
+  end
+end